企业经营的困境。
https://www.oracle.com/news/announcement/blog/export-control-diffusion-confusion-2025-01-05/
Export Control Diffusion Confusion
By Ken Glueck, Executive Vice President, Oracle—Jan 5, 2025
There is an old adage in Washington that a regulation’s harmfulness is directly proportional to the number of new acronyms created (warning, spoiler alert). By that standard, the Biden Administration’s “Export Control Framework for Artificial Intelligence Diffusion” will go down as one of the most destructive to ever hit the U.S. technology industry. A few weeks ago, we wrote about the so-called Diffusion Framework here. Had we known then what we know now, we might not have been so circumspect.
The Bureau of Industry and Security’s (“BIS”) proposed Interim Final Rule (“IFR”) is a highly complex and wildly overbroad attempt to regulate Artificial Intelligence and GPUs in the name of national security. For over half a century, bipartisan consensus has held that the best way to achieve U.S. technological leadership is to regulate technology with a light touch. As a result, American companies have continued to lead each successive generation of technology, from the personal computer to the Internet, to mobile, to the cloud, and now Artificial Intelligence.
We all agree on specific areas where the U.S. must control access to GPUs because of the technologies they enable. Two clear examples that must be controlled outside of the U.S. are (i) the use of AI to speed the modeling and developing of weapons of mass destruction and (ii) Frontier Model development with the potential to create Artificial General Intelligence “AGI.”
BIS could have fashioned a regulatory scheme specifically targeted at these and other high-risk uses and specified a set of restricted users of very high-volume GPUs. The Diffusion Framework misses this mark by a wide margin and chooses instead to disrupt U.S. leadership in cloud, chips, and AI. And what Congress accomplished by passing the CHIPS Act (a mere $280 billion) the Biden Administration takes away with the Diffusion Framework, because in one IFR it has managed to shrink the global chip market for U.S. firms by 80 percent and hand it to the Chinese.i
Today, and in the future, the most common use for AI and GPUs is to power new features within a larger cloud service or system.ii Enterprises are training AI models on their own data to enhance productivity and create differentiation. Whole industries are using AI to create entirely new offerings and efficiencies, like in healthcare, transportation or hospitality. AI is used to reduce fraud and increase compliance in industries like banking and insurance. Public sector entities are using AI to increase public safety. SaaS applications—like Customer Relationship Management, Supply Chain, Enterprise Resource Planning—use AI Agents to improve performance and productivity. Mobile applications use AI Agents for the same reasons. Search and recommender engines use AI to improve and better tailor results. And we can all agree that none of these workloads or uses of AI technology and the GPUs they rely on constitute national security concerns.
Substantial quantities of GPUs are common components of public cloud offerings all around the world. The Diffusion Framework even acknowledges the benefits of AI across industry and society, but then focuses on highly hypothetical dual-use concerns posed by unrestricted use of GPUs and worries about so-called “diversion” or “aggregation.” These concerns are unfounded, as GPU supply chains are tightly controlled, and when deployed most of these GPUs are “on rails”—meaning they are either architected, implemented, or supported in such a manner as to limit their uses elsewhere, including for malicious or concerning purposes.
Somehow, this one basic fact—AI as a feature of all public, commercial clouds—escaped those drafting the Diffusion Framework. Hundreds if not thousands of data centers around the world hosting commercial cloud services already deploy and use significant numbers of GPUs—yet in far fewer numbers than would even come close to creating national security concerns. These GPUs and the systems they are embedded within are deployed by U.S. cloud providers and are closely monitored because they generate revenue for the services they enable. Yet rather than apply surgical precision to regulate specific activities of concern, the Diffusion Framework drops the Mother of All Regulationsiii on the commercial cloud industry, regulating in one Interim Final Rule (“IFR”) nearly all commercial cloud computing globally for the first time in history.
With such a dramatic new set of regulations you might expect the Biden Administration undertook a lengthy consultation and public comment period. You would be wrong. There was no consultation or comment period. We digress, but just so we are clear, an Interim Final Rule is Washington’s oxymoronic version of the jumbo shrimp.iv It’s not interim at all. It’s every bit final. Industry is now facing a final rule, that is over 200 pages of unknown complexity and that is being rushed to press just 10 days before a new Administration is inaugurated.
Turning to what we know about the rule itself, the IFR turns decades of export control policy on its head. Rather than base controls around a simple set of restricted countries (i.e. D: 5 countries + Macau), or any other cognizable list, the Framework imposes a global license requirement (as in, everywhere) for AI technology and GPUs. This is without question a substantial deviation from the scoping of the threat in the February 5, 2024, Office of the Director of National Intelligence, Annual Threat Assessment of the U.S. Intelligence Community and the April 26, 2024, Department of Homeland Security Report on Reducing the Risks at the Intersection of Artificial Intelligence and Chemical, Biological, Radiological, and Nuclear Department, both cited in the draft IFR and neither referencing Portugal as a country of concern, for example. Nor did they cite Saudi Arabia or the UAE in the context of AI at all.
The Framework introduces so many new acronyms in what we may better call the Confusion Framework that it’s hard to keep them straight: AIA, ACM, LPP, DC VEU, UVEU, NVEU, TPP, ACA. Then the Framework identifies 20 AIA countries (Artificial Intelligence Authorization Countries) for modestly better regulatory treatment than the rest of the world, but at the same time creates a regulatory morass for cloud providers to even service some of our closest allies. In a single confusing action, the BIS retroactively regulates global cloud GPU deployments; shrinks the global market for U.S. cloud and chip suppliers; establishes volume restrictions; tells 20 countries they can be trusted only if they agree to new unilaterally imposed terms—including certification and semi-annual reporting requirements—and likely pushes the rest of the world to Chinese technology, which the CCP will be only too happy to leverage to catch up with the U.S.
Next, the Framework sets up UVEUs (Universal Validated End Users). These are apparently trusted ultimate consignees (i.e. U.S. cloud hyperscalers) that will enjoy faster access to provide GPUs worldwide. The problem with UVEUs is they come with strings attached … actually, the regulation shackles UVEUs to the BIS in perpetuity. The UVEU program is tethered to FedRAMP High (plus a series of NIST standards), a U.S. government-defined collection of information and physical security requirements “to account for the government’s most sensitive, unclassified data in cloud computing environments...”—not commercial industry data.v FedRAMP High requires annual third-party audits, specific staffing and access controls, and it includes data sovereignty requirements, mandating U.S. locations for storage of U.S. government data. The problem is that outside of the U.S. (and even for the overwhelming majority of data centers inside the U.S.), there is no reason for the thousands of existing commercial data centers to meet these requirements, and they currently do not. The UVEU process would fundamentally change the economics of data center deployment around the world. Having been through the FedRAMP High process, it is not for the faint of heart.
On the other end of the spectrum is another acronym, LPP (a license exception for Low Processing Performance). Under LPP, most countries outside of the favored club of 20 would be permitted low levels of GPUs governed by country-specific caps. The IFR introduces GPU caps aggregated for all exporters and re-exporters for countries under LPP that are well below what would be needed for even the most non-concerning cloud GPU workloads, rendering LPP almost meaningless. You might not understand how limiting the LPP exception is because it first requires a Total Processing Performance (“TPP”) to English conversion. Bottom line, it’s essentially a null set, so we are back to UVEU.
The overarching problem with the Diffusion Framework is that global commercial cloud has been built out continuously and globally over the past twenty years. Large investments have been made. Customer commitments have been made. Location decisions are driven by infrastructure, like power and bandwidth. Many critical questions seem to not be answered or even considered, prior to the issuance of an IFR. How does the rule reconcile sovereign clouds deployed around the world with the prior permission of the U.S. government? What about regulated customers, like banks, which deploy cloud in their own data centers? What about a national healthcare system? Does technology refresh count towards the country caps? What about data centers co-located and managed by others? Will existing data centers all have to meet the U.S. government-centric requirements of UVEU FedRAMP High?
The Framework completely misses the reality that the very large data centers—the ones with hundreds of thousands of GPUs capable of truly training frontier models that BIS allegedly wants to regulate—draw so much power you can see them from Mars. There’s no hiding in plain sight. GPUs cannot be secretly aggregated or diverted from U.S. cloud providers in such large quantities to be concerning without being caught. As a national security imperative, let’s understand what these very large implementations are, who controls them, and who the customers are. And then let’s focus the regulation on those limited areas of concern.
Finally, there’s when the IFR is supposed to go into effect—as of this writing, a mere 60 days after publication in the Federal Register. Let’s be clear. A rule of this consequence on that timetable will turn the U.S. cloud industry upside down.
We all agree on the need to protect national security from the very real threats from certain AI uses; however, this rule does more to achieve extreme regulatory overreach than protect U.S. interests and those of our partners and allies. It practically enshrines the law of intended consequences and will cost the U.S. critical technology leadership.
In one of the most bizarre, what’s up is down and down is up moments, the government proponents of this rule claim that they are protecting U.S. hyperscalers from global competition. Respectfully, apart from the previously articulated and agreed upon national security concerns, we don’t need a ride, we need government to get out of the way.
To retroactively and surreptitiously issue a final rule of this magnitude without industry consultation and only days before the change in Administration is highly consequential. For the first time, we are applying draconian new regulations to largely unregulated public, commercial cloud. We are stifling innovation and strangling emerging business models. Worse, without fully contemplating the rule’s effects, we are likely handing most of the global AI and GPU market to our Chinese competitors.
Let that sink in.
i https://www.wsj.com/politics/national-security/china-biden-chip-manufacturing-gina-raimondo-b98c2606?st=uw8Tfc&reflink=article_email_share
ii The Biden Administration even tracks examples of common uses of AI here: https://ai.gov/ai-use-cases/ and here: https://github.com/ombegov/2024-Federal-AI-Use-Case-Inventory
iii GBU-43/B Massive Ordnance Air Blast bomb. https://www.defense.gov/Multimedia/Photos/igphoto/2001732840/
ivYes, Reddit, we are taking a side. It’s an oxymoron.
v https://www.fedramp.gov/understanding-baselines-and-impact-levels/
The Bureau of Industry and Security’s (“BIS”) proposed Interim Final Rule (“IFR”) is a highly complex and wildly overbroad attempt to regulate Artificial Intelligence and GPUs in the name of national security. For over half a century, bipartisan consensus has held that the best way to achieve U.S. technological leadership is to regulate technology with a light touch. As a result, American companies have continued to lead each successive generation of technology, from the personal computer to the Internet, to mobile, to the cloud, and now Artificial Intelligence.
We all agree on specific areas where the U.S. must control access to GPUs because of the technologies they enable. Two clear examples that must be controlled outside of the U.S. are (i) the use of AI to speed the modeling and developing of weapons of mass destruction and (ii) Frontier Model development with the potential to create Artificial General Intelligence “AGI.”
BIS could have fashioned a regulatory scheme specifically targeted at these and other high-risk uses and specified a set of restricted users of very high-volume GPUs. The Diffusion Framework misses this mark by a wide margin and chooses instead to disrupt U.S. leadership in cloud, chips, and AI. And what Congress accomplished by passing the CHIPS Act (a mere $280 billion) the Biden Administration takes away with the Diffusion Framework, because in one IFR it has managed to shrink the global chip market for U.S. firms by 80 percent and hand it to the Chinese.i
Today, and in the future, the most common use for AI and GPUs is to power new features within a larger cloud service or system.ii Enterprises are training AI models on their own data to enhance productivity and create differentiation. Whole industries are using AI to create entirely new offerings and efficiencies, like in healthcare, transportation or hospitality. AI is used to reduce fraud and increase compliance in industries like banking and insurance. Public sector entities are using AI to increase public safety. SaaS applications—like Customer Relationship Management, Supply Chain, Enterprise Resource Planning—use AI Agents to improve performance and productivity. Mobile applications use AI Agents for the same reasons. Search and recommender engines use AI to improve and better tailor results. And we can all agree that none of these workloads or uses of AI technology and the GPUs they rely on constitute national security concerns.
Substantial quantities of GPUs are common components of public cloud offerings all around the world. The Diffusion Framework even acknowledges the benefits of AI across industry and society, but then focuses on highly hypothetical dual-use concerns posed by unrestricted use of GPUs and worries about so-called “diversion” or “aggregation.” These concerns are unfounded, as GPU supply chains are tightly controlled, and when deployed most of these GPUs are “on rails”—meaning they are either architected, implemented, or supported in such a manner as to limit their uses elsewhere, including for malicious or concerning purposes.
Somehow, this one basic fact—AI as a feature of all public, commercial clouds—escaped those drafting the Diffusion Framework. Hundreds if not thousands of data centers around the world hosting commercial cloud services already deploy and use significant numbers of GPUs—yet in far fewer numbers than would even come close to creating national security concerns. These GPUs and the systems they are embedded within are deployed by U.S. cloud providers and are closely monitored because they generate revenue for the services they enable. Yet rather than apply surgical precision to regulate specific activities of concern, the Diffusion Framework drops the Mother of All Regulationsiii on the commercial cloud industry, regulating in one Interim Final Rule (“IFR”) nearly all commercial cloud computing globally for the first time in history.
With such a dramatic new set of regulations you might expect the Biden Administration undertook a lengthy consultation and public comment period. You would be wrong. There was no consultation or comment period. We digress, but just so we are clear, an Interim Final Rule is Washington’s oxymoronic version of the jumbo shrimp.iv It’s not interim at all. It’s every bit final. Industry is now facing a final rule, that is over 200 pages of unknown complexity and that is being rushed to press just 10 days before a new Administration is inaugurated.
Turning to what we know about the rule itself, the IFR turns decades of export control policy on its head. Rather than base controls around a simple set of restricted countries (i.e. D: 5 countries + Macau), or any other cognizable list, the Framework imposes a global license requirement (as in, everywhere) for AI technology and GPUs. This is without question a substantial deviation from the scoping of the threat in the February 5, 2024, Office of the Director of National Intelligence, Annual Threat Assessment of the U.S. Intelligence Community and the April 26, 2024, Department of Homeland Security Report on Reducing the Risks at the Intersection of Artificial Intelligence and Chemical, Biological, Radiological, and Nuclear Department, both cited in the draft IFR and neither referencing Portugal as a country of concern, for example. Nor did they cite Saudi Arabia or the UAE in the context of AI at all.
The Framework introduces so many new acronyms in what we may better call the Confusion Framework that it’s hard to keep them straight: AIA, ACM, LPP, DC VEU, UVEU, NVEU, TPP, ACA. Then the Framework identifies 20 AIA countries (Artificial Intelligence Authorization Countries) for modestly better regulatory treatment than the rest of the world, but at the same time creates a regulatory morass for cloud providers to even service some of our closest allies. In a single confusing action, the BIS retroactively regulates global cloud GPU deployments; shrinks the global market for U.S. cloud and chip suppliers; establishes volume restrictions; tells 20 countries they can be trusted only if they agree to new unilaterally imposed terms—including certification and semi-annual reporting requirements—and likely pushes the rest of the world to Chinese technology, which the CCP will be only too happy to leverage to catch up with the U.S.
Next, the Framework sets up UVEUs (Universal Validated End Users). These are apparently trusted ultimate consignees (i.e. U.S. cloud hyperscalers) that will enjoy faster access to provide GPUs worldwide. The problem with UVEUs is they come with strings attached … actually, the regulation shackles UVEUs to the BIS in perpetuity. The UVEU program is tethered to FedRAMP High (plus a series of NIST standards), a U.S. government-defined collection of information and physical security requirements “to account for the government’s most sensitive, unclassified data in cloud computing environments...”—not commercial industry data.v FedRAMP High requires annual third-party audits, specific staffing and access controls, and it includes data sovereignty requirements, mandating U.S. locations for storage of U.S. government data. The problem is that outside of the U.S. (and even for the overwhelming majority of data centers inside the U.S.), there is no reason for the thousands of existing commercial data centers to meet these requirements, and they currently do not. The UVEU process would fundamentally change the economics of data center deployment around the world. Having been through the FedRAMP High process, it is not for the faint of heart.
On the other end of the spectrum is another acronym, LPP (a license exception for Low Processing Performance). Under LPP, most countries outside of the favored club of 20 would be permitted low levels of GPUs governed by country-specific caps. The IFR introduces GPU caps aggregated for all exporters and re-exporters for countries under LPP that are well below what would be needed for even the most non-concerning cloud GPU workloads, rendering LPP almost meaningless. You might not understand how limiting the LPP exception is because it first requires a Total Processing Performance (“TPP”) to English conversion. Bottom line, it’s essentially a null set, so we are back to UVEU.
The overarching problem with the Diffusion Framework is that global commercial cloud has been built out continuously and globally over the past twenty years. Large investments have been made. Customer commitments have been made. Location decisions are driven by infrastructure, like power and bandwidth. Many critical questions seem to not be answered or even considered, prior to the issuance of an IFR. How does the rule reconcile sovereign clouds deployed around the world with the prior permission of the U.S. government? What about regulated customers, like banks, which deploy cloud in their own data centers? What about a national healthcare system? Does technology refresh count towards the country caps? What about data centers co-located and managed by others? Will existing data centers all have to meet the U.S. government-centric requirements of UVEU FedRAMP High?
The Framework completely misses the reality that the very large data centers—the ones with hundreds of thousands of GPUs capable of truly training frontier models that BIS allegedly wants to regulate—draw so much power you can see them from Mars. There’s no hiding in plain sight. GPUs cannot be secretly aggregated or diverted from U.S. cloud providers in such large quantities to be concerning without being caught. As a national security imperative, let’s understand what these very large implementations are, who controls them, and who the customers are. And then let’s focus the regulation on those limited areas of concern.
Finally, there’s when the IFR is supposed to go into effect—as of this writing, a mere 60 days after publication in the Federal Register. Let’s be clear. A rule of this consequence on that timetable will turn the U.S. cloud industry upside down.
We all agree on the need to protect national security from the very real threats from certain AI uses; however, this rule does more to achieve extreme regulatory overreach than protect U.S. interests and those of our partners and allies. It practically enshrines the law of intended consequences and will cost the U.S. critical technology leadership.
In one of the most bizarre, what’s up is down and down is up moments, the government proponents of this rule claim that they are protecting U.S. hyperscalers from global competition. Respectfully, apart from the previously articulated and agreed upon national security concerns, we don’t need a ride, we need government to get out of the way.
To retroactively and surreptitiously issue a final rule of this magnitude without industry consultation and only days before the change in Administration is highly consequential. For the first time, we are applying draconian new regulations to largely unregulated public, commercial cloud. We are stifling innovation and strangling emerging business models. Worse, without fully contemplating the rule’s effects, we are likely handing most of the global AI and GPU market to our Chinese competitors.
Let that sink in.
i https://www.wsj.com/politics/national-security/china-biden-chip-manufacturing-gina-raimondo-b98c2606?st=uw8Tfc&reflink=article_email_share
ii The Biden Administration even tracks examples of common uses of AI here: https://ai.gov/ai-use-cases/ and here: https://github.com/ombegov/2024-Federal-AI-Use-Case-Inventory
iii GBU-43/B Massive Ordnance Air Blast bomb. https://www.defense.gov/Multimedia/Photos/igphoto/2001732840/
ivYes, Reddit, we are taking a side. It’s an oxymoron.
v https://www.fedramp.gov/understanding-baselines-and-impact-levels/