Remote Access Security Act

What happened: On December 17, 2025, Senator McCormick (R-PA) introduced S. 3519, the Remote Access Security Act, with three cosponsors (Wyden, Cotton, Coons — bipartisan). The bill amends the Export Control Reform Act of 2018 to define 'remote access' to controlled US items via cloud infrastructure by 'foreign persons of concern' as an export subject to license requirements. This specifically targets access to dual-use AI models that could lower barriers to WMD design, enable offensive cyber operations, or evade human oversight, as well as surveillance tools and offensive cyber capabilities. The bill was read twice and referred to the Committee on Banking, Housing, and Urban Affairs — the earliest legislative stage with no hearings or markups yet. The money trail: This bill authorizes NO direct funding. It creates a regulatory compliance burden on cloud providers by expanding the definition of 'export' to include cloud-based remote access. The cost impact is entirely on the private sector: compliance systems, licensing delays, and lost revenue from restricted international customers. There is no appropriation component — this is a regulatory mandate with compliance costs borne by affected companies. Structural winners and losers: The clear losers are the four dominant US cloud hyperscalers: Amazon (AWS), Microsoft (Azure), Alphabet (Google Cloud), and Oracle (OCI). These companies derive significant revenue from international cloud customers, including AI and high-performance computing workloads. The bill forces them to screen foreign customer access to their most valuable AI products, directly limiting the addressable market for high-margin AI inference and training services. There are NO direct winners — cybersecurity pure-plays like CrowdStrike ($CRWD) and Palo Alto Networks ($PANW) are not directly affected because the bill targets cloud INFRASTRUCTURE providers, not cybersecurity software vendors selling defensive tools. The bill specifically exempts defensive cyber operations ('network defense activities'), limiting impact on endpoint security vendors. Market data analysis: The real market data shows a mixed picture for the affected cloud providers. Amazon ($AMZN) is at $259.70, up +30.28% over 30 days but with a flattening 7-day trend (+1.7%). Microsoft ($MSFT) is at $429.25, up +20.32% over 30 days but down -0.85% over 7 days. Alphabet ($GOOGL) is at $349.78, up +27.5% over 30 days and +3.08% over 7 days — approaching its 52-week high of $353.18. Oracle ($ORCL) stands out at $165.96, down -11.49% over 7 days and having dropped sharply from $187.50 on April 22 to $165.96 today — this significant 7-day decline likely reflects company-specific factors but the legislation adds further headwinds for OCI's AI revenue growth. The 30-day trends for all four are strongly positive, indicating the market has not priced in this early-stage legislation yet. Timeline: The bill is at the earliest legislative stage — introduced and referred to committee in December 2025 with no further action. The Committee on Banking, Housing, and Urban Affairs must hold hearings, mark up the bill, and report it to the full Senate. Passage requires a floor vote in both the Senate and House, then presidential signature. Given that this is the 119th Congress (2025-2027) and the bill was introduced only 4 months ago, it faces a long legislative path. Bipartisan sponsorship (McCormick-R, Wyden-D, Cotton-R, Coons-D) increases its chances but does not guarantee passage. Significant industry lobbying opposition from the cloud providers is expected.