Tom Garrison: Hi, and welcome to the Cyber Security Inside podcast. I’m your host, Tom Garrison, along with my co-host Camille Morhardt. Camille, how are you doing?
Camille Morhardt: Hi, Tom. I’m doing well today.
Tom Garrison: Well, we have a very interesting topic in store for today. What we’re going to talk about the CHIPS Act and also about the implications of how technology nationalism is going to be playing out in the years to come.
Camille Morhardt: I really appreciate this conversation just to get a grounding and kind of a level set on what is in the CHIPS Act and sort of what does it mean and how has it kind of parsed out. But what I really loved was after that, just having this conversation about what are the implications going to be down the road and, you know, kind of geopolitically in this kind of race that the world is in right now, that humanity is in for Artificial Intelligence and new kinds of technologies.
Tom Garrison: Yeah, it is a very rich conversation. I think our listeners are really going to appreciate, not only just getting smarter on something, they have heard of like the chips act, but as you said, what are the implications? And how’s this going to play out over the years to come?
So it’s a great talk. What’d you say we’d jump right into it.
Camille Morhardt: Let’s jump in.
[00:00:00] Tom Garrison: Our guest today is Ollie Whitehouse. He is a Group CTO for NCC Group, responsible for group technical strategy, product management, and R&D functions. He has over 25 years of experience in information and cyber security, working in consultancy and applied research in engineering. So welcome to the podcast, Ollie.
Ollie Whitehouse: Thank you. Thank you for having me.
Tom Garrison: So Ollie, can you just walk through a little bit, I just touched on your background, but maybe a little bit more detail about what it is that you do and what you’ve done over your career.
[00:00:33] Ollie Whitehouse: Yeah, of course. Yeah. So I’ve been very fortunate in that I have had 25 years in cyber birth of an industry some way argue. So mine started in the 90s during the.com boom, where we identified that we could make more money breaking into networks legally than building them. And so had I had a terrible amount of fund during that period, and I actually went on and worked in applied research and the likes Blackberry and Symantec, really understanding and identifying flaws and technology, a software level. And then lastly joined NCC Group, which is a UK-headquartered, but multinational cyber security services, um, working for the largest technology and wider companies on the planet, helping them protect their estates and their technology.
[00:01:16] Tom Garrison: Well, the focus for today’s podcast is we’re talking about sort of government and government, uh, activities and actions. And one of the things certainly insiders within the industry know about, but maybe not so many people on the outside is the same call the CHIPS Act. And so let’s just start with what is the CHIPS Act?
[00:01:40] Ollie Whitehouse: So the CHIPS Act is a, is a proposal within the US to affectively create tax breaks to allow the US to, I guess, wean itself off of foreign supply and ensure that it has a robust domestic capability and ability to manufacture and fully supply demand around Central Processing Units, as we all know and love, but also wider semiconductors.
[00:02:03] Tom Garrison: And so the focus is building indigenous capabilities here, but the manufacturing elements of that, but not just a silicon aspects of it’s things like packaging, testing, basically all elements. Is that correct?
[00:02:17] Ollie Whitehouse: Exactly. I think what we would recognize is that clearable supply chains are now truly global. And so we rely on both in Europe and the US, increasingly a supply base for some of the latter parts of the production outside of, I think what we would define as a friendly territories these days. And so the aspiration is to bring all of that on shore. The US is obviously leading the charge here, but we can see that Europe is following up, um, behind with similar aspirations.
[00:02:46] Camille Morhardt: Ollie, does this extend all the way to raw materials or will those be kind of geo located wherever they are currently?
[00:02:55] Ollie Whitehouse: Yeah, that’s a great question. So I think, you know, what we would recognize is that there is a scarcity in certain elements of the raw materials. And I think, you know, there is wider geopolitical activity in that space. And when we look to where the suppliers are, that will be done through foreign policy more so. So I think, you know, the US and Europe cannot supply necessarily all the raw materials itself; it will need to have friendly partners where those assets are located in the ground. But supposing one has secured the supply of those, this is to ensure then that we can actually produce the volume, the quality with the, I guess, chains of trust that we require now, increasingly to secure that supply for our domestic markets.
[00:03:35] Tom Garrison: And is that the idea? I assume you’re going to say both, but let me see if I can try to tease this out a little bit, is the idea mostly that we want to make sure that if there is any interruption in supply because of maybe geopolitical issues, a war, a natural disaster, that we can source chips here locally on US soil; or is it more about the fact that because the world is so tied to technology, that it is in our best interest from a security standpoint, that we build these things in facilities that we trust that we know that they haven’t been tampered with.
[00:04:20] Ollie Whitehouse: Uh, it’s both of those. And it’s more actually. So there’s a couple of things. We have current generation computing, which I think we’re all familiar with both general purpose computing, but then also increasingly application specific optimized computing. And, um, you know, we can see future generations in terms of neuromorphic, that there is both the kind of the suppliers security, the integrity, the ability to service demand, all of those. But there is increasingly in argument around ensuring that as we come with next generation manufacturing techniques and next generation CPU designs that that intellectual property, shall we say, is not used to bootstrap foreign economies, where they haven’t done necessarily the respective R&D investments that we have done in the West historically.
And so it’s about maintaining economic competitive advantage as well as all of the, kind of the very valid points which you raised.
[00:05:15] Camille Morhardt: Are you basically saying IP protection?
[00:05:20] Ollie Whitehouse: Yeah. Sorry. Yeah. So, so that’s a very simple way of staying IP protection and making sure that we gain the economic advantage for the investment effort we put into R&D.
[00:05:30] Tom Garrison: Is the CHIPS Act formulated in such a way that there is upfront investment to pay for companies to build facilities upfront?
[00:05:41] Ollie Whitehouse: No. As I understand it is all tax; it’s benefits for firms to incentivize the investment for them. So it is going to create policy, existing companies, huge economic incentive.
[00:05:51] Tom Garrison: And is there back in incentive as well? Meaning like a built in demand that’s going to come from the CHIPS Act.
[00:06:00] Ollie Whitehouse: I think that the demand is already there. You know, I think we are seeing why the activities, which are precluding certain technologies manufactured from certain regions from being able to use indigenous core critical national infrastructure. And we will only expect that. And so that will ultimately continue to drive demand from trusted partners.
And then I spoke the basic sort of again, I think, where you recognize is the US establishing a robust supply chain means it can service the demand from allied countries, including the UK, Australia and continental Europe.
[00:06:37] Tom Garrison: Yeah. I, um, I’m curious maybe if you could just walk us through it because that was very helpful, by the way–just sort of exploring what the CHIPS Act actually is. Maybe we can learn a little bit more, too. We don’t have the CHIPS Act right now. So how do things work today? How things work with say critical infrastructure, critical components, the military.
[00:06:59] Ollie Whitehouse: I think that varies today if I’m being entirely transparent. So there’s obviously the ability to do a degree of domestic production in the US today. Um, but it can not meet all of the demand. And so the reality is, is that there are some components, some CPU, some chips, which are manufactured overseas and the likes of China and other states. And obviously Taiwan is a friendly state, but is another example. And then those are, those are imported.
And, you know, having worked for a hardware manufacturer in a former life that no longer makes smartphones, but you know, one of the challenges that we had specifically is when we wanted to introduce key materials to those devices, we had to get them shipped to one country, ingest them inject them with key material and then ship them some manufacturing plants back into the country of origin, which obviously adds, you know, substantial costs and round-trip delays and various other things. And so, so today, effectively we are relying in part on that foreign supply chain.
[00:07:59] Camille Morhardt: Do you think there’s risk that we kind of go backwards in this kind of philosophy of, we have quote unquote “perimeter security” or, you know, we’re building on shore and so we understand exactly what’s happening and we let down a guard, for example. And instead of realizing that vulnerabilities could be anywhere or attacks could be attempted anywhere? Or do you think this is accompanied with this greater sense of the need for like digital assurance no matter where you’re building?
[00:08:31] Ollie Whitehouse: It’s a great question, because I think, you know what, we’re seeing more broadly as balkanization of technology. You know, we are starting to see fractures. We are starting to see countries increasingly distrust each other, and a desire for sovereignty, in terms of technology production. I think the rationale for this act and this aspiration actually makes quite a lot of sense. So one is, it is such a critical component, you know, in that it sits at the root of trust to pretty much all software layers, just top of it. And so you want to ensure the integrity of that.
And then I think, you know, more importantly as we are experiencing, now, there are massive supply constraints and that is holding back everything from the manufacturing of electric vehicles through to God knows whatever else. And we don’t want that as we increasingly become dependent and demand is not going to shrink. So I think. Yes. An argument can be made that it’s kind of quite introspective and kind of recoiling from the globalization of the economies. But I think, you know, it makes terrible sense when you think of actually how important the chips are, to the core fabric of the security models we rely on today.
[00:09:38] Tom Garrison: So what are the mechanics of getting this thing passed? Like where is it currently? When do we expect that it does get passed?
[00:09:49] Ollie Whitehouse: So I was reading up on this today and where are we? So, uh, it is currently, we’ve got nine governors pressing for it to be passed. So at the moment, you know, we are in the final throws and the pressure of being applied there, being a thing in the US. Um, so when it passes, you know, I, I’m not familiar enough with how, how quick or slow the US legislative system will actually respond to that pressure. But, you know, it seems to be, uh, a body of weight of activity behind it, for sure.
[00:10:20] Tom Garrison: Okay, so momentum behind it. And then is there any legislative action that would be required from, let’s say the UK as an example. So once the CHIPS Act passes in the US, is there anything that needs to happen in other allied countries for them to align behind the CHIPS Act or is it kind of understood built-in?
[00:10:41] Ollie Whitehouse: Other countries will naturally gravitate towards these trusted supply base. And so it is true, there may be follow up legislation or regulation in those markets if they want kind of further control and supply, but it’s not necessary for it to actually happen.
[00:10:55] Tom Garrison: I’m curious if you fast forward, let’s say a year or two, three in the future. So the CHIPS Act passes and now we have this supply of local computer technology chips and so forth. How do you see that playing out within the industry and ecosystem?
And to me is what is interesting is it gets back to how do you market security? Because you can say, for example, if you bought from this particular manufacturer, this is a trusted chip; it’s built in a facility that you have much higher trust with whatever. And therefore if you’re building a car, you’re building a power grid or you’re building a pipeline or whatever, “Boy, you really want to use these things because these are chips that you can trust. Or you could save a few bucks maybe, and you can buy it from these other guys.” It feels to me like once you have these quote unquote “trusted supplies,” how could you ever justify buying from an untrusted source?
[00:12:00] Ollie Whitehouse: Well, I think you’re spot on. Your crystal ball is, is, is very accurate naturally when the supply is there and they’re all viable cost effective, you know, unconstrained supply options, people are going to naturally start to gravitate towards those supplies; Because we know the kind of the digital substation is in our near future. And so highly connected substations, electricity distribution, one would be, um, short-sighted I think, to build off of foreign supply l technology, I think at that point.
So you’re right. That that’s the way that we will go. And people will just naturally kind of drift away for critical national infrastructure aspects from those foreign suppliers.
[00:12:45] Camille Morhardt: So then like a follow on to that is do we end up with more and more divergent technology around the world? So like as different groups of in the industry are designing and optimizing around new use cases for Artificial Intelligence and Machine Learning, are we going to see kind of more discreet solutions for those things that become more and more specific and differentiated from one another?
[00:13:13] Ollie Whitehouse: Yes, I think we do. And I think, you know, there are a couple of things at play here because, you know, we, we have the open RISC-V architecture and there’s momentum getting behind that. I think, you know, and again, I’ve touched on it, but neuromorphic computing, we can see that one of the kind of poster child use cases with neuromorphic, is it can’t be it’s all machine learning or facial recognition, but it can be embedded with the ability to recognize new faces because it has a core understanding of what a face looks like. And so we’re going to see increasingly utility specific age compute style, these cases emerge. And I think that is going to lead to outside of general purpose computing a much more complex. And then, then you factor in kind of indigenous technologies from the likes of China and India. And then I think we’re going to see a natural divergence from technologies emanating from those geographies where isn’t all originally Western originated.
[00:14:07] Tom Garrison: Uh, if I’ve got this right, what I, I hear you painting is a picture of nationalistic supply. So you’ll, you’ll end up with, let’s say at the very basic level, kind of an East versus West supply of these kinds of chips and, um, both will try to build up their capabilities in those respective supply pools. And it will be a competition about who can build the best technology the best chips. Barring one group, just running away from the other. You’ll see, sort of an ecosystem building up on each side. If one side gets drastically ahead of the other, then I guess the losing geography, even though they don’t like it, they’re going to have to use the other guy’s chips. Is that kind of how you see it?
[00:14:58] Ollie Whitehouse: Very much. So that competition is going to be fought on a number of levels, you know? So I think that there will obviously be quality. It’ll be function, it’ll be cost. And then obviously the supporting software. And I think, you know, what we recognized is that some of the activities that have happened such as ?NTT list? kind of placement of certain firms has accelerated some of those endeavors in order for them to become similarly, domestically self-sufficient.
You know, we’re seeing this and what played out as well in the quantum rates. Right. You know, we’re already seeing some of this and everyone’s racing for the prize and whoever wins properly, people understand it’s for proper table stakes.
[00:15:38] Camille Morhardt: You’re making me think about really, what is our definition of “critical infrastructure.” We’ve been talking about, you know, power grids and the kind of obvious traditional critical infrastructure, but the more you’re kind of segmenting populations geographically, I’m wondering if you know, our own consumer devices become part of our critical infrastructure because they have so much insight into just populations.
[00:16:05] Ollie Whitehouse: I think, you know, you’re so spot on. Historically we define critical national infrastructure is almost the core, the kind of the lifeblood, the big iron of the country. But I think what we all recognize is supply chains are increasingly complex. We actually don’t know often where the pinch points are. I know that my country, at least, I think the UK would struggle significantly if internet banking collapsed for any period of time, as well as the digital benefit system, as well as the track and trace app for kind of COVID management.
And so you can see if we worked as a firm on the smart meter project, right, which was assessing the smart meters that were going to go into everyone’s home is actually that edge device. If they could be co-opted on masks, could absolutely wreak havoc without going anywhere near the center.
[00:16:55] Tom Garrison: Yeah, I think this is just to me, it’s fascinating because it starts with, you know, our conversation on the CHIPS Act, but then you start playing it forward and what’s likely to happen. And you know, my understanding of the computer chip ecosystem–and it’s pretty detailed. I mean, I’ve been in the industry for a long time–is that the majority of the R&D the majority of the sort of expertise and everything else derived from Silicon Valley and the West more broadly, right? And the manufacturing elements–principally because of cost–moved over to Asia.
And so you now have this really interesting dynamic because the R&D still is largely in the West, I would say more generically. And so pulling that manufacturing over to the West. Now, what does the East do? They don’t have a history of building the capability, of designing, of invention. If you’re in their shoes. It’s very interesting. Like, what do you do if the West now is saying the figuratively, you know, “I’m taking my ball and I’m going home,” what does the East do?
[00:18:15] Ollie Whitehouse: Well, And I think they they’ve already indicated what they will and are going to do, and it is going to build it around RISC-V you know? And so the first indigenous–broadly speaking–comparative CPUs to probably our mid-range, started to emanate domestically based on open, open design. It’s not as if they have to start entirely from scratch in this area. There is a body of work out there in, in open source with the right licensing, which allows them to build on it effectively for current modern ways of doing computing.
Obviously the features unwritten and certain other aspects. And so I think they’re less encumbered with that lack of domain knowledge because we’re all striving to kind of do the R&D. And so it’s a costly catch up, but it’s not insurmountable. I think it’s probably really my assessment at the moment.
[00:19:18] Tom Garrison: We have a segment on our podcast. So we’d like to do we call “Fun Facts” and it’s just that it’s suppose meant to have a little bit of fun. Share some sometimes useless facts, sometimes more interesting, but I wonder, do you have something that you would like to share with our listeners?
[00:19:36] Ollie Whitehouse: I do. Um, and so it’s often cited that the original “Italian Job” is the first movie in which there is a hacker where Benny Hill takes over the traffic lights in “The Italian Job.” And actually that movie is beaten to the punch by a small British movie, which people never hear of, cause it’s only if you go digging, do you get it? So the first movie in which hacking occurred was moving called “Hot Millions,” which featured Peter Ustinov. And so for all your listeners or watchers, gum, dig it out and see the glorious 1960s impression of what modern hacking would look like.
[00:20:11] Tom Garrison: Uh, what did they break into? What was it?
[00:20:14] Ollie Whitehouse: Naturally, it was, for millions, it was for money. It was a banking computer, which, uh, so it’s still the punchline: “if the light was blinking, they knew what the computer was doing.” And so you can kind of work how the plot is going.
[00:20:28] Tom Garrison: Deep plot.
Ollie Whitehouse: Indeed.
Tom Garrison: Ok so Camille.
[00:20:33] Camille Morhardt: So my fun fact is my dad is actually an artist. So the painting behind me is a sanderling that he painted. So I was looking up sanderlings and they’re these incredible little birds. They actually breed in the Arctic Tundra and then they fly anywhere from 3,000 to 10,000 kilometers for the rest of the year. So they’re one of the largest sort of migration distances species out there. And they’re these tiny little things and you’ll see them, they eat invertebrates at the shoreline. So you’ll see them, they kind of gathered together and flocks and they all run together and they run out when the wave goes out and they run up when the wave comes up and out and up and out and up. And they’re just these cute little things.
[00:21:20] Tom Garrison: Yeah, that’s shocking that a bird that small could travel that far. I’ve seen them. They’re everywhere on the Oregon Coast.
[00:21:28] Camille Morhardt: I always wondered where they went, you know, and now I know it’s to the Arctic Circle Tundra to lay three or four eggs.
[00:21:34] Tom Garrison: Wow. Very cool. All right. Well, my fun fact, this week through the magic of working remotely, uh, last week, I actually worked–for real, I did work–over in Hawaii. I just woke up hellishly early, like 4:00 AM. And I would do my meetings from 4:00 AM until 2:00 PM because of the magic of time zones. And then at two o’clock, I was free to do whatever I wanted. And then I had the weekends on either side.
So I went to the volcano there on the big island and that was erupting. And so my fun fact, I had to find something interesting about volcanoes based on the fact that I just saw one for the first time in my life, actually erupting. And you can walk relatively close. You know, you’re within maybe 400 yards or so of where the lava’s coming out. So it’s kind of cool. S o my fun fact. Is that there are 18 volcanoes in the us currently with a potential to erupt. again. All of those are in either Alaska, Hawaii or the US West Coast. The tallest volcano on earth is Hawaii Mauna Kea. It has an elevation of 4,207 meters– whatever that is 12,000 plus feet. However, Mauna Kea actually rises up from the bottom of the ocean. The elevation when we calculate it from sea level up, but it actually rises from the bottom of the ocean. So if you could measure the Mauna Kea from its base, on the ocean floor to its peak. Its true height would be 10,203 meters. And that folks is taller than Mount Everest.
Ollie Whitehouse: Wow.
[00:23:42] Camille Morhardt: That’s a good fun fact. I like it.
[00:23:43] Tom Garrison: That’s my fun fact for the day. So Ollie, thank you so much for joining us today. The conversation on the CHIPS Act, you know, it’s in the news. I thought it was a great way for our listeners to learn about it. I think Camille and I both learned some stuff from it as well. So thanks for spending the time with us.
[00:24:00] Ollie Whitehouse: My pleasure. And thank you for having me.