Schoolwork - BIS and the AI Arms Race: How Export Controls can Maintain American Advantage in AI Hardware
Year of Hacking - Week 0x16
As I wrap up my senior year, one of the more substantial projects I did was a hefty paper on potential controls to prevent the proliferation of advanced semiconductor products to China. The assignment necessitated that I tailor and address this report to a single individual, so this one goes out to you, Jeffrey Kessler, Undersecretary of the Bureau of Industry and Security. Also to my Professor Marsha Maxwell, thanks for creating a competent writing class for us STEM kids.
Here is a version of that report that's not trying to hit word count and reformatted to for a blog post:
BIS and the AI Arms Race: How Controls Can Maintain American Advantage in AI Hardware
The gap between the United States' and China's capability to design and field advanced semiconductor products, particularly Graphics Processing Units (GPUs) and Central Process Units (CPUs) has allowed the United States to effectively set the rules on the proliferation and availability of the most advanced chips. This lever of soft power has secured a lead in the design of leading-edge semiconductors between the US and China, with estimations falling between three (Hosokawa 2024) and six (Miller 2024) years. Maintaining this capability gap is a national security priority (White House 2024), as belligerents can use advanced chips to field advanced Artificial Intelligence (AI) models and Large Language Models (LLMs) for military purposes like information warfare campaigns (McGuire 2025), capability development (Meier 2024) and intelligence processing (Ish et al 2021). Researchers at the Australian National University theorize that the oceans could become transparent by the 2050s, meaning that opponents in a future war will likely utilize advancements in AI to process the massive amounts of data required to create a complete image of the oceans. If this were to happen, the quietest and most survivable leg of the Nuclear Triad will be rendered useless, critically threatening our nuclear deterrent.
The process of fielding advanced models can be split into three discrete steps:
Data gathering
The lab gathers the corpus of data that will be used as the knowledge base for the future model. Generally, the more context added, the easier the model can construct relationships between the data, thus enhancing its capability.
Training
Labs feed the data into the model and give it a score based on how accurate or close the result is to the correct result. This is typically the most resource-intensive step, with final upfront costs often coming to 9 figures from the most well-resourced labs, much of which is spent on hardware and electricity.
Inference
The model will be taken out of training mode and into "inference" mode, meaning that its parameters will no longer change. The model will then be deployed for its final use case. Crucially, both the training and inference steps require massive amounts of GPUs, and it has historically held true that the more GPUs a lab has or how GPU-rich it is, the faster it can iterate on new models (Yeluri 2023).
Shortly after the ratification of the bipartisan $53 billion CHIPS Act in 2023, the Bureau of Industry and Security initiated export controls that restrict the export of the most advanced chips to China and Macau by classifying them as munitions, using the same legal mechanism that restricts American companies from selling weapons to Russia and Iran. This action targeted the H100, Nvidia's latest and most performant AI GPU, and any future chips surpassing its performance characteristics. In October 2024, the export controls expanded the list of countries subject to export restrictions to all arms-embargoed countries, including Russia. They required sellers to implement a form of Know-Your-Customer (KYC) so shell companies and resellers could not be used to provide plausible deniability to organizations, closing the major loophole left in the initial pass.
In January 2025, the Chinese lab DeepSeek AI, a subsidiary of Chinese quant firm High-Flyer, released an open-weight LLM called DeepSeek R1. This model performed similarly to the best-performing open and concurrent closed-weight models. Deepseek claimed they trained the model for only $6 million of capital investment. In the preceding year, Meta trained and released an open-weight model with similar complexity and performance at $90-$120 million. Shortly after Deepseek's claim circulated online spaces, Nvidia's about $600 billion of market cap as their stock tanked from $142.62 to $118.42 (-20.4%). A concurrent drop from $640.13 to $606.78 (-5.2%) for Vanguard's Technology ETF occurred over the three-day period from January 24-27, 2025. Many analysts attribute this selloff to bearish sentiment in the market around American AI labs and their perceived inability to maintain technological parity with Chinese AI labs. In online spaces, analysts, professionals, and AI enthusiasts questioned the significant capital investments required by American AI labs. The narrative echoed in Western tech spaces was that Microsoft and Amazon, Google, Meta, OpenAI, and Twitter were all being demolished in the race for AI by a couple of Chinese 20-somethings quants' side project made in the proverbial cave with a box of scraps.
Would have done numbers in Q1 2025
Many analysts predicted that eventually, open-weight models would achieve parity or outperform the top closed-weight models. However, the country of origin blindsided all but the most informed analysts in the AI space, as DeepSeek is an anomaly in the Chinese tech industry. Before DeepSeek, state-affiliated Chinese tech giants such as Huawei, ByteDance, and Alibaba accomplished the most significant AI work from the country. These organizations operate with military-like adherence to the chain of command, with deviation from the plan set by superiors being intolerable. In contrast, DeepSeek runs more like a scrappy American tech startup, with long hours, high pay, and higher autonomy given to its brilliant young engineers. The Chinese government has since hoisted DeepSeek as a model for future Chinese tech startups to strive to, and most believe that this is the vanguard of future lean Chinese startups that will compete with American equivalents.
Some identified DeepSeek's sudden emergence as a competitor in the notoriously capital-intensive space of AI as the first symptom of a failed attempt at slowing Chinese advancement using toothless export controls and that a different strategy must be employed. While it is likely that the Chinese acquired these GPUs before the 2024 revisions of the export controls, keep in mind that these Chinese labs are backed by the full force of the Chinese Government, as well as the best Chinese hackers, businessmen, and strategists, all unified by economic and political motivations. These opponents will go to great lengths to circumvent any controls implemented from the American side of the ledger.
Recent reporting has also indicated a 366% increase in GPU shipments from manufacturing hubs in Taiwan to companies in Malaysia, given recent tariffs and export controls. Many have theorized that shell companies are being set up in Malaysia and other Southeast Asian nations to dodge export controls (Shilov 2024). While Malaysia is developing a tech sector and much of their growth is legitimate, the spike in shipments following the October 2023 rules likely signals increased demand from shell companies set up on Chinese customers' behalf.
It has become apparent that the current administration must implement new export controls to maintain American dominance in the race for AI. We will examine the feasibility of two hard technical controls:
Requiring manufacturers to implement a "Call-Home" functionality.
Requiring manufacturers to implement Digital Rights Management on specialized software drivers
And four soft administrative controls:Requiring Know-Your-Customer processes for AI services provided by federal contractors
Implementing export controls on specialized software drivers
Instructing law enforcement to charge smugglers of graphics hardware with espionage and other national-security oriented crimes.
Rehiring DOGE-cut staff to the Bureau of Industry and Security, the body responsible for preventing the proliferation of technologies critical to national security.
Technical Controls
Solution 1 - Digital Rights Management (DRM): Drivers and firmware are the software that is run on-chip that manages the basic functions of the chip. GPU firmware allows a chip to be used by the rest of the computer. Typically, proprietary firmware packages are distributed and engineered by chip manufacturers, though open-source drivers exist. Because chip manufacturers have the most in-depth knowledge of its architecture and optimization, proprietary drivers typically provide the best performance and efficiency compared to open-source drivers. NVIDIA, the largest contender in Graphics Cards, has recently tried to open-source some drivers on Linux platforms. However, their most performant drivers are still proprietary.
DRM is a software tool that prevents the proliferation and distribution of software without consent. Existing DRM schemes protect software like Adobe and Microsoft Office without a license and protect streaming services from piracy of their content. Legislation exists that criminalizes the breaking of DRM, like DMCA. This has not stopped the DRM ecosystem from becoming a cat-and-mouse competition between hackers and security researchers against the manufacturers of DRM software, with new methods being introduced and circumvented consistently. However, software providers deploy DRM, and there is a robust ecosystem of DRM packages that can be utilized to accomplish this goal.
We propose that the October ITAR regulations be expanded to include the drivers of graphics hardware past a certain performance threshold and require that all distribution of proprietary drivers implement a DRM solution to prevent the software from being installed on an unauthorized or smuggled chip.
Solution 2 - Call-Home: In informal spaces, some have theorized about implementing a "Call-Home" functionality into target chips to render them useless if they physically leave a particular geography. This "Call-Home" system will utilize latency to estimate how far the computer running a component is from a trusted server. It has been demonstrated that with enough data points and Call Home servers, it is possible to pinpoint the location of a computer precisely.
A Call-Home control system includes two components:
A trusted server for products to contact
A subsystem within a target product
The trusted server will be placed central to a target geography. For example, if a manufacturer wanted to implement a control that would prevent systems from functioning if they left Saudi Arabia, they would likely take advantage of Riyadh's central location and place the physical servers there.
Designers will be required to alter the architecture of a chip to include a system that periodically contacts the server and executes a cryptographic exchange. By using Public-Private cryptography, the system would be secure as long as the private keys held at the physical location of the servers are kept safe.
The process is:
After a set interval, the subsystem will reach out to the trusted Call-Home server.
The Call-Home server will accept the request and initiate a multi-step cryptographic exchange with the subsystem. Measuring the latency between each step of the exchange.
If the handshake takes longer than a set time, the Call-Home server will send a command back to the subsystem to deactivate the chip.
Currently, digital geolocation techniques typically rely on IP addresses and other signals that can ultimately be spoofed by using a proxy or a VPN. Adding latency-based geolocation can defeat the obfuscation by VPNs and proxies.
AI models trained for military applications by the PLA in the PRC will likely be trained on-premises in China. Because of the geographical distance of over 6,000 miles between the United States and China, Call-Home servers placed in the United States will easily discriminate between traffic coming from across the Pacific Ocean or a friendly nation in the Americas or Europe. Multiple Call-Home servers can also be set up in different locations to get more telemetry on potential locations. For example, suppose a server in France observes a short latency while servers in the US or Japan observe a long latency. In that case, we can guess with higher confidence that the target product is located somewhere in Europe. Additionally, this provides policymakers with an accurate accounting of the proliferation of high-end chips worldwide, allowing them to make better-informed decisions on how this technology should be regulated.
The exact impact that failing a Call-Home test will have on a chip can be up to policymakers to decide. There are three possible actions that the Call-Home subsystem can take:
Temporarily render the chip useless until it is brought back to a non-fenced geographic area.
This is the most consumer friendly option, should these measures be executed. As network jitter and unplanned network failures will have minimal impact on on-premises installations.
Deactivate the chip until the customer contacts the manufacturer and can verify ownership.
This solution will be more effective in depriving target organizations of computing resources. However, it will require private companies to collaborate closely with the US Government and devote massive manpower to the constant reactivation of systems from false positives. This solution will likely come with resistance from manufacturers and consumers of these systems.
Intentionally damages the unit by flooding sensitive electronics with power
While a draconian method, this is the most effective way to disincentivize illegal smuggling of hardware outside of greenlit areas, particularly given the price of units. It is reasonable to assume that smugglers and shell-company operators involved in proliferating systems to embargoed or blacklisted organizations would take massive damage to their operations if their products destroy themselves upon first use.
Legal Controls
Regulatory To prevent the illegal export of graphics card hardware, we recommend updating regulatory frameworks for contracting with the federal government and for hardware exporters.
The US Federal Government is the American tech sector's largest and most reliable customer. As such, adjusting compliance frameworks can be used as a lever for American industrial policy. We recommend changing existing compliance frameworks that require government contractors to audit the source of any AI they use internally or provide to the US Government. This update will require any AI used internally or packaged for consumption by the US Government to be run in datacenters in the United States, owned and operated by American companies.
Munitions export controls (ITAR 2025) have already targeted GPUs that surpass a set performance threshold. However, evidence has surfaced that Chinese companies have used shell companies in Taiwan, Hong Kong, Vietnam, and other countries to dodge export controls and acquire GPUs, even after the 2023 revision to the export controls that attempted to close a prominent loophole.
Export control regulations can be applied to any company doing business in the US, regardless of sector. However, they have historically only been employed in a national security context to maintain free market principles (Gregg, 2024). The Intelligence Community and other government sectors have labeled AI as a national security concern. Now is the time to treat the proliferation of the hardware used to build AI as an equal concern to other national security concerns.
We propose that the Department of Commerce develop a certification process to audit primary and third-party sellers of high-end GPUs to certify that they have implemented Know Your Customer (KYC) procedures.
Drivers Export Controls: It is possible to categorize software as a munition under ITAR regulations, particularly in instances of compromised national security. Manufacturers of graphics cards will develop and distribute proprietary drivers that enhance hardware performance. Open-source drivers exist, but invariably are less performant than manufacturer-produced drivers. Manufacturers will also distribute multiple driver versions tailored to specific use cases, like real-time gaming applications or machine learning. While there is legal precedent against restricting the export of source code, human-readable algorithms, and other representations of programs (Berenstein v. US), because of the closed-source nature of these drivers, it would be possible to restrict the export of proprietary drivers that enable training ML models under ITAR with consultation by the Bureau of Industry and Security (BIS) of the Department of Commerce (DoC).
Criminal Penalties The proliferation of AI has been upgraded from a niche competition concern for boutique Silicon Valley companies to a national security concern. As such, judicial punishments for illegally proliferating AI capability should invite commensurate punishment. We can draw upon the Department of Energy's treatment of the Uranium refinement process in the 20th century. With the development of the fission bombs in the 1940s and later the fusion bombs of the 1950s, the technology and capability to procure and refine fissile materials became a national security concern. The Department of Energy and military went through great effort to prevent the proliferation of equipment, particularly centrifuges, that can be used in the process of refining nuclear materials and collaborated with the Department of Justice to prosecute any entity that was attempting to smuggle centrifuges out of the United States, as the Soviet Union could utilize them. While there are few instances of convictions involving selling nuclear equipment to the Soviets, an American and Brit were charged with violating the Federal Munitions Control and Arms Export Acts in 1983 (New York Times 1983). In February 2025, the Singaporean government charged three men with fraud for reexporting restricted Nvidia GPUs to China, according to Channel News Asia.
Law enforcement should be instructed and authorized to cooperate with our international partners in Southeast and East Asia to prosecute those who illegally circumvent soft controls against the proliferation of AI hardware, charging them with espionage and smuggling.
Rehiring of cut BIS staff The Department of Government Efficiency (DOGE) has been ordering severe cuts to all sectors of the executive branch, including the Department of Commerce. While there is no evidence of DOGE firing personnel in the BIS office, the office must be protected from future workforce cuts. DOGE is under the control of foreign-born billionaire Elon Musk, who has significant business dealings in China. This presents a serious security concern, leaving Musk vulnerable to coercion by elements of the Chinese Communist Party (CCP). Given the recent pivot in strategy to the United States Pacific interests, it would be a grievous mistake to fire personnel responsible for steering American economic levers. As such, we recommend that the current BIS be preserved and safeguards be implemented to prevent DOGE or bodies from gutting the office.
Conclusion
Discussions surrounding AI in national security and competition inevitably lead to comparisons to the Manhattan Project. The Stargate project, the half-trillion-dollar AI infrastructure project and so far the only piece of technological industrial policy supported by the second Trump administration, demonstrated that AI dominance is a national security priority. If the Manhattan Project comparison holds, AI chips are the centrifuges producing the fissile material required to create the atom bomb.
By melding soft and hard controls, the Federal Government can exert pressure on the Chinese technology sector. Analysts in the public and private sectors have labeled AI as the most transformative technology of this decade. The United States has led the charge on nearly every critical technology since the atom was split, and technological dominance brought security and prosperity for all Americans. We must continue this legacy into the coming century with competent industrial policy incorporating all arms of government. We have massive leverage over the supply chains that build the critical components of tomorrow's weapons.
Actual Conclusion
This isn’t a perfect paper, I think some of the solutions are toothless. The real solution is more CHIPS acts and competent diplomacy with our technological allies in Europe and East Asia. Citations are scuffed also. Room for improvement. Hopefully when I’m running Google in 30 years I can use this as a starting point to compare my skills.
Sources
Shilov 2024 - Tom's Hardware https://www.tomshardware.com/tech-industry/artificial-intelligence/massive-366-percent-chip-shipment-surge-to-malaysia-amid-increased-nvidia-ai-gpu-smuggling-curbs-ahead-of-looming-sectoral-tariffs
Vaughan-Nichols 2024 - Nvidia finally open sources some of its GPU drivers. How to tell what's under your hood https://www.zdnet.com/article/nvidia-finally-open-sources-some-of-its-gpu-drivers-how-to-tell-whats-under-your-hood/
Miller Focus Taiwan 2024 - China lags TSMC's chip capabilities by around 6 years: 'Chip War' author https://focustaiwan.tw/business/202412140010
Hosokawa Nikei Asia 2024 China's chip capabilities just 3 years behind TSMC, teardown shows https://asia.nikkei.com/Business/Tech/Semiconductors/China-s-chip-capabilities-just-3-years-behind-TSMC-teardown-shows
White House 2024 - FACT SHEET: President Biden Takes Action to Protect American Workers and Businesses from China's Unfair Trade Practices in the Semiconductor Sector https://bidenwhitehouse.archives.gov/briefing-room/statements-releases/2024/12/23/fact-sheet-president-biden-takes-action-to-protect-american-workers-and-businesses-from-chinas-unfair-trade-practices-in-the-semiconductor-sector/
McGuire et al 2025 - Exploring Artificial Intelligence-Enhanced Cyber and Information Operations Integration https://www.armyupress.army.mil/Journals/Military-Review/English-Edition-Archives/March-April-2025/AI-Cyber-Information-Operations-Integration/
Meier 2024 - The fast and the deadly: When Artificial Intelligence meets Weapons of Mass Destruction https://europeanleadershipnetwork.org/commentary/the-fast-and-the-deadly-when-artificial-intelligence-meets-weapons-of-mass-destruction/
Ish et al 2021 - Evaluating the Effectiveness of Artificial Intelligence Systems in Intelligence Analysis https://www.rand.org/pubs/research_reports/RRA464-1.html
Bradbury et al 2020 - Transparent Oceans? The Coming SSBN Counter-Detection Task May Be Insuperable https://researchportalplus.anu.edu.au/en/publications/transparent-oceans-the-coming-ssbn-counter-detection-task-may-be-
Yeluri 2023 - Large Language Models — the hardware connection https://blog.apnic.net/2023/08/10/large-language-models-the-hardware-connection/
Reddit 2021 - Latency-based geolocation - an experiment in POP-hunting https://www.reddit.com/r/Starlink/comments/n33rg5/latencybased_geolocation_an_experiment_in/
Gregg 2024 - A Free, Prosperous and Secure America https://aier.org/article/a-free-prosperous-and-secure-america/
New York Times 1983 - 2 CHARGED WITH SELLING ITEMS OF HIGH TECHNOLOGY TO SOVIET https://www.nytimes.com/1983/12/21/us/2-charged-with-selling-items-of-high-technology-to-soviet.html
Channel News Asia 2025 - 3 men charged with fraud, cases linked to alleged movement of Nvidia chips https://www.channelnewsasia.com/singapore/3-men-charged-fraud-nvidia-chips-singapore-china-deepseek-4964721z
ITAR (2025). PART 121—THE UNITED STATES MUNITIONS LIST https://www.federalregister.gov/documents/2025/01/17/2025-01313/international-traffic-in-arms-regulations-us-munitions-list-targeted-revisions