BIS Asked to Hold off on Cloud Export Controls, Clarify Chip Rules

Technology companies, trade groups, think tanks and researchers urged the government to be cautious as it evaluates its semiconductor-related export controls and prepares new ones, warning that misguided restrictions could cede American technology leadership to China, hurt the competitiveness of U.S. companies and raise the complexity of an already fraught compliance landscape.

In more than 100 pages of comments recently made public by the Bureau of Industry and Security, businesses asked the administration to refine the chip control parameters that were updated in rules last year, more clearly define what some said are vague terms and definitions, improve the rules’ new chip export notification process, work to convince allies to impose the same measures and continue to exclude certain deemed exports from the scope of the new license requirements.

Although the submissions touched on a range of topics included in the hundreds of pages of new and tweaked regulations issued by BIS in October (see 2310170055), many spent time warning the U.S. about controls that haven’t yet been imposed: potential restrictions on remote access to advanced semiconductors through cloud service providers. BIS in October asked for feedback about how it should approach potential cloud restrictions, and whether new measures to stop Chinese companies from using cloud computing services to access export controlled chips are warranted or feasible (see 2401260051 and 2312080048).

Several commenters, including Microsoft, said they aren’t. Rather than placing sweeping controls on Chinese access to cloud computing services, the company said BIS should instead target specific “entities of concern” from accessing cloud services, including companies added to its Entity List, its Military End User List and its Unverified List.

Microsoft said it “understands that certain entities pose a heightened national security threat” because they can use advanced chips from cloud providers in artificial intelligence-powered technologies. But BIS should “focus any restrictions on specific entities … in lieu of broad country-wide prohibitions. A broad ban is more encompassing than necessary to address the national security threat.”

The company also suggested Commerce impose know-your-customer requirements on cloud providers instead of export controls, which would mandate certain due diligence practices. The agency proposed KYC rules for cloud services in January (see 2401290015).

Both the National Foreign Trade Council and BSA | The Software Alliance, two trade groups, said new cloud controls would contradict past BIS advice to companies. They pointed to advisory opinions the agency issued in 2009 and 2011, which said cloud services aren’t subject to the Export Administration Regulations. NFTC said it “urges BIS to remain consistent with longstanding precedent regarding grid and cloud computing services.”

Like Microsoft, the NFTC said that if BIS moves forward with some form of cloud controls, it should opt for entity-specific restrictions rather than country-wide controls. It said “overly broad controls” would hurt U.S. software service providers’ sales, “stifling their innovation and technological advancement, and impeding the adoption of their technologies worldwide.” NFTC also said non-U.S. companies, if they can’t access American cloud providers, would instead “build their technology off of Chinese” providers.

These country-wide controls would be “much more encompassing than is necessary to address any national security threat” and would lead to “serious unintended consequences,” BSA said, such as “accelerating Chinese development of its own Advanced AI Chips.”

At least one commenter urged BIS to quickly move forward with new cloud controls. The Institute for AI Policy and Strategy, an organization that says it works to reduce risks posed by AI, said the U.S. should “move forward as soon as possible” with at least “limited controls on cloud access.” But those controls don’t necessarily have to cover chips used in advanced AI applications, the institute said -- at least at first.

“The US will very likely want to impose some controls on cloud access to AI chips later,” it said. “Having the legal framework, international coordination, regulatory expertise, and enforcement practices established and proven ahead of time will likely be necessary to make those later controls fully successful and timely.”

The institute said initial controls should apply to military- or intelligence-related end uses and users in China and to “extremely large frontier AI training runs.” They should also be “preceded by reporting requirements and information collection” rules so the U.S. can better understand which Chinese entities are using cloud services.

But Georgetown University’s Center for Security and Emerging Technology said there aren’t enough Chinese entities looking to remotely access controlled chips to justify the costs of imposing those measures. It said the “most concerning threat vector” are Chinese-headquartered infrastructure-as-a-service (IaaS) providers located outside of China, but that threat “has already been addressed” through the headquartered-based export controls released by BIS in October. Those controls restrict Chinese-headquartered companies -- and other companies headquartered in U.S.-arms-embargoed countries outside of China -- from buying certain controlled chips.

“The headquartered-based approach is novel and may need to be adjusted to improve effectiveness in the future,” CSET said, “but on the surface it will likely be effective in preventing Chinese companies from gaining access to controlled chips at scale via Chinese-headquartered IaaS providers located outside of China.”

Several commenters asked BIS to adjust those headquartered-based controls, including the Semiconductor Industry Association, which said the definition for a “headquartered” company isn’t clear. “Any regulation requiring the exporter to make a determination of where a particular company is ‘headquartered’ must be clear, simple, and straightforward to assess,” SIA said.

Electronics company Lenovo said certain headquarters-based controls shouldn’t apply to a company that “does not have its day-to-day operations directed by an entity headquartered” in a restricted country, even if their ultimate parent is. “It is increasingly popular for multinational companies to adopt headquarters in two or more countries around the world,” the company said. “Applying the ‘headquarters’ test in such situations is difficult for those engaging in business with the dual-headquartered company.”

BIS should create “metrics” -- along with specific examples and best practices -- that can be used by exporters to assess whether a company’s ultimate parent is headquartered in a restricted country, the U.S.-China Business Council said. It also asked the agency to put together a “continually updated list of entities that meet these criteria” so companies can screen against them.

“As currently written, ‘headquartered in’ is a vague and overly broad concept with different meanings depending on the recipient and could include entities with minority Chinese ownership,” the business council said. “Under the current framework, companies will spend significant compliance resources conducting due diligence that is unlikely to catch restricted entities.”

SIA made similar points, saying even if BIS clarifies “what the ambiguous term ‘headquartered’ means,” compliance will still be challenging. It asked whether the agency will make exporters get a headquarters-related certification from every customer, whether exporters will need to update that certification regularly (because company headquarters can move “without notice”), and whether BIS penalties against companies “related to errors in identification of ‘headquarters’ locations” will reflect the “challenges of making accurate determinations and keeping those determinations current.”

The chip association also asked BIS to rethink its new License Exception Notified Advanced Computing (NAC), which includes a process under which companies may qualify for a license exception by submitting notifications for certain exports of “gray-zone” semiconductors that fall just below the new chip control parameters (see 2311200042). Notifications submitted under NAC should undergo a “formal interagency review process,” SIA said, which should include a way for exporters to appeal cases in which BIS decides that an export doesn’t qualify for the exception.

Intel asked BIS to eliminate the “redundant notifications” exporters must submit for the “same or similar product,” and said the agency should offer “bulk authorizations.” It should also shift some of the license exception’s reporting requirements to “post-shipment, rather than pre-notification.”

American chip company AMD urged BIS to expand NAC to also cover software and technology related to “NAC eligible hardware items.” The fact that companies can only use the exception for hardware “creates another level of complexity for exporters,” AMD said.

Many commenters, including SIA, thanked BIS for not applying deemed export controls as part of the October updates, which could have added license requirements for certain transfers that take place on U.S. soil. Even if that licensing policy was based on a presumption of approval, SIA said the “process of applying for such licenses alone would discourage the hiring” of certain foreign nationals and “create significant business and operational delays in a fast-paced industry due to the extended timeline from persons being hired to actively working.”

Intel said deemed export requirements are often “primarily a ‘paperwork’ exercise” and “often act as a barrier to competitiveness of U.S. companies,” while BSA said having to obtain a license for each foreign researcher subject to the requirements “would drastically slow down innovation.”

Other commenters asked BIS to improve the process surrounding electronic export filings for semiconductors controlled under the chip rules, which are identified with a new “.z paragraph” under their Export Control Classification Numbers. To identify those .z items in electronic export filings, the National Customs Brokers & Forwarders Association of America said BIS should either allow exporters to submit a report to the agency “regarding the .z item(s)” or allow them to include the “.z ECCN paragraph in the commodity description field in” the Automated Export System.

NCBFAA said there should be “greater coordination between” BIS, the Census Bureau and CBP to make sure AES can accept this information in the Electronic Export Information filing field. “By updating this data field to accept ECCN paragraph inputs, filers would be in a better position to comply with the new reporting requirements for .z items pursuant to [the October rules] and consistent with other reporting options under the EAR.”

Intel raised similar concerns. It said the government’s “delay in updating the AES system according to the requirements of new rule publications presents a challenge for exporters to remain compliant with the EAR.”

BIS received at least two comments from Chinese industry groups that criticized the new controls. The China Semiconductor Industry Association said the restrictions “further disrupt the global supply chain,” while the China Chamber of Commerce for Import and Export of Machinery and Electronic Products said they violate World Trade Organization rules and are an example of “unilateral bullying.”

Both groups said the restrictions will impact exports of advanced computing chips used for important civil reasons, such as medical imaging, weather forecasting and geological exploration. The China Semiconductor Industry Association asked BIS to grant exemptions for advanced chips used for those and other civil uses.

It also asked BIS to allow U.S. companies to honor any contracts made with Chinese companies before the updated rules were released on Oct. 17. American companies should be able to continue to “make deliveries” for contracts that were already in place, it said, and offer repair, maintenance and debugging services for chip equipment that has already been exported.

The association noted that China represents the world’s largest semiconductor market and has a “huge appetite” for innovation. “As such," it said, "the interests of the Chinese industry should be duly recognized.”