BY ROB KNAKE

With the news this week that the Trump Administration did not roll back but tightened restrictions on NVIDIA’s ability to export advanced chips to China, I would say that the China Hawks most definitely have the upper hand on the AI bulls. With less than a month until the Biden Era diffusion framework is set to come into force, my money is on “repeal and replace” over rescind – there is little point in forcing NVIDIA to take a $5 billion write-down if Chinese AI developers will simply be able to evade these controls by purchasing through third countries or renting the same chips at a cloud service provider.

In my last post, I laid out what I think is a workable export control framework. In this post, I want to address the thornier issue of preventing Chinese AI developers from using the chips rented out by infrastructure-as-a-service providers like AWS and Azure.

While many in industry continue to push back against the broader “know your customer” (KYC) requirements that the first Trump Administration set into motion with Executive Order 13984, the associated proposed rule, and not the AI diffusion framework, is where the KYC requirements for AI training in the cloud are set out. The overall rule did not get a favorable review from industry players such as Amazon, but the more tailored requirements for reporting AI training by foreign actors on US cloud infrastructure are a workable starting point.

To be sure, these requirements could be fully rescinded in the ongoing review of actions that is part of the order revoking the Biden AI EO, but re-shaping the regulations to manage this risk, rather than gambling on an outright repeal, is the smart play for cloud providers.

Such a system need not be overly burdensome for either the cloud providers or the government. A relatively small number of companies are in the hunt on either side of the Pacific to build frontier AI models, and the cloud compute necessary to compete is both highly expensive and fits a small range of uses. Once this KYC regime is in place, it can then be expanded if deemed necessary to address broader misuse of the cloud by malicious adversaries (the original intent of Trump’s KYC push).

The challenge here is that too often these kinds of sanction regimes leave businesses at risk no matter how much effort they put into meeting the requirements. While the business community hates regulation, what it really hates is uncertain and vague long-tail risk. Setting requirements that will ultimately fail to meet their objective while also leaving cloud providers in legal jeopardy will be the worst possible outcome. This is the kind of regime we have created for ransomware payments. It’s illegal to make a payment to an entity on the OFAC Sanctions list, but ransomware groups don’t advertise that they are on that list. Ransomware victims can disclose details of a planned payment to the government, which will advise on whether it believes the organization is subject to sanctions, but doing so does not remove legal risk if the assessment is wrong and a payment is made.

Learning from what has gone wrong on ransomware payments, any new KYC regime needs to provide a safe harbor for companies that implement a KYC program but are nonetheless duped by the combined efforts of Chinese tech companies and Chinese intelligence agencies. Corporate responsibility should end once cloud providers have confirmed that the company is not a Chinese company and is not on the list of banned entities the Commerce Department maintains.

At this point, identifying front companies working on behalf of Chinese companies needs to be the responsibility of the intelligence community, the FBI and the Commerce Department. Companies should provide the government with the details of any organizations seeking to use advanced chips above established thresholds; the government can then determine whether the party is in fact a front company. But unlike the ransomware defense, a thumbs up from the USG should equal a get-out-of-jail-free card.

Given the national security priority we are placing on limiting Chinese development of AI, identifying Chinese efforts to circumvent this regime can and should be a priority for the intelligence community. Moreover, the effort to identify Chinese companies attempting to use our cloud compute for AI frontier model training needs to be cooperative with industry, and intelligence must flow in both directions. (A model for this is the NSA’s Cybersecurity Collaboration Center.)

Cloud providers can and should do their part – the basic tools to validate identities and verify their corporate sponsors are readily available. But given how high the stakes are, we should expect companies seeking to evade this regime to be difficult for even the most well-resourced KYC programs to stop. That is where responsibility must shift back onto the government.