In a significant move to bolster national security, a bipartisan group of senators introduced legislation aimed at addressing vulnerabilities in cloud technology access. On October 25, 2023, Senators Dave McCormick, a Republican from Pennsylvania, and Ron Wyden, a Democrat from Oregon, unveiled the Remote Access Security Act. This legislation seeks to extend U.S. export controls to encompass foreign access to sensitive American technology via cloud services, responding to growing concerns about national security risks posed by cloud computing.
The proposed bill amends the Export Control Reform Act of 2018 to ensure that remote access to controlled U.S. technologies is subjected to the same scrutiny as the physical export of such technologies. This change comes as the proliferation of advanced chips and software accessible through cloud platforms raises alarms that existing export regulations may not adequately address the rapid pace of technological advancement.
Addressing Security Gaps
Senator McCormick emphasized the urgency of the situation, stating, “Under current law, bad actors can train AI models by accessing advanced chips under the jurisdiction of the U.S., and the Bureau of Industry and Security has no authority to require a license.” He argues that the new legislation would effectively close this loophole, ensuring that remote access is monitored to mitigate potential national security threats.
Senator Wyden added that adversaries have increasingly exploited U.S. export bans by renting access to American-controlled computing power rather than importing hardware directly. “Foreign countries shouldn’t be able to end-run export bans on American technology just by accessing servers over the internet,” Wyden remarked, highlighting the bill’s importance in maintaining U.S. leadership in artificial intelligence and global competitiveness.
Clarifying Export Regulations
The current framework allows the executive branch to regulate exports, reexports, and in-country transfers of sensitive items. The Remote Access Security Act would clarify that these controls apply when a “foreign person of concern” remotely accesses technology through cloud infrastructure, which includes servers, processors, and data storage systems.
The legislation specifically identifies individuals or entities tied to China, including Hong Kong and Macau, as well as Russia, Iran, and North Korea, as foreign persons of concern. Under the proposal, the Commerce Department could require a license if, for example, a Chinese firm seeks to rent access to clusters of advanced U.S.-controlled chips located in overseas data centers and that access poses a national security risk.
The bill outlines several high-risk activities it aims to prevent, including training artificial intelligence models that could facilitate the development of weapons of mass destruction, automated cyberattacks, or systems intended to evade human oversight. Additionally, it would restrict access to tools designed for offensive cyber operations and technologies used for surveillance that could infringe upon human rights.
Supporters of the measure argue that it reflects a broader effort by Congress to adapt national security policies to the realities of cloud computing and artificial intelligence. As access control becomes increasingly crucial, the Remote Access Security Act is positioned to play a vital role in safeguarding sensitive technologies.
The bill was introduced on October 25, 2023, and will now be reviewed by the relevant Senate committees for further consideration. As the legislative process unfolds, the implications of this proposal could reshape how the U.S. manages its technological exports in an increasingly interconnected world.
