Commerce Issues Proposed Rule on “Malicious Cyber-Enabled Activities” and Artificial Intelligence
On January 29, 2024, the Department of Commerce’s Bureau of Industry and Security (BIS) issued a proposed rule (the Proposed Rule) that would impose significant know-your-customer (KYC), monitoring and reporting obligations on U.S. providers of Infrastructure as a Service (IaaS) products and their foreign resellers.
The Proposed Rule implements the 2021 Executive Order 13984 on “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” (the Cyber EO) and portions of the Biden administration’s EO 14110 on “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (the AI EO) (see prior alert here).
BIS has requested comments on “all aspects of this proposed rule.” Comments must be submitted to BIS by April 29, 2024.
We encourage companies to review the Proposed Rule to determine the potential impact on their businesses and whether to submit comments to Commerce. Akin is happy to assist with preparation of comments or advise on the potential application of the Proposed Rule to specific facts.
Key Takeaways:
- If implemented, the Proposed Rule would create a substantial new compliance regime—the “Customer Identification Program” (CIP)—targeting U.S. providers (U.S. Providers) that offer “IaaS products” outside the U.S. and foreign resellers of such IaaS products. U.S. Providers would be responsible for ensuring that their foreign resellers comply with the CIP requirements.
- The Proposed Rule broadly defines “IaaS products” to include “a product or service offered to a consumer . . . that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications.” This definition suggests that the Proposed Rule will apply broadly to, e.g., cloud-service providers (CSP) and anyone that resells computing capacity from a CSP.
- The CIP includes robust KYC requirements, including a requirement that U.S. Providers identify the “beneficial owner” of all accounts (i.e., U.S. and foreign customer accounts) and additional requirements related to foreign-customer accounts. The Proposed Rule would also require U.S. Providers to report information about their non-U.S. customer base to the U.S. government.
- The rule also gives Commerce the authority to impose prohibitions or conditions on U.S. Providers that are providing or maintaining IaaS accounts for foreign jurisdictions or foreign persons where the government determines that “reasonable grounds exist for concluding that a foreign jurisdiction or foreign person is conducting malicious cyber-enabled activities using U.S. IaaS products[.]”
- U.S. Providers and their foreign resellers would be required to report to Commerce any “transaction by, for, or on behalf of a foreign person which results or could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity[.]”
- The Proposed Rule includes dozens of defined terms, including “beneficial owner,” “IaaS product,” “U.S. IaaS provider,” “foreign reseller,” and “malicious cyber-enabled activities.” A full list of definitions is included in Section 7.301 of the Proposed Rule.
- Violations of the rule may be subject to civil or criminal enforcement actions.
Background
The last two presidential administrations have identified the threat from foreign actors’ malicious use of U.S. IaaS products to commit intellectual property and sensitive data theft, espionage and targeting of U.S. critical infrastructure.
The Trump administration issued the Cyber EO on January 19, 2021. The Cyber EO directed Commerce to propose (1) KYC requirements for U.S. Providers and (2) prohibitions and/or conditions on foreign use of U.S. IaaS under certain conditions. In September 2021, Commerce issued an advance notice of proposed rulemaking (the ANPRM) seeking input from U.S. Providers regarding their current KYC practices and how they might implement and be impacted by the additional KYC requirements, potential prohibitions and conditions proposed in the Cyber EO.
Similarly, the Biden administration’s AI EO in October 2023 directed Commerce to require foreign resellers of U.S. IaaS products to undertake almost identical KYC activities to those proposed in the Cyber EO in relation to U.S. Providers.
The Proposed Rule addresses comments received in response to the September 2021 ANPRM, implements the KYC requirements in the Cyber and AI EOs, proposes “special measures” the U.S. government may take to prohibit or condition the provision of U.S. IaaS products to foreign jurisdictions and persons of concern, and requires reporting to Commerce on any use of U.S. IaaS to train certain AI models.
Any final rule will be implemented and enforced by BIS’s Office of Information and Communications Technology and Services (OICTS). Per the recently updated OICTS website, “the ICTS program implements five Executive Orders . . . and related regulations under the International Emergency Economic Powers Act[,]” including the Cyber EO and the AI EO. OICTS was founded in 2021 and has rapidly grown its headcount since then, including the appointment of OICTS’s first Executive Director, Elizabeth Cannon, on January 23, 2024.
Obligations of U.S. Providers under the Proposed Rule
Key obligations imposed on U.S. Providers under the Proposed Rule include:
- “[M]aintain[ing] and implement[ing] a written [CIP]” that identifies customers and their beneficial owners and takes additional identity-verification steps in relation to any non-U.S. customers (see “Identity Verification Requirements” below).
- “[E]nsur[ing] that foreign resellers of their U.S. IaaS products maintain and implement a written CIP[.]”
- Providing Commerce with a copy of a foreign reseller’s written CIP within ten calendar days of Commerce’s request.
- Taking steps to ensure that foreign resellers comply with CIP requirements, or else terminate the reseller relationship and report any suspected malicious cyber-enabled activity to relevant authorities.
- Notifying Commerce of the U.S. Provider’s implementation of its CIP and any required foreign reseller CIPs through a detailed CIP certification form.
- Annually certifying, on behalf of itself and its foreign resellers, that, e.g., the U.S. Provider has reviewed and updated the CIP since the last certification.
- Submitting additional reports to Commerce on the occurrence of certain changes to the company or the CIP between annual certifications.
- Reporting the following AI-training related transactions to Commerce:
- “A transaction by, for, or on behalf of a foreign person which results or could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity . . . ;” or
- “A transaction by, for, or on behalf of a foreign person, in which the original arrangements provided for in the terms of the transaction would not result in a training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity, but a development or update in the arrangements means the transaction now does or could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity[.]”
- Maintaining and safeguarding records in relation to the Proposed Rule for at least two years past the date the account was closed or last accessed.
Authorities of U.S. Government under the Proposed Rule
The Proposed Rule would grant the U.S. government authorization to, among other things:
- Review U.S. Providers’ CIP submissions (including submissions of foreign reseller CIPs), notify U.S. Providers of any shortcomings and require that the U.S. Provider resolve the shortcoming and resubmit the CIP.
- Evaluate risk that U.S. Providers’ services are being used by:
- “Foreign malicious cyber actors; or”
- “A foreign person to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity[.]”
- Conduct compliance assessments of U.S. Providers, including requesting audits of the U.S. Providers’ processes and procedures.
- Recommend remediation measures or review specific transactions based on the results of a compliance assessment.
- Enforce the proposed regulations.
Additionally, the Proposed Rule gives Commerce the authority to impose prohibitions or conditions on providing or maintaining IaaS accounts for foreign jurisdictions or foreign persons where the government determines that “reasonable grounds exist for concluding that a foreign jurisdiction or foreign person is conducting malicious cyber-enabled activities using U.S. IaaS products[.]”
This “reasonable grounds” determination is based on factors identified in Section 7.307(b)(3) of the Proposed Rule.
Additional Detail on Key Provisions of the Proposed Rule
KYC Data Collection
At a minimum, data collected under a CIP must include a customer’s name, address, the means and source of payment for each customer’s account, contact information and IP addresses used for access or administration of the account. CIPs must also specify how the U.S. Provider will ensure that all beneficial owners at the inception of an account and any new beneficial owners added to an account undergo the same identification process.
CIP Reporting Requirements
U.S. Providers will be required to submit to Commerce certain information about their own and their foreign resellers’ CIPs, including their procedures for verifying customer identity and detecting malicious cyber activity, as well as information about their IaaS products and customer base.
U.S. Providers and their foreign resellers must also annually certify to Commerce that they have updated their CIPs to account for “any changes in its service offerings since its last certification” and “any changes in the threat landscape since its last certification[.]”
In these annual certifications, U.S. Providers must also attest that their current CIP complies with Commerce’s requirements and identify “the number of times the IaaS provider was unable to verify the identity of any customer since its last certification” and the resolution for each of those situations.
Identity Verification Requirements
The Proposed Rule would require U.S. Providers and their foreign resellers to verify the identities of foreign persons who obtain accounts (and their beneficial owners, as applicable) prior to opening an account. U.S. Providers must also establish a process for verifying the identity of any customer that does not produce requested documents. U.S. Providers are not required to verify the identities of customers with accounts opened by or on behalf of a U.S. person, unless a foreign beneficial owner is added to the account, or a portion of the account is resold to a foreign person.
Exemptions from CIP Requirements
U.S. Providers may seek an exemption from the CIP requirements. Commerce may grant an exemption if it determines that “the provider complies with security best practices to deter the abuse of IaaS products” and has established an Abuse of IaaS Products Deterrence Program (ADP).
The Proposed Rule provides a long list of requirements that a U.S. Provider’s ADP must meet to qualify for an exemption from CIP requirements.
To determine whether a provider qualifies for such an exemption, Commerce will evaluate whether the ADP’s size and complexity are commensurate with the provider’s business; the ADP’s ability to deter, detect and respond to red flags; oversight of reseller arrangements; cooperation with law enforcement to provide forensic information for investigations; and participation in government collaboration efforts.
U.S. Providers would be required to update ADPs regularly to reflect changes in risks to accounts based on experiences with malicious cyber-enabled activities; changes in methods of malicious cyber-enabled activities; changes in methods to detect, prevent and mitigate malicious cyber-enabled activities; changes in the types of accounts the provider offers or maintains; and changes in the business arrangements of the provider.
Penalties and Enforcement
If the rule is implemented, violations could result in civil or criminal penalties. Violations include failure to implement and maintain a CIP; failing to submit necessary reports, certifications or recertifications; making false or misleading representations, notifications or certifications, or concealing material facts; and not notifying Commerce about an “IaaS transaction that might result in a customer obtaining or using a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.”