安全、可治理的芯片：利用片上機(jī)制管理AI和先進(jìn)計(jì)算帶來的國(guó)家安全風(fēng)險(xiǎn)（英文版）

JANUARY2024

Secure,GovernableChips

UsingOn-ChipMechanismstoManageNationalSecurityRisksfromAI&AdvancedComputing

OnniAarne,TimFist,andCalebWithers

YCNAS

15YEARS

AbouttheAuthors

OnniAarneisaconsultantwiththecomputegovernanceteamattheInstituteforAI

PolicyandStrategy.HepreviouslyconductedcomputegovernanceresearchatRethink

Priorities,anotherresearchnonprofit

organization.HehasaBScincomputer

scienceandanMScindatasciencefromtheUniversityofHelsinki.

TimFistisaFellowwiththeTechnology

andNationalSecurityProgramattheCenterforaNewAmericanSecurity(CNAS).

Hehasanengineeringbackgroundand

previouslyworkedastheHeadofStrategy&GovernanceatFathomRadiant,anAI

hardwarecompany.Priortothat,heworkedasamachinelearningengineer,buildinganddeployingAIsystemsin

commercialsettings.HeholdsaB.A.(Honors)inaerospaceengineeringandaB.A.inpoliticalsciencefromMonash

University.

CalebWithersisaResearchAssistantfortheTechnologyandNationalSecurityProgram

atCNAS.BeforeCNAS,heworkedasa

policyanalystforavarietyofNewZealandgovernmentdepartments.HehasanM.A.insecuritystudiesfromGeorgetownUniversity,

concentratingintechnologyandsecurity,andaBachelorofCommercefromVictoriaUniversityofWellington,majoringineconomicsandininformationsystems.

AbouttheTechnologyandNationalSecurityProgram

TheCNASTechnologyandNationalSecurityprogram

exploresthepolicychallengesassociatedwithemergingtechnologies.Akeyfocusoftheprogramisbringing

togetherthetechnologyandpolicycommunitiesto

betterunderstandthesechallengesandtogetherdevelopsolutions.

AbouttheArtificialIntelligenceSafety&StabilityProject

TheCNASAISafety&StabilityProjectisamultiyear,

multiprogrameffortthataddressestheestablishedand

emergingrisksassociatedwithartificialintelligence.The

workisfocusedonanticipatingandmitigatingcatastrophicAIfailures,improvingtheU.S.DepartmentofDefense’s

processesforAItestingandevaluation,understandingandshapingopportunitiesforcomputegovernance,

understandingChinesedecision-makingonAIandstability,andunderstandingRussiandecision-makingonAIand

stability.

Acknowledgments

TheauthorswouldliketoacknowledgetheCNAS

PublicationsTeamsfortheirsupport,design,andediting.

TheauthorsalsowouldliketothankPaulScharre,ExecutiveVicePresidentandDirectorofStudies,forreviewsof

variousiterationsofthiswork.ThisreportwasproducedincollaborationwiththeInstituteforAIPolicyandStrategy.

Theauthorswouldalsoliketothankthelargenumberofreviewersandexpertsconsultedaspartofthisproject,especiallySamuelHammond,BradyHelwig,andGabrielKulp.Thisprojectismadepossiblewiththegenerous

supportofOpenPhilanthropy.

Asaresearchandpolicyinstitutioncommittedtothehigheststandardsoforganizational,intellectual,and

personalintegrity,CNASmaintainsstrictintellectual

independenceandsoleeditorialdirectionandcontroloveritsideas,projects,publications,events,andotherresearchactivities.CNASdoesnottakeinstitutionalpositionson

policyissues,andthecontentofCNASpublicationsreflectstheviewsoftheirauthorsalone.Inkeepingwithitsmissionandvalues,CNASdoesnotengageinlobbyingactivityandcompliesfullywithallapplicablefederal,state,andlocal

laws.CNASwillnotengageinanyrepresentationalactivitiesoradvocacyonbehalfofanyentitiesorinterestsand,to

theextentthattheCenteracceptsfundingfromnon-U.S.

sources,itsactivitieswillbelimitedtobonafidescholastic,academic,andresearch-relatedactivities,consistentwith

applicablefederallaw.TheCenterpubliclyacknowledgesonits

website

annuallyalldonorswhocontribute.

TABLEOFCONTENTS

01ExecutiveSummary

05Introduction

09WhatWouldEffectiveOn-Chip

GovernanceLookLike?

10PoliciesthatOn-ChipGovernance

MechanismsCouldEnable

13TechnicalUnderpinnings

17ChallengesforImplementation

21ImplementationTimelines

23Recommendations

25LimitationsandConclusion

26AppendixA:

GlossaryforAICompute

28AppendixB:

AdditionalSecurityConsiderations

On-chipgovernancemechanismscan

safeguardthe

developmentand

deploymentofbroadlycapableAIand

supercomputingsystemsinawaythatis

complementary

toAmericantechnologyleadership.

1

ExecutiveSummary

roadlycapableAIsystems,builtanddeployed

usingspecializedchips,arebecominganengineofeconomicgrowthandscientificprogress.Atthe

B

sametime,thesesystemsalsocouldbeusedbyirre-

sponsibleactorstoenablemasssurveillance,conduct

cyberattacks,anddesignnovelbiologicalweapons.ThismakessecuringandgoverningthesupplychainforAIchipsimportantformitigatingriskstoU.S.national

security.Buttoday’ssemiconductorexportcontrols

arelacklusterasastand-alonesolution.Tobeeffective,theyneedtobefar-reaching,whichharmsthecompeti-tivenessofU.S.firms,risksthe“de-Americanization”ofchipsupplychains,andrisksalienatingcommercialAIdevelopersandpartnernations.Far-reachingcontrolsarealsohardtoenforce:AIchipsmugglingisalready

happeningtodayandcouldsignificantlygrowinvolumeoverthecomingyears.1

TheuniquechallengesofAIgovernanceandthe

opportunitiesaffordedbymodernsecuritytechnologiessuggestalternativeapproachesarebothnecessaryandpossible.WhatifpoliciesconcerningAIchipscouldbeimplementeddirectlyonthechipsthemselves?Whatifupdatestoexportregulationscouldbedeployedthroughasimplesoftwareupdate,backedbysecurehardware?Thisreportintroducestheconceptof“on-chipgover-

nancemechanisms”:securephysicalmechanismsbuiltdirectlyintochipsorassociatedhardwarethatcouldprovideaplatformforadaptivegovernance.Itskey

findingsareasfollows.

On-chipgovernancemechanismscouldhelpsafeguardthedevelopmentanddeploymentofbroadlycapableAIandsupercomputingsystemsinawaythatiscomplementarytoAmericantechnologyleadership.

Oneespeciallypromisingnear-termapplicationisexportcontrolenforcement,whereon-chipmechanismscouldpreventorplaceboundariesaroundunauthorizedactors’useofexport-controlledAIchips.Implementedwell,

thiswouldgreatlyaidenforcement,andreducetheneedfortop-downexportcontrolsthatharmthecompeti-

tivenessoftheU.S.chipindustry,insteadenablingmoresurgicalend-use/end-user–focusedcontrolsifdesired.

Laterapplicationsincludeenforcingthetermsof

futureinternationalagreementsorotherregulations

thatgovernthelarge-scaletraininganddeployment

ofAImodels.Here,on-chipmechanismscouldwidenthespaceofpossibleagreementsandpoliciesbypro-

vidingatrustworthyverificationplatform.Forexample,

2

@CNASDC

on-chipgovernancemechanismscouldallowAIdevel-operstocrediblyreport“trainingruns”thatexceed

certaincomputationthresholds,ascalledforbya

recentWhiteHouseExecutiveOrder.2Theexistence

ofthesemechanismscouldallowforflexibleandeffi-

cientinternationalgovernanceregimesforAI,allowingpolicymakerstothinkbeyondthelimitationsofslowandcomplexstructuressuchastheInternationalAtomic

EnergyAgency(IAEA).3

Muchoftherequiredfunctionalityforon-chipgovernanceisalreadywidelydeployedon

variouschips,includingcutting-edgeAIchips.

ChipssoldbyleadingfirmsAMD,Apple,Intel,and

NVIDIAhavemanyofthefeaturesneededtoenablethepoliciesdescribedabove.Thesefeaturesareusedtodayinawidevarietyofapplications.OntheiPhone,on-chipmechanismsensurethatunauthorizedapplications

can’tbeinstalled.Googleuseson-chipmechanismsto

remotelyverifythatchipsrunningintheirdatacentershavenotbeencompromised.Manymultiplayervideo

gamesnowworkwithahardwaredevicecalleda

“TrustedPlatformModule”topreventin-gamecheating.IntheAIspace,thesefeaturesareincreasinglyusedtodistributetrainingacrossdifferentdevicesandusers

whilepreservingprivacyofcodeanddata.4

On-chipgovernancedoesnotrequiresecretmonitoringofusersorinsecure“backdoors”onhardware.On-chipgovernanceisbetterimplementedthroughprivacy-preserving

“verification”and“operatinglicenses”forAIchipsusedindatacenters.

“Verification”involvestheuserofachipmakingclaimsthatareverifiablebyanotherpartyaboutwhattheyaredoingwiththechip.Forexample,verifyingthequantityofcomputationorthedatasetusedinaparticular

trainingrun.5Secureon-chipverificationofthiskindismadepossiblebya“TrustedExecutionEnvironment”

(TEE).BecauseoftheTEE’ssecurityproperties,the

verifiercantrustthatinformationreceivedfromtheTEEhasnotbeen“spoofed,”withoutthechip’suserneedingtodivulgesensitivedata.6

“Operatinglicenses”provideanenforcementmech-anism.Thisisusefulincaseswhere,forexample,the

chip’sownerisfoundtohaveacquiredthechipin

violationofanexportcontrolagreement,orifthechip’suserrefusestoparticipateinalegallyrequiredverifica-tionprocess.Operatinglicenseswouldbebestenabledusingadedicated“securitymodule”thatlinksthefunc-tioningofthechiptoaperiodicallyrenewedlicensekey

fromthemanufacturer(oraregulator),notunlikethe

productlicensesrequiredtounlockproprietarysoftware.Hardwareoperatinglicensesofthiskindarealreadyusedinsomecommercialcontexts.

ThesemechanismsshouldprimarilybeusedonthespecializeddatacenterAIchipsthataretargetedbythecurrentAIchipexportcontrols.However,somelimitedmechanismsonconsumerGPUsmaybeusefulif,inthefuture,thesedevicesareexport-controlled.7

Existingtechnologiesneedtobehardenedbeforetheycanberelieduponinadversarialsettingssuchasexportcontrolenforcement.

On-chipgovernancemechanismsareonlyusefulinsofarastheyreliablyworkevenwhenadversariesareactivelyattemptingtocircumventthem.8Commercialversionsofthesetechnologiesarenottypicallydesignedtodefendagainstawell-resourcedattackerwithphysicalaccess

tothehardware.Investmentsinhardwareandsoftwaresecuritywillberequiredforon-chipgovernancemecha-nismstofunctionreliablyinthesekindsofenvironments.

Thespecificdefensesrequiredtoadequatelysecureon-chipgovernancemechanismsdependonthecontextinwhichtheyaredeployed.Thisreportexploresthreecontexts:minimally,covertly,andopenlyadversarial.

Astagedapproachtothedevelopmentandrolloutofon-chipgovernancefordatacenterAIchipsispossible.

IntermediatestagesofR&Dcouldstillbeusefulinpro-ductioncontexts.Intheshortterm,firmwareupdates

couldbedeployedtoexportedAIchipsimplementing

earlyversionsofahardwareoperatinglicenselinkedtothetermsofanexportlicense.Thiswouldbeusefulas

anadditionalcautionarymeasureforalready-plannedAIchipexportstohigh-diversion-riskgeographies.

Apromisingandrelativelyfeasiblenextstepwouldbetomakedevices“tamper-evident”(attemptstotamperwiththechipswouldleaveindelibleevidence).This

couldbeasufficientlevelofsecurityincaseswhereocca-sionalphysicalinspectionsofthehardwarearepossible.

ForsubsequentgenerationsofAIchips,hardware

securityfeaturescouldbefurtherhardened,workingtowardfull“tamper-proofing”tomakephysicalinspec-tionslessnecessary.

3

TECHNOLOGY&NATIONALSECURITY|JANUARY2024

Secure,GovernableChips:UsingOn-ChipMechanismstoManageNationalSecurityRisksfromAI&AdvancedComputing

Tomotivatefurtherinvestigationofon-chipgover-

nance,thisreportsketchesanexamplearchitecturefordatacenterAIchipsthatcouldprovideaflexibleplatformfordynamicallyimplementingdifferentgovernance

mechanisms.Thecoreofthisproposalisahardened

securitymodule,includedonallhigh-performancedatacenterAIchips,thatcanensurethatthechiphasvalid,up-to-datefirmwareandsoftwareand,whereapplicable,anup-to-dateoperatinglicense.Iftheseconditionsarenotmet,itwouldblockthechipfromoperating.

Thisvalid,up-to-datefirmwareandsoftwarethen

couldhelpenforcelimitsontheusesofthesechipsandoffersophisticated“remoteattestation”capabilities

(remoteauthenticationtosecurelyverifydesiredprop-ertiesofthechipandthesoftwareitisrunning).The

securitymodulecouldensurethatiffirmware/softwarevulnerabilitiesarefound,userswouldhavenochoicebuttoupdatetopatchedversionswherethevulnerabilityhasbeenfixed.Thesecuritymodulealsocouldbeconfiguredtorequireanup-to-date,chip-specificoperatinglicense.

CurrentAIchipsalreadyhavesomecomponentsofthisarchitecture,butnotall.Thesegapslikelycould

beclosedwithmoderatedevelopmenteffortasexten-sionsoffunctionalityalreadyinplace.Theprimary

technicalchallengewillbeimplementingadequate

hardwaresecurity,particularlyfortamper-evidenceandtamper-proofing.Thisreportestimatesthiscouldbe

achievedwithaslittleas18monthsofinvolvedtechnicaleffort(andupto4years)fromleadingfirms.

BecauseasmallnumberofalliedcountriesencompassthesupplychainforthemostadvancedAIchips,onlyasmallnumberofcountrieswouldneedtocoordinatetoensurethatallcutting-edgeAIchipshavethesemech-anismsbuiltin.On-chipmechanismswouldneedtobesupportedbyawaytotracktheownershipofdatacenterAIchips,andsomeformofinspectionstoensurethesechipsarenottamperedwith,whererequired.

On-chipgovernancemechanismspresentaprom-

isingareaforfurtherresearchforcomputerengineers,computerscientists,andpolicyresearchers.ThisreportoffersthefollowingrecommendationstoU.S.policy-

makerstomovetowardaworldwhereallleadingAIchipsaresecureandgovernable.

Establishgovernmentcoordination

Recommendation:TheWhiteHouseshouldissueanexecutiveorderestablishingaNIST-ledinteragency

workinggroup,focusedongettingon-chipgover-

nancemechanismsbuiltintoallexport-controlleddatacenterAIchips.

Background:Foron-chipgovernancetoreachcommer-cialscale,long-termcollaborationbetweengovernmentandindustrywillberequired.Forprogresstobemadequickly,anexecutiveordercouldbeanappropriate

forcingfunction.TheNationalInstituteofStandards

andTechnology(NIST)wouldmakeasuitablelead

forthiseffort.ExpertiseandstaffalsoshouldbedrawnfromtheDepartmentofEnergy,theDepartmentof

Defense,theDepartmentofHomelandSecurity,the

NationalScienceFoundation,andtheU.S.intelligencecommunity.Theworkinggroupshouldalsobeinformedbyatechnicalpaneldrawnfromindustryandacademiatohelpdirecttechnicalstandardsandresearch.

Createcommercialincentives

Recommendation:TheDepartmentofCommerce(DoC)shouldincentivizeU.S.chipdesignersto

conductnecessaryR&Dusing“advanceexportmarketcommitments.”9

Background:Giventhaton-chipgovernancemecha-

nismsneedtobeimplementedoncommercialchips,

muchofthenecessaryR&Dwillneedtohappenin

anindustrysetting.Toincentivizethiswork,theDoCshouldconsidermakingcommitmentsrelatedtofutureaccesstoexportmarketstoU.S.chipfirms,conditionalonfirmsimplementingaspecificsetofsecurityfeaturesoncontrolledproducts.SuchcommitmentswouldbeaneffectivewayofincentivizingthenecessaryR&D

withoutspendingpublicmoney,giventhelargeamountoflostrevenuetochipfirmscausedbyexportrestric-tions.10Exportmarketcommitmentscouldinclude

notextendingexportcontrolstonewjurisdictions,

relaxingthe“presumptionofdenial”licensingpolicyforchipexportstolower-riskcustomersinChina,ormovingtowardmoresurgicalend-useorend-user-

basedcontrols.TheDoCshoulddeveloptherequiredfeaturesetsbyanalyzingspecificattackerthreat

modelsindifferentexportcontexts,incoordination

withtheU.S.IntelligenceCommunityandDepartmentofHomelandSecurity.

4

@CNASDC

AcceleratesecurityR&D

Recommendation:NISTshouldcoordinatewith

industryandrelevantgovernmentfundingbodiestoscope,fund,andsupportR&Dthatcanbeconductedoutsideleadingchipcompaniesandintegratedlater.

Background:WhilethelargemajorityofR&DwillneedtobeconductedbythefirmsbuildingandsellingAI

chipsatscale,someworkmaybeusefullyconducted

outsideofthesefirms,especiallytechnologiesthatwouldbenefitfrombeingstandardizedacrosstheindustry.

NISTshouldcoordinatewiththeSemiconductor

ResearchCorporation,relevantDefenseAdvanced

ResearchProjectsAgency(DARPA)programmanagers,andotherrelevantgovernmentfundingbodiestoscopeandfundusefulR&Dtobeperformedbyacademicand/orcommercialpartners.Forexample,workonspecial-izedtamper-proofenclosures(physicalhousingsfor

chipsthatpreventthechipfrombeingmodifiedwithoutcompromisingitsoperation)forhigh-endchipscouldbepotentiallyoutsourcedtoacademicandcommercialhardwaresecuritylabs.Tosupporttheseprojects,NISTshouldcreatetechnicalstandardsandreferenceimple-mentationsforon-chipgovernancemechanismsthataredesignedforwideadoptionbyindustry.

Planforastagedrollout

andfundextensivered-teaming

Recommendation:Toensurethaton-chipgovernancemechanismsareproperlydesignedandsafelyintro-

duced,theDoCandDepartmentofHomelandSecurity(DHS)shouldestablishflexibleexportlicensingandred-teamingprograms.

Background:On-chipmechanismswillrequiresubstan-tialtestingbeforebeingrelieduponinmoreadversarial

environments(e.g.,exportsofcontrolledchipstoChina).Tofacilitateastagedrolloutapproachwheremechanismscanbedependeduponinsuccessivelymorechallenging

operatingcontexts,theDoCshouldcreateexportlicensingarrangementswherelicensescanbeflexiblygrantedfor

differentgeographiesbasedonthesecurityfeaturesonthedevicetobeexported.Intandem,theCybersecurityandInfrastructureSecurityAgencywithinDHSshouldestab-lishred-teamingandbugbountyprogramstohelpfindandpatchanysoftwareandhardwaresecurityvulnerabilities.Apromisingnear-termstartingpointissettingupapublicprizeforfindingvulnerabilitiesinhardwaresecurity

featuresontoday’sAIchips.

Coordinatewithallies

Recommendation:TheStateandCommerce

Departmentsshouldcoordinatewithalliesonpoliciesandstandardsforon-chipgovernance.

Background:Aswithmanyotherformsoftechnology

governance,on-chipgovernancewillbeoflimited

effectivenesswithoutinternationalbuy-in.TheStateandCommerceDepartmentsshouldincludethepotential

roleofon-chipgovernancemechanismsindiplomaticdiscussionswithcountriesthatoccupyimportant

positionsinthesupplychainforcutting-edgeAIchips(especiallyTaiwan,theNetherlands,SouthKorea,andJapan),includingpotentialnewmultilateralcontrol

regimes.11Lookingbeyondexportcontrolcoordination,usingon-chipgovernancemechanismstofacilitateAIgovernancecooperation(e.g.,internationalagreementsoncomputeusagereporting)wouldbenefitfromclosecoordinationwithlike-mindedallies,suchastheUnitedKingdomandtheEuropeanUnion.

EncourageAIchipfirmstomoveearly

Recommendation:Chipfirmsshouldbeencouragedtomoveearlytobuildandhardenthesecurityfeaturesrequiredforon-chipgovernance.

Background:TheUnitedStateshassignaledinterest

inon-chipgovernanceinarecentrequestforcommentissuedbytheDepartmentofCommerce.12Chipsuppliersthataremoreabletoapplyandbuildonexistingtech-

nicaleffortswillhaveaheadstartondemonstratingandrealizingcompliance,withpotentialbenefitsintermsofaccesstomarketsthatarethesubjectofexportcontrolsorotherrelevantregulation.

Developinganddeployingthemechanismsdescribedinthisreportwilltaketime(monthsinthemostoptimisticcase,yearsinthemostlikelycase).IfthecapabilitiesandnationalsecurityrisksofAIsystemscontinuetogrowatthepaceobservedin2022and2023,theneedforhighlyeffectivecontrolscouldbecomeacuteinseveralyears.

Thissuggeststhatpolicymakersconcernedaboutthis

issueshouldbeginformulatingpoliciesandincentivizingthedevelopmentofappropriatetechnologiesnow.OncetherelevantsecurityfeatureshavebeenmandatedinthemostpowerfulAIchips,theyneednotbeusedimme-

diately:Themechanismsoutlinedinthisreportwouldallowforrapidandflexibleresponsestonewdevelop-mentsandthreatsonceinstalled.

5

TECHNOLOGY&NATIONALSECURITY|JANUARY2024

Secure,GovernableChips:UsingOn-ChipMechanismstoManageNationalSecurityRisksfromAI&AdvancedComputing

Introduction

testedanewhigh-yieldthermonuclearweapondesign

nFebruary25,2022,Russianforcesattacked

theUkrainiantownMelitopoland,afteraweekofheavyfighting,iteventuallywascaptured.

O

Thankstoitsrichsoil,theregionhasbeenanagriculturalhubforover200years,afactthatwasnotlostonthe

invaders.Intheweeksthatfollowedtheinvasion,localsnoticedthatgrainwasdisappearingfromtheirsilos.

Butitwasn’tjustgrainbeingstolenfromtheoccupied

town.Overthecourseofseveralweeks,combinehar-

vesters(farmequipmentusedtoharvestgrain)began

togomissing.Areviewofsecurityfootagelaterwould

revealthemachinerybeingloadedontomilitarytrucks,conspicuouslymarkedwithwhite“Z”s.13Inall,around

$5millionworthoffarmequipmentwasstolen.GPS

trackingfeaturesontheharvesterspaintedastartling

picture:Thesestolenassetshadembarkedona700-mileodysseytoZakhanYurt,aremotevillageinChechnya.

Butwhentheinvaderstriedtousethestolenharvesters,theyrealizedtheycouldn’tturnthemon.TheharvestershadbeendisabledbytheU.S.manufacturer,JohnDeere,whohasrevealedthatthoughtheyrarelyuseit,theyhavetheabilitytoremotelyshutdownanyoftheirmachines.14

Toolsbuiltintosensitivetechnologiescanenable

policiesnotonlyforrestriction,asinthepreviousstory,butalsoforverification.In1954,theUnitedStates

atBikiniAtollinthePacificOcean.ItremainsthemostpowerfulnuclearweaponeverdetonatedbytheUnitedStates,aroundonethousandtimesmorepowerfulthanthoseusedonHiroshimaandNagasaki.Thetest(named“CastleBravo”)causednuclearfallouttospreadover

fourthousandsquaremiles,resultinginsometimeslethaldosesofradiationforpeopleonneighboringislandsandnearbyfishingvessels,andincitingastronginterna-

tionalreaction,includingcallsforacomprehensivetestban.15InMarchof1960,theUnitedKingdom,theUnitedStates,andtheSovietUnionwerenegotiatingthetermsofsuchanagreement.Thesediscussionsledtothe1963PartialNuclearTestBanTreaty,which123countries

havesinceratified.Itwasapartialbanratherthanacom-prehensiveoneinpartduetoakeyproblemforverifyingcompliance:itwas,atthetime,impossibletoreliably

remotelydetectundergroundtests.Consequently,the

banwaslimitedtotestsconductedintheatmosphere,

underwater,andinouterspace.Twoyearslater,signifi-cantprogresshadalreadybeenmadetowardssolvingtheproblemofreliablydetectingundergroundtests,usingtheideaofanetworkofseismometers(devicesusedtomeasureseismicactivity)combinedwithanewefficientalgorithmfordifferentiatingbetweennucleartestsandotherseismicactivity.Butatreatyhadalreadybeen

signed,anditwasn’tuntilmanyyearslater,in1990,that

theUnitedStatesandSovietUnionratifiedatreatyinvolvingunder-

groundtests:the“ThresholdTest

BanTreaty”,whichprohibitedall

nucleartestsexceeding150kilotons.Thistreatywasenabledbymutualagreementbetweenthetwocoun-triesonaspecifictechnicalprotocolfortheverificationofundergroundtestsbasedontheapproach

describedabove.Ofcourse,verifica-tionisonlyonepartoftherationalebehindarmscontroltreaties,but

thisstoryshowstherolethatver-ificationtechnologiescanplayin

enablinginternationalagreementsandgovernancestructuresthatmaynototherwisebeabletoexist.

Boththesestorieshighlight

someofthechallengeswithtech-nology-basedsolutionstopolicyproblems.Thefirstisachieving

sufficientreliability.Althoughthecombineharvesterswereremotely

JohnDeereisoneoftheworld’slargestexportersoffarmequipmentandspendsaround

$2billionannuallyonresearchanddevelopment.Thishasledtoacomplexhardwareand

softwarestackfortheirequipment,allowingremotecontrolofnewervehicles.Here,UkrainianfarmerMykhailoPalahniukpointstowardaJohnDeereharvesterunderrepair,onhis6-hectarefarmwherehegrowscropsofwheat,barley,andsoy.(ScottPeterson/GettyImages)

6

@CNASDC

disabled,it’slikelythatRussiantroopseventuallywereabletobypasstheprotection,provideditwasworththetimeandmoneytodoso.Thesecondistiming.Thoughitturnedouttobepossibletoverifyundergroundnucleartests,thisdevelopmentcametoolatetobetrulyusefulfornuclearnonproliferation.

ThisreportconsiderstheapplicabilityofthesekindsoftechnologicalsolutionstoAIpolicy.WhatifpoliciesconcerningAIchips,acrucialinputfordual-useAI

systems,couldbeimplementeddirectlyonthechips

themselves?Whatifupdatestoexportregulationscouldbedeployedthroughasimplesoftwareupdate?Such

“on-chipgovernancemechanisms”couldhelpflexiblyaddressmanyofthenationalsecurityissuesposedby

futureAIsystemsinawaythatdoesnotpresupposeanyspecificrisks.However,thisapproachraisesdifficult

questionsabouthowdangeroustechnologiesshould

begoverned.Thisreportlaysoutthepolicyobjec-

tivesthatcouldbeachievedwithon-chipgovernance

mechanisms.Itthenexaminesthetechnicalandsocialchallengestotheirimplementation.Finally,thereportprovidesasetofrecommendationsforU.S.policymakerstomovetowardaworldwhereallleadingAIchipsaresecureandgovernable.

TheNationalSecurityRisks

PosedbyArtifi