Regulation of Frontier Models, Confidential Computing & AI Alignment

Summary

Congressman Bill Foster presents a three-pronged approach to AI governance: secure digital IDs to prevent identity fraud, location-proving circuitry to prevent chip smuggling, and collaborative GPU licensing.

Session Transcript

Thank you. First, I'd like to state my disappointment. I've been working on this white paper trying to explain a bunch of things, and I thought I could just throw this into Claude or something like that and turn it into a nice PowerPoint. I was bitterly disappointed, so there's some additional work to be done there. I'm just going to be reading off of my notes.
What I've been working on—realistically, there are probably three things that Congress can do right now that will move the needle in important ways.
The first one is a secure digital ID for all Americans who want one. The problem with impersonation is huge for cybersecurity and fraud across the board. The EU is doing pretty well on this. I think by the end of next year, every EU citizen will have the ability to prove they are who they say they are online. The United States should not fall behind on that. The politics are improving on this, in large part because of the hundreds of billions of dollars of identity fraud that happened during COVID. That’s one thing I've been working on for five years, and I think there's a 50% chance that we'll get it done this session of Congress. A lot of the abuses of AI will be improved if we can get that to happen in the United States.
The second one is this business of smuggling chips to China. I believe that compute is going to remain very important. If everyone had AGI software today, then the question is how many copies of that can you deploy? And that's limited by compute. When the singularity hits, that's what's really going to matter. We're very fortunate that all of the choke points in producing these high-end AI chips happen to be in the free world, which is probably not an accident.
I believe it is a shared responsibility for the six or eight countries who own the choke points. You can just run down the list—it's the Dutch, it's the French, it's the Germans. As a physicist, I'm just blown away at what these giant lithography machines do, the ASML machines that are really the enabling technology, as well as a lot of the device physics that comes out of Korea, the photoresists and everything from Japan. All of these countries, the free democracies of the world, have a shared responsibility to make sure that this technology doesn't get into the wrong hands, by which I mean basically China, Russia, Iran.
That is why I've been so involved in trying to move the needle on hardware-enforced mechanisms. First, to determine whether or not a chip has been smuggled. And secondly, if it is determined to have been smuggled, to make sure that there's some sort of licensing mechanism in place where the chip will cease operating.
The political aspects of this: we have just introduced legislation in a bipartisan bicameral manner—meaning the House and the Senate, Democrats and Republicans have introduced an identical piece of legislation to mandate that high-end AI chips, GPUs, contain the necessary circuitry to prove they are where they say they are. I'll be talking about that in more detail. Secondly, it has a study but not a mandate for additional mechanisms by which I mean hardware-enforced time-limited licensing. This would mean that the owners and operators of these GPUs would, from time to time, have to go back and connect with some entity controlled by the trusted democracies of the world to say if they still have permission to run their chips.
This will certainly be necessary when we start deploying these into countries with intermediate levels of trust. You can make the argument if it's Google in the United States, you can kind of trust that they'll keep things under control. But then you get companies you might trust who are setting up in Malaysia—maybe we should look a little more carefully at exactly what they're doing.
The first step is: are these deployed where they claim to be? There are now famous instances where a data center in Singapore was set up, inspected by NVIDIA, and they said, "Yep, everything's good." Then the next week, the week after that, they came back and the data center was empty. Unless you have a way to first detect that that's happening and secondly take action that causes them to stop working.
So how does this work? There may have been some discussion of this earlier, but the basic mechanism for a GPU to prove that it's in a location is that you need what I call a trusted sentinel module—a trusted electronic sentinel module. This is a hunk of electronics that you trust and you know where it is, and it can communicate very rapidly with GPUs in its vicinity. In particular, it can query a GPU and send a cryptographic ping to it, and the GPU will very quickly sign it with its secret number that proves it is who it says it is and return that rapidly. If you can do that in under 10 microseconds, then you have an assurance based on the speed of light that that GPU is no more than one mile from the trusted sentry module. And so that’s the basic mechanism.
What you're asking of the GPU is simply the ability to have that secret number embedded in it, which they all do. The hardware root of trust is the buzzword that goes with it. Then it has to be able to rapidly sign a cryptographic challenge and return it. All of these high-end GPUs or the data centers have incredibly fast data networks inside of them. So once you're connected to the data network, you can very rapidly—in sub-microsecond times—get the information out of the GPU that you need to prove that you've done it.
For all of these things, you're immediately trying to anticipate the objections. The first one: "Oh, this is going to be a pain and it's going to be expensive." In terms of just saying what is the cheapest, simplest, plausible way of doing it, I believe you could do a good job on this with an iPhone—a managed iPhone that can't be jailbroken, connected to a fiber optic, connected to the network spine in the data center.
This would allow—and it would probably surprise no one in this room—that if you're operating an iPhone, many people have satellites up there that know pretty exactly where that iPhone is. You see this SOS that appears when you're on an airplane. The advertised accuracy of that is 100 meters, but it would not surprise you to find out that particularly if you have cooperating software in your cell phone, you can know quite exactly where that cell phone is located.
Once you know that cell phone is there, you verify that it has not been jailbroken, which can be done. There's been a tremendous amount of work over the last couple of decades making it pretty much impossible to jailbreak modern iPhones. So you have a pretty secure compute platform there. You know where it is because of the communications with the satellite. All it has to do is be able to do the roll call. If it's located on a data center with 100,000 GPUs, it has to be able to ping the GPUs one at a time and do a roll call effectively. Then the GPUs will one at a time return the cryptographic challenge. The iPhone will know that, yes, that is the GPU that is supposed to be here, and yes, it returned it in less than 10 microseconds, so it's within a mile of where I am. That tells you the chip hasn't been smuggled.
One of the things in the legislation that we have is a mandate for the manufacturers and distributors of these to maintain a list of where all of their GPUs are actually located, a database, and a mandate to report if all of a sudden the location measurement indicates that it's not where it should be.
That doesn't actually stop you from stealing the chips. You could still have the scenario where the whole data center disappears. That's the second element of this: hardware-enforced time-limited licensing. What this means is that every so often the chips, as part of the boot sequence for example, will look and say, "Do I have a currently valid license to operate?" That means they have to get their hands on a source of timing that they trust, which can either be out on the internet with a trusted source of time or a trusted timer inside the GPU module. It turns out that at least the NVIDIA GPU modules have what they call a TPM, a Trusted Platform Module, that contains such a trusted timer.
This allows you to have what's called offline licensing, where you could get the license refreshed once every six months, and then every time the thing boots, it could look at its trusted timer, see that it has a license that's valid for the next six months, and then proceed to boot—and refuse if the license is not valid.
One of the delicate issues that I haven't absolutely resolved in my mind is this requires a mandatory secure boot on these things. This is like having iPhones that can't be jailbroken. If you read the NVIDIA documents, the public ones, they sort of go both ways on whether or not there's reference to a debug mode inside GPUs that appears to bypass the secure boot. That can't be allowed for chips that will be exported. It's a design choice they make. In fact, it's probably a firmware choice that they make to have a secure bootstrap sequence that cannot be bypassed. You need things called rollback protection to make sure that there are no ways to cheat on this. But it is something that NVIDIA has worked very hard on for what they call their confidential compute, which is something I'm going to return to at the end of the talk. It's something that we have to be really careful of.
That second part, as I say, is to be studied but not mandated. And that's something I think that is ultimately going to be important.
The two things—the ability to prove you are where you say you are, and having mandatory time-limited licenses—they're both independent and both really important. The features of having mandatory time-limited licensing on these is that most people believe there is going to be some responsibility to report what you're doing with these large arrays of chips. This provides a touchpoint for enforcement of that. Because if you say, "Okay, every six months you have to come back and make a report on what you're doing," if all of a sudden Elon Musk just decides he doesn't have to report anymore because he's Elon Musk, then you have a touchpoint. "Okay, let's talk about it next time your license is renewed." I think this is going to be very important.
It also elevates the discussion of who gets to issue licenses. The concept that if you listen to the White House, their concept is the great orange one is the ultimate decider on who gets to have these and who doesn't. That is not okay with the rest of the free world. There may have been a time—there was a famous instance back in 2001 when the United States presented evidence of weapons of mass destruction. I don't know if you're old enough to remember that. I think it was the French ambassador who said, "Oh, don't worry, the president of the United States said it, we don't need any more evidence than that." Well, those times have passed.
When I talk to the scientists that I know who have worked in Europe, worked in Asia, worked in the United States, the level of mistrust of the United States government is something I would have never believed, but that is, I think, representative of the public attitude toward this. We have control of the key technologies among these six or eight countries that really have the choke points for AI. But what we need to do is to have the rest of those six countries stand up and say, "We need to have a shared responsibility for governance."
The ability to issue licenses actually forces that discussion. Because it is not okay with the rest of the free world if Donald Trump unilaterally gets to decide who gets their licenses to keep operating their GPUs. But fortunately, the key thing is who owns the cryptographic key that allows you to issue licenses. And there are ways to split that key and reassemble it. For example, you can say, "Okay, of these six countries, every one of them gets a key and any four of them can issue a license." So if you don't trust—it gets you around having a single point of failure, what's called Byzantine fault tolerance in computing. But it allows you to not be subject to a single point of failure of governance. If you're worried about some government that you may not trust forever, or a government, say Taiwan, that may not exist if military actions take place against it, you don't want to have that be a single point of failure, but you can get around this by this sort of mechanism.
This is my long game in pushing this. One of the big reasons that I've got involved in this particular angle here is because if we do this right, I think that we actually will start having AI safety conferences that mean something. Because the focus of those is: what are the conditions to be issued a license to operate your GPUs? That's my endgame on this.
The interesting thing about our legislation—my partner in the House is the China Select Committee, which is a group of people who have mostly been trying to make their careers by being tough on China. Fine. I actually agree with a lot of what they're doing. But then my partner in the Senate is Tom Cotton. I don't know how much you know, but he and I agree on approximately nothing. I actually had the pleasure of spending a weekend with Tom Cotton on a nuclear submarine underneath the North Polar ice cap, which is one of the coolest things. It turns out that every couple of years, the US and the Brits go underneath the North Polar ice cap and shoot fake torpedoes at each other. It's just really cool. If you're a member of Congress, one of the reasons you should run for Congress is that you may be able to do that. But then you have to listen to Tom Cotton for a whole weekend. But it's life in the US Congress, I guess.
There are lots of technical issues having to do with this time-limited licensing, but I think it's workable and it's really important. I spent more time than I really should have looking through NVIDIA and other manuals to see if this is actually going to work. I'm happy to answer questions from the hardware geeks here if there are some.
That's what I'm working toward, and at least the first part of that—getting a consensus that we at least have to know once smuggling has happened—has actually been like pushing on an open door. Everyone is creeped out and doesn't like the idea that AGI is going to be under the control of a country in which 20,000 people a year disappear into an undocumented court system, never to be seen again. This is not an okay situation for us to be in, and we have to take it very seriously. This is sort of the first important point there.
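The challenge-response roll call described in the talk, as an added simulation that is not part of the transcript or of any vendor's code: the sentinel sends a fresh nonce, the GPU signs it with its root-of-trust secret, and the sentinel turns the round-trip time into a speed-of-light distance bound. The HMAC keys, the 0.5 µs signing overhead, the serials and the GPU placements are constructed assumptions.

```python
from __future__ import annotations
import hashlib, hmac, os
from dataclasses import dataclass

C_M_PER_S = 299_792_458      # speed of light in vacuum
RTT_LIMIT_US = 10.0          # round-trip budget the talk cites
SIGN_OVERHEAD_US = 0.5       # constructed: time the GPU spends signing the challenge

def max_distance_m(rtt_us: float) -> float:
    """Farthest a responder can be if its reply came back within rtt_us (signal goes out and back)."""
    return C_M_PER_S * rtt_us * 1e-6 / 2

@dataclass
class Gpu:
    serial: str
    root_key: bytes        # constructed stand-in for the secret held in the hardware root of trust
    distance_m: float      # constructed: true distance from the sentinel
    def answer(self, nonce: bytes) -> tuple[bytes, float]:
        """Sign the challenge; return the tag plus the simulated round-trip time in microseconds."""
        tag = hmac.new(self.root_key, self.serial.encode() + nonce, hashlib.sha256).digest()
        return tag, 2 * self.distance_m / C_M_PER_S * 1e6 + SIGN_OVERHEAD_US

class Sentinel:
    """Trusted module holding serial -> key. HMAC is a simplification: a real design registers
    per-device public keys so the sentinel never learns the GPU's secret."""
    def __init__(self, registry: dict[str, bytes]) -> None:
        self.registry = registry
    def roll_call(self, gpus: list[Gpu]) -> dict[str, str]:
        results: dict[str, str] = {}
        for gpu in gpus:
            nonce = os.urandom(16)                # fresh per query, so an old answer cannot be replayed
            tag, rtt_us = gpu.answer(nonce)
            key = self.registry.get(gpu.serial)
            expected = hmac.new(key, gpu.serial.encode() + nonce, hashlib.sha256).digest() if key else b""
            if not key or not hmac.compare_digest(tag, expected):
                results[gpu.serial] = "BAD_SIGNATURE"    # unknown serial or wrong secret (clone)
            elif rtt_us > RTT_LIMIT_US:
                results[gpu.serial] = "TOO_FAR"          # light-speed bound violated: report it
            else:
                results[gpu.serial] = "PRESENT"
        return results

def run_demo() -> dict[str, str]:
    # Constructed fleet: one in the hall, one moved 3 km away, one cloned serial, one unknown serial.
    k1, k2, k3 = os.urandom(32), os.urandom(32), os.urandom(32)
    sentinel = Sentinel({"GPU-0001": k1, "GPU-0002": k2, "GPU-0003": k3})
    fleet = [Gpu("GPU-0001", k1, 200.0), Gpu("GPU-0002", k2, 3000.0),
             Gpu("GPU-0003", b"not-the-real-key", 200.0), Gpu("GPU-9999", os.urandom(32), 200.0)]
    return sentinel.roll_call(fleet)
```

A 10 µs round trip bounds the responder to about 1.5 km, which is the "no more than one mile" figure in the talk; the signature is checked before the timing so an unauthenticated reply is never trusted for location.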
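For the licensing half of the talk (offline time-limited licences checked against a trusted timer, and an issuing key split so that any four of six countries can issue), an added example that is not from the transcript: Shamir secret sharing over a prime field reconstructs the issuing key only with a quorum, and the GPU-side boot check rejects an expired or mismatched licence. The MAC-based licence, the field prime, the serials and the timestamps are constructed assumptions.

```python
from __future__ import annotations
import hashlib, hmac, secrets

P = 2**127 - 1   # constructed prime field (a Mersenne prime) for the sharing polynomial

def split_key(key_int: int, n: int, k: int) -> list[tuple[int, int]]:
    """Shamir split: random degree-(k-1) polynomial with f(0) = key; party x holds f(x)."""
    coeffs = [key_int] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]

def recover_key(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0; yields the key only when at least k distinct shares are given."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def issue_license(key_int: int, serial: str, not_after: int) -> bytes:
    """Licence = MAC over (serial, expiry). Constructed simplification: a deployed scheme would use a
    public-key signature so the GPU holds only the verifying key, never the issuing key."""
    msg = f"{serial}|{not_after}".encode()
    return hmac.new(key_int.to_bytes(16, "big"), msg, hashlib.sha256).digest()

def boot_allowed(key_int: int, serial: str, not_after: int, tag: bytes, trusted_now: int) -> bool:
    """GPU-side boot check: licence authentic for this serial and the trusted timer not past expiry."""
    authentic = hmac.compare_digest(tag, issue_license(key_int, serial, not_after))
    return authentic and trusted_now <= not_after

def run_demo() -> dict[str, bool]:
    key = secrets.randbelow(P)
    shares = split_key(key, n=6, k=4)           # six countries hold shares; any four can issue
    quorum_key = recover_key(shares[1:5])       # parties 2..5 cooperate
    minority_key = recover_key(shares[:3])      # three parties only: reconstruction fails
    issued_at, day = 1_750_000_000, 24 * 3600   # constructed epoch timestamps
    expiry = issued_at + 182 * day              # roughly six months of offline validity
    lic = issue_license(quorum_key, "GPU-0001", expiry)
    return {
        "quorum_recovers_key": quorum_key == key,
        "minority_recovers_key": minority_key == key,
        "boots_within_window": boot_allowed(key, "GPU-0001", expiry, lic, issued_at + 30 * day),
        "boots_after_expiry": boot_allowed(key, "GPU-0001", expiry, lic, issued_at + 200 * day),
        "boots_other_serial": boot_allowed(key, "GPU-0002", expiry, lic, issued_at + 30 * day),
    }
```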