Regarding Biden's upcoming interim final rule titled "Export Control Framework for Artificial Intelligence Diffusion", SIA issued the following statement.

They said that this potential regulatory action is expected to impose global restrictions on the export of advanced integrated circuits from the United States and impose onerous licensing requirements.

"SIA and our member companies share the U.S. government's commitment to maintaining national security. However, we are deeply concerned about the unprecedented scope and complexity of this potential regulation, which was developed without industry input and could seriously undermine the United States' leadership and competitiveness in semiconductor technology and advanced artificial intelligence systems.

"We would like to caution against making such a rapid and significant policy shift during the transition period and without meaningful consultation with the industry. In the absence of such consultation, we urge the government to issue a proposed rule or hand over the policymaking process to the incoming Trump administration to ensure that government and industry leaders and our global partners have the appropriate opportunity to thoughtfully address this critical issue. "We stand ready to work with the U.S. government to best achieve its national security goals in a targeted manner while ensuring our companies can continue to compete and win globally." Oracle even bluntly stated in its related commentary that this approach would hand over the GPU market to China.

Oracle: Export controls spread confusion

There's an old Washington adage that the harm done by a regulation is proportional to the number of new acronyms it has (warning, spoilers). By that standard, the Biden administration's "AI Proliferation Export Control Framework" will be one of the most destructive policies ever enacted on the U.S. tech industry. We wrote about the so-called proliferation framework here a few weeks ago. Had we known then what we know now, we might not have been so cautious.

The interim final rule (IFR) proposed by the Bureau of Industry and Security (BIS) is an extremely complex and overly broad attempt to regulate AI and GPUs in the name of national security. For more than half a century, bipartisan consensus has been that the best way to achieve U.S. technological leadership is to apply light-touch regulation to technology. As a result, U.S. companies have led every generation of technology, from PCs to the internet, mobile devices, cloud computing, and now AI.

We all agree that the U.S. must control specific areas of access to GPUs because they enable technology. Two clear examples of where control must be done outside the U.S. are (i) using AI to accelerate the modeling and development of weapons of mass destruction, and (ii) cutting-edge model development that has the potential to create artificial general intelligence (AGI).

BIS could have developed a regulatory scheme specifically targeting these and other high-risk uses and designated a restricted set of users of very high-volume GPUs. The proliferation framework falls far short of that goal, choosing instead to undermine U.S. leadership in cloud computing, chips, and AI. What Congress accomplished with the CHIPS Act (which was only $280 billion) was taken away by the Biden administration with the proliferation framework, as it succeeded in shrinking the global chip market for U.S. companies by 80% in one IFR and giving it to the Chinese.

The most common use of AI and GPUs today and in the future is to power new features in larger cloud services or systems. Enterprises are training AI models with their own data to improve productivity and create differentiation. Entire industries are using AI to create entirely new products and efficiencies, such as healthcare, transportation, or hospitality. AI is used to reduce fraud and improve compliance in industries such as banking and insurance. Public sector entities are using AI to improve public safety. SaaS applications (such as customer relationship management, supply chain, enterprise resource planning) use AI agents to improve performance and productivity. Mobile applications use AI agents for the same reasons. Search and recommendation engines use AI to improve and better tailor results. We all agree that none of these workloads or the uses of AI technologies and the GPUs they rely on pose national security concerns.

About GPU

GPUs are common components of public cloud offerings around the world in large numbers. The Proliferation Framework even acknowledges the benefits of AI across industry and society, but then focuses on the highly hypothetical dual-use issues and concerns about so-called "diversion" or "aggregation" that arise from unrestricted use of GPUs. These concerns are unfounded because the GPU supply chain is tightly controlled and, when deployed, most GPUs are "on track" - meaning they are architected, implemented, or supported in a way that restricts their use elsewhere, including for malicious or worrisome purposes.

Somehow, those who drafted the Proliferation Framework overlooked this basic fact: AI is a feature of all public commercial clouds. Hundreds or even thousands of data centers around the world that host commercial cloud services already have large numbers of GPUs deployed and in use, but far fewer than would raise national security concerns. These GPUs and the systems they are embedded in are deployed by U.S. cloud providers and are closely monitored because they generate revenue for the services they support. Yet, rather than precisely regulating specific worrisome activities, the Proliferation Framework drops the "mother of all regulations" for the commercial cloud industry, regulating virtually all commercial cloud computing worldwide for the first time ever in an Interim Final Rule ("IFR").

The new regulations

With such a dramatic new regulation, you might expect the Biden Administration to engage in a lengthy consultation and public comment period. But you'd be wrong. There was no consultation or comment period at all. We digress, but for clarity, the Interim Final Rule is a giant shrimp version of Washington's self-contradiction. It is not interim at all. It is completely final. The industry is now faced with a Final Rule that is over 200 pages long, of unknown complexity, and hastily printed 10 days before the new Administration took office.

When it comes to what we know about the rule itself, the IFR upends decades of export control policy. Rather than centering controls around a simple set of restricted countries (i.e. D: 5 countries + Macau) or any other identifiable list, the Framework imposes global licensing requirements (i.e. ubiquitous) on AI technology and GPUs. This is undoubtedly a significant departure from the scope of the threat in the February 5, 2024, Office of the Director of National Intelligence Annual Threat Assessment of the United States Intelligence Community and the April 26, 2024, Department of Homeland Security Report on Reducing the Risk of Intersection of Artificial Intelligence and the Chemical, Biological, Radiological, and Nuclear Sectors, both of which are cited in the draft IFR, but neither of which mentions countries of concern such as Portugal. They also do not mention Saudi Arabia or the UAE in the context of AI.

The framework introduces so many new acronyms that we might better call it the "confusion framework" that it is difficult to directly connect them all: AIA, ACM, LPP, DC VEU, UVEU, NVEU, TPP, ACA. The framework then identifies 20 AIA countries (AI Authorized Nations) that have slightly better regulatory treatment than the rest of the world, but at the same time creates a regulatory quagmire for cloud providers to serve even our closest allies. In a confusing move, BIS retroactively regulates global cloud GPU deployment; shrinks the global market for U.S. cloud and chip suppliers; establishes quantitative limits; tells 20 countries they can only be trusted if they agree to new unilaterally imposed terms (including certification and semi-annual reporting requirements); and threatens to push the rest of the world toward Chinese technology that the CCP will be only too happy to use to catch up with the U.S..

Next, the framework establishes UVEUs (Universal Verified End Users). These are apparently trusted end consignees (i.e., U.S. cloud hyperscalers) who will enjoy faster access to GPUs available worldwide. The problem with UVEUs is that they come with strings attached… In effect, the regulation tethers UVEUs to BIS in perpetuity. The UVEU program is tied to FedRAMP High (and a host of NIST standards), a collection of information and physical security requirements defined by the U.S. government "for the government's most sensitive, unclassified data in cloud computing environments…"  -  not commercial industry data. FedRAMP High requires annual third-party audits, specific staffing and access controls, and includes data sovereignty requirements requiring U.S. locations to store U.S. government data. The problem is that there is no reason for the thousands of existing commercial data centers outside of the U.S. (or even for the vast majority of data centers within the U.S.) to meet these requirements, and they currently do not. The UVEU process will fundamentally change the economics of global data center deployments. Having lived through the FedRAMP High process, I know it's not for the faint of heart.

At the other extreme is another acronym, LPP (License Exception for Low Processing Performance). Under the LPP, most countries outside the 20 favored clubs allow low levels of GPUs, regulated by country-specific caps. The IFR introduces GPU caps for all exporters and re-exporters for countries under the LPP that are far below what is required for even the least worrisome cloud GPU workloads, rendering the LPP almost meaningless. You may not appreciate how restrictive the LPP exception is because it first requires a translation of the total processing performance ("TPP") into English. At the end of the day, it's essentially an empty set, so we're back to the UVEU.

The main problem with the proliferation framework is that the global commercial cloud has been built continuously and globally for the past two decades. Massive investments have been made. Customer commitments have been made. Location decisions are driven by infrastructure like power and bandwidth. Many key questions seem to have been left unanswered or even considered before the IFR was issued. How does the rule reconcile sovereign clouds deployed around the world with prior permission from the U.S. government? What about regulated customers (like banks) that deploy clouds in their own data centers? What about national healthcare systems? Do technology refreshes count toward national caps? What about data centers co-located and managed by others? Do all existing data centers have to meet the US government-centric UVEU FedRAMP High requirements?

This framework completely ignores the reality that hyperscale data centers (with hundreds of thousands of GPUs capable of truly training cutting-edge models, and which BIS allegedly wants to regulate) consume so much power that they can be seen from Mars. They can't hide in plain sight. GPUs can't be secretly aggregated or transferred from US cloud providers in such large quantities that they would attract attention if not discovered. As a national security imperative, let's understand what these hyperscale facilities are, who controls them, and who the customers are. Then let's focus regulation on these limited areas of concern.

Finally, when is the IFR effective? As of this writing, there are only 60 days left until publication in the Federal Register. Let's be clear. This rule, implemented on this timeline, will upend the U.S. cloud computing industry.

We all agree on the need to protect national security from the very real threats posed by certain AI applications; however, this rule does more to achieve extreme regulatory overreach than to protect the interests of the United States and its partners and allies. It effectively establishes the law of intended consequences and will cause the United States to lose leadership in critical technologies.

In this most bizarre of moments, when up is down and down is up, the administration supporting this rule claims that they are protecting U.S. hyperscalers from global competition. With all due respect, we do not need a free ride, we need the administration to get out of the way, except for the previously articulated and agreed-upon national security concerns.

The consequences of publishing such a significant final rule in secret, without industry input, and just days before a change of administration are very serious. For the first time, we are applying draconian new regulations to a largely unregulated public commercial cloud. We are stifling innovation and killing emerging business models. Worse, if the impact of the rules is not fully considered, we may well lose much of the global AI and GPU market to our Chinese competitors.

Source: Content is compiled from Oracle and other sources

View more at EASELINK