America’s Semiconductors Supply Chain Faces Big Cybersecurity Risks

Mar 23 2017
Photo by Dwayne Madden via Flickr

Government and industry must work together to address these risks — and help keep us safe.

The following blog post was written by Brig. Gen. John Adams (U.S. Army, Ret.), who served more than 30 years on active duty, retiring in 2007. He is the president of Guardian Six LLC, a national security consulting firm, and the lead author of the 2013 report Remaking American Security.

Most of us don’t think about semiconductors that often, but they play a major role in our lives. Semiconductors allow us to use our electronic devices, after all — there would be no televisions, computers or smartphones without them.

But semiconductors are also vital to our national security, as they power many of the high-tech tools used by the U.S. military to keep us safe.

The military needs access to leading-edge semiconductors that our adversaries lack. Yet in an increasingly globalized semiconductor supply chain, the cybersecurity of the U.S. semiconductors industry is increasingly vulnerable to disruption from malware and other production defects.

Most concerning is the continued offshoring of semiconductors production, research & development (R&D) and intellectual property (IP) to potential adversaries such as China. Loss of American control of this vital component and its attendant supply chain raises the risks of compromise of one of our most important technologies. This national security threat demands close coordination between government and industry to address it effectively.

U.S. government purchasers of semiconductors, including the U.S. military, must be able to mitigate risks to the semiconductors supply chain, with regard both to integrity and availability. The Defense Department requires semiconductors that are produced per Military Specification (Mil-Spec) – specialized and custom-produced devices specifically for secure computing functions – for which there is no commercial demand. The domestic knowledge base needed to produce these specialty components in a secure setting may eventually disappear if the United States cannot maintain its domestic semiconductor base.

The risks of malware and defective semiconductors are real. For example, a 2012 Senate Armed Services Committee investigation found 1,800 incidents of counterfeit electronic parts in defense equipment. Many more are likely unreported or intentionally masked by malware. These defective parts have the potential to endanger both mission accomplishment and the lives of service members.

Moreover, if the current offshoring trend in the semiconductors industry continues, semiconductor R&D might soon follow manufacturing overseas, thereby diminishing the United States’ ability to design and produce innovative technology, jeopardizing national security.

Brig. Gen. John Adams (U.S. Army, Ret.) at a 2013 press conference for the unveiling of Remaking American Security. Adams warns that it is essential to our national security that we address risks to our semiconductors supply chain.

Although a small proportion of military and other sensitive semiconductors are securely produced in trusted foundries located in the United States, application of this protective measure to the entire value-chain is economically unfeasible.

Under a long-term arrangement with the Defense Department, originally implemented in 2003 to secure access to leading-edge foundry technology, IBM has since provided the Defense Department and National Security Agency with output from its trusted foundry fabs, producing small runs of highly specialized chips that perform reliably.

However, the 2016 sale of IBM’s semiconductor business (including its trusted foundries in the U.S.) to GlobalFoundries, a company owned by Abu Dhabi, dilutes U.S. control of this vital supply chain.

In the aftermath of this and other business events, it is unclear whether the Defense Department can still oversee production of sensitive chips without requiring that chips be produced by cleared U.S. citizens. Such clearances help assure that the requisite IP will be protected, and retain confidence that a foreign entity will respond to defense requirements for highly specialized chips for sensitive devices that may be used against that foreign entity or its allies.

How can government and industry reduce the cybersecurity risks to our semiconductors supply chain?

First, industry, supported by government, should require that semiconductor manufacturers adopt a need-to-know partitioning of information regarding details of design and production. Designers working on a portion of a chip devoted to one function do not need access to the internal details of chips that perform other functions. In many firms, the barriers that separate design access are simply too low.

Second, government and industry must recognize the significant threat from defective and malicious chips. Scrutiny of third-party suppliers is critical, as well as measures to reduce the odds of compromise in the design and production process.

Third, China’s push to reshape the semiconductors market, using mercantilist policies backed by billions of dollars in government funding, threatens the competitiveness of the U.S. semiconductors industry. We need a coordinated federal effort to influence and respond to Chinese industrial policy, strengthen the U.S. business environment for semiconductor investment, lead partnerships with industry and academia to advance semiconductor innovation, and ensure the cybersecurity of our semiconductors supply chain.

Fourth, we should enlarge the statutory scope of the Committee on Foreign Investment in the U.S. (CFIUS). The organization’s current mandate is to review transactions that could result in control of a U.S. business by foreign entities to determine the effect of such transactions on our national security. This mandate should be expanded to address potential loss or compromise of IP. Fortunately, CFIUS reform is being championed by the Trump administration, as well as Senators on both sides of the aisle.

Although it is impossible to eliminate the cybersecurity risks to our semiconductors supply chain, the above measures would significantly reduce the risks. Only a focused effort on behalf of both government and industry can reverse the damage caused by a combination of offshoring and the growing sophistication of cyber-attacks, and restore the integrity and availability of the semiconductors upon which our national security depends.