Cloud Security , Security Operations
US IaaS Providers Face 'Know Your Customer' Regulation
Rule Is a Bid to Deter Malicious Foreign Use of US IaaS ProvidersCloud providers told the government they aren't very happy about a proposed regulation requiring them to verify the identity of foreign customers, but their complaints are unlikely to stop the U.S. Department of Commerce from proceeding with the rule.
See Also: The Forrester Wave™: Cloud Workload Security, Q1 2024
The Commerce Department on Monday published a proposal calling for infrastructure-as-a-service providers to implement a "know your customer" program that includes new data retention and record-keeping requirements. The proposal stems from an executive order then-President Donald Trump signed during his last hours in office.
"Most commenters indicated that any requirements in this proposed regulation would impose burdens on U.S. IaaS providers," the department said in its analysis of comments from an advance notice of proposed rule-making published in September 2021.
Commerce's response was that it "acknowledges that this rule-making will impose compliance costs for at least some U.S. IaaS providers." The department estimates the rule will affect as many as 1,837 IaaS providers and resellers. Elements such as developing a customer identification program, keeping it updated and annually certifying its accuracy could collectively cost companies up to $170 million annually, Commerce said.
The proposed regulation would also require IaaS providers to notify the federal government when they're in a transaction that would allow a foreign person to train a large AI model with capabilities that could potentially be used in malicious activity online. The proposal says Commerce will later define the set of technical conditions an AI model must possess in order to qualify for the reporting requirement (see: Biden's AI Executive Order, 90 Days On).
The government said it will stop IaaS providers from providing accounts to foreigners if it believes the foreigner is selling access to the cloud for use in cyberattacks or if the foreigner is located in a jurisdiction that has experienced a significant number of hacks. A 1977 law known as the International Emergency Economic Powers Act gives the White House power over private sector transactions made during a national emergency, which President Barack Obama in 2015 declared exists in cybersecurity.
IBM, a leading IaaS provider, supports the "intentions" of the proposed rule to mitigate domestic cloud and AI infrastructure misuse, said Mason Molesky, a cybersecurity and cloud policy executive for the company, in an emailed statement.
"But greater industry engagement is needed to avoid unintended consequences for enterprise cloud providers," he added, and said that "data privacy concerns for clients outside the U.S" need to be addressed.
The public has until April 29 to provide comments on the proposed regulations.