Latest security risk: AI’s hardware side

Artificial intelligence is the type of software that is finding its way into every domain. But AI also depends on specialized semiconductor circuits. One warning suggests that these chips, and the systems that use them, need protection from theft and misuse. For more, the Federal Drive with Tom Temin spoke with Onni Aarne, a consultant at the Institute for AI Policy and Strategy.

Interview Transcript:

Tom Temin And what is the issue? These are graphics types of chips that go into specialized computers for AI. Tell us the dynamic here in terms of hardware and software. Because my question is, doesn’t a lot of AI just run on standard systems that everyone was already running applications on?

Onni Aarne So it is possible to run some limited AI systems even just on your phone. For example, if you have Face ID, then that relies on face recognition that is running on your iPhone. But these more powerful systems, such as ChatGPT, are trained and operated in these huge cloud data centers that have tens of thousands of very expensive, very specialized chips. Those are the chips that this is mostly about.

Tom Temin So when I do, say, a Google search and it gives me one of its AI-generated types of things, displayed on my computer, the calculation is done at a Google facility somewhere that probably has the specialized computing.

Onni Aarne Yes, exactly.

Tom Temin And you read a lot that Nvidia is the largest producer of these types of chips, but are there others?

Onni Aarne There are definitely other producers. For example, Google designs and makes their own AI-specialized chips. AMD is another major chip designer that makes GPUs. But especially for large-scale AI applications, Nvidia has most of the total market share.

Tom Temin And just maybe for a minute, before we get into the security aspect, just briefly describe what is the market dynamic. Say, I don’t know, I’ll make up an agency, Homeland Security, and I have an AI application that I need to run in fairly good scale. Do organizations such as that tend to buy their own hardware to run this, or do they just simply sign up for a cloud that already has it?

Onni Aarne Often, even quite large organizations do sign up with these very large cloud providers because they are specialized. They already have the existing facilities and know how to run them well. But it does sometimes happen that very large organizations build their own data centers and clusters.

Tom Temin All right. So what is the security question? You’ve raised in a pretty detailed article that these chips could fall into the wrong hands, or the subsystems could fall into the wrong hands. And therefore what could happen?

Onni Aarne Yes, exactly. So these chips have become strategically quite important because AI technology itself has become quite important in the general competition between the US and China. And so for that reason, the United States placed export controls on some of the most powerful GPUs in October of 2022. And now what this article is centrally about is ways of trying to make those export controls more targeted and more enforceable by having the chips essentially help enforce the controls.

Tom Temin So there is some functionality that could be put on the chip such that if it was misused or installed somewhere, put on a circuit board, it wouldn’t function.

Onni Aarne Yes. For example, the chip could potentially contact specific known servers, computers essentially, to test whether it can reach the right computers quickly enough and therefore demonstrate roughly where in the world that chip is. And so, for example, suppose that the chip was sold in Korea. If it can very quickly contact a trusted computer in Korea, then we can be quite confident that it is not in China. And this could be very useful for enforcing these export controls.

Tom Temin And how amenable do you think the chip manufacturers are to putting on this functionality?

Onni Aarne The chip manufacturers have expressed some concerns that it can take some time to implement these features, as they don’t already exist on the chips. And there are some concerns that some users would not want to buy these chips. But in this case, you could try to target the chips at those who would not be able to buy unlimited chips in the first place.

Tom Temin And if that self-revelation was built into the chip, then could someone, say, sniffing out chip activity over the wire, say, “Golly, I know where that data center is now”?

Onni Aarne No, for complicated reasons. Essentially, these mechanisms would rely on complicated cryptographic schemes to ensure that only the people who are actually supposed to receive specific messages can read the messages and get only the information that they were supposed to get, and not other information.

Tom Temin Right. And export controls, of course, depend on the systems and compliance measures of the people making the chips, and they’re not going to fulfill an order they think might be from North Korea or from China, for example. What about chips just being stolen off the loading dock of the fab? There’s a whole box of them. And just someone on the loading dock could be bribed into saying, just give me that box or scoop out a handful of them for me.

Onni Aarne Yes, it’s almost inevitable that some handfuls of chips can be smuggled in this way. But again, because these chips are used by the tens of thousands, being able to steal even a single container doesn’t necessarily make that large of a difference. And so the more important question is being able to prevent very large scale operations.

Tom Temin And getting back to your idea that on-chip governance could be implemented in some manner. Is there an architectural solution to make it easier for the chip manufacturers? For example, there are programmable chips, and I’m presuming GPUs don’t have that field-programmable function to them. But could a chip be added onto a substrate next to the GPU chip? And that’s where that functionality could be. But essentially, for manufacturing, it’s one chip.

Onni Aarne Yes. So essentially these large, complicated GPU chips already have many, many modules on them. And one of the modules that they already have is something called a platform security processor. There is a security module on the chip that is responsible for specific security-related and cryptography-related operations. And this module could likely be expanded and reprogrammed to be able to implement these mechanisms. But this would still require a significant redesign process that would take some time, but nothing that these chip companies are not already used to doing.

Tom Temin I mean, these are massively scaled chips, with several million transistors. Fair to say?

Onni Aarne I believe it’s much further, in the billions rather than millions.

Tom Temin I’m dating myself. I remember when one transistor had three leads on it. And that’s what you put in a circuit board from Heathkit. Well, is there a way that the intended customer could add something or have a key to unlock the chip in some manner, such that it becomes your proprietary chip? At that point, it could never be reused but by that particular client, so that Google Cloud could unlock it in some manner.

Onni Aarne This is something that could potentially be done essentially by, as you said, supplying some kind of cryptographic license to the intended owner. And then if the chip somehow gets redirected on its way to the ultimate intended consumer, it would not work.

Tom Temin All right. And what should the government’s role be in all of this, in encouraging the Nvidias of the world, and I guess whoever else makes them, Taiwan Semiconductor, I don’t know who makes them, to get them to get on board with this? Is this something that should come through the State Department, through Homeland Security, through the DoD, or what?

Onni Aarne Yes. In the report, we recommend that the National Institute of Standards and Technology establish a working group to help coordinate standards and define exactly what these mechanisms should do, and who should have what kind of control over them. And then agencies such as the Bureau of Industry and Security, which is responsible for export controls, could require chip companies to implement these mechanisms, as standardized by NIST, on chips that are then exported to, for example, risky countries from where they might get smuggled onward to China.

Tom Temin And is your sense, from the standpoint of the Center for New American Security, that NIST and the State Department and the other mechanisms get this, that this is something they recognize?

Onni Aarne So the Bureau of Industry and Security recently asked for proposals for technical measures for making export controls more targeted when they updated the export controls last October. So they are aware of these ideas. But this is still a very novel idea, which is why we wrote this whole report about it.

Tom Temin All right. So the policy is the easy part to establish, but getting those chips reoriented to this trusted execution type of idea, that’s going to take some time.

Onni Aarne Yes. In general, the design process for these cutting-edge GPUs takes several years. And so even if Nvidia started on this now, at least they tell me that it would take several years for them to fully implement this, which is, of course, a different question from how quickly they could really do it if they really had to.
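The two mechanisms sketched in the interview, a chip proving rough location by how quickly it can reach a trusted landmark server, and a manufacturer-issued cryptographic license that binds a chip to its intended owner, can be illustrated with a small simulation. The following is an added example written for this page; it is not code from the report, from Nvidia, or from any real platform security processor. The landmark name, the shared keys, the owner identifier, the propagation speed and the network delays are all constructed for the demonstration, and HMAC with pre-shared keys stands in for whatever signature scheme a real design would use. What it shows that the conversation does not is why the check resists an attacker: a fresh nonce per check defeats replay, the keyed tag defeats an impostor landmark, and no relay can make a round trip shorter than the speed of light allows, so a chip that has been moved too far from the landmark fails.

```python
"""Added example: toy simulation of latency-bounded location checks and a
per-chip owner license, as discussed in the interview. All keys, names and
delays below are constructed; nothing here is a real vendor's design."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed propagation speed of light in optical fibre, in km per millisecond.
FIBER_KM_PER_MS = 200.0


def _tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


@dataclass
class Landmark:
    """Trusted server at a known location; shares a key with the chip (assumption)."""
    name: str
    key: bytes

    def respond(self, nonce: bytes) -> bytes:
        return _tag(self.key, b"landmark", self.name.encode(), nonce)


@dataclass
class SimulatedNetwork:
    """Constructed network model: one-way delay in ms from the chip to each landmark."""
    one_way_ms: dict

    def round_trip(self, landmark: Landmark, nonce: bytes) -> tuple:
        delay = self.one_way_ms[landmark.name]
        return 2 * delay, landmark.respond(nonce)


class ChipSecurityProcessor:
    """Stand-in for the on-chip security processor that would run these checks."""

    def __init__(self, chip_id: bytes, chip_key: bytes, landmark_keys: dict):
        self.chip_id = chip_id
        self.chip_key = chip_key          # per-chip secret shared with the manufacturer
        self.landmark_keys = landmark_keys
        self.unlocked = False

    def check_proximity(self, landmark: Landmark, net: SimulatedNetwork,
                        max_distance_km: float) -> bool:
        """Distance bounding: fresh nonce (no replay), keyed reply (no impostor),
        and the round trip cannot be faster than light over the claimed distance."""
        nonce = secrets.token_bytes(16)
        rtt_ms, reply = net.round_trip(landmark, nonce)
        key = self.landmark_keys.get(landmark.name)
        if key is None:
            return False
        expected = _tag(key, b"landmark", landmark.name.encode(), nonce)
        if not hmac.compare_digest(reply, expected):
            return False
        return rtt_ms <= 2 * max_distance_km / FIBER_KM_PER_MS

    def install_license(self, owner_id: bytes, license_tag: bytes) -> bool:
        """Unlock only if the manufacturer-issued license binds this chip to this owner."""
        expected = _tag(self.chip_key, b"license", self.chip_id, owner_id)
        self.unlocked = hmac.compare_digest(license_tag, expected)
        return self.unlocked


def issue_license(chip_key: bytes, chip_id: bytes, owner_id: bytes) -> bytes:
    """Manufacturer side: a license for exactly one chip and one intended owner."""
    return _tag(chip_key, b"license", chip_id, owner_id)


def demo() -> dict:
    """Run the constructed scenarios and return the outcomes for checking."""
    seoul_key = bytes(32)            # constructed landmark key
    chip_key = bytes(range(32))      # constructed per-chip key
    chip = ChipSecurityProcessor(b"GPU-0001", chip_key, {"seoul": seoul_key})
    seoul = Landmark("seoul", seoul_key)
    impostor = Landmark("seoul", b"wrong" * 6)          # claims to be Seoul, wrong key
    near = SimulatedNetwork({"seoul": 2.0})             # chip a few hundred km away
    far = SimulatedNetwork({"seoul": 6.0})              # chip ~1200 km away
    lic = issue_license(chip_key, b"GPU-0001", b"cloud-provider-kr")
    return {
        "near_ok": chip.check_proximity(seoul, near, 500),
        "far_rejected": not chip.check_proximity(seoul, far, 500),
        "impostor_rejected": not chip.check_proximity(impostor, near, 500),
        "license_ok": chip.install_license(b"cloud-provider-kr", lic),
        "wrong_owner_rejected": not chip.install_license(b"someone-else", lic),
    }


if __name__ == "__main__":
    print(demo())
```

With a 500 km bound the chip accepts a 4 ms round trip and rejects 12 ms, which at the assumed 200 km/ms fibre speed would place it at least 1200 km from the landmark. A real deployment would have to pick the bound to tolerate normal jitter without admitting the locations the export control is meant to exclude, and would use asymmetric signatures rather than a pre-shared key so that landmarks cannot impersonate one another.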


Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories