Clifford Chance

Talking Tech

Notice of Proposed Rulemaking: New Cybersecurity Measures and Implications for IaaS Providers

Cyber Security 15 February 2024

On January 29, 2024, the Department of Commerce published a notice of proposed rulemaking (NPRM) with requirements for Infrastructure as a Service (IaaS) providers, commonly referred to as "cloud infrastructure providers." The NPRM proposes measures designed to counter the escalating threat posed by foreign malicious actors who wish to exploit U.S. cloud services for nefarious cyber-enabled activities, thereby jeopardizing critical infrastructure[1] and national security. Of particular concern is the potential misuse of cloud infrastructure for training large artificial intelligence (AI) models.

The NPRM is part of a series of actions stemming from the Executive Order of January 19, 2021, "Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities," and the Executive Order of October 30, 2023, "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence," aimed at addressing national security threats through cybersecurity measures. These orders target significant malicious cyber-enabled activities, reflecting a broader strategy to enhance U.S. cybersecurity infrastructure and protect against foreign threats, particularly in the context of critical technology[2] sectors such as AI.

What is the requirement?

The NPRM would require U.S. IaaS providers to maintain records related to IaaS accounts with foreign interests and to verify the identity of each individual or beneficial-owner account holder. The proposed regulation requires creating a Customer Identification Program (CIP), verifying the identities of foreign customers, tracking customer identities, reporting certain transactions related to the training of large AI models, and ensuring that foreign resellers maintain CIPs of their own. Noncompliance could result in civil and criminal penalties.

Unless exempted, a U.S. IaaS provider must establish a CIP and submit annual certifications to the Department of Commerce, affirming such provider's review and adjustment of its CIP to address changes in the threat landscape since the last certification. The CIP must be suitable for the U.S. IaaS provider's scale, product offerings, and risks associated with service types, account openings, available identifying information, and customer base. If an IaaS provider acts solely as a reseller, it may opt to have an agreement with the primary U.S. IaaS provider that allows it to reference, use, or adopt such primary provider's CIP to fulfill section requirements. Additionally, U.S. IaaS providers must ensure that foreign resellers maintain written CIPs (appropriately customized for their pertinent customer base), ensuring consistency across the supply chain.

A CIP must incorporate risk-based procedures for verifying the identity of each foreign customer, which includes:

  • determining whether potential customers and beneficial owners are foreign or U.S. persons
  • conducting reasonable due diligence to confirm the true identity of any customer or beneficial owner claiming to be a foreign or a U.S. person
  • creating detailed procedures for obtaining identity verification from potential customers and beneficial owners
  • obtaining the name, address, payment information, email address, telephone contact information, and IP address from any potential foreign customer or foreign beneficial owner before opening an account.

The proposed regulations also require U.S. IaaS providers to report any transactions with foreign entities that could enable the training of large AI models with potential for malicious cyber-enabled activities. U.S. IaaS providers must report if they know, suspect, or have reason to believe that a transaction could be used for malicious activities.

The NPRM outlines a process for U.S. IaaS providers and their foreign resellers to request exemptions from CIP requirements. The Department of Commerce proposes standards for exemptions, requiring electronic submission of requests. It invites comments on these procedures and seeks input on security best practices and potential "safe harbor" activities that could justify exemptions.

Who is covered?

The NPRM would apply to all U.S. direct providers of U.S. IaaS products and any of their U.S. resellers.

When does the new rule take effect?

The rule is at the Notice of Proposed Rulemaking stage. The Department of Commerce has released the proposed rule for comment to solicit feedback from stakeholders and the public before finalizing the regulations. The text of the proposed rule is available on the Federal Register's website. The deadline for public comments is April 29, 2024.

Potential Impact on U.S. IaaS Providers

U.S. IaaS providers should continue to monitor the Department of Commerce website for updates and consult legal counsel to navigate compliance.

If the rule is enacted as stated in the NPRM, U.S. IaaS providers should consider taking the following next steps:

  • Develop a detailed CIP compliant with the rule, as referenced above.
  • Implement systems for thorough identity verification of all customers, especially foreign entities.
  • Establish protocols for reporting transactions related to large AI models that could be used in malicious activities.

Moreover, customers of U.S. IaaS providers and any of their U.S. resellers should be prepared for the following:

  • Provide detailed identity and operational information as required by the IaaS provider.
  • Review and adjust data handling and processing practices to ensure compliance with the potential data sharing and privacy implications of the new rule.
  • For customers based outside the U.S., prepare for increased scrutiny and data protection requirements.

In anticipation of the final rule, any U.S. provider of IaaS products, including its U.S. reseller, and any of their customers, is encouraged to contact our team for further information, or to discuss necessary strategies and measures to ensure future compliance.

Notes

[1] "Critical infrastructure" means any systems and assets, whether physical or cyber-based, so vital to the United States that the degradation or destruction of such systems and assets would have a debilitating impact on national security, including, but not limited to, national economic security and national public health or safety. This term includes the vast network of highways, connecting bridges and tunnels, railways, utilities and buildings necessary to maintain normalcy in daily life. See: https://www.dhs.gov/science-and-technology/critical-infrastructure

[2] "Critical technology" includes technology controlled under the International Traffic in Arms Regulations (ITAR); certain items listed on the Commerce Control List; regulated nuclear equipment and materials; select agents and toxins; and emerging and foundational technologies identified and controlled under the Export Control Reform Act of 2018. See 31 C.F.R. § 800.215.