Today, anyone can buy banned NVIDIA GPUs on Xiaohongshu and rent A100 access on Ali Cloud at competitive prices. But that doesn’t necessarily mean it’s already too late for the US to control China’s access to leading-edge compute. In the article below I coauthored with CNAS’s Tim Fist and GovAI’s Lennart Heim, we sketch out how targeted end-user checks can help Commerce enforce the spirit of the October 7 regulations.
Two quick announcements before we get into it:
ChatGPT’s new Code Interpreter is incredible. You can upload datasets and — in seconds, without any coding experience — explore what’s inside them. We’re running a chart contest this week, with the best Code Interpreter-created chart + 100-word description winning $250! Here’s something that took me a few minutes for inspiration, a brief tutorial to get you started, and two lists of China-related databases: UCSD’s and NYU Shanghai’s. Here’s a form to submit. Deadline is Thursday, 6 p.m. Eastern!
ChinaTalk is hiring for a part-time reporter. If you want to have a ton of fun covering modern China — and get paid doing it — consider applying here.
This piece below first ran in Foreign Policy.
This past fall, the Biden administration moved decisively to cut off China’s supply of powerful chips, targeting the cutting-edge semiconductors used for supercomputing and artificial intelligence. However, recent reporting points to blacklisted Chinese entities—including China’s top nuclear weapons lab—gaining access to restricted chips through a combination of smuggling and renting through the cloud. Smuggling also appears to be possible for low-level vendors: Other recent reporting found that Chinese small businesses are smuggling restricted chips through neighboring countries, and that 40,000 to 50,000 of these chips are already in China. If the administration wants to succeed in holding a chokepoint over national security-sensitive supercomputing, the US agency tasked with export control enforcement (the Bureau of Industry and Security, or BIS) will have to get more creative.
First, some context. Last year’s export controls included a swath of measures targeting China’s access to semiconductor manufacturing equipment, specific fabrication facilities (known as “fabs”), and certain chips. The chip-specific controls attempted to ban Chinese entities from procuring advanced AI chips based on fixed performance thresholds. The ban applies not just to US-made chips, but also to any chip produced using US-origin technology, software, or equipment.
Given the United States’ pivotal role in the semiconductor industry, this was ostensibly a crippling blow. Two US firms—NVIDIA and AMD—dominate the market for the powerful chips targeted by the controls. But carrying out a ban this big was never going to be easy. Unlike other dual-use items, cutting-edge chips are manufactured in the millions. They can also usually fit in a shoebox, making smuggling possible even at the scale required to build modern supercomputers (thousands of chips). And despite the controls’ focus on physical exports, most Chinese technology firms access chips virtually using services offered by cloud computing companies. These services are not monitored to prevent usage by blacklisted foreign entities under the United States’ current system of safeguards.
China has readily exploited these weaknesses. According to its employees, blacklisted facial recognition company SenseTime has been using intermediaries to smuggle banned components from the United States, mirroring the approach taken by China’s top nuclear weapons lab, the state-run Chinese Academy of Engineering Physics. And despite being blacklisted for human rights abuses, state-backed artificial intelligence firm iFlyTek has been renting access to controlled NVIDIA chips via the cloud. There is little practical difference between using a physically exported chip and using a chip “virtually” through the cloud. However, this practice is currently completely legal, even for firms like iFlyTek. This tactic could soon become even easier: NVIDIA has recently signaled its intentions to expand its cloud supercomputing offerings to China.
How should the United States address these gaps while preserving its global dominance in supercomputing? First: The BIS needs to patch current controls by addressing the physical smuggling of chips. The current enforcement process relies heavily on an initial licensing step, where a US entity seeking to export controlled technology to a foreign actor is either approved or denied the right to do so. Unfortunately, this process has historically failed to keep up with Chinese and Russian actors’ ability to quickly establish shell companies. Researchers at the Center for Security and Emerging Technology found extensive evidence of this practice in projects run by Chinese defense agencies and state-owned enterprises.
Once a license is approved, the BIS is also responsible for ensuring that technology isn’t smuggled to blacklisted entities. But this process is both time-consuming and underfunded. A recent report by the Center for Strategic and International Studies interviewed US officials involved in this process, who claim that it can take the Russian and Chinese military “mere days” to establish shell companies for purchasing controlled technology. In contrast, the current process for discovering smuggling can “take years, if it is uncovered at all.”
To address these problems, we propose a random chip sampling program. What would this look like? First, require that sellers of controlled chips register their sales with the BIS using unique IDs assigned during manufacturing. Then place requirements on sellers to notify the BIS about any secondhand sales and any cases where chips are destroyed or lost. Finally, to stop chips from leaking into China, conduct randomized end-use checks to confirm the current registered owner of a chip actually has it in their possession. The BIS has historically done this with larger devices, such as lithography machines (a category of manufacturing equipment crucial for producing advanced chips). But given that millions of controlled chips are sold each year, BIS officials couldn’t hope to keep tabs on each one manually. Instead, by checking the location of a small but random share of all sold chips, the BIS would catch (or better yet, deter) any supercomputer-scale smuggling of chips to China. Thankfully, the most concerning use cases for these chips, such as building a next-generation authoritarian version of ChatGPT or conducting advanced ballistic simulations, require thousands of chips running continuously for weeks. We estimate that with 5,000 inspections a year, the BIS could achieve greater than 90 percent confidence that no smuggling of chips at this scale was occurring.
At first glance, such a program might appear impossibly ambitious due to the sheer size of the semiconductor market. However, though there are countless chip companies and products available on the market, likely less than a dozen companies currently sell chips powerful enough to be subject to export controls. A few of the largest are NVIDIA (US), AMD (US), Graphcore (UK), Cerebras (US), and Biren (China), which together make just six different chips that fall within the controls. Inspections could take advantage of these firms’ existing logistics networks for chip maintenance.
There’s another way military-linked firms and labs could use advanced chips’ capabilities: virtual access through cloud computing services. Top cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud already offer the ability to remotely leverage the computing power of export-controlled chips, and NVIDIA recently announced its plans to rent out supercomputing power to Chinese firms.
At face value, the availability of these services to Chinese users may appear concerning. However, a blanket ban on all Chinese access to advanced US cloud computing would be a mistake. Chinese cloud computing users could still access controlled chips by renting access through non-US cloud service providers. There is currently no viable way for the United States to impose extraterritorial controls on these services. Given this reality, better for the United States to retain its dominance in cloud offerings for advanced chips, making it harder for Chinese firms to utilize a market gap to accelerate their own offerings. A blanket ban for physical chip exports made sense because of the difficulty of controlling who has access to the chip after it is shipped overseas. But effective regulations over cloud services could distinguish between users in a much more fine-grained way: The chip remains on US soil, and service providers could implement guardrails to help prevent cloud chips from being used for applications that threaten US national security.
Right now, these guardrails are sparse. US cloud service providers have no official responsibility for how customers use their services, even if those services are used to aid foreign militaries or intelligence efforts. How, then, should these services be regulated? Existing financial regulations can offer some lessons. Thanks to the centrality of the dollar, the US government can track global flows of money to prevent illicit activity such as money laundering. Because their firms dominate key chokepoints in the advanced semiconductor supply chain (manufacturing equipment, advanced materials, and design software), the United States and a few key allies hold a similar position with respect to advanced chips.
The US Financial Crimes Enforcement Network requires both customers and financial institutions to comply with “Know Your Customer” standards to prevent illegal activity. And Suspicious Acts Reports require financial institutions to file reports of transactions exceeding $10,000 and to report any transactions that might signal criminal activity. Using its leverage over supply chains, the US government could use analogous tactics to prevent blacklisted entities from accessing powerful chips and their capabilities.
As a starting point, we propose that cloud providers implement “Know Your Customer” checks for any customers using large quantities of export-controlled chips. The thoroughness of checks should scale proportionally with estimated risk and computational intensity: customers seeking to use thousands of export-controlled chips simultaneously should undergo the most rigorous screening. Such a practice would only affect a small minority of cloud customers who are engaged in supercomputing and large-scale AI training. This proposal aligns with a recent announcement by the Biden administration and a report from Microsoft about viable ways to govern the most powerful AI systems.
Of course, US cloud providers are not the only game in town. The US government should work with its allies to spread responsible screening practices internationally, much as the Financial Action Task Force has set international standards to prevent global money laundering and terrorist financing. If Chinese cloud providers with data centers outside of China do not cooperate, end-use controls could be placed on physical chip exports to prevent these firms from offering them.
The BIS’s role has grown in importance and must now be resourced for its mission. The agency’s budget has not grown in proportion to the number of controlled items it is expected to regulate. Compounding budgetary issues, the bureau as it stands today suffers from antiquated software, understaffing, and a lack of presence in key regions. For example, only two personnel from the BIS’s export control enforcement department are based in China. Moreover, due to IT system incompatibilities, the BIS’s analysis team is unable to use US trade data to check where controlled goods are being exported due to mismatches in product categorizations, limiting its ability to automate export monitoring.
These issues are fixable. The US Congress should grant the BIS a larger budget and empower it with the tools to deal with the emerging challenges posed by powerful chips. Solutions need not break the bank. Using conservative estimates, the chip inspection program we describe above could be implemented with an annual budget of less than $5 million. However, implementing such a program should be paired with a more comprehensive overhaul of the BIS’s processes and technology to allow it to deal with future challenges. A recent Center for Strategic and International Studies report recommends an annual budget increase of $44.6 million to provide the BIS with modern processes and technologies to better identify and target high-risk transactions and entities.
Finally, the United States must work more closely with its allies and partners—Taiwan, the Netherlands, Japan, India, and South Korea—to coordinate export control enforcement. By sharing information and coordinating enforcement efforts, the United States and its allies can prevent rogue actors from exploiting loopholes in export control regimes and ensure that sensitive technologies do not end up in the wrong hands.
Enforcing a ban on Chinese access to leading-edge chips won’t be easy. But by establishing a chip inspection program, taking steps to help ensure cloud services are secure, providing the BIS with more funding, and continuing to seek allied cooperation, the US government can erect significant barriers to China using advanced computing to power a new generation of dangerous military applications.
Next, I discuss the risk that these sets of policies may help presage a technological future that would invalidate the whole effort.