Access Alert: US Department of Commerce issues Proposed Rulemaking on Cybersecurity and AI for IaaS providers

Access Alert: US Department of Commerce issues Proposed Rulemaking on Cybersecurity and AI for IaaS providers

On 29 January, the US Department of Commerce, through the Bureau of Industry and Security (BIS) and its newly-created Office of Information and Communications Technology and Services (OICTS), issued a Notice of Proposed Rulemaking (NPRM) primarily impacting Infrastructure as a Service (IaaS) providers and their foreign resellers, especially those involved in training large AI models. The NPRM, developed under the direction of both the Biden Administration’s AI Executive Order and Executive Order 13984 on steps to crack down on malicious cyber-enabled activities, aims to prevent foreign malicious cyber actors from abusing the US national cloud infrastructure and threatening national security by implementing customer identification programs (CIPs) for IaaS providers to verify foreign customer identities, mirroring anti-money laundering practices in financial institutions.

The NPRM defines “US IaaS providers” broadly, encompassing a wide range of entities and individuals within the US. It details the requirements of CIPs, including verifying customer and beneficial owner identities, and mandates procedures for detecting malicious cyber activities. Providers are expected to report their compliance through a CIP certification form and are responsible for ensuring foreign resellers comply with these rules. The NPRM would also allow Commerce to identify and regulate transactions with foreign jurisdictions along with persons posing security threats and take action against certain foreign jurisdictions and persons involved in malicious activities using US IaaS products. IaaS providers with approved Abuse of IaaS Products Deterrence Programs (ADPs), which detect and mitigate malicious activities, would be exempted from the new CIP requirements.

The NPRM also introduces requirements for providers to report transactions involving the training of large AI models that could potentially be used for malicious activities. Notably, Commerce proposed a definition for what constitutes a “large AI model with potential capabilities that could be used in malicious cyber-enabled activity”. According to the NPRM, Commerce will use that definition to “determine the set of technical conditions that a large AI model must possess in order to have the potential capabilities that could be used in malicious cyber-enabled activity” and therefore be subject to additional requirements and regulation.

Comments are due by 29 April 2024.

Access Partnership is actively working on several AI projects, tracking global AI developments and empowering our clients to respond strategically. For more information, please contact Jacob Hafey at [email protected].

Related Articles

Advantage Southeast Asia: Emerging AI Leader

Advantage Southeast Asia: Emerging AI Leader

Artificial intelligence (AI) is offering a once-in-a-generation opportunity for economic growth and societal transformation, with the conversation dominated by the...

2 Oct 2024 General
Advancing Malaysia’s Digital Potential through AI with Google

Advancing Malaysia’s Digital Potential through AI with Google

Malaysia’s ambition to become a high-income, digital-first nation is clear in the MADANI Economy framework. Recent discussions on investor-friendly policies...

1 Oct 2024 General
Google and Korea: 20 years of partnership and AI innovation

Google and Korea: 20 years of partnership and AI innovation

Korean entertainment groups like Blackpink and BTS have continually taken the world by storm, while Android revolutionized mobile access for...

26 Sep 2024 General
Access Alert: A new era of global governance – the Pact for the Future

Access Alert: A new era of global governance – the Pact for the Future

On 22 September, the United Nations adopted the Pact for the Future at the Summit of the Future in New...

24 Sep 2024 Opinion