The Cloud Can Solve America’s AI Problems

And current export controls are too leaky to be a reliable method for slowing the proliferation of future high-risk AI systems. Actors prohibited from buying AI chips could still train these systems by smuggling chips or legally accessing cloud computing resources. Or they could simply acquire high-risk AI systems directly through theft or open-source models, adapting them for misuse.

The specialized hardware needed to efficiently produce the massive amounts of computation, or “compute,” that is required to build the most powerful AI systems remains a crucial asset to regulate, both to control risks and ensure widespread benefits. But the United States needs to embrace a new approach to such regulation: governing AI compute through the cloud.

Specialized AI chips should be accessed through secure, trusted, and widely shared cloud infrastructure maintained by law-abiding firms. This will enable better detection of misuse and enforcement against weaponization, improved cybersecurity to protect against high-risk AI models from being stolen, and a flexible platform for promoting positive uses of AI. Keeping this secure cloud infrastructure available to commercial Chinese users will help preserve the competitiveness of U.S. chip firms, while reducing the domestic user base available to their Chinese competitors, a crucial ingredient for Chinese firms looking to develop competitive homegrown chips.

The U.S. Commerce Department should track any advanced AI chips outside this well-regulated cloud infrastructure to ensure the chips only go to trusted actors. Ideally, these chips would also have hardware-level controls that allow verification of how the chips are used and an on-board “hardware license” to enforce those terms of use. Such mechanisms would reduce the need for the kinds of sweeping export controls that hurt U.S. industry, and they would allow for more targeted end-use- and end-user-focused controls. They could also be used to verify international agreements to govern AI development in the future.

AI systems are improving by leaps and bounds. Putting in place the right mechanisms for governance now will give the flexibility to regulate the powerful AI systems of the future, if needed. The United States and its allies should start laying the foundation for an effective hardware-based governance framework.

U.S. President Joe Biden takes part in an event discussing the opportunities and risks of artificial intelligence in San Francisco on June 20. Andrew Caballero-Reynolds/AFP via Getty Images

Compute-intensive general-purpose AI models at the frontier of R&D are inherently dual-use. Today’s frontier AI models show signs that their successors could be misused to enable cyber, chemical, or biological attacks. They also show nascent ability to autonomously replicate and cause harm.

Next-generation models will be trained on even larger numbers of more advanced chips. The capabilities of these models have steadily increased over time—following empirically derived scaling laws that show models steadily improve as they are made larger and trained using more computation. The amount of computation used to train state-of-the-art models has increased 10-billionfold since 2010 and is doubling every 10 months. Governing who can access the chips where this computation occurs and how these chips are used is vital for overseeing advanced AI systems. Specialized computer hardware is easier to control than intangible inputs into AI, such as data and algorithms, and thus can be a policy lever for equitably distributing the benefits of AI while safeguarding against misuse.

Working with the White House, leading AI labs in the United States have agreed to a set of voluntary commitments to improve the chances that next-generation AI models are safe, secure, and trustworthy. But globally, not all AI developers are bound by these commitments or by future domestic U.S. regulation on how AI systems can be developed and deployed. Significant incentives will exist for unlawful actors to misuse powerful AI systems. In governing these systems, policymakers must balance two competing interests: distributing the benefits of their use as widely as possible while simultaneously restricting malign actors’ ability to cause harm, given the models’ dual-use capabilities.

Current export controls are too blunt to effectively accomplish this balancing act. Today’s controls ban all advanced AI chips from going to China, even for benign uses. One key downside to this approach is that it risks boosting Chinese chip-making firms. Chinese commercial users may turn to inferior domestic chips whose supply is more reliable, even if they would prefer to buy chips with U.S. technology. This large user base will accelerate the development of competitive AI chips by Chinese firms. The case of U.S. firm Nvidia is instructive here: Nvidia does not manufacture its own chips but has the best chips on the market due in large part to the self-reinforcing network effects of its software ecosystem and large user base.

These shifts in the semiconductor industry won’t happen overnight, but the United States needs a strategy for governing AI hardware that is sustainable over the long term.

Broad U.S. export controls on chips also incentivize global companies to circumvent U.S. controls by designing out U.S. technology. The Chinese chip market is massive. At present, the market for banned chips in China is likely in the billions of dollars annually. If the technology threshold for banned chips stays in place, as U.S. officials have said it will, then this value will grow over time as today’s leading-edge chips become tomorrow’s legacy chips. There will be significant financial incentives for foreign companies to design out U.S. technology in order to sell to the Chinese market.

These shifts in the semiconductor industry won’t happen overnight, but the United States needs a strategy for governing AI hardware that is sustainable over the long term. This hardware will be more, not less, important in the future. And U.S. export controls have historically been leaky. Some amount of AI chip smuggling into China is already happening today. If the gap between AI chips legally available in China and those overseas grows, incentives to smuggle AI chips at larger scales will increase. Such a development should not come as a surprise: China has a long history of diverting U.S. technology to restricted end uses and users, despite U.S. export restrictions.

Even if enforcement of AI chip smuggling becomes much more effective, there are still other pathways that malign actors in China could use to access the capabilities of advanced AI chips. Actors who are prohibited from buying AI chips can legally access those same chips through U.S. or other foreign cloud services, which are not currently monitored or restricted. And Chinese labs do not even need to train their own models if they can use trained models that have been open-sourced. Today’s most capable open-source foundation models such as Meta’s Llama 2 can be downloaded by anyone. These models can be fine-tuned using a small amount of additional computation to remove safety guardrails and elicit dangerous capabilities that were previously not present. For example, a malicious actor could fine-tune a conversational AI model to autonomously carry out offensive cyberoperations. While the capabilities of today’s open-source models likely don’t pose significant risks, these models will become much more capable over time, following the same compute-driven capability scaling seen in the wider industry.

The Biden administration is reportedly considering updated export controls to close some of these loopholes, including expanding the current chip restrictions to cloud computing. This would be a mistake. Applying the same broad-brush approach to cloud computing would accelerate China’s steps toward chip independence.

More fine-grained and effective controls are possible. Both the U.S. government and U.S. companies should want more fine-grained controls on specialized AI hardware that more precisely target malign actors while permitting acceptable uses. Implemented well, such controls would further open the market to U.S. chip firms and permit more flexible controls on the provision of cloud computing. This would help preserve the United States’ long-term leverage over global AI hardware supply chains—leverage that is growing in importance over time.

Read More

AI’s Gatekeepers Aren’t Prepared for What’s Coming

What was once a diffuse technology is now increasingly controlled by a handful of tech companies. Governments need to catch up.

Essay

|

Paul Scharre

Insider

|

Washington Can Lead on AI By Paul Scharre

Washington Can Lead on AI

Both the private and public sectors need to play a part.

Insider

|

Paul Scharre

Artificial Intelligence Will Entrench Global Inequality

The debate about regulating AI urgently needs input from the global south.

Argument

|

Robert Muggah, Ilona Szabó

A cloud-computing data center at an unknown location in the United States. Christopher Morris/Corbis via Getty Images

Instead of denying advanced AI chips to all Chinese AI developers, they could be permitted to use these chips through the cloud, provided that the chips are not used for military purposes, human rights abuses, or to train dual-use models with dangerous capabilities. Why take a permissive approach to Chinese commercial cloud access? If U.S. AI cloud compute is readily available in China for commercial uses, Chinese AI chip providers will find it more difficult to attract the user base necessary to develop market-leading chips. This is especially crucial at the present moment, when U.S. AI chips still outmatch their Chinese counterparts. Retaining this leverage and visibility over Chinese AI compute access will be strategically vital for the United States as AI grows in importance for national security.

Of course, verification will be required. Direct monitoring of cloud customers’ data and code is neither practical nor desirable from a privacy perspective. Instead, cloud monitoring of AI compute access should focus on first identifying potential high-risk customers based on analytics and key metrics, such as account age, predicted location, and whether the customer is accessing sufficient compute to train a dangerous dual-use model (“compute accounting”). Cloud compute usage and workload categorization are both monitorable using today’s technologies without breaching user privacy. These risk categorizations can then inform customer screening, inspired by best practices in relevant industries: from player verification systems in the gaming industry to end-user verification approaches in export control compliance and “know your customer” checks in finance, which are used to tackle terrorist financing and money laundering. These measures will be useful not just for preventing the training of unregulated dual-use models but also for preventing existing models from being misused for criminal purposes, such as running widespread scams or disinformation campaigns.

These measures could be the initial building blocks for global standards for secure, trustworthy, and widely available cloud infrastructure as the primary access point for all AI chips. In addition to addressing AI weaponization and misuse using compute accounting and due diligence of customers, these standards should include adequate cybersecurity measures to prevent dangerous models from being stolen from their developers.

The flexible nature of the cloud also means that the benefits of AI chip access can be more easily shared.

Requirements on cloud providers could also be aligned with any future regulations of large-scale training runs for frontier models, along the lines of the current voluntary commitments that frontier AI labs have adopted. These commitments apply to generative models that are overall more powerful than the current industry frontier. Tracking compliance with these commitments would benefit from coordination with cloud providers, who could use compute accounting to validate that frontier model developers are complying with any reporting requirements for new models. Such standards could be encouraged in other nations by conditioning the provisioning of AI hardware—whether through the cloud or direct sales—on the adoption of similar safety standards. For any companies that both provide cloud computing and develop frontier models, internal controls analogous to those used in the financial industry should be implemented to ensure the integrity of auditing and reporting.

The flexible nature of the cloud also means that the benefits of AI chip access can be more easily shared. Indeed, this is the objective of the National AI Research Resource, a plan to make U.S. government-sponsored cloud resources available to researchers outside of well-resourced organizations. Looking outside the United States, national AI clouds from multiple countries could be combined to provide AI compute to researchers in poorer countries and promote buy-in to global standards for secure AI chip access via the cloud. Governments could even combine their resources to establish a CERN for AI to solve important problems (such as unsolved issues in AI safety) in an international setting. This approach would help offset the current trend of growing costs locking academics out of frontier models and would foster international collaboration in a safe and secure environment.

One important problem to address will be the concentration of computational power within big tech firms, which could be exacerbated by introducing AI hardware governance standards that raise the barrier to entry for smaller competitors. The United States should offset this by encouraging innovation and new market entrants with grants and by ensuring that standards do not unfairly favor any particular firm. The United States should also incentivize start-ups to innovate in AI governance solutions, building the software and hardware products required to securely govern AI while preserving user privacy.

The cloud also offers a more elegant approach to balancing the benefits and risks of open source. At present, open-source models such as Meta’s Llama 2 help to level the playing field for academics and small-scale innovators who don’t have the resources that big tech companies have to train massive models. But once open-sourced, the models can also be used for harm. An uncensored version of one of the Llama 2 variants was posted online one day after Meta’s release. Rather than releasing frontier models online to anyone, models could instead be hosted in the cloud, with tools for researchers to use and fine-tune the models for safe uses, including commercial applications. This approach could permit widespread beneficial use, including refining and adapting models and enabling new innovations, while guarding against misuse.

A boy points to an AI robot poster during a convention in Beijing on Aug. 18, 2022. Lintao Zhang/Getty Images

The U.S. government will also need visibility on where chips are going. Any chips shipped outside of secure and well-regulated data centers will be much less governable. Where—and to whom—these chips go could have profound implications for the future of AI. The U.S. government should institute a chip-tracking program for any chips at risk of being smuggled and used by unlawful actors. Ideally, this would consist of a chip registry and random inspection program, a cost-effective way to ensure that large numbers of chips have not been diverted.

Advanced AI chips outside of the secure cloud infrastructure should also be designed with security features for remotely monitoring and, if necessary, disabling the chip. Monitoring features should allow users to verify with an external party how they are using a chip in a privacy-preserving manner. Disablement should be implemented through a chip-specific time-based license that allows the manufacturer of a chip (or a regulator) to prevent the use of the chip if it is found to be used in violation of an export agreement. The core functionality to enable these policies is already present on many leading chips and does not require secret monitoring of users or insecure back doors to operate effectively.

If the capabilities and national security risks of AI continue to grow at their recent pace, the need for highly effective controls could be acute in several years’ time.

The primary remaining challenge to solve is hardware security: Specialized AI chips will need to be properly tamper-resistant or tamper-proof to ensure the integrity of these mechanisms. The U.S. government should work with leading chip makers, offer incentives to develop secure chip architectures with these features, and extensively test these chips in a controlled environment before depending on them in export markets.

If the capabilities and national security risks of AI continue to grow at their recent pace, the need for highly effective controls could be acute in several years’ time. The U.S. government should establish policies to proactively shape how global AI computing infrastructure develops to ensure it remains governable. Fostering the development of a secure AI computing infrastructure would provide the flexibility to guard against misuse while preserving access for beneficial uses. A secure, international cloud would allow better oversight of AI systems, more equitable benefits, greater transparency, and better international collaboration on AI governance.

There is a great deal of uncertainty about the nature of future AI risks. Hardware governance provides a flexible platform for responding to challenges as they arise. Developing a hardware-focused, secure foundation for AI governance will take time. The time to act is now.