Today, the DOC’s Bureau of Industry and Security published a notice of proposed rulemaking (NPRM) in the Federal Register (89 FR 73612-73617) on “Establishment of Reporting Requirements for the Development of Advanced Artificial Intelligence Models and Computing Clusters”. This rulemaking would fulfill the requirements for §4.2(a)(i) of EO 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. This proposed rule would amend the BIS Industrial Base Surveys—Data Collections regulations by establishing reporting requirements for the development of advanced artificial intelligence (AI) models and computing clusters.
Definitions
The proposed 15 CFR 702.7 provides definitions at subsection (c) of the following key terms used in the new regulation:
Artificial intelligence (AI),
Model weights, and
AI and Cybersecurity
In the preamble discussion about the government’s interest in dual-use foundation models, one of the defense-related uses discussed is the use of AI models in detecting cybersecurity attacks:
“As a final example, developers of cybersecurity software, which can be applied to protect a wide range of systems and infrastructure that are critical to the national defense, use AI models to increase the speed at which that software detects and responds to cyberattacks.”
The preamble goes on to discuss the needs of the federal government for information about various aspects of AI model development. The discussion specifically addresses concerns about vulnerabilities to cybersecurity attacks:
“For similar reasons, the U.S. Government must minimize the vulnerability of dual-use foundation models to cyberattacks. Dual-use foundation models can potentially be disabled or manipulated by hostile actors, and it will be difficult for the U.S. Government to rely on a particular model unless it can determine that the model is robust against such attacks. Accordingly, the U.S. Government needs information about the cybersecurity measures that companies developing dual-use foundation models use to protect those models, as well as information about those companies' cybersecurity resources and practices.”
Reporting Requirements
The new §702.7 would require reporting to BIS six months before planned ‘applicable activities’. Those ‘applicable activities’ include:
Conducting any AI model training run using more than 10^26 computational operations (e.g., integer or floating-point operations); or
Acquiring, developing, or coming into possession of a computing cluster that has a set of machines transitively connected by data center networking of greater than 300 Gbit/s and having a theoretical maximum greater than 10^20 computational operations (e.g., integer or floating-point operations) per second (OP/s) for AI training, without sparsity.
Once an initial notification to BIS is made, the ‘covered person’ must update that report quarterly, even if nothing has changed since the previous report. In that case, once seven consecutive quarterly reports of ‘no change’ have been made, the reporting requirement ceases until six months before a new ‘applicable activity’ is planned.
Initial notifications to BIS will be made by email. BIS will respond by sending a list of questions the covered person would be required to answer about the planned applicable activities. The questions would address the following issues (and perhaps additional issues as appropriate):
Any ongoing or planned activities related to training, developing, or producing dual-use foundation models, including the physical and cybersecurity protections taken to assure the integrity of that training process against sophisticated threats,
The ownership and possession of the model weights of any dual-use foundation models, and the physical and cybersecurity measures taken to protect those model weights,
The results of any developed dual-use foundation model's performance in relevant AI red-team testing, including a description of any associated measures the company has taken to meet safety objectives, such as mitigations to improve performance on these red-team tests and strengthen overall model security, and
Other information pertaining to the safety and reliability of dual-use foundation models, or activities or risks that present concerns to U.S. national security.
Presumably, the last ‘other information’ provision will, at least partially, be interpreted to mean reporting safety and/or security incidents involving the related AI models.
Public Comments
BIS is soliciting public comments on this rulemaking, including comments about the following topics:
Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # BIS-2024-0047). Comments should be submitted by October 11th, 2024.
Commentary
BIS notes that: “For similar reasons, the U.S. Government must minimize the vulnerability of dual-use foundation models to cyberattacks.” Unfortunately, the only cybersecurity reporting action that BIS is taking in this rulemaking is a requirement to report on training activities, “including the physical and cybersecurity protections taken to assure the integrity of that training process against sophisticated threats”. Anyone who follows cybersecurity news has to realize that even well-designed systems are subject to third-party researchers finding and exploiting vulnerabilities that are unidentified by the vendor. While design reviews such as the one required in this rulemaking are important, a comprehensive cybersecurity program also requires a vulnerability disclosure program and a cyber incident reporting program.
The second would be the easiest to deal with. Language could be added to the proposed §702.7 that would designate any entity or person required to submit quarterly reports under this proposed regulation as a ‘covered entity’ as defined by 6 USC 681(4). This would trigger CIRCIA cyber incident reporting requirements under 6 USC 681b. This could look like the following added §702.7(d):
“(d) Cyber Incident Reporting --- Individuals or entities required to complete quarterly reports under subsection (a)(2) will be considered to be a ‘covered entity’ as defined in 6 U.S.C. 681(4) for the purposes of cyber incident reporting requirements under 6 U.S.C. 681b(a)(1).”