On January 29, 2024, the Department of Commerce (“Department”) published a proposed rule (“Proposed Rule”) to require providers and foreign resellers of U.S. Infrastructure-as-a-Service (“IaaS”) products to (i) verify the identity of their foreign customers and (ii) notify the Department when a foreign person transacts with that provider or reseller to train a large artificial intelligence (“AI”) model with potential capabilities that could be used in malicious cyber-enabled activity. The proposed rule also contemplates that the Department may impose special measures to be undertaken by U.S. IaaS providers to deter foreign malicious cyber actors’ use of U.S. IaaS products.  The accompanying request for comments has a deadline of April 29, 2024.

The Proposed Rule would effectuate many of the requirements laid out in the Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (“E.O. 13984”).  E.O. 13984, issued three years prior to the Proposed Rule, set in motion requirements for IaaS providers to enact certain customer identity verification procedures and take special measures to prevent their services from being used by foreign actors for malicious cyber-enabled activities.  The AI provisions of the Proposed Rule stem from the more recent Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“E.O. 14110”), issued on October 30, 2023, which directed the Department to propose regulations for U.S. IaaS providers to (i) submit reports to the Department when a customer transacts with the provider to train an AI model that could be used for malicious cyber-enabled activities and (ii) ensure foreign resellers of IaaS products also conduct identity verification of foreign account holders.

The proposed regulations are further explained and summarized below:

Key Definitions:

Certain terms are broadly defined and capture large segments of the U.S. cloud computing sector.  Below are definitions for four key terms that illustrate the scope of the Proposed Rule.

  • IaaS Product means a product or service offered to a consumer, including complimentary or ‘‘trial’’ offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of “virtualized” products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., “virtual private servers”), and “dedicated” products or services in which the total computing resources of a physical machine are provided to a single person (e.g., “bare-metal servers”).
  • U.S. IaaS Provider means any United States person that offers any IaaS product. The Department noted that this definition includes any United States person that is a direct provider of U.S. IaaS products and any of their U.S. resellers.
  • Foreign Reseller is defined as a foreign person who has established an IaaS account to provide the IaaS product subsequently, in whole or in part, to a third party.  
  • Malicious cyber-enabled activities are activities, other than those authorized by or in accordance with U.S. law, that seek to compromise or impair the confidentiality, integrity, or availability of computer, information, or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.

Regulated Activities:

  • Customer Identification Program (“CIP”): Each U.S. IaaS provider must maintain and implement a written CIP and must ensure that foreign resellers of their IaaS products also maintain and implement the same.  The mechanics of the CIP can vary based on the provider’s size, type of IaaS products offered, and other risks, and can be comprised of documentary or non-documentary verification methods.  However, in all cases, the CIP must involve collecting, at a minimum, certain specified information about each potential foreign customer and must include procedures that enable the U.S. IaaS provider or foreign reseller of U.S. IaaS products to form a reasonable belief that it can identify the true identity of each customer, including to determine whether the potential customer and all beneficial owners are U.S. persons. Each U.S. IaaS provider must certify and describe to the Department the implementation of its CIP and that of its foreign resellers of U.S. IaaS products on an annual basis or upon any significant business changes or material changes to a CIP.  If the U.S. provider receives evidence showing that a foreign reseller failed to implement a CIP or to make good-faith efforts to prevent the use of U.S. IaaS products for malicious cyber-enabled activities, it must take steps to close the foreign account, report the suspected or actual malicious activity, and terminate the reseller relationship if the issues are not resolved.  The Commerce Secretary may exempt any U.S. IaaS provider or foreign reseller from the CIP requirements, subject to a finding that the party has implemented security best practices to otherwise deter abuse of IaaS products.
  • Special Measures to Deter Malicious Cyber Activity: Under the Proposed Rule, the Commerce Secretary (the “Secretary”) may require the U.S. IaaS provider to take one of two “special measures,” if the Secretary determines (in accordance with specified determination factors) that reasonable grounds exist to conclude that a foreign jurisdiction or foreign person is conducting malicious cyber-enabled activities using U.S. IaaS products. In deciding to impose a special measure, the Secretary shall consider whether the special measure will create a significant competitive disadvantage for U.S. IaaS providers, whether the special measure would have a significant adverse effect on legitimate business activities regarding the foreign jurisdiction or person in question, and the effect of the special measure on U.S. national security, law enforcement, supply chains, foreign policy, or public health and safety.  The special measures are:
      • Jurisdiction-based Prohibitions: The Secretary may prohibit or impose conditions on the opening or maintaining of an account with any U.S. IaaS provider or their reseller by any foreign person located in a foreign jurisdiction found to have any significant number of foreign persons offering U.S. IaaS products used for malicious cyber-enabled activities, or by any U.S. IaaS provider of U.S. IaaS products for or on behalf of a foreign person.
      • Individual-based Prohibitions: The Secretary may prohibit or impose conditions on the opening or maintaining of an account with any U.S. IaaS provider or their reseller for or on behalf of a foreign person, if such an account involves any foreign person found to be directly obtaining or engaged in a pattern of conduct of obtaining U.S. IaaS products for use in malicious cyber-enabled activities or offering U.S. IaaS products used in malicious cyber-enabled activities.
  • Reporting of Large AI Model Training: The Proposed Rule would also require U.S. IaaS providers and foreign resellers to submit reports to the Department when they have knowledge of “covered transactions” with foreign persons that result in the use of U.S. IaaS products to train “large AI models with potential capabilities that could be used in malicious cyber-enabled activity.”[1]  Specifically, a reportable “covered transaction” is defined as any transaction by, for, or on behalf of a foreign person that results or could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity, or any transaction that did not originally result in such training but could now result in such training due to developments or updates in training procedures and model capabilities.  The Department also plans to specify the technical specifications for the AI models that are subject to the reporting requirements through future rulemaking.  Separate from reporting covered transactions, the Proposed Rule would require IaaS providers to disclose as part of the CIPs the procedures in place for identifying when foreign persons may use AI for malicious cyber-enabled activity.  Relatedly, the Department is authorized to evaluate risks associated with the likelihood that an IaaS product or provider may be used for malicious cyber-enabled activity, and recommend remediation measures to address such risks.

Given the wide-ranging implications of the Proposed Rule, including sweeping new information gathering obligations that impact customers, we expect the Proposed Rule will spur significant interest (and potential concerns) among U.S. cloud providers. 


[1] The Proposed Rule defines “large AI models” as any AI model that meets the definition of a “dual-use foundation model” or that “otherwise has technical parameters of concern” that enable the AI model to “aid or automate aspects of malicious cyber-enabled activity.”  As defined by E.O. 14110, dual-use foundation models refer to models that are trained on broad data, are applicable in a wide range of contexts, contain tens of billions of parameters, and are able to perform tasks that pose serious risks to security.

David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

Mr. Fagan has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer for 2016 and 2019. Clients laud him for providing “excellent advice,” “know[ing] everything there is to know about CFIUS” and being “extremely well regarded” by key regulators. (Chambers USA)

In the foreign investment and national security area, Mr. Fagan is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense firms, private equity firms, and sovereign investors, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

Mr. Fagan’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues – including through proactive mitigation and carve-outs – is a critical path for the transaction. Mr. Fagan is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, Mr. Fagan is regularly engaged by multi-national companies, including the world’s leading technology companies, to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China. Mr. Fagan also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In the privacy and data security area, Mr. Fagan has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. Mr. Fagan has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.

In addition, he routinely counsels clients on preparing for and responding to cyber-based attacks on their networks and information, enhancing their supply chain and product development practices, assessing their security controls and practices for the protection of data, developing and implementing information security programs, and complying with federal and state regulatory requirements. He also frequently advises clients on transactional matters involving the transfer of personal data.

Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.

Micaela McMurrough

Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She also represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Ingrid Price

Ingrid Price is a special counsel in the firm’s Washington, DC office. She advises clients on a range of national security and public policy matters.

Ingrid represents clients worldwide seeking national security approval for foreign investments before the Committee on Foreign Investment in the United States (CFIUS) and advises clients seeking to mitigate foreign ownership, control, or influence (FOCI) under national industrial security regulations.

Ingrid clerked for Chief Judge James E. Baker of the U.S. Court of Appeals for the Armed Forces. She also previously worked as in-house counsel for Amazon Web Services.

Web Leslie

Web Leslie represents and advises emerging and leading companies on a broad array of technology issues, including on cybersecurity, national security, investigations, and data privacy matters.

Web provides strategic advice and counsel on cybersecurity preparedness, data breach, cross-border privacy law, and government investigations, and helps clients navigate complex policy matters related to cybersecurity and national security.

In addition to his regular practice, Web also counsels pro bono clients on technology, immigration, and criminal law matters, including representing a client sentenced to life without parole by a non-unanimous jury in Louisiana.

Web previously served in government in various roles at the Department of Homeland Security, including at the Cybersecurity and Infrastructure Security Agency (CISA), where he specialized in cybersecurity policy, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.

Irina Danescu

Irina Danescu is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Committee on Foreign Investment in the United States (“CFIUS”) Practice Groups.

Irina advises clients on a broad range of cybersecurity, data privacy, and national security issues. She has assisted clients with understanding and complying with cybersecurity and privacy obligations, conducting internal investigations and due diligence, and preparing submissions to CFIUS and other regulatory agencies.

Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Shayan Karbassi

Shayan Karbassi is an associate in the firm’s Washington, DC office. He is a member of the firm’s Data Privacy and Cybersecurity and White Collar and Investigations Practice Groups. Shayan advises clients on a range of cybersecurity and national security matters. He also maintains an active pro bono practice.

August Gweon

August Gweon counsels national and multinational companies on data privacy, cybersecurity, antitrust, and technology policy issues, including issues related to artificial intelligence and other emerging technologies. August leverages his experiences in AI and technology policy to help clients understand complex technology developments, risks, and policy trends.

August regularly provides advice to clients for complying with federal, state, and global privacy and competition frameworks and AI regulations. He also assists clients in investigating compliance issues, preparing for federal and state privacy regulations like the California Privacy Rights Act, responding to government inquiries and investigations, and engaging in public policy discussions and rulemaking processes.