A recent story in the San Jose Mercury News states that a growing deluge of millions of counterfeit chips is posing peril to the military and the general public. A California company admitted importing 13,000 bogus chips altered to resemble those from legitimate companies, including Silicon Valley firms Intel, Atmel, Altera and National Semiconductor.
Separate studies this year by the Commerce Department and the Government Accountability Office concluded that the armed forces—which use chips in everything from communications and radar systems to warplanes and missiles—is alarmingly vulnerable to fakes.
A more interesting problem is that of genuine parts with hidden functionality that is either running all of the time or can be triggered by a remote command or a specific event. Sometimes these are called “Easter Eggs.” The name of the designer might be etched into the chip, or in the case of several early Apple Macintosh models, pictures of the development team that were stored in the system’s read only memory (ROM) could be displayed when a specific key combination was pressed. But what if the hidden functionality is to “phone home” or just stop working when a specific condition is met?
It scares the heck out of me that the US military is buying components, or products built from components, that come from companies in other countries that may not be friendly to us. For example, what if an encryption chip comes from a company that can be influenced by an unfriendly government? And what if that encryption chip is used to secure communications between soldiers on the battlefield? What if flash drives newly-approved by STRATCOM for use within the department of defense contain encryption chips with a back door that could allow an unfriendly government to either read the contents, or worse, inject a virus when they are connected to a secure system?
“Assembled in USA” does not mean the same thing as “Made in USA,” and even products made in USA can contain foreign parts. Of course, some of this is our own fault because we spent years outsourcing most manufacturing to other countries with cheaper labor costs. But I digress. If a component or system is going to be used for national security applications, price should be the last requirement on the list.
The mandatory first requirement should be, “designed and manufactured by cleared employees in controlled facilities using cleared and controlled components.” And this has been the SPYRUS philosophy since day one. Even though we use a part in our products that has its own cryptographic algorithms built in, we know that we cannot trust them so we don’t use them. SPYRUS wrote our own cryptographic algorithms under controlled conditions in a secure facility and this is what we use in our products.
Whether you are a government purchasing agent or work in private industry, part of your job should be to ensure that the products you are buying for secure, mission-critical applications are truly secure and free from the influence of an unfriendly foreign government—and that means having a very frank talk with your suppliers.
Comments?
