Privacy

In late January, the Bureau of Industry and Security of the US Department of Commerce published a formal proposal for a new KYC (Know Your Customer) rule regulating infrastructure as a service (IaaS) products, i.e., cloud infrastructure providers.

The KYC component in question here is the Customer Identification Program (CIP), among other requirements related to IaaS.

In the notice, which also calls for comments to be submitted by the end of April, the government agency cites the January 2021 Cyber Executive Order on “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” and claims that a proposal is “a significant step” toward implementing it.

This order was issued by the Trump administration; but in the fall of last year, Biden’s White House issued its AI Executive Order that reports said requires foreign resellers of US IaaS services “to undertake almost identical KYC activities to those proposed in the Cyber Executive in relation to US providers.”

The department claims that the proposed rule was prompted by the desire to advance US national security interests, specifically targeting malicious foreign actors and hackers that cause damage either to critical infrastructure or said national interests.

If adopted, the rule would require US IaaS providers and those reselling their services abroad to “verify the identity of their foreign customers” and report to the department if those products are used to train large AI language models.

The minimum identification requirements include name, address, means and source of payment, email address, phone number, and IP address of a customer.

US IaaS providers who are found to violate the rule will face civil (money fines) and criminal penalties envisaged in the International Emergency Economic Powers Act – either a quarter of a million dollars or twice the value of a violating transaction, whichever is higher, while criminal consequences range from a fine of up to one million to 20 years in prison – or both.

The US government claims that US-run cloud servers are being used by malicious foreign actors for espionage, intellectual property theft, and targeting of critical infrastructure, and uses this argument to justify drafting the upcoming new rule.

It also complains that temporary registration “and ease of replacement for such services” makes it difficult for the government to track its targets.

And because currently, foreign resellers are not under obligation to track identity – US law enforcement finds it difficult to “obtain identifying information about malicious actors through service of compulsory legal process.”