A few days ago, the Cyberspace Administration of China held a meeting with NVIDIA regarding the security risks associated with the H20 computing chip's backdoor vulnerability.$NVIDIA (NVDA.US)$company.
In its subsequent statement, NVIDIA mentioned that the chips do not have a 'backdoor,' and they specifically referenced the 'Clipper chip' incident.
In 1992, AT&T$AT&T (T.US)$launched a hardware device for business professionals in the United States. This device could encrypt voice transmissions over the telephone to ensure information security.
This sparked dissatisfaction from the U.S. government. Soon, they demanded that AT&T install a new microchip in the device—the 'Clipper chip.' This chip used an encryption algorithm developed by the National Security Agency (NSA) and was produced by a contractor designated by the U.S. government, containing an 'encryption backdoor.'
The 'encryption backdoor' allowed the U.S. government to 'decrypt' the communication information on the device.
After the 'Clipper chip' was introduced, it faced resistance from various parties, and the project was terminated within less than three years. The U.S. government learned from this experience and began to handle 'encryption backdoors' discreetly, without public discussion.
However, this year, the U.S. government has once again openly discussed 'encryption backdoors.' Since the Americans have brought this up, we need to delve into the technical aspects of how the U.S. installs 'backdoors' in chips.
In May this year, U.S. Representative Bill Foster led the introduction of a bill requiring the U.S. Department of Commerce to mandate that U.S. chip companies include 'backdoors' in chips subject to export controls.
Bill Foster, who holds a Ph.D. in physics and has experience in chip design, stated with confidence that the relevant technology is mature and entirely feasible.
In summary, Bill Foster aims to achieve two things: 'tracking and location' and 'remote shutdown.'
According to professionals, Bill Foster's assessment is accurate; these two functions are technically achievable.
"Backdoors" are primarily divided into two types: hardware backdoors and software backdoors.
Hardware backdoors are physical devices left in the design or manufacturing of a chip, mainly consisting of logic circuits with backdoor functions.
Software backdoors can be understood as instructions embedded in software that have backdoor functions, which can cause damage to the user's system or steal confidential information when the software is running.
Take the NVIDIA H20 chip as an example.
From the perspective of hardware backdoors alone, it is entirely possible to implement functions such as "remote shutdown."
The H20 chip has multiple components, including: GPU core, power management module, etc. By implanting a "remote shutdown" circuit in the power management module of the H20 chip and setting the corresponding trigger mechanism, this function can be achieved without relying on external conditions. When the chip meets the following Indicators:
Activation time reaches the pre-set Indicators;
Physical conditions such as temperature and voltage meet the pre-set Indicators.
The power management module of the H20 chip can perform corresponding operations, including: directly cutting off the core power supply of the chip; adjusting the voltage to an unstable region, causing the chip to malfunction. For example, the simplest and most direct operation is that chips sold to China can be set to automatically shut down after 500 hours of use.
In this way, the chip becomes unusable, and it is not an exaggeration to say that all investments would be wasted.
Another method to achieve 'remote shutdown' through a hardware 'backdoor' is to modify the firmware boot program of the H20 chip. When the chip starts up, the boot program checks specific conditions (such as geographic location information, authorization status, etc.). If these conditions are not met, the chip can be prevented from starting, or some advanced features can be disabled, or the performance of the chip can be restricted. Currently, the H20 chip is almost exclusively supplied to China. If a 'backdoor' is set in the chip, its function will be highly targeted, and once activated, there will be no 'collateral damage'.
A security expert from Qianxin Threat Intelligence Center told the author that, from a technical perspective, a hardware 'backdoor' with specific denial-of-service functionality is relatively easy to implement during the production phase. However, this method is relatively costly and expensive. Installing a 'backdoor' through software settings or a combination of software and hardware is the most flexible approach.
One important lever for activating a 'backdoor' through software is CUDA. CUDA (Compute Unified Device Architecture) is not a product but an ecosystem.
More than 4 million developers worldwide use CUDA, covering 90% of global artificial intelligence research institutions. Over the past nearly 20 years, it has formed a positive feedback loop:
The more developers who use CUDA, the more applications based on CUDA are created, which in turn attracts more developers and users to join the CUDA ecosystem.
This means that when you want to use the latest features of CUDA, you need to import updated software into your system. During this driver update process, the system where the chip is located may receive instructions to activate the 'backdoor', and this method of installing a 'backdoor' can achieve various functions.
If an Internet connection is present, the 'tracking and location' function can be achieved by dynamically receiving and decrypting data. Even more conventional 'backdoor' functions such as file collection, keylogging, and screen capturing can also be realized. In other words, with the cooperation of software and hardware 'backdoors,' information leakage becomes effortless.
A security expert from Qianxin Threat Intelligence Center told the author that the U.S. has two main levers for shaping AI hegemony: hardware and the software ecosystem. For other countries, it is not only necessary to strive for hardware substitution but also to build a controllable and autonomous software ecosystem.
To achieve the above arrangements, the U.S. once systematically designed a mechanism — the on-chip governance mechanism. This mechanism mentions that the U.S. government needs to establish relevant departments to coordinate various stages of chip design, production, and manufacturing, including coordinating with companies and allies to gain control over AI chips.
The on-chip governance mechanism can achieve the following functions:
First, license locking. If any violations are detected, the manufacturer will immediately stop issuing new licenses, rendering the chip inoperable due to the inability to update.
Second, tracking and location. The response speed of the target chip when interacting with multiple landmark servers can indicate its approximate location. The chip itself can perform active queries, restricting its operation to specific geographic regions.
Third, usage monitoring. Built-in hardware can record key information such as the chip's status, training tasks, and computational load, requiring users to verify the way the chip is used to ensure compliance with U.S. regulatory requirements.
Fourth, usage restrictions. On-chip governance mechanisms limit the use of chips in large cluster computers and supercomputers, protect access to sensitive data, and only allow the chip to run approved code or models.
In a detailed report on 'on-chip governance mechanisms,' it is mentioned that NVIDIA's AI chips already widely deploy most of the functions required for on-chip governance, although some have not yet been activated.
The Center for a New American Security (CNAS) report, 'Secure, Controllable Chips: Using On-Chip Governance Mechanisms to Manage National Security Risks in AI and Advanced Computing,' mentions that many of the functions required for on-chip governance are already widely deployed across various chips, including cutting-edge AI chips. Leading companies such as AMD, Apple, Intel, and NVIDIA sell chips that possess many of the functionalities required by these policies.
If these functionalities are not yet present on the chips, the report also specifically notes that the U.S. and its allies control the Industry Chain for the most advanced AI chips. Therefore, the U.S. only needs to 'coordinate' with these allies to ensure that the necessary hardware is built into the chips, thereby achieving control.
To gain the cooperation of chip companies, the report also suggests implementing some 'incentive' measures, such as 'advanced market commitments'—if companies comply and meet the U.S. government's requirements for setting 'backdoors,' the U.S. government can exempt them from export controls. The report specifically mentions relaxing export restrictions for 'low-risk Chinese customers.'
Combining this information, the U.S. government's decision to allow NVIDIA to export H20 to China raises significant concerns.
From any perspective, the H20 is not a secure chip for China.
In addition to being insecure, the H20 is not advanced.
According to data from relevant institutions, compared to the standard version H100, the overall computing power of H20 is only about 20%, with a 41% reduction in the number of GPU cores and a 28% decrease in performance. This also means that H20 cannot meet the training requirements for trillion-scale models.
In addition to not being advanced, H20 is also not environmentally friendly.
In July last year, the National Development and Reform Commission, in conjunction with relevant departments, issued a document called the 'Special Action Plan for Green and Low-Carbon Development of Data Centers.' The Action Plan states that by the end of 2030, the average energy efficiency, computational power efficiency, and carbon efficiency of data centers nationwide should reach internationally advanced levels.
Generally, for server GPUs using a process below 14nm, the energy efficiency ratio for energy-saving standards should be 0.5 TFLOPS/W, and for advanced standards, it should be 1.0 TFLOPS/W.
According to calculations by relevant institutions, the energy efficiency ratio of H20 is approximately 0.37 TFLOPS/W, which does not meet the energy-saving standard of 0.5 TFLOPS/W.
We all know that, to some extent, computing power is also electrical power. The development of artificial intelligence will create a significant increase in energy demand. These new demands must also align with China's green transition.
From this perspective, H20 is certainly not a good choice.
When a chip is neither environmentally friendly, nor advanced, nor secure, as consumers, we can, of course, choose not to buy it.
Editor/Jeffy
