Comment by pavon
1 year ago
No, that is just one part of it. The proposed rules are intended to cover both EO13984, which addresses foreign entities using US IaaS for cyber attacks, and EO14110, which addresses foreign entities using AI hardware.
They require all IaaS[1] to determine if customers are US persons, and if not to collect and retain certain identifying information[2], and provide annual reports describing their processes[3]. It grants the Secretary of Commerce extra-judicial power to force any IaaS to stop doing business with any foreign customer, or place restrictions on their use[4]. This section lists things that the Secretary should consider in doing so, but doesn't have any hard requirements. Finally, it requires the IaaS to report certain foreign use of AI[5].
[1] §7.301 https://www.federalregister.gov/d/2024-01580/p-189
[2] §7.302 https://www.federalregister.gov/d/2024-01580/p-219
[3] §7.304 https://www.federalregister.gov/d/2024-01580/p-266
[4] §7.307 https://www.federalregister.gov/d/2024-01580/p-377
[5] §7.308 https://www.federalregister.gov/d/2024-01580/p-403
> It grants the Secretary of Commerce extra-judicial power to force any IaaS to stop doing business with any foreign customer
This can backfire, as foreign customers of public clouds may switch to local providers, which erodes the US near-monopoly on cloud services. Ironically this can reduce the visibility and control the US government has over foreign nation states.
E.g.: most of the Australian government is hosted in either Azure or AWS. That kind of thing might stop if extrajudicial power is granted to pull the plug on any customer at any time.
If they’re inspecting what people are running on GPU instances to report that information back to the US government, it’s going to give a lot of people pause for thought. It’s basically violating guarantees that many businesses have with cloud providers.