OPINION — Artificial intelligence is at the center of the U.S.-China rivalry, with companies in both nations racing to develop and deploy leading AI systems. The success of China’s DeepSeek model revealed just how fragile America’s lead is – with experts estimating Chinese AI capabilities lag only 7-10 months behind the U.S. While America’s position appears more tenuous than before, massive US investment and the compounding effects of semiconductor export controls suggest the the U.S. can maintain or even expand its lead. However, this advantage hinges on America’s ability to safeguard its breakthroughs from theft and sabotage.
While attention focuses on publicly available models like ChatGPT, the real risk to U.S. national interests is the theft of unreleased “internal models.” These AI systems being developed, tested, and deployed behind closed doors represent the frontier of American AI innovation. If stolen, they could be used to strengthen Chinese military capabilities and economic competitiveness. AI companies cannot secure these critical assets alone. To preserve America’s technological edge, the U.S. government must work with AI developers to secure these internal models.
Emerging National Security Capabilities
Current AI models are increasingly demonstrating national security-relevant capabilities in areas such as cybersecurity. Companies are already using models for network penetration tests and identifying software vulnerabilities. Using models to power AI agents—which are systems that can better interact with environments and work autonomously—further improves cyber capabilities. Multiple research teams have demonstrated that specialized AI cyber agents can enhance a model’s cyber attack proficiency by enabling multistage attacks. In one evaluation, a model successfully executed over 246 distinct actions to infiltrate a simulated version of the Equifax network that was breached in 2017. New reasoning capabilities will unlock even more powerful agent-based systems. In late 2024, OpenAI’s o3 reasoning model scored 75% on the ARC-AGI benchmark, a test that measures abstract reasoning and novel problem-solving. This represents a significant improvement over GPT-4o’s 5% score in early 2024.
AI models are also making dramatic progress in science and engineering. In just one year, their ability to complete real-world programming tasks has more than tripled, improving from a 20% success rate in early 2024 to 70% in early 2025. In other areas, AI companies report deploying models that demonstrate PhD-level abilities in physics and biology—domains critical for both scientific advancement and weapons development.
The intersection of technology, defense, space and intelligence is critical to future U.S. national security. Join The Cipher Brief on June 5th and 6th in Austin, Texas for the NatSecEDGE conference. Find out how to get an invitation to this invite-only event at natsecedge.com
PRC Motives: Theft and sabotage
Today, the United States maintains a narrow lead in AI capabilities, an advantage U.S. leaders recognize as crucial to national security. As China rapidly closes this gap, internal models will become attractive targets. These systems, such as future public releases still undergoing testing and specialized models powering AI research and development, are particularly valuable targets because they will likely possess sophisticated capabilities in autonomous decision-making, software engineering, and scientific research.
By stealing internal models, Beijing could access leading AI systems. These advanced systems could then enhance China’s military and cyber capabilities. The Chinese military already uses American open-source models – any future stolen models would likely be used militarily as well. Models with advanced cyber capabilities could enhance ongoing Chinese cyber operations targeting U.S. critical infrastructure. These models could in turn help Chinese hackers develop evasive malware or identify zero-day vulnerabilities.
Stolen models could also accelerate AI research and development, enabling China to achieve long-term technological parity with the U.S. This could threaten both America’s national and economic security. Internal models designed to automate AI research or provide training data could help Chinese developers create next-generation models. Some are already claiming that DeepSeek used outputs from OpenAI’s ChatGPT to train its V3 model.
Using its own models, DeepSeek has also demonstrated that it can transfer powerful capabilities from large, complex models to smaller, efficient models using a process called distillation. Through this technique, DeepSeek’s developers transferred reasoning capabilities from their R1 model to smaller models.
If Chinese companies gained access to unreleased American AI models, they could use the same distillation process to transfer these advanced systems’ capabilities to smaller, cheaper models. Using this “take and transfer” approach, Chinese developers could bypass U.S. semiconductor export controls and leverage billions of dollars in U.S. research and infrastructure investments.
These distilled models could erode American AI companies’ market position, allowing Chinese competitors to offer comparable capabilities at much lower prices. China has already successfully used similar market strategies in other technology sectors, most notably in telecommunications. In 2020, the Justice Department accused Chinese telecom giant Huawei of using stolen trade secrets to reduce research costs and gain significant competitive advantages. In total, the FBI estimates that Chinese intellectual property theft and corporate espionage costs U.S. companies nearly $600 billion annually.
Sabotage is also a risk. AI researchers have identified methods to sabotage AI models during training and development. In one unsettling example, researchers created “sleeper agent” models that pass evaluations by appearing harmless, but later exhibit malicious behavior. Using these techniques, China could target AI systems intended for U.S. critical infrastructure or Defense. This risk will heighten as major AI companies like Anthropic and OpenAI partner with defense contractors.
Security is hard
Given the strong incentives to steal internal models, the next question is whether Chinese hackers have the means to do so. Unfortunately, cybersecurity firms are finding Chinese cyber operations are becoming more common, more capable, and more strategic. In 2024, Crowdstrike found China-related activity surged 150%, with some sectors facing three times as many attacks as in the previous year. Recent notable Chinese cyber operations have breached systems at Microsoft, the U.S. State Department, and U.S. telecommunications companies. The telecommunication breach was so severe that U.S. officials recommended Americans should start communicating using encrypted messaging systems.
Recognizing these risks, many AI companies now maintain dedicated policies for securing, evaluating, and releasing models. However, security breaches at leading AI developers have raised concerns among lawmakers. In 2023, OpenAI’s internal messaging system was compromised, exposing AI system design details. In 2024, a former Google employee was charged with stealing artificial intelligence trade secrets. Other issues compound developers’ abilities to secure environments, including cyber workforce shortages and widespread software vulnerabilities. Even if developers did meet certain security requirements, some experts believe it is currently impossible to defend internet-connected systems against nation states using today’s commercial cybersecurity products and best practices.
Looking for a way to get ahead of the week in cyber and tech? Sign up for the Cyber Initiatives Group Sunday newsletter to quickly get up to speed on the biggest cyber and tech headlines and be ready for the week ahead. Sign up today.
Recommendations
Given these national security concerns and Chinese espionage capabilities, private AI companies cannot adequately address the threats alone. These companies lack the government’s unique tools, authorities, and resources to counter nation-state threats. Previously, in similar situations, the federal government has addressed such threats with initiatives to counter economic espionage, protect the defense industrial base, and secure sensitive research. The White House’s forthcoming AI Action Plan is also an excellent opportunity to start addressing the security of internal models and the broader AI and advanced computing supply chain.
The U.S. government must start by deepening engagement with AI developers to understand internal AI models and their capabilities, including those never intended for public release. A dangerous asymmetry could emerge, in which Chinese hackers targeting internal models have more knowledge of advanced U.S. AI capabilities than American national security leaders themselves. It would be a strategic failure if U.S. leaders only learned about powerful internal models after their compromise and weaponization against American interests. To address this, the Federal government needs both the institutions and experts to engage with AI developers and understand emerging capabilities.
Second, the US intelligence community must identify nation-state efforts to target AI developers, especially their research and internal models. The government should then share this information expediently with industry through both classified and unclassified channels. This collaboration could be modeled after programs like the Critical Infrastructure Intelligence Initiative, which provides critical infrastructure entities with timely and actionable threat information through classified threat briefings.
Federal agencies must support developers by creating best practices and guidance for securing internal models. Agencies such as the Cybersecurity and Infrastructure Security Agency, National Security Agency, and Federal Bureau of Investigation, should regularly publish and update detailed voluntary guidelines for internal model security. These guidelines could build on successful precedents, such as the CDC’s Biosafety in Microbiological and Biomedical Laboratories guidelines, which recommend best practices for securing dangerous biological agents. The U.S. government can also take steps to secure internal models being stored or trained abroad. The previously proposed export control rules require companies to secure models stored or trained overseas. The new administration should consider working with industry on similar requirements.
Policymakers must also drive collaborative defense by designating a lead federal agency to support the security of AI and the advanced computing sector. The president should designate AI and Advanced Computing (AIAC) as a critical infrastructure sector and assign a federal agency as a Sector Risk Management Agency. This agency could coordinate federal support efforts and technical assistance, and provide tailored security services to AI developers, similar to how the Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP) supports the eclectic sector. Additionally, the federal government should encourage industry to establish an AI-Information Sharing and Analysis Center (AI-ISAC). Already endorsed by the Senate Bipartisan AI working group, an AI-ISAC would create trusted channels for industry to share threat intelligence and best practices.
The time for action is now. As China rapidly advances its AI capabilities, protecting America’s internal AI models becomes increasingly critical for maintaining U.S. technological superiority and national security. The policies and partnerships established today will determine whether the United States can effectively safeguard these vital national assets for tomorrow.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.
Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
Have a perspective to share based on your experience in the national security field? Send it to [email protected] for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief
