A new proposed rule from the Department of Commerce seeks to protect cloud services from foreign cyber threats to national security and artificial intelligence by creating requirements for cloud infrastructure providers.
Under the proposed regulation from the department’s Bureau of Industry and Security, cloud Infrastructure as a Service (IaaS) providers and foreign resellers of their products would have to verify foreign users’ identities in an effort to make it easier for the U.S. government to track malicious cyber actors.
IaaS providers would also have to submit reports — including information such as the customer’s name, address, phone number, and IP address — whenever a foreign person transacts with them to train “large AI models with potential capabilities that could be used in malicious cyber-enabled activity,” according to the proposed rule, which was published in the Federal Register on Monday.
“Today’s rule puts foreign malicious cyber actors on notice that we are taking action to prevent them from using our own cloud infrastructure to undermine our national security interests,” Alan Estevez, undersecretary for industry and security, said in a written statement.
The proposed rule comes as part of the Biden administration’s broader efforts to increase safety and security of AI. The president’s recent October AI executive order required the department to issue such a proposed rule within 90 days of its release. Meanwhile, a 2021 executive order also gave the department authority to require U.S. IaaS providers to verify a foreign user’s identity.
Industry reaction to the rule was relatively positive. Mason Molesky, cybersecurity and cloud policy executive for IBM, said in a statement that the company “supports the intentions of the proposed rule to mitigate the misuse of domestic cloud and AI infrastructure, but greater industry engagement is needed to avoid unintended consequences for enterprise cloud providers and to address data privacy concerns for clients outside the U.S.”
Fred Humphries, Microsoft’s corporate vice president for government affairs at Microsoft, said in a LinkedIn post that the tech giant welcomes “the important work that the Commerce Department is undertaking to strengthen AI governance and address malicious cyber activity. We support Know Your Customer (KYC) requirements for providers of AI infrastructure and cybersecurity best practice requirements for providers of Infrastructure as a Service (IaaS) products, and we look forward to opportunities to provide input on how those requirements are further defined and implemented.”
The Commerce Department began seeking public feedback in an advanced notice of proposed rulemaking in September 2021 and said it incorporated many of those comments into the proposal.
“Today’s proposed rule gives the Secretary of Commerce the tools she needs to address risks while maintaining the Department’s overall approach to national security: to innovate and do business wherever we can, and to protect what we must,” Estevez said in the statement.
Public comments are due by the end of April.
