President Biden's executive order (EO) on artificial
intelligence (AI) directs the Secretary of Commerce to impose,
within 90 days, expansive reporting requirements on dual-use
foundation models and large scale computing clusters, as well as
U.S. Infrastructure as a Service (IaaS) transactions involving
foreign persons. These reporting requirements are extremely broad
and would require, for example, companies to report on (1) not only
ongoing but also planned activities related to training,
developing, or producing dual-use foundation models; (2) ownership
and possession of the model weights; (3) the results of the
model's performance in AI red-team testing; and (4) any
acquisition, development, or possession of a potential large-scale
computing cluster. U.S. IaaS providers would also be required to
report on its transactions with foreign persons for training a
large AI model with potential capabilities for use in malicious
cyber-enabled activity. In addition, the EO also flows down the
identity verification requirement to foreign resellers of U.S. IaaS
products, taking one step further than Executive Order 13984 issued
in January 2021.1
While the EO directs the Secretary of Commerce to define the technical conditions that would trigger the applicable reporting requirements, the EO also provides technical conditions that apply in the interim. The interim technical conditions utilize processing speed metrics in defining the scope of the requirements, in line with the U.S. government's recent approach to controlling advanced computing chips with AI capabilities and supercomputers as reflected in the recently announced export control measures on semiconductor items. (Please refer to our Advisory for the discussion of the export control measures on semiconductor items announced in October 2023.) Importantly, while the EO does not require that the Secretary of Commerce promulgate any specific export control measures on AI, the reports that the U.S. government would receive under the EO implementing regulations would likely inform the Department of Commerce in refining or adding export control measures that may impact the AI sector.
President Biden invoked the Defense Production Act (DPA) for the reporting requirements on dual-use foundation models and large scale computing clusters, while relying on the International Emergency Economic Powers Act (IEEPA) with respect to the U.S. IaaS-related requirements that are intended to address malicious cyber-enabled activities. Reliance on the IEEPA to address malicious cyber-enabled activities is not new, as other presidents have similarly relied on the IEEPA and issued executive orders seeking to address malicious cyber-enabled activities.2 The DPA, on the other hand, was originally enacted to facilitate the production of goods and services necessary for national security in response to the Korean War. In recent years, the Executive Branch has invoked the DPA to provide funds for technological innovation, combat cyberespionage, produce ventilators and other products for combating the COVID-19 pandemic, and accelerate domestic production of green energy. The EO follows these more recent uses of the DPA, which some have criticized as being beyond the original intent of the DPA.3
1. Executive Order 13984 required the Secretary of Commerce to propose regulations that would require U.S. IaaS providers to verify the identity of a foreign person obtaining an IaaS account, but did not specifically address the foreign reseller's identity verification obligation.
2. See, e.g., Executive Order 13694 (Apr. 1, 2015); Executive Order 13757 (Dec. 28, 2016), Executive Order 13984 (Jan. 19, 2021).
3. See John Villasenor, Brookings Institution, Good for Growing an AI Workforce, but a Concerning Expansion of the Defense Production Act (Nov. 2, 2023).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.