The Department of Commerce is looking to push cloud providers to supply more in-depth knowledge of their foreign customer base, as part of President Biden’s executive orders on AI and cybersecurity.
Commerce issued a notice of proposed rulemaking (NPRM) on Jan. 29 that would require U.S. Infrastructure as a Service (IaaS) providers to verify the identity of their foreign customers. The department is accepting comments on the proposed rule through April 29.
“Foreign malicious cyber actors have utilized U.S. IaaS products to commit intellectual property and sensitive data theft, to engage in covert espionage activities, and to threaten national security by targeting U.S. critical infrastructure,” stated the Commerce Department.
“The temporary registration and ease of replacement for such services makes it more difficult for the government to track malicious actors. Additionally, the ability of malicious actors to use foreign-person resellers of U.S. IaaS products (‘foreign resellers’), who might not track identity, hinders law enforcement’s ability to obtain identifying information about malicious actors through service of compulsory legal process,” the department added.
The proposed rule also seeks industry insight on how best to keep track of foreign entities that are looking to transact with IaaS providers to train large AI models that could potentially be used to cause harm in cyber-enabled activities.
“The emergence of large-scale computing infrastructure—to which U.S. IaaS providers and foreign resellers provide access as a service, and which foreign malicious actors could use to train large AI models that can assist or automate their malicious cyber activity—has raised considerable concern about the identities of entities that transact with providers to engage in certain AI training runs,” the Commerce Department said.
As part of this notice, Commerce is also looking for information on current practices, if any, that U.S. IaaS providers use to verify the identity of their customers, and how regulations might burden them.
“The Department acknowledges that this rulemaking will impose compliance costs for at least some U.S. IaaS providers and has addressed these costs in the regulatory impact analysis included in the preamble of this proposed rule,” stated the Commerce Department.