Bipartisan Act addresses national security gap in era of cloud computing
WASHINGTON, D.C., December 17, 2025 – Today, Senators Dave McCormick (R-PA) and Ron Wyden (D-OR) introduced the Remote Access Security Act, which amends the Export Control Reform Act of 2018 to extend existing export controls to the remote access of controlled U.S. technology through cloud infrastructure.
The Export Control Reform Act of 2018 (ECRA) gives the Executive Branch authority to regulate exports, reexports, and in-country transfers of sensitive items to protect national security. However, ECRA does not explicitly address remote access to controlled technology, which has become a growing concern as cloud computing enables powerful capabilities to be accessed from anywhere in the world.
“Under current law, bad actors can train AI models by accessing advanced chips under the jurisdiction of the US, and the Bureau of Industry and Security has no authority to require a license. This legislation closes this existing security gap by extending export controls to include remote access scenarios, ensuring that both physical possession and remote access to sensitive technology by foreign advisories face equivalent scrutiny when national security risks are present,” said Senator Dave McCormick.
“The remote-access loophole is a major weakness in America’s national security policy. Keeping cutting-edge chips out of the hands of China, Russia and other unfriendly regimes is key to securing U.S. AI leadership and global economic competitiveness. Foreign countries shouldn’t be able to end-run export bans on American technology just by accessing servers over the internet. I’m glad to partner on the Remote Access Security Act to ensure adversaries can’t remotely access American technology to undermine American interests,” said Senator Ron Wyden.
Remote access is defined as access by a foreign person of concern, specifically those from Russia, Iran, North Korea, and China (including Hong Kong and Macau), to U.S.-controlled items on the Commerce Control List through cloud infrastructure services, such as servers, processors and storage.
For example, under this bill, if a Chinese firm would like to rent access to a cluster of advanced chips already subject to U.S.-controls in an overseas datacenter, the Department of Commerce can require a license if determined that remote access is a risk to U.S. national security. Put simply, if the U.S. has the authority to prohibit the export of critical U.S. technology, then the remote access to that same technology should also be subject to control.
Three examples of high-risk national security activities involving access to controlled technologies, such as advanced AI chips, identified in the legislation include:
Conducting surveillance to undermine human rights through spyware, location tracking, or biometric identification
Training AI models to enable weapons of mass destruction, automated cyber attacks, or systems that evade human oversight
Accessing tools designed for offensive cyber operations
###