The United States Department of Commerce (Commerce) issued a notice of proposed rulemaking (NPRM) seeking comments on new proposed regulations that would, if enacted, impose extensive Know Your Customer (KYC) and Customer Identification Program (CIP) requirements on U.S. Infrastructure as a Service (IaaS) providers. The regulations would subject aspects of the U.S. technology industry to the type of regulation more commonly associated with the financial industry, and would impose, among other things, extensive new compliance programs to validate the identity of foreign users, U.S. government review and approval of internal compliance measures, and new reporting requirements. They would also grant the U.S. government authority to prohibit the provision of certain IaaS services to customers that may be engaged in malign activities.
The proposed regulations, referred to as “Infrastructure as a Service Providers’ Responsibility To Verify the Identity of Their Customers, Special Measures, and the Use of Their Products for Large AI Model Training,” are the latest move by the Biden administration to address national security concerns about bad actors exploiting vulnerabilities in U.S. cloud computing to steal sensitive data and intellectual property and to launch disruptive denial-of-service attacks against critical industries.
The NPRM implements Executive Orders 14110 and 13894, which authorize Commerce to issue regulations that help identify foreign malicious cyber actors and to impose measures against such actors. The rules will be administered by the Office of Information and Communications Technology and Services (ICTS), within the Bureau of Industry and Security, whose mandate includes export controls, the review of certain ICTS transactions, and other national security-focused trade controls.
Companies with IaaS offerings should closely review the proposed rules, as they could impose substantial new compliance burdens on U.S. technology companies and their foreign partners. Comments on the NPRM must be submitted by April 29, 2024.
Definitions
The NPRM contains a number of key definitions on which Commerce seeks comments from the industry. Companies in the cloud computing industry should carefully review the “expansive” proposed definition of “IaaS products,” as U.S. providers and resellers of such products would be subject to the new KYC, CIP, and reporting obligations. Commerce is seeking comments from the industry on the categories of products or services that fall within the proposed definition, and notes that content delivery networks, proxy services, and domain name resolution services would be in scope. The NPRM defines IaaS products as:
“[A] product or service offered to a consumer, including complimentary or ‘trial’ offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of ‘managed’ products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and ‘unmanaged’ products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of ‘virtualized’ products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., ‘virtual private servers’), and ‘dedicated’ products or services in which the total computing resources of a physical machine are provided to a single person (e.g., ‘bare-metal servers’).”
Customer Identification Program
The proposed rule would require U.S. IaaS providers, along with their U.S. and foreign resellers, to implement and maintain a comprehensive CIP, or a KYC program, to verify the identity of foreign persons that sign up for or maintain accounts that access or use a provider’s products or services. The NPRM would require CIPs to contain the following elements, among others:
In addition to the above, Commerce is seeking industry comments on requirements related to third-party and internal audits, U.S. government preapproval of CIPs, proactive notifications to the U.S. government of potential red flags, and whether small businesses might find it more difficult to develop a CIP.
Commerce May Impose “Special Measures”
The NPRM would empower Commerce to impose “special measures” that prohibit or restrict access to IaaS products by foreign jurisdictions or designated persons that the agency determines are engaged in malicious cyber-enabled activities. Before imposing a special measure, Commerce must find, in consultation with other agencies, that there are reasonable grounds to believe that a foreign jurisdiction or foreign person is using U.S. IaaS for malicious cyber-enabled activities. Special measures may be imposed for up to one year and may be extended upon a finding that they remain necessary. Failure to implement a special measure may expose a provider to penalties.
New Reporting Requirements for Large AI Model Training
The NPRM would require U.S. IaaS providers and resellers to file a report whenever they have knowledge of a covered transaction, defined to include a transaction by, for, or on behalf of a foreign person that results or could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity. Such a model is defined as one with “the technical conditions of a dual-use foundation model, or that otherwise has technical parameters of concern, that has capabilities that could be used to aid or automate aspects of malicious cyber-enabled activity, including but not limited to social engineering attacks, vulnerability discovery, denial-of-service attacks, data poisoning, target selection and prioritization, disinformation or misinformation generation and/or propagation, and remote command-and-control, as necessary and appropriate of cyber operations.” Commerce would publish and update technical definitions of qualifying models in the Federal Register.
Civil and Criminal Penalties
Violations of the new regulations, including the failure to create a CIP, failure to file certifications, and failure to seek reauthorization of CIPs, would be subject to civil and criminal penalties imposed by the International Emergency Economic Powers Act (IEEPA). Penalties under IEEPA are significant, including a maximum civil penalty not to exceed the greater of $250,000 per violation or twice the transaction amount, as well as criminal penalties for willful violations, including imprisonment of up to 20 years and/or a fine of up to $1 million. IEEPA penalties are indexed to inflation and therefore rise over time. This is the same penalty framework used by the U.S. government to enforce most of its economic sanction regimes, and fines can be substantial when multiple violations are found or are ongoing.
Next Steps
IaaS providers should carefully review the NPRM and consider submitting comments prior to the April 29, 2024, deadline. Please reach out to your Fenwick Trade & National Security contact with any questions about these proposed rules.