Supply Chain Vulnerable to Electronic Chip Tampering

By Dinah Wisenberg Brin

The defense supply chain is vulnerable to potential malicious tampering of electronic chips used in key military systems, a new report from a Brookings Institution senior fellow warns, noting that chips also are ubiquitous in the broader power, finance, communications and transportation infrastructure.

While policymakers are addressing the threat of counterfeit electronics, the report says, “the supply chain is almost completely unprotected against a threat that may turn out to be more significant in the long term: Chips could be intentionally compromised during the design process, before they are even manufactured.

“If placed into the design with sufficient skill, these built-in vulnerabilities would be extremely difficult to detect during testing. And they could be exploited months or years later to disrupt – or exfiltrate data from – a system containing the compromised chip.”

The report, written by John Villasenor, a Brookings senior fellow and UCLA electrical engineering and public policy professor, said the opportunity to insert “hidden malicious functionality” has increased as chips have become more complex and design teams have grown larger and more global. A cyberattack using a chip with compromised circuits not only could extract data while appearing to function normally or stop the chip from functioning, it also could corrupt data stored on the chip, it says.

Intentionally compromised hardware inevitably will end up in the defense electronic supply chain, so officials need to figure out how to maintain security when that happens, according to the report. Hardware-based cyberattacks are harder to conduct than software attacks, but also harder to fight against because replacing the corrupted components can be very difficult and costly, the report says.

Software security remains the bigger vulnerability, but isn’t the only exposure, as many believe it to be, the report says.

While the most sensitive defense-system chips are produced at a facility overseen by the National Security Agency, these components represent only a small fraction of the chips used in defense systems, according to Villasenor. “When purchasing computers, routers, navigation and communications equipment and most other electronics hardware, the Department of Defense is heavily reliant on the commercial supply chain – and therefore exposed to any associated vulnerabilites,” the paper says.

The security of the commercial supply chain needs more attention, considering its potential to be a “cyberattack vector,” according to Villasenor, who also recommends that design practices in the semiconductor industry be changed to address the possibility of malicious hardware insertion.

Manufacturing, traditionally the focus of chip security concerns, isn’t the weak link, the report says, pointing to the design phase as the key area of vulnerability.

“Designs are provided to manufacturers as descriptions of the shapes and locations of all the silicon and metal structures that must be built into the chip. It is possible, but very expensive and time consuming, to reverse engineer the full functionality of a chip from the information provided to a manufacturer. Attempting to insert malicious functionality by directly modifying the description of on-chip structures would be difficult, and in some — though not all — cases would create easily detectable defects. The task facing an attacker is much easier if he or she can get access at an earlier stage of the supply chain, when the design is still being created,” Villasenor warns.

Design corruption is a growing threat in part because of the high number of people and organizations involved in the design of a single large chip, the report says. More than 5,000 new chips are designed every year “in a globe-spanning ecosystem involving thousands of companies and hundreds of thousands of people,” it notes.

“The laws of statistics guarantee that there are people with the skills, access and motivation to intentionally compromise a chip design,” the report says.

The report recommends that defense systems should be designed to actively assess trust of their components throughout their service years, and that plans be developed in advance to respond to a hardware-based cyberattack on defense or other critical infrastructure systems, although the problem can only be managed, not completely solved.

Governments around the world, chip makers and design software companies will need to participate in addressing hardware cybersecurity, the report states. The paper represents the views of Villasenor, a senior fellow in governance studies and in the institution’s Center for Technology Innovation, and not necessarily those of Brookings’ staff, officers or board.

“Too often we wait for catastrophe to spur change,” the report says, noting that there hasn’t yet been a string of publicly disclosed examples of defense hardware with malicious design alterations. “But given the critical role of chips in nearly every defense systems, there are good reasons to be proactive as opposed to purely reactive with respect to hardware cybersecurity.”