In a significant move to enhance national security, a bipartisan group of senators has introduced legislation aimed at closing a critical loophole in U.S. export controls concerning sensitive technology accessed via cloud computing. On March 27, 2024, Sen. Dave McCormick, a Republican from Pennsylvania, and Sen. Ron Wyden, a Democrat from Oregon, announced the Remote Access Security Act, which seeks to amend the Export Control Reform Act of 2018.
The proposed legislation would extend existing export controls to cover remote access of controlled U.S. technologies, addressing concerns that current laws are inadequate in the face of rapid technological advancements. As cloud computing facilitates access to powerful chips and advanced software from virtually anywhere in the world, the senators are responding to fears that adversaries may exploit these technologies for nefarious purposes.
Addressing National Security Risks
“Under current law, bad actors can train AI models by accessing advanced chips under the jurisdiction of the U.S., and the Bureau of Industry and Security has no authority to require a license,” McCormick stated, emphasizing the necessity of the bill. The legislation aims to subject remote access to the same scrutiny as physical possession of sensitive technologies when national security risks are involved.
Wyden highlighted the growing trend of adversaries seeking to circumvent U.S. export bans by renting access to American-controlled computing power instead of importing hardware. “Foreign countries shouldn’t be able to end-run export bans on American technology just by accessing servers over the internet,” he remarked, underscoring the importance of this measure in maintaining U.S. leadership in artificial intelligence and global competitiveness.
Key Provisions of the Remote Access Security Act
The Export Control Reform Act currently allows the executive branch to regulate exports, reexports, and in-country transfers of sensitive items. The new legislation aims to clarify that these controls also apply when a “foreign person of concern” remotely accesses controlled technology through cloud infrastructure, including servers, processors, or data storage. The bill specifically identifies foreign persons of concern as individuals or entities linked to China, including Hong Kong and Macau, as well as Russia, Iran, and North Korea.
Under the proposed framework, the Commerce Department would have the authority to require a license if, for instance, a Chinese firm attempts to rent access to clusters of advanced U.S.-controlled chips located in overseas data centers, particularly if such access poses a national security risk.
The legislation aims to prevent several high-risk activities, including the training of artificial intelligence models that could facilitate the creation of weapons of mass destruction, automated cyberattacks, or systems designed to evade human oversight. It also seeks to limit access to tools intended for offensive cyber operations and technologies used for surveillance that may violate human rights through spyware, location tracking, or biometric identification.
Supporters of the Remote Access Security Act argue that it represents a broader effort by Congress to modernize national security policy in light of the realities of cloud computing and artificial intelligence. The ability to control access to sensitive technologies is becoming increasingly critical, as the implications of remote access can be as significant as those of physical possession.
The bill was introduced on March 27, 2024, and is expected to be reviewed by the relevant Senate committees for further deliberation. As the landscape of technology continues to evolve, lawmakers are taking proactive steps to ensure national security remains a priority in the digital age.