Communications Litigation Today was a Warren News publication.

Researchers Caution Against Restricting Chinese Access to Cloud Computing Services

The U.S. should avoid placing export controls on cloud computing services to try to prevent Chinese companies from using a loophole that allows them to access controlled semiconductors, researchers said. Georgetown’s Center for Security and Emerging Technology and the Center for a New American Security explored this strategy in a new report released this week but said export controls don't “appear feasible and may have adverse consequences.”

The report comes about two months after the Bureau of Industry and Security said it was looking at ways to stop Chinese companies from using cloud providers to skirt its October chip controls (see 2303210037). The researchers said BIS could use U.S.-persons controls to restrict access to advanced cloud computing services, but that strategy could put U.S. people and companies “at a disadvantage in the global cloud service industry.”

The report specifically said BIS would face challenges implementing these controls multilaterally or plurilaterally, especially because no other country has the “equivalent” of BIS’ “U.S. persons” controls. “So plurilateralizing U.S. policies in this context would require a massive overhaul of allied export control authorities,” the researchers said. “There are also no international harmonized standards or governance policies related to cloud computing, which makes plurilateral action even more difficult.”

Without plurilateral controls, the U.S. would be able to place export controls on access to advanced cloud computing services only when a U.S. person is involved in the sale of the service, the report said, which could incentivize foreign cloud service providers to remove “‘U.S. persons’ from their China sales teams to avoid U.S. licensing requirements. Not only do these factors limit the effectiveness of achieving the stated objective, but they would also lead U.S. companies to disproportionately bear the cost of a new control.”

The researchers also argued that the controls would be “ineffective” because cloud service providers aren’t required to collect location data or information on “the chips to which their customers have access -- information that would be needed to control the activities of ‘U.S. persons.’” And even if the U.S. were to implement the controls alongside “Know Your Customer” requirements, Chinese entities “could possibly achieve similar performance levels in aggregate by purchasing or renting (via cloud computing services) chips that are not covered by U.S. export controls,” the researchers said.

The report recommends that BIS “continue to monitor the ways” China can access controlled chips through “alternative means” and try to “craft more fine-grained controls” instead of broad bans on categories of semiconductors. Even though those controls would be “arguably possible, using the [Export Administration Regulations] as it stands to control the sale of advanced cloud computing services to Chinese users is fraught with potential loopholes.” The researchers said they plan to publish another report that will “focus on controlling access to compute for specific problematic actors and end-uses in China.”