The US Department of Commerce has proposed that infrastructure as a service (IaaS) providers should put in place a know-your-customer (KYC) verification system for foreign customers using their services. The department says that it will create a customer identification program (CIP) that clearly defines—

How the IaaS provider will collect identifying information about its customers

How the IaaS provider will verify the identity of its foreign customers, store and maintain identifying information, and notify its customers about the disclosure of identifying information.

The regulation also requires IaaS providers to report to the Department when they have knowledge they will engage or have engaged in a transaction with a foreign person that could “allow that foreign person to train a large AI [artificial intelligence] model with potential capabilities that could be used in malicious cyber-enabled activity.” Such a model is one that has capabilities of automating activities including (but not limited to) —

social engineering attacks

vulnerability discovery

denial-of-service attacks

data poisoning

disinformation or misinformation generation.

Reportable information includes the identifying information about the training run (i.e., the customer’s name, address, the means and source of payment for the customer’s Account, email addresses, telephone numbers, and IP addresses) and the existence of the training run.

The reason behind this regulatory change:

According to the US government, foreign state actors use US IaaS services (or cloud services) to commit data theft, engage in espionage activities, and threaten national security by targeting US critical infrastructure. “After carrying out such illicit activity, these actors can quickly move to replacement infrastructure offered by U.S. IaaS providers of U.S. IaaS products,” the proposed regulation explains. Further, the US government expressed concern that the large-scale computing infrastructure that US IaaS providers offer as a service could be used by foreign bad actors to train AI models. These AI models could, in turn, be used by bad actors to automate their malicious cyber activities.

Speaking to Reuters, U.S. Commerce Secretary Gina Raimondo suggested that this regulation might be targeted at China. “We can’t have non-state actors or China or folks who we don’t want accessing our cloud to train their models,” Raimondo said. She noted that the US has export controls on chips and that these chips are in American cloud data centers. “So we also have to think about closing down that avenue for potential malicious activity,” she explained.

Who is a US IaaS provider under the regulation?

Any US seller of an IaaS product or a US reseller of a US-based IaaS product would fall under the scope of this regulation. Foreign subsidiaries of US-based IaaS service providers would not be included under the regulation.

What information would IaaS providers be required to collect?

The regulation says that IaaS providers must collect and ask their foreign resellers to collect (at a minimum)—

The foreign user’s name and address.

The means and source of payment for each customer’s account.

Email addresses.

Telephone numbers.

Internet protocol (IP) addresses used for access or administration of the IaaS account.

IaaS providers may alter their customer identification programs (CIPs) to require additional information from prospective customers where that is necessary to verify the identity of any foreign person. The department seeks comments on the costs and burdens associated with this proposed requirement and on whether it should include additional data collection in a baseline requirement for CIPs. IaaS providers would not be required to verify the identity of customers with accounts opened by or on behalf of a U.S. person, unless “a foreign beneficial owner is added to the Account or the Account or a portion of the account is resold to a foreign person.” The CIP must contain the steps a provider would take if it is unable to verify the identity of any customer, including refusing to open an account and/or additional monitoring pending further attempts at verification.

What will be the method of identity verification?

IaaS providers will be allowed to craft their own customer identification programs to verify the identity of their prospective foreign customers, perform effective customer verification, and maintain identifying information about their foreign customers. Providers must ensure their CIPs include “risk-based procedures that enable the provider to form a reasonable belief about the true identity of each customer.” Providers are required to update their customer identification processes annually and verify that such annual updates have occurred.

These risk-based procedures must be based on the provider’s assessment of relevant risks including—

The different types of services the provider offers.

The methods used to open the various types of accounts.

The varying types of identifying information available to the provider.

The provider’s customer base.

The department proposes to allow each provider to create a CIP that matches its unique service offerings and customer bases. Provided that IaaS providers meet certain minimum requirements in their CIPs, providers can create CIPs that are flexible and minimally burdensome to their business operations. The regulation suggests that US resellers of U.S. IaaS services would be subject to the minimum standards in this proposed rule. U.S. resellers would also be responsible for establishing the identity of their potential customers, including all prospective beneficial owners of IaaS accounts, and determining whether they are U.S. persons.

Providers and resellers are required to maintain records on the information collected and describe measures taken to ensure that the information is secure. They must keep identifiable information on record for two years after the date on which an account was last accessed or closed. The department has sought comments about providers’ burdens in maintaining records for two years and whether there are “alternative ways to allow for both immediate and long-term access to customer information should an account be used for malicious cyber-enabled activity.”

Rules on foreign resellers:

The regulation suggests that U.S. IaaS providers would be required to furnish a copy of any foreign reseller’s customer identification program to the Department within ten calendar days following a request for the same. Upon finding evidence that a foreign reseller has failed to maintain or implement customer identification, “U.S. IaaS providers must report malicious cyber-enabled activity and close accounts associated with the activity and must terminate the reseller relationship within 30 calendar days.”

Special Measures for Certain Foreign Jurisdictions:

The regulation allows the US Secretary of Commerce to prohibit or impose restrictions on the opening and maintenance of IaaS accounts in a jurisdiction that “has any significant number of foreign persons offering U.S. IaaS products that are used for malicious cyber-enabled activities or any significant number of foreign persons directly obtaining U.S. IaaS products for use in malicious cyber-enabled activities.”

To determine whether a foreign jurisdiction requires a special measure, the Secretary of Commerce must consider the following (among other information) —

Evidence that cyber actors have obtained U.S. IaaS products in that jurisdiction, including whether such actors obtained those products through reseller accounts.

The extent to which that foreign jurisdiction is a source of malicious cyber-enabled activities.

Whether the U.S. has a mutual legal assistance treaty with that foreign jurisdiction.

The experience of law enforcement in finding information about activities involving U.S. IaaS products originating in or routed through such foreign jurisdictions.

The regulation proposes that the Department of Commerce should be allowed to open investigations of its own accord, or to accept referrals from other executive branch agencies or from providers, to evaluate evidence about a particular foreign jurisdiction or person before imposing special measures.

You can read the full regulation here. It is open for comments until April 29, 2024.