CNBC AI News – August 10th – Just weeks after the U.S. greenlit NVIDIA’s export of its H20 AI chip to China, Beijing has reportedly summoned the tech giant to discuss potential security risks, specifically surrounding purported “backdoors” embedded in the silicon. The Cyberspace Administration of China (CAC) raised concerns about vulnerabilities in the H20 chip’s computing power.
NVIDIA, in a statement, defended its technology, asserting, “Cybersecurity is of utmost importance to us. NVIDIA’s chips do not contain ‘backdoors’ and do not allow anyone to remotely access or control these chips.”
However, state-backed media, including the People’s Daily, countered, suggesting that NVIDIA’s assurances aren’t enough. The publication argued that to regain the trust of Chinese users and alleviate concerns about “tracking and location” and “remote shutdown” capabilities, NVIDIA must provide irrefutable proof of the chip’s security, complying with the CAC’s demands.
Now, China’s state broadcaster, CCTV, through its social media arm “Yuyuan Tantian,” has published an exposé detailing the alleged methods employed by the U.S. to implement these “backdoors” in chips.
Let’s start with the basics.
Back in May, U.S. Representative Bill Foster, a physicist with chip design experience, introduced a bill advocating for the Department of Commerce to mandate the inclusion of “backdoors” in exported, controlled chips. Foster firmly believes the technology is mature and readily implementable.
Essentially, Foster’s proposition seeks to achieve two key objectives: "tracking and location" and "remote shutdown" capabilities.
Sources cited by Yuyuan Tantian confirm Foster’s assessment: both functionalities are technically achievable.
These “backdoors” fall into two primary categories: hardware and software.
Hardware “backdoors” are physical devices embedded during the chip’s design or manufacturing phase, essentially logic circuits designed for covert access.
Software “backdoors” involve embedding instructions within the software to disrupt the user’s system, steal confidential information, and more.
Consider the NVIDIA H20 chip as an example.
From a hardware standpoint, “remote shutdown” features are reportedly feasible. The H20 chip comprises multiple components, including the GPU core and a power management module. By integrating a “remote shutdown” circuit into the power management module and configuring appropriate trigger mechanisms, this functionality can be activated even without external conditions.
For example, the chip can be designed to trigger a shutdown when usage time reaches a predetermined threshold or when temperature and voltage parameters align with set levels. The power management module would then sever power to the chip core or force the voltage outside stable operating margins. In its simplest form, chips sold to China could be programmed to automatically shut down after 500 hours of use, essentially rendering them useless.
Another hardware-based "remote shutdown" method involves modifying the H20 chip’s firmware bootloader. Upon startup, the bootloader would check for specific criteria, such as geolocation or authorization status. If these criteria are unmet, the chip could refuse to boot, disable advanced features, or limit performance. Since the H20 is aimed squarely at the Chinese market, a backdoor embedded in the chip would have a high degree of specificity, minimizing unintended consequences.
Qi An Xin Threat Intelligence Center security experts informed Yuyuan Tantian that, from a technical perspective, hardware backdoors that implement dedicated denial-of-service features are relatively simple to implement during production. However, this approach is costly. The most flexible approach is to implement backdoors using software or a combination of hardware and software.
A critical component for software-activated “backdoors” is CUDA (Compute Unified Device Architecture), NVIDIA’s parallel computing platform and programming model. It’s not a product but an ecosystem.
Over 4 million developers globally use CUDA, and it is used by 90% of AI research institutions. This has generated a positive feedback loop over the last two decades:
The more developers use CUDA, the more CUDA-based applications appear, drawing in more developers and users.
As a result, when new CUDA features are released, the operating system of the machine hosting the chip may be instructed to install a “backdoor” when the driver is updated. In this case, the backdoor can perform numerous functions.
If an internet connection exists, “tracking” capabilities can be enabled by deciphering and executing data dynamically. More common “backdoor” capabilities include file theft, keystroke logging, and screen capture. Software and hardware backdoors can work together to easily leak information.
Security experts at Qi An Xin Threat Intelligence Center explained that the United States is creating AI supremacy through hardware and software ecosystems. Other nations must aim for hardware replacements and develop their own independent software ecosystems.
To achieve these goals, the U.S. government has designed a “governance mechanism on chips,” which involves establishing an agency to oversee chip design, production, and manufacturing at all stages, including coordinating with businesses and allies to control AI chips.
The “governance mechanism on chips” has several possible uses:
First, license lockout: If a violation is discovered, the manufacturer will immediately stop issuing new licenses, and the chip will no longer function because it cannot be updated.
Second, tracking: The rate at which the target chip interacts with many landmark servers suggests its rough location. The chip itself can conduct proactive queries by only running in specific geographic areas.
Third, usage monitoring: Internal hardware can record essential details like chip status, training tasks, and computing load after requiring users to verify that chip use complies with U.S. regulatory requirements.
Fourth, usage limitation: The on-chip governance mechanism restricts the use of chips in large computer clusters and supercomputers, shields sensitive data access, and only permits chips to run code or models that have been approved.
According to a study describing the "governance mechanism on chips" in detail, NVIDIA’s AI chips already have most of the features required for on-chip governance widely implemented, although some have yet to be enabled.
According to a New American Security Center study titled "Secure, Controllable Chips—Managing the National Security Risks of Artificial Intelligence and Advanced Computing," many of the features needed for on-chip governance have been widely applied to various chips, including cutting-edge AI chips.
The report also noted that if chips do not already have these features, the US and its allies would still be able to exert control because they have the most sophisticated production chains for AI chips. All that is needed is for the US to “coordinate” these allies to guarantee that hardware is embedded into these chips.
To encourage chip firms to comply, the research also suggested a few “incentives,” such as “pre-market commitments,” under which the U.S. government would remove businesses from export control if they complied with the U.S. government’s requirements for installing “backdoors.” Specifically, it described relaxing exports to “low-risk Chinese customers.”
Given this information, it is unsettling to examine the US government’s approval of NVIDIA’s H20 export to China.
The H20 is not a secure chip for China from any angle.
Finally, Yuyuan Tantian asserted that the H20 is not advanced, either.
According to data from related organizations, the H20 has only roughly 20% of the overall computing power of the H100, its standard-edition counterpart. Its GPU core count is 41% lower and its performance is 28% lower than the H100, rendering the H20 incapable of meeting trillion-level large-model training demands.
In addition to not being advanced, the H20 is not environmentally friendly.
The National Development and Reform Commission and pertinent departments jointly released a document in July of last year called the “Special Action Plan for Green and Low-Carbon Development of Data Centers.” The “Action Plan” states that by the end of 2030, the nation’s data centers’ average power consumption efficiency, per-unit computing power energy efficiency, and carbon efficiency will have reached globally advanced levels.
Generally speaking, the energy efficiency ratio for server GPUs using processes below 14 nm must be 0.5 TFLOPS/W for the energy-saving level and 1.0 TFLOPS/W for the advanced level.
According to calculations performed by the relevant organizations, the H20 has an energy efficiency ratio of around 0.37 TFLOPS/W, which is below the 0.5 TFLOPS/W energy-saving level.
We all know that computing power is, to some extent, electric power, and the development of AI will create a lot of new energy demand. These new demands must fall within China’s green transition as well.
From this perspective, the H20 is not a wise decision.
When a chip is neither safe nor ecologically friendly, we, as consumers, can absolutely decide not to buy it.

Original article, Author: Tobias. If you wish to reprint this article, please indicate the source: https://aicnbc.com/6829.html