Tim Fist, a fellow at CNAS’s Technology and National Security Program, brings us today’s breakdown.

On Monday BIS dropped a new proposed rule on cloud monitoring and large AI training-run reporting, focused on US infrastructure-as-a-service (IaaS) firms such as Amazon Web Services, Microsoft Azure, and Google Cloud. It’s one of the first big regulatory moves off the back of the recent AI Executive Order. Let’s dive in.

First, some background on where this is coming from. The proposed regulations implement guidance from two key Executive Orders: a Trump EO from 2021, which focused on “foreign malicious cyber actors’ use of IaaS products,” and the more recent 2023 AI EO, regarding the “safe, secure, and trustworthy development and use of AI.”

At a high level, this latest proposed rule will require US cloud providers to

1. figure out who their customers are,

2. require foreign resellers of their services to do the same, and

3. report to Commerce when foreign customers train large models with potentially dangerous capabilities.

Commerce’s fear is that cloud computing services offered by US firms could be misused to support cyber attacks, as well as the development and deployment of potentially dangerous AI systems. Cloud providers, Commerce believes, may have the power to stop this. Commerce Secretary Gina Raimondo said in an interview with Reuters last week,

Those chips are in American cloud data centers, so we also have to think about closing down that avenue for potential malicious activity.

But there isn’t much in the way of regulation in this area, even in cases where export-controlled AI chips are on offer to customers in China. As I wrote with Jordan and Lennart Heim last year,

Right now, these guardrails are sparse. US cloud service providers have no official responsibility for how customers use their services, even if those services are used to aid foreign militaries or intelligence efforts. How, then, should these services be regulated? Existing financial regulations can offer some lessons. Thanks to the centrality of the dollar, the US government can track global flows of money to prevent illicit activity such as money laundering. Because their firms dominate key chokepoints in the advanced semiconductor supply chain (manufacturing equipment, advanced materials, and design software), the United States and a few key allies hold a similar position with respect to advanced chips.

While Commerce determined a blanket ban on high-end AI chips going to China was seen as necessary due to the difficulty in figuring out who was using them in the PRC, cloud offers a much more fine-grained approach to distinguish between different users — as well as cutting off access to hardware. This regulation makes it possible for cloud providers to implement “Know Your Customer” (KYC) schemes to help prevent misuse of AI computing. KYC has been suggested by some policy researchers, industry leaders like Microsoft, and was further fleshed out in a recent paper by the Center for the Governance of AI.

All these ideas roughly map onto what Commerce now plans to do. The proposed regulations will require US cloud providers to implement “Customer Identification Programs” (CIPs): risk-based processes for identity verification and recordkeeping. US cloud providers must develop these and report on their progress to Commerce; they must also ensure that foreign resellers of their services also implement and maintain CIPs. The new rule would also require US cloud providers to report how they plan to detect this activity.

Monitoring AI development

Commerce adopts a somewhat circular and hard-to-pin-down definition for the AI systems they are worrying about:

Then, looking at their definition of “technical conditions of a dual-use foundation model”:

The capabilities of concern Commerce highlights seem broadly right for the class of systems they’re trying to target. Even so, the regulations don’t explicitly state any technical thresholds beyond the model containing “at least tens of billions of parameters” — a weirdly poorly specified parameter perhaps to maintain flexibility to update the threshold going forward. It may be the case that Commerce will lean on the definitions already specified in the recent AI Executive order, but it’s notable that those definitions don’t appear anywhere in the new regulations.

To track the creation of such models, the regulations require US cloud providers to report AI model training to Commerce whenever they have knowledge of a “covered transaction.” Here, a “covered transaction” is defined as any usage of services by, for, or on behalf of a foreign person that results or could result in the training of a model with the capabilities described above. Again, to actually implement these regulations, IaaS providers will need a clearer technical definition with some level of ex-ante measurability.

For reference, here are the thresholds defined in the AI EO:

Reports must be filed within fifteen days, and must include information on the foreign person and the training run (compute, anticipated start/end date, model weight security measures, among other things). Further, US cloud providers must require their foreign resellers to report training runs using the same criteria.

What about enforcement?

Though the proposed regulations mostly focus on setting up reporting processes, they do include some enforcement measures. Most notable among them is the section on “special measures,” which requires US IaaS providers to restrict access to certain customers — or all customers in certain jurisdictions (e.g. China) — if Commerce tells them to. The conditions under which this restriction requirement can kick in are:

• a foreign jurisdiction has a significant number of foreign persons reselling or directly using US IaaS products for malicious cyber activity, or

• a particular foreign person has established a pattern of doing the same.

US IaaS providers must comply within 180 days of Commerce restricting a person or jurisdiction, and the restrictions can’t remain in place for more than 365 days without an explicit extension [Jordan: this seems pretty lax?]. Commerce also says it will be cautious when creating restrictions and take into account competitive disadvantages or undue cost/burden on US providers, especially when applied to an entire jurisdiction. Those provisions are reassuring — indeed, in many cases, US cloud computing services will be substitutable by foreign offerings; in such cases, it may be better to retain observability and leverage.

Open questions remain!

These regulations draw on mature best practices from the financial services sector, and they seem like a solid path for closing some key gaps in AI supply chain security. There are a few key challenges, however, that Commerce and cloud providers will need to work through:

1. What are the specific technical properties of training runs that cloud providers should use to determine whether they’re reported? The compute-based thresholds defined in Biden’s AI EO make sense as the only real way we have to define AI capabilities ex-ante. Commerce should clarify whether these thresholds will apply, and commit to updating them over time as our understanding of AI capabilities and risks across different domains evolves.

2. How can cloud providers figure out whether a customer intends to conduct (or is doing) a training run with the properties Commerce is interested in? Simply using the information already available for billing purposes — hardware configuration and chip-hours — can tell you a lot. If a customer has access to 20,000 NVIDIA H100s connected by a high-speed network, they’re probably not hosting a fashion blog. But more detailed verification will likely be necessary to avoid false positives and workloads slipping under the radar.

3. That brings us to the next challenge: what privacy and IP issues are these proposed rules creating, and how can they be avoided? The regulations call for cloud firms to report “Information on training practices, including the model of the primary AI used in the training run accelerators.” This reporting requirement is potentially problematic: will a French AI lab want their US cloud compute vendor tracking what kinds of models they are developing? After all, the US firm is often going to be a direct competitor. Privacy-preserving hardware technologies like “trusted execution environments” could provide a solution here. Several groups have recently proposed using these kinds of technologies to verify the properties of AI computational workloads without revealing sensitive code or data.

4. How easy will it be for foreign customers to spoof their identity to evade detection? If a foreign customer has enough money to conduct a frontier training run, they’ll also have enough money to fake identification, set up shell companies, spoof IP addresses, and more.

Back to Jordan here with three more open questions:

1. Why did rule take so long? When the October 7th 2022 export controls dropped, I was podcasting the next day, talking about how Chinese access to Western cloud providers was an enormous loophole. But it took 480 days to do anything about it! To what extent was this a question of getting interagency buy-in for addressing cloud — or does it just take this long to write a sixty-six-page rule nowadays? If it’s the latter, beyond more funding are there statutory changes that could allow BIS to move more nimbly?

2. To what extent does limiting training runs matter from a national AI capabilities perspective? If Chinese firms can continue to leverage the latest and greatest open-source models coming out of the West (that are really good nowadays! Mistral is currently beating out Anthropic’s public offering), will there really be much of a point of doing a whole training run from scratch? After, all Altman recently said that GPT only “will be okay.”

3. For all those closed-source models ahead of Mistral … there’s nothing today from the US policy side stopping OpenAI or Google from selling model access into the PRC. Is BIS cooking up an attempt to restrict exports of algorithms? Would it just be better for long-term national competitiveness if Chinese firms were dependent on Western models and inference in the cloud running on Nvidia as opposed to Huawei chips? Or is AI diffusion, rather than frontier tech, really going to be what determines national outcomes?

Other Interesting Wrinkles We Found in the Rule