2 Comments

Also - unrelated to anything in this article: Any plans to do a piece on the I-SOON leaks? I thought that was a great behind the scenes look at how Chinese cyberintelligence ops are farmed out to private companies.


Writing in from a software perspective - I didn't agree with a lot of the points raised about hardware-based controls for restricting AI. IME hardware-based controls around things like licensing end up being translated as FPGA code, which is, well, code. Then you need controls around only allowing properly signed FPGA images, and preventing bypasses of that; it's turtles all the way down. You can make it harder to do training with large networks of chips, but people can just come up with new tricks to get around building large clusters, such as having different subdivisions that get combined at the end.

Zooming out a little, and tied to the discussion around safely storing cryptographic signing keys, the final product of AI training is a set of weights. These weights are huge (in terms of file size) and, being the product, are constantly being accessed. With crypto signing keys the best-in-class solution is to use special hardware (HSMs) to store the keys and perform limited operations on them that do not expose the key. These are hard enough for companies to use correctly, assuming the HSM is even fulfilling its responsibilities of not leaking the key, and applying the equivalent hardware to AI weights just doesn't exist right now. Companies like OpenAI are heavily relying on their weights remaining private as their moat for consumers using them. In many ways I am reminded of the classic IRA quote to Margaret Thatcher: "We only need to be lucky once. You need to be lucky every time" as applied to the problem of securing these high value assets. One leak is all it takes for those weights to be out there, forever.

The idea of private weights as a moat isn't scalable though. It's much more expensive to train models than to run them. Today places like HuggingFace contain large repos of open model weights, some of which can come quite close in performance to cutting edge private weights. These are further optimized to run on simpler platforms, such as someone's personal computer.

As the gap between public and private models narrows, a better question in my mind is to ask what can be done to prepare for a world in which the average person has access to open weight models. The nuclear era (Restricted Data by Alex Wellerstein is a great read on this) focused on preventing the dissemination of knowledge (results could be "born secret" and not published) and making research onerous. Even then people managed to find better, cheaper, and easier ways to create nuclear devices.

This played out in the '90s already with cryptography as well. When the primary item being blocked is knowledge - people can find ways to transmit it. No amount of laws were able to prevent the spreading of cryptographic knowledge outside of the US and eventually laws restricting it had to be repealed because they were not effective and were holding back US innovation. I predict something very similar is going to play out with AI as well.
