With its export controls regulations on advanced US semiconductor chips, the US Export Administration Regulations (“EAR”) aimed to prevent the People’s Republic of China (“PRC”) from developing its own advanced chips and sophisticated artificial intelligence (“AI”) models, and stop the enhancement of the Chinese Communist Party’s (“CCP”) Military-Civil Fusion Policy.1
China’s DeepSeek challenges US AI supremacy: A pivotal shift in export controls discussions
On 20 January 2025, DeepSeek launched the DeepSeek-R1 (“R1”) large language model which competes with US AI products such as ChatGPT by OpenAI and Gemini by Google.2 Famed Silicon Valley venture capitalist Marc Andreessen posted the term “Sputnik Moment” on social media to describe the shock felt.3
DeepSeek states that R1 was trained on Nvidia H800 GPUs (“Nvidia H800”),4 a US chip with lower capabilities than the more advanced US semiconductors typically used in cutting-edge AI models developed in the US.
Nvidia launched the Nvidia H800 in March 2023 for export to the PRC in compliance with the US EAR.5 On 17 October 2023, the US Bureau of Industry and Security (“BIS”) released new licensing requirements to close a loophole in the US export control regime and, thus, prevent the export of the Nvidia H800 to the PRC.6
This revelation serves as a wake-up call, emphasizing the urgent need to address and close loopholes in the current US export controls framework to avoid another DeepSeek “Sputnik Moment.”
US export controls and AI: Closing the cloud loophole
A cloud loophole in the current US export controls regime has been detected. Chinese companies can train their AI models by remotely accessing the US cloud using advanced US semiconductor chips controlled under the EAR. This creates a challenge, as the US export control regime does not currently address remote access to controlled items stored in the cloud.
Such a loophole originated from the fact that under the actual US export control regime, BIS is not empowered to issue licenses and impose penalties related to remote access of items under the jurisdiction of the US and listed on the Commerce Control List (“controlled items”). Between 2009 and 2014, BIS confirmed, in three advisory opinions, that cloud-based services are not subject to the EAR since no commodity, software, or technology is exported to the user.7
As AI has developed and is becoming essential for governments worldwide to modernize and enhance their military power, there is a growing concern that this loophole undermines US efforts to control strategic exports. To close this loophole, a proposition to amend the Export Control Reform Act of 2018 (“ECRA”) was raised before the House of Representatives.8 The ECRA, implemented through the EAR, establishes a legal framework for regulating the export, reexport, and transfer of dual-use goods, which can be used for both civil and military purposes, as well as specific military parts and components.
The Remote Access Security Act: A step toward closing the loophole
In response to the detected loophole, on 10 September 2024, Michael Lawler, the Republican representative of New York’s 17th congressional district, confirmed the vulnerability in the current US export controls regime before the House of Representatives.9 Mr Lawler emphasized the importance of closing the gap, advocating for the passage of the bipartisan Remote Access Security Act. This proposed law would allow BIS to issue licenses and impose penalties for remote access to controlled items if such access threatens US national security or foreign policy, thus closing this detected loophole.
The Remote Access Security Act aligns with President Trump’s “America First Trade Policy,” which underlines the need to identify and eliminate loopholes in the existing US export controls regime, “especially those that enable the transfer of strategic goods… to countries to strategic rivals and their proxies.”10
The bill passed the House of Representatives and was received in the Senate on 10 September 2024.11 It was then referred to the Senate Committee on Banking, Housing, and Urban Affairs.12 Bipartisan support and the “America First Trade Policy” suggest that the Remote Access Security Act is likely to pass the Senate and receive approval from the president.
Defining remote access
The Remote Access Security Act is aimed at amending notably section 1742 of the ECRA to include remote access of controlled items within the US export controls regime and thus close the existing loophole within the regime.
Remote access means access to “an item subject to the jurisdiction of the (US) and included on the (US) Commerce Control List… by a foreign person through a network connection, including the internet or a cloud computing service, from a location other than where the item is physically located, to use the functions of the item if the use of those functions may pose a serious risk to the national security or foreign policy of the (US), such as by:
- training an artificial intelligence model…;
- accessing a quantum computer that could enable offensive cyber operations or other risks to national security;
- accessing hacking tools.”13
Preparing for the Remote Access Security Act
US and foreign entities providing cloud services need to be proactive in preparing for BIS’s potential implementation of the Remote Access Security Act, especially regarding the license requirement for remote access to controlled items.
One crucial step is to conduct thorough due diligence on controlled items that can be accessed remotely via the Internet or cloud platforms. This entails evaluating both tangible items (e.g., chips) and intangible items (e.g., software or technologies) that may be affected by the new regulation.
Cloud service providers will also need to adjust their compliance processes and procedures to prevent unauthorized remote access to controlled items. This could involve creating more stringent access controls, monitoring users’ locations, and ensuring that sensitive technologies are not being utilized for purposes that could undermine US national security.
Notes and references
1.Speech of Michael Lawler before the House Representatives on 10 September 2024
2.BBC, DeepSeek: How China’s ‘AI heroes’ overcame US curbs to stun Silicon Valley, 28 January 2025
4 DeepSeek-V3 Technical Report, 3. Infrastructures, 3.1. Computer Clusters; see also another link DeepSeek-V3 Technical Report, 3. Infrastructures, 3.1. Computer Clusters (links as of 7 February 2025)
5 Reuters, Nvidia tweaks flagship H100 chip for export to China as H800, 22 March 2023
7 BIS, US Department of Commerce, Advisory Opinion, 13 January 2009; see also BIS, US Department of Commerce, Advisory Opinion, 11 January 2011; and BIS, US Department of Commerce, Advisory Opinion, November 13, 2014 (links as of 7 February 2025)
8 The Remote Access Security Act (H.R. 8152), 118th Congress (2023/2024), Actions (link as of 7 February 2025)
9 Speech of Michael Lawler before the House Representatives on 10 September 2024 (link as of 7 February 2025)
10 America First Trade Policy – The White House, 20 January 2025, Sec. 4 Additional Economic Security Matters, (c) (link as of 7 February 2025)
11 The Remote Access Security Act (H.R. 8152), 118th Congress (2023/2024), Actions (link as of 7 February 2025)
12 The Remote Access Security Act (H.R. 8152), 118th Congress (2023/2024), Actions (link as of 7 February 2025)
13 The Remote Access Security Act (H.R. 8152), sec. 2 Control of Remote Access of Items under the Export Control Reform Act of 2018, (1) (link as of 7 February 2025)
