Security experts wary of the Pentagon’s new microchip supplier
To provide computing power for the U.S. arsenal of advanced weaponry, satellites and information systems, the Pentagon has entered into a seven-year deal with Globalfoundries Inc, an Abu Dhabi-owned microchip manufacturer.
The move serves to diversify the Defense Department’s microchip supply chain — an issue of particular concern for some defense officials — which has been dominated by a short list of sellers led by IBM for over a decade.
A microchip is a small, wafer-thin semiconductor used to relay information through an electrical grid, thereby making an integrated circuit. Almost every modern digital device is chock-full of microchips.
With an increase in allowed suppliers, however, some observers are worried about the risk of tampering and hidden backdoors on microchips intended for sensitive military systems. In such a scenario, hackers may be capable of shutting off and even infiltrating affected hardware.
Last month, researchers at the University of Michigan demonstrated how to create such a backdoor that would ‘evade known defenses’ and allow attackers to take over a computer in which a tampered microchip was installed.
Strategic Cyber Ventures CTO Ann Barron-DiCamillo, a former director of the U.S.-Computer Emergency Readiness Team, told FedScoop the Senate Committee on Armed Services had “pushed the DOD to extend beyond one vendor.”
She added that “third party robust vulnerability testing on both domestic and international chips is [now] paramount to address the cybersecurity concerns [tied to microchips].”
While the Pentagon launched an official microchip-vetting program in 2004 — which specifically named 70 verified companies and about 20 “trusted foundries” — just two former IBM factories in Vermont and upstate New York produce the vast majority of custom-made microchips used in complex, current American weapons systems.
Globalfoundries Inc. now owns both of those facilities.
Steven Chen, the CEO of microchip auditing technology developer PFP Cybersecurity, wrote in an email to FedScoop: “Like it or not, chip manufacturing is moving toward a global supply base. Protection through local geographical sole-source production cannot be economically viable in the long run and ultimately will fall behind the rapidly improving technology curve.”
Recognizing this, the Pentagon has stated that it plans to identify more non-U.S. chip suppliers and will explore other technologies to ensure that merchandise is safe.
“Opening the military market to more producers of the most advanced commercial chips would allow the Pentagon to keep pace with technology developments,” an unnamed DOD official told The Wall Street Journal.
As the microchip industry has evolved and shifted its manufacturing base to Asia, demand from the burgeoning smartphone market and other civilian sectors has eclipsed that from the defense industry, and the Pentagon’s influence on microchip manufacturing has declined as a result.
The Trusted Access Program Office, which coordinates technology acquisition for the Pentagon and intelligence agencies, told The Wall Street Journal that military users account for less than 0.1 percent of global chip demand today.
“Volume-wise, the US military economic power in the semiconductor industry has become the flea wagging the tail on the dog. The only hope of ensuring the supply chain is through technologies that can detect tampering regardless of where the product is manufactured,” Chen added.
Chen’s company is part of a small but growing group of technology startups focused on detecting counterfeit, altered and virus-laden microchips. Earlier this year, the Vienna, Virginia-based brand attracted a $2-million investment from private backers. Similarly, the Defense Advanced Research Projects Agency is reportedly working on a tiny tagging device that would fit on processors to accomplish the same goal.
William Chappell, director of the Microsystems Technology Office at DARPA, said his team is working to develop technology that will be able to determine where a microchip is specifically manufactured and programmed — two factors relevant to determining a unit’s authenticity.
But such technology likely wouldn’t find the proof-of-concept backdoor developed last month by researchers at the University of Michigan, which sits on a computer chip, virtually undetectable, enabling a ‘remotely-controllable privilege escalation.’
Among other things, the project spotlighted the difficulty associated with detecting this sort of hardware security vulnerability.
Shortly after publication of the university’s report, SANS course author and Rendition Infosec founder Jake Williams wrote that it is a great example of “the problems we currently have with supply chain integrity for digital devices. With few current detection methods, such a backdoor could exist comfortably in the wild today … The good news is that such a backdoor is costly to design and deploy and would likely only be used by nation states to go after very important targets.”
But in the eyes of nation-state actors, U.S. military control systems likely fall into the category of “very important targets.” And that’s what is worrying some insiders.