Skip to Content

Is RISC-V a National Security Threat?

Andrew O’Shei
December 18, 2023

As geopolitical tensions rise in the world today, many governments are re-evaluating their relationship with the digital world. Many of the technologies we rely upon have come under scrutiny by governments concerned by the security implications posed by tools we use everyday. Should we as tech professionals and enthusiasts be concerned?

As reported by Reuters on October 7th 2023, two US senators, Marco Rubio (Rep.) and Mark Warner (Dem.), issued a warning to the Biden administration. The senators advised taking action against RISC-V technology due to national security concerns. At first glance this might appear to be a reasonable proposition. After all, there are many restricted technologies such as missile guidance systems and nuclear reactors. However, the senators’ request is uniquely concerning as RISC-V is an open source technology with an international community of contributors (if you need a refresher on RISC-V see my previous article: https://labs.sogeti.com/risc-v-and-the-future-of-hardware/). A restriction on RISC-V would likely have widespread impacts on the open source community worldwide.

A Brief History of US Cryptography Regulation

Before we start a panic-driven reassessment of all the at-risk technologies in our stack I have some good news, we’ve been here before. In 1954, at the start of the Cold War of the last century, the US State Department classified all cryptography software as weapons grade technology. This made cryptography software and all forms of encryption fully restricted for personal and commercial use. However, by the 1960s banks began to digitize their ledgers on early mainframe computers. It quickly became clear that some form of commercial cryptography would be necessary to protect the banking sector’s newly minted digital assets.

In 1976, the US National Bureau of Standards adopted the Data Encryption Standard (DES) a symmetric-key algorithm for encrypting digital data. Developed by IBM in consultation with the US National Security Agency (NSA), the DES encryption algorithm was classified as dual-use technology (military and commercial). This lifted restrictions on DES for approved commercial use.

A Changing of Perspectives

In the 1970s the restrictions on cryptography software were relatively uncontroversial. Afterall, before personal computing, the only users with a real need for encryption were governments, military, banks and large corporations. But fast forward to the 1990s and these restrictions on cryptography software became a big problem. For users of the early internet there was no encryption and essentially all traffic was sent in plain-text.

However, the proliferation of computer technologies in the 1980s and 1990s brought a surge in individuals with the required skill set to develop their own cryptography software. Most notably, were a group of San Francisco Bay Area technology enthusiasts known as the Cypherpunks. Founded in 1992 by Eric Hughes, Timothy C. May and John Gilmore the Cypherpunks coalesced around an online mailing list which discussed mathematics, computer science, politics, philosophy and cryptography. As discussions among the group developed and their numbers grew there was a particular concern over the issues of online privacy and data security. Likewise, the Cypherpunks came to the conclusion that in order to guarantee security online it would require strong cryptography.

A Challenge to the Status Quo

A kink in the US Government’s control over cryptography appeared with the 1994 publication of Applied Cryptography, by Bruce Schneier an American Computer Scientist. This book had implementation details for DES encryption, Block Cipher algorithms, Stream Ciphers, One-Way Hash functions and Public-Key Digital Signature algorithms. All of which were restricted technologies at the time.

The problem for export control regulators was that the United States also has strong protections for the freedom of speech and expression. This prompted Cypherpunk Phil Karn, with help from the Electronic Frontier Foundation, to sue the US Government over cryptography export controls. An initial ruling in 1996 found that while, it was legal to restrict cryptography software if written to a floppy disk, the US Government could not legally restrict cryptography software printed in a book. This minor victory pushed Karn to challenge the ruling. Following several years of deliberation in courts and before the US Congress the wall fell. President Bill Clinton, realizing the futility of regulating open source technologies in the age of the internet, finally dropped nearly all export controls on open source cryptography software by executive order on January 14, 2000.

Navigating the Regulatory Landscape

What can we learn from this history lesson? For one, the US Government will try to regulate technologies it views as problematic. This is the essential duty of all well functioning governments to protect their citizens. However, the United States is a fundamentally an open society. Broadly the US values the free exchange of ideas more than its own specific national security interests. This is why the idea of regulating RISC-V is quite simply untenable. I believe RISC-V to be a critical technology for data center security. Furthermore, the transparency provided by open source is necessary to ensure this security. RISC-V is developed by an international community, freely available and by now countless copies of the RISC-V documentation exist. Simply put, RISC-V is a genie that cannot be put back into the bottle.

Yet, tech professionals must remain vigilant. Just because one particular government is incapable of regulating a well-established open source project should not imply that others will not try. This can create roadblocks and regulatory costs for business. At times it may even require an active legal defense of the technologies that we rely upon to best serve our clients. RISC-V is just one of many technologies currently undergoing re-evaluation by governments worldwide. Consequently, I urge that when you choose a technology for your stack, opt for technologies you are willing to defend. This is not only good for business, but it also serves to protect the open source communities that help drive our industry forward.

Sources:

About the author

Applications Consultant L1 – IOT and Robotics | France
As Technical Lead for Robotics & AI, Andrew combines his extensive experience in embedded systems and mechatronics with artificial intelligence to develop innovative technical solutions.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Slide to submit