Comment on the Commerce Department's Proposed Cloud Computing Rules

Jason Green-Lowe
May 1, 2024

In January, the Commerce Department's Bureau of Industry and Security (BIS) issued a notice of proposed rulemaking (NPRM) with requirements for US cloud computing providers to identify their customers and report when foreign customers train massive dual-use AI models. This NPRM comes in response to directives in the 2021 Cyber Executive Order (EO 13984) and the 2023 AI Executive Order (EO 14110).

The Center for AI Policy replied to the Commerce Department's request for comments to help shape these rules effectively. Below is an executive summary of our full comment.

Executive Summary

The Bureau of Industry and Security’s proposed rule implementing Executive Orders 13984 and 14110 is aimed at:

  1. reducing the frequency and severity of cyberattacks,
  2. improving government awareness of how cloud computing resources are being used, and
  3. deterring foreign actors from abusing America’s cloud computing resources.

Although the rule as currently written will have some tendency to achieve these goals, it could be significantly more effective if it included broader and more proactive enforcement provisions. Currently, the rule’s enforcement scheme is heavily focused on examining the formal policies and procedures that have been adopted by cloud computing providers. However, the rule contains very few provisions for checking whether these procedures are actually being implemented. This problem applies both to the Customer Identification Program (CIP) requirement and to the Abuse Deterrence Programs (ADPs) that many providers will adopt in order to gain an exemption from the CIP requirement. To fix this problem, BIS should require cloud providers to prepare and submit a small random sample of case studies each year, showing how they have applied their CIP and/or ADP to actual customers.

In addition to proactively checking to see how well cloud providers are applying their CIPs and ADPs, the Commerce Department should consider broadening the scope of the rule to include a reporting requirement for foreign purchasers of cloud resources that are likely to substantially lower the barrier of entry for non-experts to design, synthesize, acquire, or use chemical, biological, radiological, or nuclear (CBRN) weapons. Such a requirement would be consistent with the spirit of EO 14110, and would be authorized by the International Emergency Economic Powers Act as activated by EO 12938, in which the President declared a formal state of emergency based on the need to prevent the proliferation of weapons of mass destruction.

Read the Center for AI Policy's full comment here.