#69 Silicon Shackles: Assessing Avenues for On-Chip Compute Governance
Assessing the Viability of Hardware-Based Compute Governance, “unCERT-in” Times - Technology regulation as a game of whack-a-mole
Today, Satya Sahu shines a light on the on-chip governance mechanisms proposed in a report from the Center for a New American Security as a way to regulate specialised AI chips.
Rijesh Panicker highlights the challenges before India’s regulators, like the CERT-In, as they face off against cryptocurrencies.
Also,
We are hiring! If you are passionate about working on emerging areas of contention at the intersection of technology and international relations, check out the Staff Research Analyst position with Takshashila’s High-Tech Geopolitics programme here. For internship applications, reach out to satya@takshashila.org.in.
Technomachy: Assessing the Viability of Hardware-Based Compute Governance
— Satya S Sahu
The US Bureau of Industry and Security is actively considering the concept of hardware-enabled governance mechanisms to help achieve AI governance goals. A recent report by the Center for a New American Security (CNAS) titled "Secure Governable Chips: Using On-Chip Mechanisms to Manage National Security Risks from AI & Advanced Computing" proposes a "novel" approach to mitigating national security risks associated with Artificial Intelligence and advanced computing. It argues for implementing on-chip governance mechanisms, that is, secure physical features built directly into the design of AI chips, to enforce export controls and to control how and by whom these devices can be used, in a bid to maintain American technology leadership.
The recommendation for on-chip governance in AI chips is based on the premise that integrating control mechanisms directly into the hardware can effectively allow US export controls and licensing regimes to manage the risks associated with such chips being used by its technological adversaries for advanced computing and AI development. China is mentioned as a clear example of such an adversary. This approach, according to the authors, would ensure that AI chips, particularly those used in sensitive or high-risk applications, adhere to predefined policies and restrictions, thereby mitigating potential national security threats as well as limiting their use for "mass surveillance, cyberattacks, and designing novel biological weapons".
The report highlights the current semiconductor export controls as inadequate, either due to the existence of diversion risks via smuggling or cloud computing providers in third-party jurisdictions or concerns over US semiconductor firms losing market access to China. It suggests that on-chip governance could offer a more adaptable and effective solution for implementing controls on hardware. This is because such a mechanism could detect the application for which the chip is being used and, based on whether it crosses thresholds set by US export controls, can be used to either limit the chip's capability or brick it even after possession of the hardware has passed to the purchaser. The authors also point to existing technologies in chips made by Intel, AMD, and Nvidia (ranging from Trusted Platform Modules (TPMs) to examples of Software Defined Silicon technology), which they say exhibit features that could be used to enable some aspects of the proposed policies today.
Quite a few criticisms can be levelled at this "novel" approach. First, the report overestimates regulatory effectiveness: it implies that governments can effectively regulate AI chip usage even while acknowledging the complexities of the global semiconductor supply chain. Even regulation that works in the short term can be rendered ineffective over time if hardware progress and algorithmic advances steadily decrease the number and sophistication of chips needed to train an AI model of a given capability, so that the controlled hardware no longer bounds the controlled capability.
Second, the report suggests that existing technologies from major firms already possess features that could facilitate on-chip governance, and that components like TPMs could be adapted for the purpose. Historically, TPMs were discrete chips on the motherboard; many platforms now implement them in firmware instead, such as AMD's fTPM. A TPM is designed to record measurements of the boot chain in its platform configuration registers, to store and seal keys, and to attest those measurements to a remote verifier with a signed quote. That attestation is a measure-and-report function: the TPM states what booted, and a separate verifier decides whether to trust the machine. It does not continuously monitor the workloads a chip is running, and it has no mechanism to disable or throttle the processor when a policy or licence is violated. Real-time workload monitoring and the ability to dynamically adjust chip functionality are therefore new capabilities, and they pose significant technical challenges: such features will likely introduce considerable performance overhead, complicate implementation, and make the chip less efficient and less attractive to buyers. Additionally, getting a standardised governance module accepted across different vendors is a substantial hurdle. The TPM itself needed an industry consortium, the Trusted Computing Group, to become a cross-vendor standard; without a comparable global agreement, industry-wide adoption of governance hardware seems improbable.
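To make concrete what the TPM model gives a verifier and what it does not, the following Python sketch is an added illustration (not code from the CNAS report or from this article) of measured boot plus remote attestation. It is a deliberately simplified model: a single 32-byte register stands in for a PCR bank, and an HMAC under a constructed shared key stands in for the quote signature that a real TPM produces with a manufacturer-certified asymmetric attestation key. The component names, blobs and nonces are constructed sample data.

```python
"""Toy model of TPM-style measured boot and remote attestation.

Constructed illustration only: HMAC stands in for the attestation key's
signature and one 32-byte register stands in for a PCR bank. The point is
that the verifier's verdict is a return value; nothing in the "chip" acts on it.
"""
import hashlib
import hmac

PCR_INIT = bytes(32)  # PCRs are all-zero after platform reset
ATTEST_KEY = b"constructed attestation key"  # stand-in for the TPM's attestation key


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend analogue: PCR = H(PCR || digest). One-way and order-sensitive."""
    return sha256(pcr + digest)


def measured_boot(components):
    """Each boot stage hashes the next stage before handing over control.

    Returns the final PCR value and the event log (name, digest) the verifier replays.
    """
    pcr = PCR_INIT
    event_log = []
    for name, blob in components:
        digest = sha256(blob)
        pcr = pcr_extend(pcr, digest)
        event_log.append((name, digest))
    return pcr, event_log


def tpm_quote(pcr: bytes, nonce: bytes, attest_key: bytes) -> bytes:
    """TPM2_Quote analogue: attest the PCR value together with the verifier's nonce."""
    return hmac.new(attest_key, pcr + nonce, hashlib.sha256).digest()


def verify_attestation(event_log, pcr_reported, nonce, sig, attest_key, golden):
    """Verifier side. Returns a verdict string; enforcement is entirely up to the caller."""
    # 1. The quote must be signed over the PCR and *this* nonce (freshness, no replay).
    if not hmac.compare_digest(sig, tpm_quote(pcr_reported, nonce, attest_key)):
        return "BAD_SIGNATURE"
    # 2. Replaying the event log must reproduce the signed PCR, or the log was edited.
    pcr = PCR_INIT
    for _, digest in event_log:
        pcr = pcr_extend(pcr, digest)
    if pcr != pcr_reported:
        return "LOG_MISMATCH"
    # 3. Every measured component must match the verifier's golden values.
    for name, digest in event_log:
        if golden.get(name) != digest:
            return f"UNEXPECTED_{name}"
    return "OK"


# Constructed sample boot chain; real measurements would be hashes of the binaries.
GOOD_CHAIN = [("bootloader", b"bl v1.2"), ("firmware", b"fw 2024.1"), ("kernel", b"linux 6.6")]


def run_demo() -> dict:
    golden = {name: sha256(blob) for name, blob in GOOD_CHAIN}
    nonce = b"verifier-nonce-1".ljust(32, b"\0")
    results = {}

    # Honest platform, known-good components.
    pcr, log = measured_boot(GOOD_CHAIN)
    sig = tpm_quote(pcr, nonce, ATTEST_KEY)
    results["good"] = verify_attestation(log, pcr, nonce, sig, ATTEST_KEY, golden)

    # Modified firmware: the TPM still reports honestly, so the verifier sees the change.
    tampered = [GOOD_CHAIN[0], ("firmware", b"fw 2024.1 patched"), GOOD_CHAIN[2]]
    pcr2, log2 = measured_boot(tampered)
    sig2 = tpm_quote(pcr2, nonce, ATTEST_KEY)
    results["tampered"] = verify_attestation(log2, pcr2, nonce, sig2, ATTEST_KEY, golden)

    # Replay: an old good quote presented against a fresh nonce is rejected.
    nonce2 = b"verifier-nonce-2".ljust(32, b"\0")
    results["replay"] = verify_attestation(log, pcr, nonce2, sig, ATTEST_KEY, golden)
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict}")
```

Note what the model leaves out, because those are exactly the pieces a governance mechanism would have to add: the PCRs describe what booted, not which workload is running now; the verdict is computed off-chip and the chip keeps running whatever the answer; and the only thing a real TPM can do with a policy is refuse to unseal a key, not throttle or disable the processor.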
The transition from current capabilities to a standardised, universally adopted system of governance is, therefore, fraught with challenges. These include the need for extensive collaboration between industry, academia, and governments, and the development of new standards and protocols that establish trust in these mechanisms and demonstrate their effectiveness and security.
This leads us to the third point: the report concedes that "on-chip governance will be of limited effectiveness without international buy-in." The real driving force behind US allies' potential acceptance of such mechanisms lies in the United States' predominant role in the semiconductor ecosystem's supply chains, much like the dynamics of existing export controls. The report's emphasis on US leadership in AI and semiconductor technology is a point of contention. While it's crucial to sustain a competitive advantage for national security and economic prosperity, the proposed strategy in the report could potentially create tensions with allies and other countries striving to develop independent resilience in their semiconductor supply chains. Implementing on-chip governance could also be perceived as a protectionist move, potentially leading to retaliatory actions and trade disputes in multiple jurisdictions.
Most AI chip consumers have generally accepted existing export controls targeting China, as these controls do not impinge upon their ownership rights after acquisition. However, the implementation of on-chip governance mechanisms across leading-edge chips, even if done via a staged rollout for different geographies, invariably introduces a persistent concern among international consumers and governments. They may be uneasy about the possibility that their hardware's advertised capabilities could be modified remotely and without their consent. Securing international consensus for this approach is a far more challenging endeavour.
The report acknowledges that these mechanisms could initially be limited to export-controlled chips but also mentions the possibility of extending them to consumer GPUs and other devices. However, chip companies may be reluctant to adopt such measures, particularly if every update to export regulations requires new policy to be flashed onto the chip over the air. That would amplify apprehensions about U.S. overreach into other nations' sovereignty and could also degrade chips' advertised performance. This approach raises concerns about consumer confidence, especially if chip-specific operating licences enable manufacturers to disable chips remotely. It also defeats the objective of ameliorating US firms' concerns about losing access to global markets. Imagine a scenario where a hyperscaler in another jurisdiction rents out cloud computing time slices, and a client from China violates export control thresholds set for workloads on the chips, leading to a bricked chip. This would burden the hyperscaler with monitoring usage in real time or limiting the kind of workloads allowed on its infrastructure. Clients would undoubtedly seek to purchase compute chips that do not pose this risk, potentially providing Chinese semiconductor manufacturing firms with a new market for their products.
Furthermore, the technological feasibility and associated security risks of on-chip governance are significant concerns. Implementing secure and reliable governance mechanisms is a complex task. A remote licensing or kill-switch channel is itself an attack surface: whoever can forge, replay or hijack its control messages could disable chips that should keep running, or unlock chips that should not. There is a real risk that such mechanisms introduce new vulnerabilities, potentially undermining the very security goals they aim to achieve.
On-chip governance might also inadvertently hinder innovation. The imposition of usage restrictions on AI chips could constrain their application in novel and unexplored research areas, crucial for driving scientific and technological advancements.
The global context in which AI chips are developed and used further complicates the implementation of on-chip governance. The semiconductor industry is highly international, with supply chains and collaborations spanning multiple countries. Any governance mechanism imposed by one nation or a group of nations could have far-reaching implications for the global AI ecosystem. It could lead to fragmentation, trade disputes, and challenges in international cooperation on AI research and development.
Hopefully, the U.S. Bureau of Industry and Security will consider the broader implications of this governance approach while formulating it: the potential for international friction, the impact on consumer trust, and the risks to innovation.
India is set to host the Quad Leaders' Summit in 2024. Subscribe to Takshashila's Quad Bulletin, a fortnightly newsletter that tracks the Quad's activities through the Indo-Pacific.
Your weekly dose of All Things China, with an upcoming particular focus on Chinese discourses on defence, foreign policy, tech, and India, awaits you in the Eye on China newsletter!
The Takshashila Geospatial Bulletin is a monthly dispatch of Geospatial insights for India’s strategic affairs. Subscribe now!
Cyberpolitik: “unCERT-in” Times - Technology regulation as a game of whack-a-mole
— Rijesh Panicker
Regulating technology is a tricky business, requiring regulators to be aware of their limitations in stopping or banning the use of technology and the spillovers and unintended consequences due to the networked and combinatorial nature of today's technologies.
A recent report in the Wall Street Journal details China's struggle with banning cryptocurrencies. Despite a complete ban on crypto trading since 2019, Chinese traders received $86 billion worth of cash from crypto trading between July 2022 and June 2023, and Binance alone saw a gross trade value of $90 billion from Chinese traders in a single month in 2022. This trading has been facilitated by VPNs, and by WeChat and Telegram groups used to arrange person-to-person meetups where cash and crypto addresses change hands.
Even as crypto trading continues unabated, bitcoin mining in China has collapsed since the crackdown on mining in 2021. From a 75% share of all bitcoin mining capacity in 2019, miners in China accounted for only about a fifth of the share in 2022. The lesson is that it is a lot easier to control operations with a physical, tangible presence than purely digital ones.
India now appears to be coping with a similar set of challenges. Following a recommendation from the Financial Intelligence Unit (FIU) that major cryptocurrency exchanges, including Binance and Kucoin, be banned for non-compliance with India’s Prevention of Money Laundering Act (PMLA), the government blocked these URLs and apps. However, tech-savvy users have continued to use these exchanges using VPN services to bypass these blocks.
As a classic example of unintended consequences and overlaps, readers may remember that in April 2022 the Indian Computer Emergency Response Team (CERT-In), the government-appointed nodal agency for cybersecurity functions in the country, issued new directions covering various aspects of cybersecurity, such as mandatory clock synchronisation, 180-day log retention, six-hour incident reporting, and retention of customer records by cryptocurrency exchanges and VPN providers.
Despite pushback and criticism from the industry around these directions, especially over technical feasibility, the vague nature of the guidelines, and whether CERT-In had exceeded its mandate in issuing them, there have been no substantive clarifications or changes to the directions.
As a result of the directions, specifically those on data storage and information sharing by VPN providers, most global VPN services (NordVPN, ExpressVPN, etc.) have removed their physical servers from India while continuing to serve Indian customers through virtual servers that present Indian IP addresses. The outcome is that users can still reach these VPN providers just as easily, while regulators find it much harder to take any enforcement action against them.
Finally, a recent blog post from security researcher Sai Krishna Kothapalli serves as a renewed reminder that state capacity continues to be a problem. In his blog post, he describes how errors in the MCA portal led to a leak that exposed sensitive information, such as passport numbers and Aadhaar details, of nearly 98 lakh directors of registered Indian companies. He also documents in detail how it took nearly 338 days from first notification for CERT-In to respond and for the issue to be fixed. Given this, one wonders how CERT-In would cope with the deluge of information its 2022 directions are likely to create for IT companies (by some estimates, the logs of a large company's IT systems could run to 1TB of data per day).
What regulators like CERT-In need is a little uncertainty in their mindset. Regulation of technology is an infinite and evolving game of moves and counter-moves, and what we should expect of our regulators is that they build the technical capabilities to create simple standards and rules that allow industry and citizens to participate as stakeholders, thus augmenting the state's ability to respond.
What We're Reading (or Listening to)
[Podcast: All Things Policy] Police Chowki: What are the Lessons from Odisha's Disaster Response Model? ft. Amitabh Thakur (IPS officer & Transport Commissioner, Odisha) and Javeed Ahmad (former IPS officer & DGP of Uttar Pradesh)
[Opinion] Playing the Long Game: Ukraine’s Approach to China, by Rakshith Shetty
[Working Paper] Hardware-Enabled Governance Mechanisms: Developing Technical Solutions to Exempt Items Otherwise Classified Under Export Control Classification Numbers 3A090 and 4A090