A bipartisan group of U.S. senators has introduced legislation aimed at enhancing national security by addressing vulnerabilities associated with cloud computing. On March 6, 2024, Senator Dave McCormick, a Republican from Pennsylvania, and Senator Ron Wyden, a Democrat from Oregon, unveiled the Remote Access Security Act. This bill aims to expand the existing Export Control Reform Act of 2018 to include remote access to sensitive U.S. technologies via cloud platforms, not just their physical export.
The legislation responds to growing concerns that current export laws are lagging behind advancements in technology. As cloud computing becomes increasingly prevalent, powerful chips and sophisticated software can be accessed from virtually any location worldwide. Senator McCormick emphasized the urgency of the situation, stating, “Under current law, bad actors can train AI models by accessing advanced chips under the jurisdiction of the U.S., and the Bureau of Industry and Security has no authority to require a license.”
Closing Security Gaps in Technology Access
The proposed legislation seeks to close this loophole, ensuring that remote access to controlled U.S. technologies is subjected to the same level of scrutiny as physical possession. Senator Wyden noted that adversaries are exploiting these gaps by renting access to American-controlled computing power instead of directly importing hardware. He remarked, “Foreign countries shouldn’t be able to end-run export bans on American technology just by accessing servers over the internet.”
The Export Control Reform Act currently allows the executive branch to regulate the export, re-export, and in-country transfer of sensitive items. The new act would clarify that these controls also apply when a “foreign person of concern” remotely accesses controlled technology via cloud infrastructure, such as servers or data storage. The definition of foreign persons of concern includes individuals or entities linked to China, Russia, Iran, and North Korea.
Addressing Emerging Threats
Under the proposed bill, the U.S. Department of Commerce could require licenses for situations where, for example, a Chinese firm seeks to rent access to clusters of advanced U.S.-controlled chips located in overseas data centers, if deemed a national security risk. The legislation aims to mitigate several high-risk activities, such as training AI models that could facilitate the development of weapons of mass destruction, automated cyberattacks, or technologies that evade human oversight.
Additionally, the act would restrict access to tools designed for offensive cyber operations and technologies that could infringe on human rights through surveillance, spyware, or biometric identification. Supporters of the measure argue that it reflects a broader legislative effort to adapt national security policy to the realities of cloud computing and artificial intelligence, emphasizing that control over access can be as crucial as control over physical hardware.
The Remote Access Security Act has been introduced and is set to be reviewed by relevant Senate committees for further consideration. As the technological landscape continues to evolve, the need for robust security measures remains a pressing concern for lawmakers.
