Two years ago, the Biden administration fired the first shot in the great AI arms race of the twenty-first century. By announcing sweeping export controls on October 7th, 2022, the U.S. government leveraged American companies’ strength in semiconductors to block China’s access to the highest-performance chips — those used in training and running advanced AI models.
The stated goal was to prevent U.S. chips from aiding China’s military modernization, but given the transformational power of AI, it also signaled America’s intent to exert more control over the technology.
“It was a turning point in the debate about controlling technology exports to the rest of the world,” says Geoffrey Gertz, a senior fellow at the Center for a New American Security and former Biden administration official. Since then, he says, “there has been a broader permissiveness towards using export controls on critical emerging technologies to match the progress in AI’s capabilities.”
The next front in this campaign for control appears to be cloud computing. While the U.S. export rules blocked Chinese access to physical chips, they didn’t totally foreclose access to the chips’ computational power. AI systems, after all, are created when you link up tens of thousands, if not hundreds of thousands, of these high-performing chips in a data center — data centers that can be accessed remotely through “the cloud.”
Cloud computing leaves open the possibility that China can access AI computational power without buying the actual chips. An investigation by Reuters, for instance, found close to a dozen examples of Chinese entities seeking access to advanced AI chips via cloud service providers like Amazon Web Services (AWS) and Microsoft Azure. There is also evidence Chinese companies are accessing high-end chips through data centers in other countries such as Malaysia, where TikTok parent company ByteDance has reportedly pledged more than $2 billion in AI investment. Chinese academics are also actively pursuing partnerships with the UAE’s Mohamed bin Zayed University of Artificial Intelligence, a top research institute with access to U.S. chips.
For many, this is seen as a glaring loophole to the chip controls. In September, lawmakers in the U.S. House of Representatives passed the Remote Access Security Act, a bill that would restrict China’s access to remote cloud services, which is an industry dominated by U.S. companies like Amazon, Microsoft and Google. (The bill has yet to make it out of committee in the Senate.)
“Chinese companies have been remotely accessing tech covered by export controls, enabling the CCP to develop AI and modernize their military forces,” said Michael Lawler (R-NY), who sponsored the House bill. “This must end.”
Many experts, however, warn that the cloud loophole is less a bug than a feature of America’s technological advantages over China — and one the U.S. should actively exploit.
“I think of the cloud as the best case scenario for the U.S., because you can actually understand a lot from the data you already collect without impinging on customer data privacy,” says Tim Fist, a senior technology fellow with the Institute for Progress, a Washington, D.C., think tank.
While the Reuters report, for instance, drew alarm from some members of Congress, other experts are sanguine about its findings: Most of the tender documents reportedly showed the researchers looking to rent access to no more than a few thousand semiconductors — an indication that they aren’t using the cloud to train so-called ‘frontier models,’ or large-scale AI systems that push the boundaries of what AI is capable of.
Fist notes that Chinese researchers and AI companies would prefer to use American cloud providers because the quality is still much better than domestic alternatives. But if access is restricted, it could further help Beijing’s quest for “AI sovereignty” — an evolution of the “digital sovereignty” strategy China used to justify the construction of the Great Firewall in the 2000s and splinter the internet.
In the wake of the chip export controls, China has pursued an all-out effort to develop and protect its home-grown chip industry, spending an estimated $37 billion on chipmaking equipment last year and launching a new $48 billion national semiconductor fund in March. A chip being developed by national champion Huawei could eventually match the performance of Nvidia’s current line of graphics processing units (GPUs). If China catches up in AI cloud computing, companies like Alibaba, Tencent and Huawei would likely support the Chinese government’s strategy of exporting this model of AI sovereignty, which some experts warn could make the world’s AI capabilities and intentions more opaque.
Herein lies the temptation for the U.S. government: So long as the world’s AI computing activities stay tethered to the U.S. cloud, there is an opportunity to bake transparency into the system. With over two-thirds of all cloud computing services still controlled by three U.S. companies (AWS, Microsoft Azure and Google Cloud), the U.S. government could force international customers to be more transparent about their AI development activities.
In January, the Commerce Department proposed new draft rules that would impose banking-style ‘know-your-customer’ requirements on American cloud computing providers, including identifying foreign customers anywhere in the world and notifying the government when they believe a foreign customer is training a large AI model. As Commerce Secretary Gina Raimondo put it in an interview with TIME magazine in June: “We have something the world wants. … To the extent that we can use that to bring other countries to us and away from China, and away from human-rights abuses with the use of technology, that’s a good thing.”
The question now is how to take advantage of America’s cloud companies without letting their power float away.
“There is high level agreement in the U.S. government that compute [computational power] that’s relevant for advanced AI needs to be controlled,” says Chris Miller, an associate professor at Tufts University and author of Chip War: The Fight for the World’s Most Critical Technology. “Where the debate now lies is: Do you focus exclusively on preventing China from getting access? Or are you more concerned about making sure that compute [computational power] is concentrated in the U.S. and with close friends and allies?”
THE EAST-WEST PLAN
When Americans visualize “the cloud,” they’re probably not thinking of anything terrestrial. But the cloud is, in fact, highly territorial: 37 percent of the world’s data centers are located in the U.S., according to Data Center Map, a market intelligence firm. The country’s largest data center market — with close to 350 data centers — is located in Northern Virginia’s ‘Data Center Alley,’ which Amazon estimates handles 70 percent of global internet traffic each day.
Ashburn, Virginia — a wealthy Washington, D.C. suburb — became home to America’s largest cluster of data centers starting in 2007, mainly because the town ticked a number of the important boxes: cheap power (28 percent below the national average), reliable water, and proximity to a highly trained workforce.
For most of history, Hohhot, Inner Mongolia, has not been abundant in any of those things. Yet Hohhot has earned the title of China’s “Cloud Valley” as it has become one of the country’s fastest growing regions for data centers. In Hohhot, China Telecom claims to have built the largest data center in the world: a $3-billion, 11-million-square-foot facility. Neighboring Ulanqab City, meanwhile, hosts Apple’s second data center in China. (Chinese law requires Chinese customer data be stored domestically.)
Both projects are part of China’s “East Data, West Computing” plan — an audacious attempt to encourage Chinese cloud providers to move to inland China (the west of the country), where they can take advantage of the relatively cheap land prices and electricity rates to build vast data centers in underdeveloped regions. Because of onerous market entry conditions, Chinese firms already dominate the domestic cloud computing industry: Alibaba, Tencent and Huawei collectively control more than 70 percent of the domestic market, with state-owned telecoms companies like China Mobile and China Telecom accounting for much of the rest. But the goal of “East Data, West Computing,” which was launched in 2022, is to consolidate efforts and lower costs in order to build the “compute” the country needs for AI.
By the end of next year, a local official in Hohhot told state media, they hope to increase the region’s compute more than five-fold, with 91 percent of total capacity going towards ‘smart computing’ (read: AI).
“[Hohhot] is part of a national strategic plan,” says Andrew Stokols, a researcher at MIT studying China’s urban planning of data centers. “[Central planners] reference the south-north water transfer project [a $62 billion project to divert water from China’s Yangtze River more than 700 miles to the country’s arid north]. This is the digital equivalent of that.”
Yet even with cheap power and subsidized land, the East-West plan initially defied market logic, with many private companies, particularly those in the consumer internet business, reluctant to sign on. Conventional data centers, after all, are typically located close to population hubs in order to support high speed data transfers. If you’re trying to stream a Netflix show from an AWS server, for instance, you don’t want Amazon’s data center to be transmitting data from the other side of the country.
But the demands of the AI sector have turned this calculus on its head — and made the East-West plan more attractive in the process. Compared to traditional cloud computing, which has frequent traffic back-and-forth with users, data centers for training AI are more solitary.
“The AI story is changing [cloud computing] because a lot of the models can be trained in remote locations,” says Stokols. “Remote is actually ideal because you can send it there, train it, and send it back. The remote centers actually make a lot of sense.”
AI models are also extremely power hungry, making abundant and cheap energy critical to running them cost effectively. According to the International Energy Agency, a single ChatGPT query requires 9.6 times more electricity than a typical Google search. One estimate suggests that OpenAI’s latest model, GPT-4, took at least 50 gigawatt-hours of electricity to train — the equivalent of about nine hours of electricity consumption by all of New York City. The energy needs also increase when training models on older or less advanced chips — which are the only chips China can legally buy.
Chinese AI researchers are counting on the East-West plan’s energy advantage to make better use of the chips they already have and help China overcome Washington’s chip blockade. In a speech in July, Zhang Pingan, CEO of Huawei Cloud, argued as much: “The notion that without these advanced chips, we cannot lead in AI must be discarded in China,” he said. “Leveraging bandwidth, network and energy advantages to address computing power issues in the cloud is a reliable direction for China.”
In collaboration with a state-owned lab, Huawei is helping to develop a “National Integrated Computing Power Network” — an interconnected grid of AI cloud computing centers and supercomputers that would eventually allocate compute like a public utility. Its architects aim to get the system up and running by next year, and there are signs that the grid’s pieces are falling into place. After years of underutilization, usage of the country’s national data clusters is up, a top official at China’s National Data Bureau told reporters in July. The bureau has required that, by late-2025, at least 60 percent of newly-added compute in China be added to the national network.
A robust national computing grid, China hopes, will help the country get closer to so-called “sovereign AI.”
“The battle of a hundred models has led to a fragmentation of computing resources, delaying the development of ‘sovereign foundation models,’” Zhang Yunquan, a researcher with the Chinese Academy of Sciences Institute of Computing Technology, told Chinese media in March. Drawing an analogy to China’s nuclear and intercontinental ballistic missile programs, he added: “Whether it is specialized supercomputing projects or AI chip breakthrough projects, the state needs to coordinate resources, forming teams akin to the ‘Two Bombs, One Satellite’ program to achieve rapid breakthroughs.”
Many leading AI scholars in China see sovereign AI as a national necessity. Yan Kunru, chief AI ethics expert at the National Natural Science Foundation of China, has said the country “must develop AI with Chinese characteristics” that “cannot be influenced by Western values.” And two scholars with the Ministry of State Security’s research institute have warned that the failure to establish sovereign AI would expose China to “digital colonization.”
AI sovereignty, in its simplest form, makes a lot of sense; many countries want to produce and manage their own AI to ensure it is tailored to their own cultures and needs. The Singaporean government, for example, is sponsoring a large language model called SEA-LION (“Southeast Asian Languages in One Network”) that is trained on the region’s 11 languages. Chafing over the dominance of U.S. internet tech giants, France and Germany have also embraced sovereign AI and sought to reduce their dependence on U.S. cloud service providers.
Beijing is promoting this position abroad, both at standard-setting bodies like the U.N. and with countries that are buying its infrastructure. In places like Pakistan and Kenya, for example, where Huawei is helping to build AI-powered “safe city” surveillance programs, officials have emphasized the need to respect the sovereignty and jurisdiction of its partner countries.
To some, that might seem positive and rights-affirming, but Konstantinos Komaitis, a senior resident fellow at the Atlantic Council’s Digital Forensics Research Lab, warns that AI sovereignty can be a “trap.” To authoritarian governments, he says, sovereignty can also be used to justify building systems that are more opaque and closed off from the world.
“If there’s one thing we learned from the internet, it’s that openness works really well for innovation,” he says. “The more closed the systems are, the more prone they are to centralization and single points of failure. And the only way to counter sovereign AI is demonstrating the benefits of the alternative.”
CHIPS FOR PEACE?
In December 1953, U.S. president Dwight Eisenhower delivered a speech that reset America’s approach to the atomic age.
The nuclear arms race with the Soviet Union was well underway, and Eisenhower was wrestling with a dilemma: How could he promote America’s leadership in the transformational technology without enabling adversaries to misuse it for harm?
The president proposed a grand bargain: America would export technology and expertise to countries that desired civilian nuclear programs in exchange for their commitment to only use the technology for peaceful means. He called the plan “Atoms for Peace.”
While historians debate the plan’s success in controlling the proliferation of nuclear weapons, the idea has regained some cachet in the debate over AI. As in the 1950s, after all, America leads the development of a technology that the world is clamoring for. And as was the case then, the country closest behind the U.S. in developing the technology is its primary geopolitical rival, setting the stage for a two-horse race for influence and market dominance around the world.
In July, Cullen O’Keefe, a former researcher at OpenAI, wrote a proposal calling for the U.S. to distribute AI technology and know-how in exchange for commitments to AI safety and the nonproliferation of high-risk capabilities. In a callback to Eisenhower’s grand nuclear bargain, he titled the proposal “Chips for Peace.”
“The ability of the U.S. and its allies to exclude noncomplying states from access to the chips and data centers that enable the development of frontier AI models undergirds the whole agreement,” he wrote, “similar to how regulation of highly enriched uranium undergirds international regulation of atomic energy.”
But “chips for peace” is complicated by at least two factors. Unlike nuclear warheads, of which there are roughly 12,000 in the world, hundreds of thousands of AI chips are produced every year, which makes keeping track of each and every one of them almost impossible. Plus, unlike with nuclear power, the government isn’t holding the reins over AI’s development. Private American companies are producing some of the biggest advancements in AI as well as the infrastructure needed to train it — and they aren’t exactly happy about what they see as government overreach, including the Commerce Department’s proposed know-your-customer (KYC) rules.
The U.S. needs to be showing that it is not only focused on restrictions and risk scenarios, but that we are equally concerned with ensuring AI is benefitting the world. What exactly that package looks like is something we’re still figuring out.
Geoffrey Gertz, a senior fellow at the Center for a New American Security
“Cloud providers don’t want to snoop on your workload, even though they theoretically could,” says Lennart Heim, a researcher with the RAND Corporation who specializes in AI governance. “There is a norm of strong confidentiality that allows Netflix to use AWS, for example, even though Amazon is a direct competitor. They could snoop, but it would undermine the whole business model.”
The proposed rules would also give Commerce a say over how cloud providers provide AI computing to foreign customers. As foreign states clamor for more sovereign AI, this could emerge as a tension point. Many cloud computing providers, for instance, are currently offering customers varying degrees of control over the keys to their data centers while leasing them compute. In August, Google Cloud announced an arrangement with Saudi Arabia that would leave control of customer data to a Saudi state-owned enterprise.
More scrutiny from the U.S. government could threaten such accommodations, which could, in turn, make Chinese services more competitive.
“When it comes to training frontier models, there is no competition [to Nvidia] right now,” says Miller. “But what about a data center for inference [the process by which a trained AI model draws conclusions]? You need GPUs, but maybe not as many as a training center. That’s where China may emerge as competition.”
“As long as there is still huge demand [for cloud computing resources] and the U.S. is the top service provider, we can put in additional constraints and countries will still want to use our products,” adds CNAS’s Gertz. “But a lot of foreign governments and companies feel uneasy when they hear the U.S. government is going to keep records on who’s using the cloud. The more obligations we put in, the more we are helping potential competitors catch up to us.”
As Alibaba, Tencent and Huawei grow their global market share, U.S. providers like Microsoft, AWS and Google are trying to position themselves as the more trusted providers. Some analysts say the government is sympathetic to the argument that it’s in its interest for U.S. firms to win contracts in emerging markets, but it’s not always an easy balance to strike.
A controversial deal between Microsoft and Emirati AI firm G42, for instance, has attracted intense scrutiny due to G42’s ties to China, including through its CEO, Peng Xiao.
The $1.5 billion deal, which was first announced in April and brokered by Commerce, would allow G42 to train its AI using Microsoft’s data centers in exchange for a number of commitments. Reporting by the New York Times suggests G42 has promised to cease using Huawei telecom equipment and that G42 would need to seek permission before it shares its technologies with other governments. Microsoft would reportedly also have the power to audit G42’s use of its technology.
But many in the government, especially Congress, are still uneasy with the deal. In July, the chairs of the House foreign affairs and China committees raised concerns about the national security implications of the deal in a letter to Jake Sullivan, the national security advisor: “We support your efforts to work hand in glove with U.S. companies like Microsoft to strengthen our dominance in AI; however, we must also be clear-eyed about the risks posed by transferring our most critical AI technology particularly when it comes to countries where the PRC is active.”
Miller says the question the U.S. government is wrestling with is: “Do you drive a hard bargain [with industry] now in a way that may erode trust, versus be more lenient now in a way that gets more buy-in in the future?”
Even some advocates for regulating the cloud believe that Commerce’s draft KYC requirements go too far. The draft rules “call for doing KYC on essentially every single customer of an infrastructure service, so this could conceivably include many low-level users who are using it for just storage,” says Fist. “You can have a much more targeted approach without impinging on their privacy.”
Fist and Heim recently wrote a proposal that would narrow the focus of the U.S.’s cloud rules to only the biggest risks. Advanced weapons design, for instance, demands tens of thousands (if not hundreds of thousands) of AI chips, making it possible for cloud providers to spot such applications since they bill based on the number of hours that customers utilize their chips. “[Know your customer] for large transactions is something that companies already do,” says Heim. “If someone spends $70 million on compute that might be a warning sign that they’re training a GPT-4.”
Designing biological weapons, by contrast, can be done with only a few dozen AI chips, which Heim says makes it impossible to scan for without imposing onerous surveillance requirements on cloud providers.
This, he says, is an unavoidable weakness of the export control model. “You’re not going to stop [bad actors] from executing threat models that use only 1,000 chips,” he says. What would help stop an AI-generated toxin, he argues, “are the traditional things we should be doing anyway, like pandemic prevention.”
Gertz, meanwhile, argues that getting buy-in to America’s cloud rules requires more than just fine-tuning the details. While controlling access to U.S. chips may be in the national interest, “our restrictive measures would have greater legitimacy if we can show they have benefits as well,” he says.
“What is the value proposition for other countries out of the AI boom if the U.S. is going to be controlling it? The U.S. needs to be showing that it is not only focused on risk scenarios, but that we are equally concerned with ensuring AI is benefitting the world,” he says. “What exactly that package looks like is something we’re still figuring out.”
Eliot Chen is a Toronto-based staff writer at The Wire. Previously, he was a researcher at the Center for Strategic and International Studies’ Human Rights Initiative and MacroPolo. @eliotcxchen