On January 29, 2024, the Department of Commerce (“Department”) published a proposed rule (“Proposed Rule”) to require providers and foreign resellers of U.S. Infrastructure-as-a-Service (“IaaS”) products to (i) verify the identity of their foreign customers and (ii) notify the Department when a foreign person transacts with that provider or reseller to train a large artificial intelligence (“AI”) model with potential capabilities that could be used in malicious cyber-enabled activity. The proposed rule also contemplates that the Department may impose special measures to be undertaken by U.S. IaaS providers to deter foreign malicious cyber actors’ use of U.S. IaaS products.  The accompanying request for comments has a deadline of April 29, 2024.

The Proposed Rule would effectuate many of the requirements laid out in the Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (“E.O. 13984”).  E.O. 13984, issued three years prior to the Proposed Rule, set in motion requirements for IaaS providers to enact certain customer identity verification procedures and take special measures to prevent their services from being used by foreign actors for malicious cyber-enabled activities.  The AI provisions of the Proposed Rule stem from the more recent Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“E.O. 14110”), issued on October 30, 2023, which directed the Department to propose regulations for U.S. IaaS providers to (i) submit reports to the Department when a customer transacts with the provider to train an AI model that could be used for malicious cyber-enabled activities and (ii) ensure foreign resellers of IaaS products also conduct identity verification of foreign account holders.

The proposed regulations are further explained and summarized below:

Key Definitions:

Certain terms are broadly defined and capture large segments of the U.S. cloud computing sector.  Below are definitions for four key terms that illustrate the scope of the Proposed Rule.

  • IaaS Product means a product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of “virtualized” products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., “virtual private servers”), and “dedicated” products or services in which the total computing resources of a physical machine are provided to a single person (e.g., “bare-metal servers”).
  • U.S. IaaS Provider means any United States person that offers any IaaS product. The Department noted that this definition includes any United States person that is a direct provider of U.S. IaaS products and any of their U.S. resellers.
  • Foreign Reseller is defined as a foreign person who has established an IaaS account to provide the IaaS product subsequently, in whole or in part, to a third party.  
  • Malicious cyber-enabled activities are activities, other than those authorized by or in accordance with U.S. law, that seek to compromise or impair the confidentiality, integrity, or availability of computer, information, or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.

Regulated Activities:

  • Customer Identification Program (“CIP”): Each U.S. IaaS provider must maintain and implement a written CIP and must ensure that foreign resellers of their IaaS products also maintain and implement the same.  The mechanics of the CIP can vary based on the provider’s size, type of IaaS products offered, and other risks, and can be comprised of documentary or non-documentary verification methods.  However, in all cases, the CIP must involve collecting, at a minimum, certain specified information about each potential foreign customer and must include procedures that enable the U.S. IaaS provider or foreign reseller of U.S. IaaS products to form a reasonable belief that it can identify the true identity of each customer, including to determine whether the potential customer and all beneficial owners are U.S. persons. Each U.S. IaaS provider must certify and describe to the Department the implementation of its CIP and that of its foreign resellers of U.S. IaaS products on an annual basis or upon any significant business changes or material changes to a CIP.  If the U.S. provider receives evidence showing that a foreign reseller failed to implement a CIP or to make good-faith efforts to prevent the use of U.S. IaaS products for malicious cyber-enabled activities, it must take steps to close the foreign account, report the suspected or actual malicious activity, and terminate the reseller relationship if the issues are not resolved.  The Commerce Secretary may exempt any U.S. IaaS provider or foreign reseller from the CIP requirements, subject to a finding that the party has implemented security best practices to otherwise deter abuse of IaaS products.
  • Special Measures to Deter Malicious Cyber Activity: Under the Proposed Rule, the Commerce Secretary (the “Secretary”) may require the U.S. IaaS provider to take one of two “special measures,” if the Secretary determines (in accordance with specified determination factors) that reasonable grounds exist to conclude that a foreign jurisdiction or foreign person is conducting malicious cyber-enabled activities using U.S. IaaS products. In deciding to impose a special measure, the Secretary shall consider whether the special measure will create a significant competitive disadvantage for U.S. IaaS providers, whether the special measure would have a significant adverse effect on legitimate business activities regarding the foreign jurisdiction or person in question, and the effect of the special measure on U.S. national security, law enforcement, supply chains, foreign policy, or public health and safety.  The special measures are:
      • Jurisdiction-based Prohibitions: The Secretary may prohibit or impose conditions on the opening or maintaining of an account with any U.S. IaaS provider or their reseller by any foreign person located in a foreign jurisdiction found to have any significant number of foreign persons offering U.S. IaaS products used for malicious cyber-enabled activities, or by any U.S. IaaS provider of U.S. IaaS products for or on behalf of a foreign person.
      • Individual-based Prohibitions: The Secretary may prohibit or impose conditions on the opening or maintaining of an account with any U.S. IaaS provider or their reseller for or on behalf of a foreign person, if such an account involves any foreign person found to be directly obtaining or engaged in a pattern of conduct of obtaining U.S. IaaS products for use in malicious cyber-enabled activities or offering U.S. IaaS products used in malicious cyber-enabled activities.
  • Reporting of Large AI Model Training: The Proposed Rule would also require U.S. IaaS providers and foreign resellers to submit reports to the Department when they have knowledge of “covered transactions” with foreign persons that result in the use of U.S. IaaS products to train “large AI models with potential capabilities that could be used in malicious cyber-enabled activity.”[1]  Specifically, a reportable “covered transaction” is defined as any transaction by, for, or on behalf of a foreign person that results or could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity, or any transaction that did not originally result in such training but could now result in such training due to developments or updates in training procedures and model capabilities.  The Department also plans to specify the technical specifications for the AI models that are subject to the reporting requirements through future rulemaking.  Separate from reporting covered transactions, the Proposed Rule would require IaaS providers to disclose as part of the CIPs the procedures in place for identifying when foreign persons may use AI for malicious cyber-enabled activity.  Relatedly, the Department is authorized to evaluate risks associated with the likelihood that an IaaS product or provider may be used for malicious cyber-enabled activity, and recommend remediation measures to address such risks.

Given the wide-ranging implications of the Proposed Rule, including sweeping new information gathering obligations that impact customers, we expect the Proposed Rule will spur significant interest (and potential concerns) among U.S. cloud providers. 


[1] The Proposed Rule defines “large AI models” as any AI model that meets the definition of a “dual-use foundation model” or that “otherwise has technical parameters of concern” that enable the AI model to “aid or automate aspects of malicious cyber-enabled activity.”  As defined by E.O. 14110, dual-use foundation models refer to models that are trained on broad data, are applicable in a wide range of contexts, contain tens of billions of parameters, and are able to perform tasks that pose serious risks to security.

David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

David has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer. Clients laud him for “[seeing] far more matters than many other lawyers,” his “incredible insight,” and “know[ing] how to structure deals to facilitate regulatory reviews” (Chambers USA).

David’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues—including through proactive mitigation and carve-outs—is a critical path for the transaction. David has handled transactions for clients across every sector subject to CFIUS review, including some of the most sensitive and complex matters that have set the template for CFIUS compliance and security agreements in their respective industries. He is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, David is regularly engaged by the world’s leading multi-national companies across a range of industries to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China, as well as on emerging legal issues such as outbound investment restrictions and regulations governing information and communications technologies and services (ICTS). David also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In addition, in the foreign investment and national security area, David is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense companies and private equity firms, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

In his cybersecurity practice, David has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. David has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.

Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, and as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Ingrid Price

Ingrid Price advises clients on a range of national security matters including cross border investment, supply chain security, and public policy. She regularly represents clients worldwide seeking national security approval for foreign investments before the Committee on Foreign Investment in the United States (CFIUS) and in proceedings related to the mitigation of foreign ownership, control, or influence (FOCI). She also advises clients on the implications of the new Information and Communication Technologies and Services (ICTS) Rule, particularly with respect to how it may impact technology companies going forward.

Drawing on her experience as in-house counsel where she directly counseled business leaders, engineers and operations teams on security and compliance matters, Ingrid maintains a client-centered perspective as she helps guide them through the national security regulatory processes. She has successfully represented numerous clients in gaining CFIUS approval across various technology sectors, including AI, mobile applications, software, telecommunications, and robotics, in addition to clients across other industries ranging from financial services to energy and real estate. Ingrid also has significant experience negotiating agreements on behalf of clients with the U.S. government to mitigate national security concerns in connection with achieving CFIUS approval, including several agreements specifically focused on data protection.

Prior to joining Covington, Ingrid clerked for Chief Judge James E. Baker of the U.S. Court of Appeals for the Armed Forces. She also served as in-house counsel on law enforcement matters, security operations, and communications products at Amazon Web Services before returning to Covington as Special Counsel.

Jayne Ponder

Jayne Ponder counsels national and multinational companies across industries on data privacy, cybersecurity, and emerging technologies, including Artificial Intelligence and Internet of Things.

In particular, Jayne advises clients on compliance with federal, state, and global privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. Her practice includes partnering with clients on the design of new products and services, drafting and negotiating privacy terms with vendors and third parties, developing privacy notices and consent forms, and helping clients design governance programs for the development and deployment of Artificial Intelligence and Internet of Things technologies.

Jayne routinely represents clients in privacy and consumer protection enforcement actions brought by the Federal Trade Commission and state attorneys general, including related to data privacy and advertising topics. She also helps clients articulate their perspectives through the rulemaking processes led by state regulators and privacy agencies.

As part of her practice, Jayne advises companies on cybersecurity incident preparedness and response, including by drafting, revising, and testing incident response plans, conducting cybersecurity gap assessments, engaging vendors, and analyzing obligations under breach notification laws following an incident.

Irina Danescu

Irina Danescu is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Committee on Foreign Investment in the United States (“CFIUS”) Practice Groups.

Irina advises clients on a broad range of cybersecurity, data privacy, and national security issues. She has assisted clients with understanding and complying with cybersecurity and privacy obligations, conducting internal investigations and due diligence, and preparing submissions to CFIUS and other regulatory agencies.

Shayan Karbassi

Shayan Karbassi is an associate in the firm’s Washington, DC office. He represents and advises clients on a range of cybersecurity and national security issues. As a part of his cybersecurity practice, Shayan assists clients with cyber and data security incident response and preparedness, government and internal investigations, and regulatory compliance. He also regularly advises clients with respect to risks stemming from U.S. criminal and civil anti-terrorism laws and other national security issues, to include investigating allegations of terrorism-financing and litigating Anti-Terrorism Act claims.

Shayan maintains an active pro bono litigation practice with a focus on human rights, freedom of information, and free media issues.

Prior to joining the firm, Shayan worked in the U.S. national security community.

August Gweon

August Gweon counsels national and multinational companies on data privacy, cybersecurity, antitrust, and technology policy issues, including issues related to artificial intelligence and other emerging technologies. August leverages his experiences in AI and technology policy to help clients understand complex technology developments, risks, and policy trends.

August regularly provides advice to clients on privacy and competition frameworks and AI regulations, with an increasing focus on U.S. state AI legislative developments and trends related to synthetic content, automated decision-making, and generative AI. He also assists clients in assessing federal and state privacy regulations like the California Privacy Rights Act, responding to government inquiries and investigations, and engaging in public policy discussions and rulemaking processes.

John Webster Leslie

Web Leslie advises clients on a broad range of risks, challenges, and opportunities at the intersection of technology and security, including on matters of cybersecurity, critical infrastructure, national security, and data privacy.

As a part of his investigations practice, Web helps clients navigate complex civil and criminal investigations related to cyber and national security, including under the False Claims Act, FTC Act, and state equivalents. His practice also includes helping clients manage internal investigations related to cyber compliance and insider threat risks. Web also routinely advises clients throughout all stages of incident response and breach notification arising from nation-state activity, sophisticated criminal threat actors, and other cyber threats.

On compliance matters, Web assists clients across numerous industries, including in healthcare, financial services, telecommunications, technology, transportation, manufacturing, food and beverage, and insurance, to address the ever-expanding regulatory landscape. He advises on various issues including: statutory and contractual security requirements, cybersecurity guidance and best practices, cyber maturity assessments, incident preparedness, critical infrastructure risks, third-party risk management, and international cyber regulations, among others. Web’s regulatory practice also includes public policy advocacy related to cyber regulation and national security policy.

In addition to his regular practice, Web counsels pro bono clients on technology, immigration, and criminal law matters.

Web previously served in government in different roles at the Department of Homeland Security, including at the National Protection and Programs Directorate—known today as the Cybersecurity and Infrastructure Security Agency—where he specialized in cybersecurity and critical infrastructure protection, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.