White House OSTP calls out China: Industrial-scale AI distillation attacks violate security protocols, four-step counter-sanctions to be launched
動區 BlockTempo, 2026-04-24 06:04:15

The White House Office of Science and Technology Policy (OSTP) issued the NSTM-4 formal declaration on April 23, naming Chinese AI companies for targeting major U.S. firms with "industrial-scale" distillation attacks and warning that these cloned models have been systematically stripped of safety protocols. The White House has launched a four-step countermeasure plan.

(Previous coverage: Anthropic accuses Chinese AI firms like DeepSeek of stealing from Claude, using 24,000 fake accounts to conduct 16 million queries)

(Background: U.S. lawmakers propose "AI Theft Act"; Chinese firms distilling models face potential sanctions! DeepSeek and MiniMax listed as primary targets)

National Security Memorandum NSTM-4 is the first confirmation in the name of the government that Chinese AI companies are launching "industrial-scale distillation" attacks against top U.S. model developers, and that these are not isolated hacker incidents. This is a critical turning point in the ongoing battle, which has escalated from OpenAI's copyright accusations and congressional proposals for the "AI Theft Act" to the White House level.

The White House has officially declared war. On April 23, the OSTP released a statement on distillation. Distillation is originally a legitimate machine learning technique: a small model "learns" from a large model, compressing it into a lightweight version whose performance approaches the original. The problem arises when this method is used to systematically extract knowledge from competitors' closed-source models without authorization, turning an academic tool into industrial espionage.

OSTP Assistant and Assistant to the President Michael J. Kratsios explicitly stated in the NSTM-4 declaration: "Intelligence indicates that foreign entities—primarily in China—are deliberately targeting major U.S. AI firms for model distillation."

His original wording more precisely described the nature of these attacks: "Models developed through such surreptitious, unauthorized distillation actions do not fully replicate the performance of the original models. However, they do allow foreign actors to launch products that appear to perform comparably on specific benchmarks at a very low cost."

This statement by Kratsios punctures the structural problem behind the narrative that "Chinese AI is cheap and good": it is cheap because there is no R&D cost; it is "good" only as a facade on selective benchmarks, while safety guardrails have been secretly uninstalled.

The OSTP added in a post on its official X account that distilled cloned models "strip away safety protocols, deviating from the goals of neutrality and truth-seeking." Attack methods include using "tens of thousands of proxy accounts" and "jailbreaking techniques" to systematically expose proprietary information from closed-source models.

The OSTP declaration did not come out of nowhere. In February of this year, Anthropic formally accused three Chinese AI companies (DeepSeek, Moonshot, and MiniMax) of using approximately 24,000 fraudulent accounts to conduct over 16 million conversations on its Claude model, attempting to systematically extract Claude's core capabilities, including agentic reasoning, coding and data analysis, rubric grading, and computer vision. This is the largest publicly recorded accusation of an AI distillation attack, and the NSTM-4 declaration is equivalent to a formal confirmation and characterization of this attack pattern at the government level.

The White House announced four directions for action in NSTM-4. First, proactively share intelligence on large-scale distillation attacks with U.S. AI firms so they know they are being targeted and understand the specific nature of the attacks. Second, assist the private sector in strengthening defense coordination mechanisms to stop fragmented efforts. Third, collaborate with the private sector to build higher-intensity defenses to block the technical entry points for distillation attacks. Fourth, explore means to hold foreign actors accountable.

The "means" in the fourth point is the variable that outsiders are most concerned about. Retired U.S. Army four-star general, former NSA Director and Commander of U.S. Cyber Command Paul Nakasone pointed out potential directions in an interview: export controls, diplomatic protests, and tailored technology restrictions.

A notable timeline: the NSTM-4 declaration was released weeks before the Biden-Xi summit. Regardless of whether the summit ultimately takes place, this declaration has set the bottom line for negotiations: AI distillation attacks are now an official concern of the U.S. government, not just a copyright dispute between private companies.

To understand this battle, the numbers are the most straightforward. Currently, Claude Opus 4.6 is priced at $5 per million tokens, while ChatGPT-5.4 Pro is as high as $30; in contrast, DeepSeek V3.2 is positioned as a mid-tier model at only $0.26 per million tokens, less than one-twentieth of Claude and less than one-hundredth of GPT. This price gap is the core economic incentive for distillation attacks. Spending a few thousand dollars in API fees to gain hundreds of millions of