Q&A: Blank Rome's Anthony Rapa on new proposed rule for the regulation of cloud providers

April 22, 2024
Rapa discusses the recent Department of Commerce proposal requiring domestic IaaS providers to secure vetting and privacy policies.

Anthony Rapa is co-chair of Blank Rome’s International Trade practice group. He advises clients across a broad range of industries, including cybersecurity, software, aerospace and defense, semiconductors, and others seeking counsel with regard to U.S. national security requirements.

He recently spoke with editors from SIW about proposed Commerce rule changes that would require domestic IaaS providers to put in place a customer vetting process and privacy policies.

Recently, the Department of Commerce (Department) published a notice of proposed rulemaking (NPRM) for establishing new requirements for Infrastructure as a Service (IaaS) providers. Why did the federal government need to take this action and what threats and challenges is it being applied against?

Rapa: As described by Commerce in the NPRM, U.S. authorities are concerned with potential malicious use of U.S. IaaS by foreign threat actors, including intellectual property theft, espionage activities, targeting of U.S. critical infrastructure, and training of large AI models that can automate such malicious activity. 

Specifically, the concern regarding IaaS arises from the “temporary registration and ease of replacement” for such services, as Commerce describes it.  

In order to address this, successive U.S. presidents issued executive orders calling for action in this area. In January 2021 President Trump issued Executive Order 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” which directed Commerce to issue rules requiring U.S. IaaS providers to verify the identity of their foreign customers. 

Later, in October 2023, President Biden issued Executive Order 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” a sprawling order covering various aspects of AI safety and development. Executive Order 14110 in part directed Commerce to issue rules requiring U.S. IaaS providers to make certain reports when a foreign customer uses their services to train a large AI model with the potential for malicious cyber-enabled activity.

Those two executive orders are the source of the January 2024 proposed rule.

What would this proposed Commerce rule require domestic IaaS providers to do in vetting and creating a secure customer identification program for foreign clients?

Rapa: The proposed rule requires all U.S. IaaS providers to create, implement, and maintain an appropriately tailored, written customer identification program (CIP)—akin to the “know your customer” (“KYC”) information that banks maintain. The primary purpose of the CIP is to verify whether potential customers and beneficial owners are foreign or U.S. persons, and to verify the identities of potential foreign customers and their beneficial owners.

At minimum, U.S. IaaS providers must gather and retain specific identifying information from potential foreign customers and foreign beneficial owners (i.e., 25% or more owners) to verify their identity, including their:

  • Name
  • Address
  • Means and source of payment
  • Email address
  • Telephone number
  • IP address used

If the customer is a U.S. person, that is the end of the exercise.

If, however, the provider has collected all requisite information and determined that the potential customer and beneficial owner(s) are non-U.S. persons or entities, the provider must then confirm the identity of the potential foreign customer and foreign beneficial owner through selected documentary or non-documentary identity verification procedures.

An IaaS provider may apply for an exemption from the CIP requirement by demonstrating that it has established an appropriate “Abuse of IaaS Products Deterrence Program” as specified in the proposed rule.

Will Commerce be able to propose “special measures” and restrict access for foreign clients and other entities that are operating in locations deemed bad actors, or in nation states engaged in malicious cyber activity?

Rapa: Yes, the proposed rule would empower Commerce to impose “special measures” on entire jurisdictions with a large number of persons engaged in malicious cyber activities, or on specified foreign individuals or entities engaged in such activities. 

Such “special measures” can include prohibiting or imposing conditions on the opening or maintaining of an IaaS account by individuals or entities located in a specified foreign jurisdiction, or by designated foreign individuals or entities.

Discuss the impact this ruling will have in helping global organizations to create a standard of cybersecurity policy and procedure that will address advanced AI threats and potentially damaging business operations.

Rapa: The overall takeaway is that the proposed rule would establish significant due diligence and monitoring requirements for U.S. IaaS providers that would be new for the industry (as compared with, e.g., the financial industry, which is used to these rules), and would necessitate the dedication of significant resources to designing and executing on a compliance program.

More specific key takeaways regarding the proposed rule are as follows:

  • The proposed rule would institute a CIP requirement for U.S. IaaS providers akin to the “know your customer” requirements applicable to banks, introducing a complex compliance protocol that will require resources and lead time.
  • The proposed rule would impose a requirement for U.S. IaaS providers to make a report to Commerce upon becoming aware of a foreign customer using their services to train a large AI model with the potential capability to engage in certain malicious cyber activities. This would impose a significant monitoring obligation on providers.
  • The proposed rule would require U.S. providers to flow the CIP and reporting requirements through to foreign resellers.
  • The stakes of noncompliance would be high, with violations punishable under the International Emergency Economic Powers Act, which provides for civil penalties of up to the greater of ~$368,000 per violation or twice the value of the transaction connected to the violation, or criminal penalties of up to one million dollars and/or 20 years’ imprisonment.
  • Affected or interested parties may submit to Commerce comments on the proposed regulations until April 29, 2024.