Industry Files Comments to Proposed Rule on Malicious Cyber-Enabled Activities

Summary
On April 29, 2024, the comment period closed for a proposed rule from the Department of Commerce’s Bureau of Industry and Security (BIS) that would impose significant know-your-customer (KYC), monitoring and reporting obligations on U.S. providers of Infrastructure as a Service (IaaS) products and their foreign resellers. The proposed rule implements the 2021 EO 13984 on “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” and portions of the Biden administration’s EO 14110 on “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” More in-depth coverage of the proposed rule is available here.

BIS requested comments on “all aspects” of the proposed rule and received 522 comment submissions. Stakeholders opined on BIS’ definition of “large AI model with potential capabilities that could be used in malicious cyber-enabled activities” and proposed alternative definitions for what should constitute a “large AI model.” Comments also touched on the risk of incentivizing good faith AI developers to take their business to non-U.S. IaaS providers to avoid the proposed customer identification requirements. Indeed, some stakeholders noted that they already employ various cybersecurity measures to ensure that their offerings are not used for malicious cyber-enabled activities and argued that additional safeguards would impose undue cost and administrative burden. Further, while some commentators called on Commerce to abandon the disclosure requirements entirely, others urged BIS to narrow the scope of covered products and “U.S. IaaS providers” that would be subject to any final rule.

We anticipate that BIS will issue a final rule that will impose new compliance obligations on U.S. IaaS providers and their foreign resellers. It remains to be seen whether Commerce will narrow the scope of these requirements in response to comments received.