Centre for a New American Security: Left unaddressed, adversarial distillation represents a strategic vulnerability for the U.S. AI ecosystem. U.S. companies have invested heavily in protecting their model weights from theft through insider threat programs and cybersecurity measures. Adversarial distillation circumvents these defenses because it does not require access to the model’s weights. By exploiting U.S. model responses at each stage of training, Chinese and other adversarial developers can make faster and larger capability gains than they would independently. Once one Chinese developer has extracted and internalized these gains, other Chinese developers can in turn freely distill from those models. Finally, because adversarial distillation generates data by leveraging U.S. infrastructure, it spares Chinese developers’ own limited compute for other uses. Together, they give China’s AI ecosystem a reliable means to remain an even faster follower…
Adversarial distillation: China’s campaign to extract American AI capabilities