Remote Access Security Act (RASA)

U.S. export controls restrict selling advanced AI chips to China, but do not clearly reach the same compute when it is rented remotely through the cloud. RASA would close this gap in the Bureau of Industry and Security’s (BIS) authorities. This brief assesses how the legislation should be scoped, provides a table of options, and recommends S. 3519 expand its definition of cloud infrastructure. 

Key Takeaways

  1. RASA secures BIS authority over cloud compute. It would clarify BIS statutory authority over remote access to controlled items, needed to prevent otherwise prohibited users from accessing the United States’ most advanced AI semiconductors. 

  2. The Senate text (S. 3519) defines cloud infrastructure services too narrowly. It currently covers only Infrastructure-as-a-Service (IaaS), which reaches entities that rent bare-metal compute to train a model, but not those same entities when they train on a managed platform service. We recommend the Committee expand the definition to include at least a scoped definition of Platform-as-a-Service (PaaS). 

  3. RASA’s scope could reach beyond compute. These choices could extend RASA beyond compute to other controlled items. If the legislation extends to Software-as-a-Service (SaaS), like the passed House text does (H.R. 2683), it could grant BIS clear authority to control access to U.S. AI models.

RASA: Needed to Secure BIS Authority Over Cloud Compute 

BIS implements export controls on certain dual-use commodities, software, and technology by assigning items an export control classification number (ECCN) with a defined set of technical specifications and license requirements that is added to the Commerce Control List (CCL). Advanced AI chips are included under ECCN 3A090, which prohibits chips of a certain performance threshold from being exported to foreign adversary countries, including China. While there are license requirements placed on the physical chips matching 3A090 specifications, that same level of compute performance is still accessed remotely by otherwise prohibited end users, even though companies are abiding by export rules. The minimum amount of compute that China is reportedly accessing could boost China’s compute access by at least 60 percent in 2026.¹

BIS does not interpret its authorities to include cloud services as a controllable item, per several advisory opinions published since 2009.² By amending the Export Control Reform Act, RASA would clarify BIS statutory authority over cloud services and equip BIS to close the gap in its export control regime through which China is still accessing advanced US compute. RASA could also impact how the Bureau interprets its authorities over remote access to other items subject to the EAR, such as electronic design automation (EDA) software and AI models. 

RASA: Scope to Include Relevant Cloud Services, While Avoiding Overreach on Low-Risk Software Services

The Senate text includes scoped clarifications to the amendments it makes to ECRA on remote access services. It defines “remote access” as access to items on the CCL by a foreign person of concern through a cloud infrastructure service. Cloud infrastructure service is defined as Infrastructure-as-a-Service (as defined by NIST). Foreign person of concern is defined as the government of, entity located or headquartered in, or person subject to the jurisdiction of a “covered nation,” meaning North Korea, China, Russia, and Iran, as well as Macau and Hong Kong. 

Researchers at IAPS think some of these definitions should remain, and some should be amended. We propose the following chart to think about how broadly or narrowly the rule is scoped. 

Items Controlled


If the legislation is defined too narrowly, it may fail to capture the various services by which compute can be remotely accessed to train a frontier model (or run an offensive cyber operation or surveillance campaign as listed in the Senate bill’s examples). If the legislation is too broad, it risks handing the executive branch sweeping authority over ordinary software services.

To scope the controlled items, there are three considerations: AI compute ECCNs only; any item on the CCL; or any item that is subject to the EAR (CCL items plus the EAR99 category). To scope cloud services, we think of this as a range of NIST-defined cloud services: IaaS; PaaS; SaaS. As written, we find the Senate scope for RASA authorities too narrow. Limiting the authority to IaaS only covers entities that rent bare-metal controlled compute to train a model. Those same entities could also train a model on a managed platform service. 

We recommend the Committee expand the definition of cloud infrastructure service to include PaaS and keep the scope of items controlled to the Commerce Control List.

Based on this recommendation, we suggest the following changes to the legislation, marked in brown text: 

(B) CLOUD INFRASTRUCTURE SERVICE DEFINED.—For purposes of subparagraph (A): 

(i) The term ‘cloud infrastructure service’ has the meanings given the terms ‘Infrastructure as a Service’ and ‘Platform as a Service’ by the National Institute of Standards and Technology in Special Publication 800-145 (or any successor publication), including any machine learning as a service or comparable managed services that enables a consumer to develop, train, fine-tune, or operate an artificial intelligence model.

Implications for AI Model Access

The implications of this statutory authority could extend beyond compute access. Depending on how the legislation is scoped, it could grant BIS the authority to implement export controls on access to U.S. AI models. This is significant against the backdrop of the is-informed letter from the Secretary of Commerce to Anthropic, which informed Anthropic that a license is required for the export, reexport, or transfer of the Mythos 5 Model and Fable 5 Model to foreign nationals worldwide. 

It is not clear how the Mythos/Fable model restriction was being implemented. The letter relied on military-intelligence end user and end use controls, so it does not establish a model-specific ECCN that would set the technical thresholds, meaning it did not specify what layer of the model should be controlled.³ The letter said the requirement applied to the transmission or release of the models, referred to as “the sending or taking of the model out of the United States in any manner.” It is unclear whether this includes remotely accessing the model via SaaS, without transmitting the model weights. Given Anthropic shut down model access at the application layer, we can assume they interpreted the control to cover remote access, but it is unclear whether this is consistent with current authorities. Should RASA legislation include SaaS, this would in effect grant BIS authority to impose model access controls.

Notably, the House version of RASA already includes a broad definition of “remote access” that appears to cover SaaS. If Congress seeks to grant this level of statutory authority over SaaS and therefore model access to BIS, Congress should be careful about the parameters it sets. However, this is not a reason to exclude SaaS, it could be an opportunity to clarify what BIS can and cannot control via SaaS to reduce the executive branch’s reliance on other authorities that do not fit AI model restrictions.


Endnotes

  1. If China were to remotely access 670,000 H100-equivalents as reports suggest, that would increase its total access to advanced AI compute by about 60 percent. See The Substrate: How much US compute is China renting from the cloud?

  2. See BIS advisory opinions issued in 2009, 2011, 2014.

  3. With the exception of the Biden Administration’s ECCN 4E091 established in the Diffusion Rule to cover certain closed AI model weights, however this rule remains unenforced following the Trump Administration’s announcement that the rule would be rescinded and replaced.

Next
Next

IAPS Reacts to the White House Executive Order on AI Innovation and Security