Amida/Insights/News/The mother of all ‘zero-days’ — immortal flaws in semiconductor chips

The mother of all ‘zero-days’ — immortal flaws in semiconductor chips

Dark Mode

WASHINGTON – Aug. 27, 2022 – The Hill — Washington, DC

The CHIPS Act of 2022 was signed into law on Aug. 9. It provides tens of billions of dollars in public support for revitalization of domestic semiconductor manufacturing, workforce training, and “leap ahead” wireless technology. Because we outsource most of our device fabrication — including the chips that go into the Navy’s submarines and ships, the Army’s jeeps and tanks, military drones and satellites — our industrial base has become weak and shallow. The first order of business for the CHIPS Act is to address a serious deficit in our domestic production capacity.

Notoriously absent from the language of the bill is any mention of chip security. Consequently, the U.S. is about to make the same mistake with microelectronics that we made with digital networks and software applications: Unless and until the government demands in-device security, our competitors will have an easy time of manipulating how chips function and behave. Nowhere is this more dangerous than our national security infrastructure.

For the first quarter-century of ubiquitous internet access, policy makers and industry leaders did not imagine — literally could not conceive — a deliberate electronic intrusion from an ideological adversary.

Now they hit us almost at will.

Deterrence has proven to be an obviously insufficient policy alternative. Western civil societies — our power stations, waste processing facilities, and hospitals — are paying a heavy price for their porous defenses and cyber naivete.

Every chip starts life as a software program before it is fabricated, mostly in Asia, and mostly in Taiwan, into a chip. The process that transforms design code into “sand in the hand” silicon is just as vulnerable today as consumer applications were in the early 2010s, and for all the same reasons. The impact is deeper and more penetrating because once a chip is compromised, it is nearly impossible to patch. It might be in space or under an ocean. Our enemies know this too.

Undetected vulnerabilities, called “zero-days,” are endemic to and ubiquitous in all digital systems. They remain dormant until activated by someone who is trying to ransom data, steal data, or insert false instructions into a computer. They target electric grids, water supplies, financial clearinghouses, supply chains, and transportation fleets. The people who operate critical infrastructure have no time — literally zero days — to fix them. They exist because it is impossible for designers and manufacturers to test every possible combination of paths in or out of a device. Zero-days enable destructive cyberattacks on physical systems.

Non-technical people may assume that cybersecurity is just “secret stuff that is getting handled behind the scenes.” It is not, or at least not-nearly well enough. And if our experience with consumer applications and industrial control systems is any indication, we urgently need to bolster our cyber defenses on semiconductor chips. Policymakers and industry leaders in the U.S. have not yet connected digital theft and intrusion to kinetic danger and violence in a way that the general public can understand.

Leading manufacturers will soon be mass-producing devices whose internal geometric features are measured by angstroms, 20 to be exact, the orbit of an electron around a hydrogen nucleus. Our ability to build chips so compact, so small, and so potent means we could dramatically improve surveillance for deviant behavior and respond proactively when it occurs.

Chips, of course, rarely live in isolation. There are communication chips, graphics chips, sensory chips, memory chips, pacemaker chips and the iconic microprocessor. They are the workhorses of our networked health, energy, water, financial, agricultural, supply chain, retail, transportation and national security infrastructure, and they are connected to each other. An infection in one can easily spread to another, like a biological virus.

Semiconductor industry icon Joe Costello and Levin recently argued that chips are the next frontier of exploitation and will have zero-day problems that cannot be patched because they are literally baked into the hardware; this is why we need much better defense there, too.

In 2017 Russia used an NSA-created zero-day, in their hands called “NotPetya,” in what Nicole Perlroth characterized as “the most destructive and costly cyberattack in world history.” She reported that after an earlier disruption of a Ukrainian electric grid, operators “[recognized] that things could have been a lot worse,” because “the attack had stopped short of the kind of deadly calamity that could derail passenger jets and planes or ignite a deadly explosion of some kind.” They were a premonition of bad things to come.

“You know,” one of Pelroth’s sources told her, “if they switch off the lights here, we might be without power for a few hours. But if they do the same to you …”

It is difficult to read these words in the summer of 2022. They are already doing the same to us. Will we stop them with tit-for-tat cyber offense and threats of escalation, or will we build a breakwater against the surges we know are coming? Unless and until we unravel this queer policy imbalance — near defenselessness against hardware zero-days, reliance on offensive capabilities as defensive deterrence, and the incessant intrusions we already endure because we know less about our exposure than our enemies do — we could find ourselves in a hot war we could have avoided with better imagination and real alternatives for our leaders.

The CHIPS Act begins to solve the problems of geography and geometry. Unless and until we systematically address on-chip cybersecurity, as the NSA recently highlighted, we will build devices that are vulnerable by design, deploy them to the field, and be helpless if an adversary takes control. Chips are on the vanguard of our digital defenses. They need to be protected with thoughtful policy and common-sense requirements of how they are secured and what happens if they are breached.