A bipartisan group of U.S. senators has taken decisive action to address national security concerns related to cloud technology. On March 15, 2024, Sen. Dave McCormick, a Republican from Pennsylvania, and Sen. Ron Wyden, a Democrat from Oregon, introduced the Remote Access Security Act. This legislation seeks to amend the Export Control Reform Act of 2018 to extend U.S. export controls to foreign access of sensitive American technology through the cloud, closing a critical security loophole.
The new bill arises from increasing concerns about how cloud computing allows access to powerful chips and advanced software from virtually anywhere. Presently, existing export laws are viewed as inadequate in addressing the rapid pace of technological change. In a statement, McCormick highlighted the risks, stating, “Under current law, bad actors can train AI models by accessing advanced chips under the jurisdiction of the U.S., and the Bureau of Industry and Security has no authority to require a license.” This legislation aims to ensure that remote access to controlled technologies receives the same level of scrutiny as physical exports when national security is at stake.
Wyden emphasized the need for the bill, noting that adversaries are increasingly circumventing U.S. export bans by renting access to American-controlled computing power instead of importing hardware directly. “Foreign countries shouldn’t be able to end-run export bans on American technology just by accessing servers over the internet,” he said. The proposed measure is viewed as essential to preserving U.S. leadership in artificial intelligence and maintaining global competitiveness.
Currently, the Export Control Reform Act grants the executive branch authority to regulate exports, reexports, and in-country transfers of sensitive items. The Remote Access Security Act aims to clarify that these controls also apply when a “foreign person of concern” remotely accesses controlled technology through cloud infrastructure such as servers, processors, or data storage.
The term “foreign persons of concern” includes individuals or entities associated with countries such as China, including Hong Kong and Macau, as well as Russia, Iran, and North Korea. If passed, the bill would empower the Commerce Department to require licenses for foreign entities seeking to rent access to advanced U.S.-controlled chips located in overseas data centers when deemed a national security risk.
The legislation also identifies specific high-risk activities to be curtailed. These include the training of artificial intelligence models that could potentially facilitate weapons of mass destruction, automated cyberattacks, or systems designed to evade human oversight. Moreover, it would restrict access to tools intended for offensive cyber operations and technologies used for surveillance that may violate human rights through methods such as spyware and biometric identification.
Supporters of the Remote Access Security Act argue that the bill reflects a broader congressional effort to adapt national security policies to the realities of cloud computing and artificial intelligence. In an era where access control can be as significant as control over physical hardware, this legislative move may play a crucial role in reinforcing U.S. technology security.
The bill has now entered the legislative process and will be reviewed by the relevant Senate committees. As discussions continue, the implications of such a measure could reshape how sensitive technological resources are managed and accessed in the context of national security.
