On August 9, 2023, the Biden administration released a long-anticipated executive order designed to curb U.S. investments in key technology sectors in China. The proposed regulations, which aim to cover investments made by U.S. citizens and U.S.-incorporated companies (defined as “U.S. persons”) in semiconductors and microelectronics, quantum information technologies, and artificial intelligence (AI) systems, include two provisions:

1. A prohibition on certain investments in a specific subset of the aforementioned technologies.
2. A requirement to notify the U.S. government about investment activity related to a broader set of these technologies.

The order authorizes the U.S. Department of the Treasury to spearhead this outbound investment regime, and the Treasury has since released a program proposal seeking public comments on a variety of topics, including how to scope a potential prohibition on U.S. investment in China’s AI ecosystem.

Moreover, the order argues that advanced technologies like AI enhance an adversary’s military capabilities in a way that threatens U.S. national security. The administration is particularly concerned about investments in AI systems that could enable China’s military modernization efforts in areas such as the development of advanced weapons systems, intelligence and surveillance, cyber-enabled capabilities, and others. That said, distinguishing between military and civilian AI systems will prove challenging—if not impossible—due to the dual-use nature of AI. We propose a different approach, focusing on leveraging an existing tool—the Chinese Military-Industrial Complex Companies (CMIC) List. This list, controlled by the Treasury, has some of the right scope already, but would need to be updated and expanded for the purposes of working with this proposed program. Doing so will allow the U.S. government to most effectively capture the AI systems that present the most pressing national security risks, while avoiding overreach and potential unintended consequences that undermine U.S. competitiveness in AI development.

What is AI?

There is no single definition of AI. This is in part because AI is a general-purpose technology with a broad range of applications that span across industries, sectors, and use cases in both military and civilian or commercial settings. Although headlines lately have focused on generative AI models—in particular, large language models (LLMs) like OpenAI’s ChatGPT—AI has a variety of sub-disciplines and research areas, including computer vision, robotics, and others. 

For the purposes of an outbound investment regime, the Treasury is considering the following definition for AI systems:

In enforcing the proposed program outlined in the August 9 order, the Treasury aims to focus on U.S. investments in Chinese entities that are engaged in the development of AI systems that are used “exclusively” or “primarily” for military, government intelligence, or mass surveillance end uses. However, using this definition alone, it will be nearly impossible to identify an AI system that is “exclusively” designed for these national security-relevant end uses. Thus, for the order to be implemented effectively, the administration will first need to identify when and how an AI system becomes exclusively relevant for military, intelligence, and surveillance end uses.

This is no simple task. AI is a general-purpose technology that has both military and civilian or commercial applications, and does not fit neatly into one category or another. OpenAI’s GPT-4 is already demonstrating this to be true; for instance, the language-learning app Duolingo has incorporated GPT-4 into its offerings to help users simulate real-time conversations with native speakers, but companies like Palantir are also integrating LLMs like GPT-4 in their AI platform for the purposes of battlefield information processing and sensemaking. Even with a sector-based approach, distinguishing between military and civilian AI applications is challenging. Autonomous vehicle (AV) technology, for instance, can be translated between the commercial and military sectors. As one example, California-based firm Kodiak Robotics, which got its start in the autonomous trucking and freight industry, won a $50 million contract in December 2022 to develop self-driving reconnaissance vehicles for the U.S. Army.

Not only is it difficult to draw a distinction between military and civilian AI systems, but it can also be challenging to determine if an AI system built for a specific commercial or military environment is useful or potentially dangerous when deployed in a different scenario. Scoping a prohibition around U.S. investment in military AI systems will require policymakers to keep both of the aforementioned lessons in mind. 

Principles of Scoping AI for National Security: An End-User Approach

The order’s main objective is to restrict U.S. investment in Chinese entities developing AI that could pose significant national security risks. Because of the difficulties in identifying specific technical characteristics of AI systems that make them more or less relevant in a military context, we recommend taking an end-user list-based approach to a prohibition regime that can be updated regularly as more information on specific problematic actors in China becomes available. This approach is technology-agnostic and not specifically tailored to AI. In fact, it could be applied on top of the existing prohibitions that the administration has laid out for quantum information systems, as well as semiconductors and microelectronics. For AI, we believe this is the most effective way, at this time, to prevent the most threatening Chinese AI developers from benefiting from U.S. investments and the intangible benefits that accompany these investments.

The CMIC List could serve as the foundation for this end-user list-based prohibition. This list, also under the authority of the Treasury, was designed to prevent U.S. persons from buying equities in Chinese companies deemed by the U.S. government to be part of China’s military-industrial complex or complicit in surveillance regimes against ethnic minority groups. However, this list has not been updated since 2021.

In order to use the CMIC List in this context, it must first be updated and expanded. As it stands, the CMIC List is scoped to cover “Chinese entities that operate or have operated in the defense and related materiel sector or the surveillance technology sector.” Since this objective aligns with that of the order, this scoping would not have to change. However, in order to capture privately-held companies that are engaged in the same types of “covered transactions” as proposed in the EO, the CMIC List should be expanded beyond publicly-traded securities.¹ These transactions include:

1. Acquisition of equity interest, including mergers and acquisitions
2. Provision of debt financing
3. Joint ventures. 

Once reshaped, the CMIC List could become a powerful resource for the U.S. government to block investment in threatening military actors in China, but only if it is updated on a regular basis. As part of the initial update and expansion of the list, relevant U.S. government stakeholders could begin by triaging the U.S. Department of Commerce’s Entity List, as well as the U.S. Department of Defense’s list of “Chinese Military Companies Operating in the United States” (also known as the NDAA 1260H List), to look for entities that have been added to each respective list for their complicity in China’s military modernization and surveillance ecosystem, and add these to the CMIC List. Some examples include the semiconductor company Cambricon, as well as the surveillance firm iFlytek. 

Once the CMIC List scope has been revised, the Treasury can then design an outbound investment prohibition that forbids (and likely deters) “U.S. persons” from investing in any Chinese entities that are on a revised version of the CMIC List. This would also, as per the proposed program from the Treasury, include any entity that is 50 percent or more owned by an entity on the CMIC List.

Why Take This Approach?

There are several benefits to focusing on end-user lists. First, without a specific definition of “exclusively” military AI systems, any attempts to scope a prohibition around technical thresholds could risk over-capturing purely civilian systems and disrupting international supply chains. For example, a prohibition on investments in Chinese companies developing or manufacturing autonomous vehicles, although arguably warranted due to the potential military applications of AV technology, could have massive implications for the global development and production of cars due to China’s dominant position in the automotive industry. 

Second, any attempts to build technical thresholds for more “military” AI systems could risk missing large swaths of potentially dangerous AI. AI technology is changing rapidly, and although progress in AI over the past decade has been driven in large part by a growing demand for compute, CSET research has shown that other factors like algorithms, talent, and natural resources may play an even bigger role in AI progress going forward. As such, shaping any investment prohibition on technical characteristics that are relevant at this time may become obsolete as the technology progresses.

Third, taking a list-based approach may make industry compliance easier and more effective, as U.S. companies that want to invest in Chinese AI companies would not have to individually interpret if a potential investment was tied to the Chinese military-industrial complex. Instead, the U.S. government can tell companies where the most risky areas are for AI investment in China and not leave that up for interpretation. Moreover, by adopting a list-based approach, the U.S. government may push investors to be more inclined to do the necessary due diligence to prove that their potential AI investment in China is not tied to a problematic actor. 

Finally, although we acknowledge that a list-based approach may lead to a more intense game of “whack-a-mole” with the U.S. government chasing after different Chinese entities that may change names or mask affiliations, we believe that no better alternative exists at this time. Moreover, a broader notification regime for U.S. investments in AI systems in China can act as a safety net to catch problematic investments that do not involve a listed party. If the Treasury were to determine that a notified transaction should have been a prohibition, then it has the authority (under the International Emergency Economic Powers Act “IEEPA”) to prohibit or unwind the transaction; however, this power should be used sparingly and only in the most egregious cases. Otherwise, overusing of the authority would likely disincentivize U.S. companies from providing notification in the first place.

1. In a 2023 CSET report entitled, U.S. Outbound Investment into Chinese AI Companies, we noted that the CMIC List already includes some privately-held companies such as Huawei, Inspur, and Yitu, despite its mandate. It also lists Chinese defense state-owned enterprises such as China Aerospace Science and Technology Corporation, China General Nuclear Power Group, and China National Offshore Oil Corporation that are not traded on any stock market.