On October 25, 2023, a bipartisan effort emerged in the United States Senate aimed at addressing a significant gap in national security. Senators Dave McCormick, a Republican from Pennsylvania, and Ron Wyden, a Democrat from Oregon, introduced the Remote Access Security Act. This legislation seeks to extend U.S. export controls to include foreign access to sensitive American technology via cloud computing.
The proposed bill amends the Export Control Reform Act of 2018 to cover not only the physical export of controlled technologies but also their remote access. This move comes as concerns mount over the ability of foreign adversaries to access advanced U.S. technologies through cloud platforms, potentially undermining national security.
Addressing Security Risks
Senator McCormick highlighted the loophole in current legislation, noting that “bad actors can train AI models by accessing advanced chips under the jurisdiction of the U.S., and the Bureau of Industry and Security has no authority to require a license.” The new bill aims to rectify this by subjecting remote access to the same scrutiny as physical possession when national security risks are involved.
Senator Wyden emphasized the urgency of the situation, stating that adversaries have increasingly sought to bypass U.S. export bans by renting access to American-controlled computing power rather than importing hardware directly. “Foreign countries shouldn’t be able to end-run export bans on American technology just by accessing servers over the internet,” he said. This legislation is positioned as essential for maintaining U.S. leadership in artificial intelligence and preserving global competitiveness.
Scope and Implications of the Legislation
The Export Control Reform Act currently allows the executive branch to regulate exports, reexports, and in-country transfers of sensitive items. The new legislation clarifies that these controls will also apply when a “foreign person of concern” remotely accesses controlled technology through cloud infrastructure, such as servers or data storage devices.
Defined as individuals or entities linked to China, including Hong Kong and Macau, as well as Russia, Iran, and North Korea, these foreign persons of concern would face stringent licensing requirements. For instance, if a Chinese firm seeks to rent access to advanced U.S.-controlled chips located in overseas data centers, the Commerce Department could require a license if that access poses a national security risk.
The proposed legislation identifies several high-risk activities it aims to prevent, including the training of artificial intelligence models for weapons of mass destruction, automated cyberattacks, and the development of systems designed to evade human oversight. It would also restrict access to tools intended for offensive cyber operations and surveillance technologies that could infringe on human rights.
Supporters of the Remote Access Security Act argue that it reflects a broader effort by Congress to adapt national security policy to the realities of cloud computing and artificial intelligence. The ability to control access to sensitive technologies is increasingly viewed as critical to protecting national interests.
The bill has been introduced and will now proceed to relevant Senate committees for further consideration. As the landscape of technology evolves, lawmakers are recognizing the need for updated regulations to address emerging threats.
