Open source is now a national security threat

On April 23, the White House accused China of running "industrial-scale campaigns" to steal American AI technology. A day later, the State Department followed up with a diplomatic cable sent to embassies worldwide, warning allied nations about alleged IP theft by DeepSeek and other Chinese firms. The same week, DeepSeek released V4, a 1.6 trillion parameter model optimized for Huawei's Ascend chips, not Nvidia's. The message from Washington was clear: open-source AI is now a vector for espionage, and sharing research across borders is a threat to national security. But when a government starts treating open models as weapons, the collateral damage isn't just diplomatic. It's the entire open-source ecosystem that made American AI dominance possible in the first place.

The framing war: IP theft vs. open competition

The White House memo from the Office of Science and Technology Policy describes China's approach as "deliberate, industrial-scale distillation campaigns." Distillation, in AI terms, means training smaller models using outputs from larger ones, a technique that's not only legal but widely practiced across the industry. OpenAI, Google, and virtually every AI lab uses distillation internally. The accusation rests on a specific claim: that Chinese firms like DeepSeek are systematically querying American models (like ChatGPT) at scale to replicate their capabilities. OpenAI reportedly warned U.S. lawmakers in February that DeepSeek was targeting its models for replication. There's a real concern here. If companies are violating terms of service at scale to extract proprietary model behavior, that's a legitimate business and legal issue. But the government's framing goes much further than ToS violations. It conflates several distinct activities: actual unauthorized access, legitimate distillation research, open-source model usage, and the broader flow of published AI research. This conflation matters. When the State Department sends a global cable warning about "AI theft," it doesn't distinguish between someone scraping an API and someone downloading a model that was deliberately released as open-weight. The umbrella is wide enough to cover both, and that ambiguity is the problem.

DeepSeek V4 and the export control paradox

The timing of DeepSeek's V4 release feels almost deliberate. Days after the U.S. escalated rhetoric about Chinese AI theft, DeepSeek dropped a model that demonstrates exactly what export controls were supposed to prevent, and exactly why they haven't worked. V4-Pro has 1.6 trillion parameters and a one-million-token context window. More significantly, it runs on Huawei's Ascend chips. The entire thesis behind U.S. chip export controls, which began in October 2022 and have been tightened multiple times since, was that restricting access to Nvidia's best hardware would slow China's AI progress. Instead, restrictions created the incentive structure for China to build around them. DeepSeek reportedly trained earlier models on Nvidia H800s (chips designed to comply with first-generation export rules but later banned). Now V4 is optimized for domestic silicon. Huawei confirmed its latest AI computing cluster can support the model, and DeepSeek has said prices will drop further once Huawei's 950 supernodes come online at scale later this year. As Brookings noted in their analysis of earlier DeepSeek models, the export controls' failure isn't that they did nothing, but that they were too slow and too leaky to prevent the stockpiling of restricted chips, while simultaneously accelerating China's domestic chip development roadmap. The CSIS assessment was even more pointed: DeepSeek's efficiency gains are partly a direct consequence of having to do more with less. Export controls didn't stop the adversary. They just taught the adversary to stop needing you.

We've been here before: the crypto wars

In the early 1990s, the U.S. government classified strong encryption as a munition under the International Traffic in Arms Regulations (ITAR). Exporting encryption software was legally equivalent to exporting weapons. Phil Zimmermann, the creator of PGP (Pretty Good Privacy), became the target of a three-year federal criminal investigation after his encryption tool found its way onto the internet and was downloaded outside the United States. Zimmermann's response was ingenious: he published the PGP source code as a printed book. Books were protected by the First Amendment and couldn't be classified as munitions. The government's position was untenable, the idea that mathematical knowledge becomes a weapon when it crosses a border, and eventually the export restrictions were loosened. The parallels to today's AI debate are striking. Model weights are, at their core, large matrices of numbers. Research papers describing novel architectures are published openly. The techniques behind distillation, reinforcement learning from human feedback, mixture-of-experts routing, these are all published knowledge, much of it originating from American labs. Trying to control the spread of open-source AI is like trying to control the spread of math. You can make it illegal, but you can't make it impossible. And in the process, you damage the very ecosystem of open collaboration that gave you your lead.

The irony: openness built America's AI lead

Here's what makes the current posture so self-defeating: American AI dominance was built on open research. The transformer architecture, the foundation of virtually every modern AI model, came from "Attention Is All You Need," a paper published by eight Google researchers in 2017. It was released openly. No export controls. No classification. Just a paper on arXiv that anyone in the world could read. PyTorch and TensorFlow, the two frameworks that underpin nearly all AI development, were open-sourced by Meta and Google respectively. ImageNet, the dataset that catalyzed the deep learning revolution, was a publicly available academic resource. GPT-2, which OpenAI initially held back out of safety concerns, was eventually released in full, and the resulting ecosystem of fine-tuned models accelerated the entire field. The U.S. didn't win the AI race by hoarding knowledge. It won by creating an environment where the best researchers in the world wanted to work, where ideas circulated freely, where startups could build on the shoulders of published research without asking permission. The current trajectory threatens exactly that. When the government treats model weights as potential munitions, researchers think twice about publishing. When cross-border collaboration becomes suspect, international talent looks elsewhere. When open-source becomes a liability rather than an asset, the ecosystem that produced transformers, diffusion models, and RLHF starts to wither.

The chilling effect is already real

The practical consequences of framing open-source AI as a security threat are already emerging. Several dynamics are converging. First, there's the question of who publishes what. If sharing model weights can be characterized as enabling foreign adversaries, labs face a risk calculus that didn't exist five years ago. The incentive shifts toward closed models, proprietary APIs, and restricted access, exactly the approach that benefits large incumbents and hurts smaller players and academic researchers. Second, cross-border research collaboration gets harder. AI research has been remarkably international, with papers regularly co-authored by researchers in the U.S., China, the U.K., Canada, and elsewhere. When governments start treating these collaborations with suspicion, the talent pipeline narrows. The best researchers don't just work in Silicon Valley. They come from everywhere, and they'll go where they're welcome. Third, there's the compliance burden. If model provenance becomes a regulatory concern, every company shipping AI products needs to document where their training data came from, which models influenced their development, and whether any "tainted" open-source components are in their stack. This is a real cost that falls disproportionately on startups and small teams. Finally, there's the global precedent. If the U.S. successfully frames open-source AI as a security vector, other governments will follow. The EU, already aggressive on AI regulation, could layer additional restrictions. China, for its part, has its own history of restricting information flows. The result is a fragmented AI landscape where the free flow of research, the thing that made rapid AI progress possible, is balkanized along national lines.

Steelman: the legitimate concerns

None of this means that the U.S. government's concerns are entirely fabricated. There is credible evidence that DeepSeek has had access to Nvidia H100 chips in violation of export controls. A U.S. official told Reuters in 2025 that DeepSeek aids China's military and that the company is referenced over 150 times in procurement records for the People's Liberation Army. The House Select Committee on the CCP published a report detailing DeepSeek's use of export-controlled chips. Distillation at scale, if it involves systematically circumventing API rate limits and terms of service to extract proprietary model behavior, is a legitimate business concern. It's different from downloading an openly released model, and the distinction matters. China's civil-military fusion doctrine, where the line between commercial AI and military AI is intentionally blurred, creates genuine security risks that don't exist with, say, a French AI startup using Llama. These are real problems. But the solution to specific instances of chip smuggling and API abuse isn't to reframe the entire concept of open-source AI as a threat. That's like banning books because some people use libraries for the wrong reasons.

What actually matters for builders

If you're building AI products right now, the practical takeaways are more mundane than the geopolitical drama suggests, but they're worth paying attention to. Model provenance is becoming a real concern. Know where your base models come from, what they were trained on, and whether they have any licensing restrictions that could become politically charged. This isn't just legal compliance, it's risk management. Don't assume the current open-source landscape is permanent. If regulatory winds shift further, models that are freely available today might face distribution restrictions tomorrow. Build with that optionality in mind. Watch the export control space closely. The rules have changed multiple times since 2022, and they'll change again. If you're deploying AI products internationally, understanding which models, chips, and techniques are under scrutiny is part of the job. And advocate for openness where you can. The open-source AI ecosystem is a public good that benefits everyone, from solo developers to Fortune 500 companies to academic researchers. It's worth defending, not because open source is without risks, but because the alternative, a world where AI knowledge is hoarded behind national borders and corporate walls, is worse for everyone.

The real danger

The deepest irony of this moment is that the U.S. government's strategy might actually accelerate the outcome it fears most. By treating open-source AI as a weapon, the U.S. pushes the global open-source community toward alternatives. If American labs become too restricted to publish openly, Chinese labs like DeepSeek, Alibaba's Qwen team, and others will fill the vacuum. Qwen already has over 700 million downloads and is the world's largest provider of open-weight AI systems. The more the U.S. restricts, the more it cedes the open-source ecosystem to competitors who are happy to step in. And once developers worldwide are building on Chinese open-source models as their default foundation, that's an influence vector that no diplomatic cable can undo. Encryption went through this exact cycle. The U.S. tried to control it, failed, and eventually accepted that strong encryption benefits everyone, including American citizens and businesses. The crypto wars ended not because the security concerns disappeared, but because the costs of restriction outweighed the benefits. Open-source AI will likely follow the same arc. The question is how much damage we do to the ecosystem in the meantime.