Cloud Security Act targets China AI loophole in US export controls


Synopsis

U.S. export controls ban the sale of advanced AI chips to China — but not the rental of computing power those chips provide via American cloud platforms. The Cloud Security Act, introduced by two bipartisan lawmakers on 26 June, targets that structural gap by letting cloud providers voluntarily report suspected misuse and requiring user identity verification. It is one of the most direct legislative attempts yet to close the cloud-computing backdoor in Washington's AI containment strategy.

Key Takeaways

Congressmen Josh Gottheimer and John Moolenaar introduced the Cloud Security Act on 26 June.
The bill targets a loophole allowing adversaries like China to rent AI computing power from U.S. cloud providers, bypassing chip export restrictions.
The legislation proposes voluntary reporting to the Department of Commerce for cloud firms that suspect foreign adversary misuse.
Current law restricts companies from disclosing customer records to the government, creating legal uncertainty for firms detecting suspicious activity.
The bill would also require cloud platforms to verify the identity of their users as a baseline safeguard.
The measure has bipartisan support and targets services offered by major American cloud providers whose infrastructure is accessible globally.

Two bipartisan U.S. lawmakers on Friday, 26 June, introduced the Cloud Security Act, legislation designed to close a significant gap in American export controls that critics say allows China and other adversaries to access advanced artificial intelligence computing power through U.S.-based cloud service providers — bypassing restrictions on physical chip sales entirely.

The Loophole at the Centre of the Bill

Congressman Josh Gottheimer and Congressman John Moolenaar, Chairman of the House Select Committee on China, argued that existing U.S. export controls effectively restrict the direct sale of advanced AI chips to countries and entities of concern — but do not cover the rental of computing capacity powered by those same chips via cloud platforms.

Under current rules, a foreign actor barred from purchasing a restricted semiconductor can still rent remote access to equivalent processing power from a major American cloud provider, without ever taking ownership of the hardware. The proposed legislation targets precisely that enforcement gap.

What the Legislation Proposes

The Cloud Security Act seeks to amend existing law to allow cloud computing providers to voluntarily report to the U.S. Department of Commerce any suspected misuse of their services by customers linked to U.S. adversaries. Currently, companies face legal uncertainty because existing statutes restrict the disclosure of customer content or records to government authorities — leaving firms that suspect foreign exploitation with limited recourse.

The bill also proposes that cloud platforms verify the identity of their users, creating a baseline accountability layer that proponents say is absent from the current framework.

What the Lawmakers Said

'We can't let our adversaries — especially China — dodge our export controls by simply renting what they can't buy,' Gottheimer said. He added that the bill gives American companies 'the legal clarity they need to do the right thing and report when bad actors are trying to use our own cloud infrastructure to threaten our national security.'

Moolenaar framed the issue in broader strategic terms, saying China 'will buy what it can and steal the rest,' and is 'actively trying to get backdoor access to U.S. data centres and train its AI models via cloud computing.' He argued that U.S. cloud platforms have a direct role in countering China's AI buildup, which he described as fuelling its 'military and surveillance ambitions.'

Why This Matters for the AI Race

The bill arrives at a moment of intensifying competition between the United States and China over AI capabilities. Washington has steadily tightened chip export controls — most recently through restrictions on Nvidia's advanced processors — but enforcement has consistently lagged behind the ingenuity of workarounds. Cloud-based access represents one of the most structurally difficult gaps to close, given that the underlying hardware never crosses a border.

Notably, major American cloud providers including Amazon Web Services, Microsoft Azure, and Google Cloud operate global infrastructure, raising complex questions about jurisdictional enforcement and customer verification at scale. The bill's voluntary reporting framework is designed to provide legal cover for firms that currently risk liability by proactively flagging suspicious usage.

What Comes Next

The Cloud Security Act will now move through the legislative process. Its bipartisan backing — spanning both sides of the aisle on the politically sensitive question of China — is considered an asset, though technology industry groups are likely to scrutinise provisions around user verification and disclosure obligations. The Department of Commerce has not yet issued a formal response to the bill.

Point of View

The chip never needs to cross the border for the capability to do so. The voluntary reporting mechanism is pragmatic but limited; it places the compliance burden on companies that face commercial incentives to look the other way. The harder question — whether mandatory verification and reporting would survive legal challenge under existing privacy and trade law — is one the bill's backers have not yet fully answered. If the legislation passes without robust enforcement teeth, it risks becoming another headline measure that adversaries route around within months.
NationPress
27 Jun 2026

Frequently Asked Questions

What is the Cloud Security Act introduced by U.S. lawmakers?
The Cloud Security Act is bipartisan legislation introduced on 26 June by Congressmen Josh Gottheimer and John Moolenaar to close a gap in U.S. export controls that allows adversaries like China to access advanced AI computing power by renting capacity from American cloud providers, rather than purchasing restricted chips directly.

Why do existing U.S. export controls not cover cloud computing access?
Current U.S. export controls restrict the sale of advanced AI chips to countries and entities of concern, but do not address the rental of computing capacity powered by those same chips via cloud platforms. Because the hardware never changes ownership or crosses a border, it falls outside the existing enforcement framework.

What does the Cloud Security Act require cloud providers to do?
The bill proposes allowing cloud providers to voluntarily report suspected misuse by customers linked to U.S. adversaries to the Department of Commerce. It also calls for cloud platforms to verify the identity of their users, addressing a baseline accountability gap in current practice.

Why can't cloud companies currently report suspicious foreign users to the government?
Existing law restricts companies from disclosing customer content or records to government authorities, creating legal uncertainty for firms that believe foreign adversaries may be exploiting their platforms. The Cloud Security Act is designed to provide legal clarity and cover for voluntary disclosures.

What is the broader significance of this bill for the US-China AI competition?
The bill represents one of the most direct legislative attempts to close a structural backdoor in Washington's AI containment strategy. As the U.S. and China compete intensively over AI capabilities, cloud-based access to advanced computing has emerged as a key workaround that physical chip export controls alone cannot address.