Dmitri Alperovitch

@dmitri.silverado.org

Geopolitics, Russia, China, Cyber Chairman @silverado.org Author of WorldOnTheBrink.com Host GeopoliticsDecanted.com podcast Founder Alperovitch Institute for Cybersecurity Studies at Johns Hopkins SAIS Co-Founder CrowdStrike @DAlperovitch elsewhere

28,590 Followers  |  871 Following  |  521 Posts  |  Joined: 30.04.2023  |  1.6861

Latest posts by dmitri.silverado.org on Bluesky

The key is to keep the implementation as simple as possible (attestation via Intel Trust Authority or mTLS) and not include poison pills like kill switches and geofencing that would make this unworkable and too onerous for end-users and chip designers alike

END

16.07.2025 13:02 — 👍 12    🔁 0    💬 1    📌 0

Through this lens, the Chip Security Act or similar solutions would help accomplish the goal of identifying export control violators with minimal overhead to AI chip companies and exporters

16.07.2025 13:02 — 👍 8    🔁 0    💬 1    📌 0

The goal here would not be to identify and stop every AI chip export violation but to collect additional data that might help identify export control violators

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

In another scenario, if you have a customer that has purchased tens of thousands of AI chips which are not reporting in every month (accounting for typical chip failure rates, etc), it is also grounds for a BIS investigation of an importer

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

A typical hop between eg Shanghai and Singapore will add 40-300ms of consistent latency which can be easily detected. This would then be a clue for BIS to investigate further

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

To mitigate against this, the exporter's webserver can measure round trip time (RTT) for packets inside the mTLS connection and then compare it to pings to the IP from which the connection is originating

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

Of course, this is not foolproof. Chinese companies can purchase AI chips through shell companies elsewhere, reship the chips to China and then proxy their mTLS connections through VPNs and proxies in countries where the shell companies are based

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0
GPU Remote Attestation With Intel® Trust Authority | Intel® Tiber™ Trust Authority Learn about the Intel® Trust Authority Python Client, CLI for Intel TDX and NVIDIA GPU, and Intel Trust Authority REST API that support GPU attestation.

Another way to accomplish this might be to use existing Intel Trust Authority for GPU remote attestation architecture that Intel and Nvidia have partnered on but that creates a requirement to use Intel CPUs, which may not be ideal in every case docs.trustauthority.intel.com/main/article...

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

GPU drivers can already do mTLS handshake operations like ECDSA signing, so this doesn’t even require any new code from the chip designers

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

The connection can be trivially initiated via a simple script from other parts of the environment where the AI chip is deployed, but just talk to the GPU driver for handshake initiation/client key exchange with the EXPORT_CERT. This minimizes the technical reqs for AI chips

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

The mTLS connection would not originate from the chip itself. In fact, it doesn’t even have to originate from the server that the chip is in

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

So if a chip is being sold to a data center in Singapore but the connection originates from an IP address in China (or anywhere else), well, that means you might have a potential transshipment on your hands that warrants BIS investigation

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

The US exporter would then have the country from where the secure mTLS conn is originating and match it against the customer KYC and export info data that they had collected during the export process to determine whether country of shipment matches country of use

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0
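
The exporter-side checks described in the posts above (connecting country vs. KYC country, RTT inside the mTLS connection vs. ping RTT to the connecting IP, and chips that stop reporting in), as an added example that is not part of the original thread. The record layout, the names, the 5% silent-chip allowance and the use of 40 ms as the flagging threshold are assumptions; the sample check-ins are constructed.

```python
from dataclasses import dataclass
from statistics import median

RTT_GAP_MS = 40.0          # lower bound the thread quotes for a Shanghai-Singapore hop
FAILURE_ALLOWANCE = 0.05   # assumed share of chips allowed to be silent (failures etc.)

@dataclass
class CheckIn:
    chip_id: str            # chip whose EXPORT_CERT authenticated the session
    source_country: str     # geolocation of the connecting IP
    tunnel_rtt_ms: list     # RTT samples measured inside the mTLS connection
    ping_rtt_ms: list       # RTT samples from pinging the connecting IP

def proxy_gap_ms(c):
    """Median extra latency inside the tunnel compared with pinging the source IP."""
    return median(c.tunnel_rtt_ms) - median(c.ping_rtt_ms)

def triage(customer, kyc_country, chips_sold, checkins):
    """Return (subject, reason) leads for one customer and one reporting period."""
    leads, seen = [], set()
    for c in checkins:
        seen.add(c.chip_id)
        if c.source_country != kyc_country:
            leads.append((c.chip_id, "country_mismatch"))
        elif proxy_gap_ms(c) >= RTT_GAP_MS:
            # Source IP is in the right country but the real endpoint is further away.
            leads.append((c.chip_id, "possible_proxy"))
    silent = chips_sold - len(seen)
    if silent > chips_sold * FAILURE_ALLOWANCE:
        leads.append((customer, f"missing_checkins:{silent}"))
    return leads

# Constructed sample: a customer with KYC country SG that bought 10 chips.
SAMPLE = [
    CheckIn("chip-A", "SG", [12, 14, 13], [11, 12, 12]),   # direct, gap 1 ms
    CheckIn("chip-B", "CN", [35, 36, 34], [33, 35, 34]),   # wrong country
    CheckIn("chip-C", "SG", [95, 102, 98], [9, 10, 11]),   # proxied, gap 88 ms
]

if __name__ == "__main__":
    for subject, reason in triage("ExampleCo", "SG", 10, SAMPLE):
        print(subject, reason)
```

The output is a list of leads for follow-up, matching the thread's framing of the data as an investigative input rather than an enforcement decision.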

US exporters would run mTLS webservers with public key versions of the EXPORT_CERTs loaded on them (they would get them from the chip designers) to record the IP addresses and their geolocation from where the connections are originating

16.07.2025 13:02 — 👍 2    🔁 1    💬 1    📌 0

Foreign end-users (wouldn’t apply to US customers or perhaps to trusted foreign govs) would then be obligated by BIS to use this cert for mTLS (mutual-auth) Client Key Exchange connection generation to the US exporter of the chip on a periodic basis (ex. once a week/month)

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

New AI chips going forward can incorporate a new certificate with a private key (EXPORT_CERT) in their Secure Enclave (they already have other certs for secure boot/attestation). So this is a very simple task

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

Here is one technical solution for chip location verification that can be easily implemented by AI chip designers, which is not onerous and won’t require GPS receivers or comms functionality inside the chip or significantly restrict its use in air gap environments👇

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

CSA bill should tell BIS to rely on NIST to come up with the appropriate technical solution that is as technically simple as possible for both chip designers, exporters, and end-users

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

CSA won’t solve every problem and it’s not foolproof (evasions can still occur although will be harder to pull off) but it does provide additional resources to identify malign actors that have gone undetected in opaque supply networks

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

The most important thing about the Chip Security Act and why it’s different from other proposals is that it is an investigative tool for enforcement, not an enforcement mechanism on its own

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

The idea behind CSA is not to prevent chips from working in banned locations like China but to simply expose more data to exporters of chips (and ultimately US BIS) on their end-users to enhance investigations of transshipping violators

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

It is also important that Congress avoid imposing a specific technical approach on the industry (it’s not good at that), nor require geofencing or kill switches built into chips that would turn this into an unworkable solution

16.07.2025 13:02 — 👍 3    🔁 1    💬 1    📌 0

The idea of chip geolocation is not new but various proposals have been plagued over the years with technical challenges, over-engineering complexity, and the perfect approach being the enemy of the “good enough”

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

By allowing China to procure advanced AI chips, such as those from Nvidia and AMD, we are literally arming our enemy for a potential conflict with us and this has to be addressed with tightening and stricter enforcement of chip export controls

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

Some have estimated that as many as 30% of American GPUs are being diverted to China today but real numbers are impossible to validate because of the current ease of diversion

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

AI chip diversion to China is a huge problem as it is not only helping CN companies in competition with US firms in the most important industry of the future - AI, but also helps them develop advanced weapons systems that we and our allies would confront in a potential conflict

16.07.2025 13:02 — 👍 2    🔁 0    💬 1    📌 0

Chip Security Act (CSA) is a new bipartisan bill in Congress that requires advanced AI chips to have location verification to combat illicit diversion of exports of these chips to banned countries like China.

A 🧵 on how this could work to enhance US export control enforcement

16.07.2025 13:02 — 👍 24    🔁 7    💬 2    📌 2

Malaysia, one of the top black market transshippers of AI chips to China, has just announced that "effective immediately, all exports, tranships and transits of high-performance AI chips of US origin are subject to a Strategic Trade Permit"

www.miti.gov.my/miti/resourc...

14.07.2025 18:06 — 👍 54    🔁 8    💬 3    📌 1

Why America's Nuclear Deterrence Strategy Needs to Change (YouTube video by Dmitri Alperovitch)

New Geopolitics Decanted episode about why the US nuclear force posture needs to change

Also Iran-Israel war, China’s new tactical nuclear arsenal, debate about counterforce vs countervalue targeting & extended deterrence, and why Pakistan wants ICBMs targeting America

youtu.be/tCVtes4dEUU

02.07.2025 12:23 — 👍 14    🔁 4    💬 1    📌 0

THE IRAN BREAKDOWN | Assessing the U.S. Strikes on Iranian Nuclear Facilities (YouTube video by FDD)

Worth listening to both of these, on Iran’s nuclear program and its future after the Israeli-US attacks

1.)
David Albright interviewed by @mdubowitz.bsky.social

www.fdd.org/podcasts/202...

2.)
@armscontrolwonk.bsky.social interviewed by @dmitri.silverado.org

podcast.silverado.org/e/assessing-...

26.06.2025 10:16 — 👍 12    🔁 3    💬 2    📌 0
