Federal authorities need to shift more of their attention to computer chips as a platform for a well-organized attack on the United States by would-be saboteurs, warns a well-respected professor in the field of integrated circuits.Several administration officials are scheduled to testify in front of two House committees Wednesday as Capitol Hill works with them to enact landmark cybersecurity legislation by the end of the summer.
One little-discussed area that they all need to more thoroughly examine is the security measures that should be adopted against malicious hardware that can be secretly implanted in the integrated circuits that control much of the world around us today, John D. Villasenor, professor of electrical engineering at the University of California, told TPM.
“There are literally thousands of people engaged in addressing software security concerns, but there’s very little awareness of the enormous exposure we have with respect to hardware security,” he said. “Chips are in almost everything these days, and in the commercial sector very little effort is directed to making sure they are free of malicious circuitry.”
Chips can be a security risk because a saboteur can slip in one component of hardware into a design that could contain thousands. Modern computer chips can power anything from the flaps of airplanes to the entire electricity system itself.
Integrated circuits pose a particular risk because they have become so complex. They are sourced and put together by suppliers all around the globe, and so it’s difficult to control the process of creating every single part that goes into them.
Villasenor estimates that there are about 1,550 companies around the world involved in designing integrated circuits.
Saboteurs could implant parts that are triggered by certain events to freeze hardware, or they could build in ‘back doors’ that could perform secret actions on devices as it, or whatever system it’s part of, keeps running.
While it all might sound like something out of The Bourne Conspiracy, French chipmakers and defense contractors have apparently already built such capabilities, an industry source told engineering magazine IEEE in 2008.
The Defense Advanced Research Projects Agency has already embarked on a project to address the issue with chips powering military equipment. Villasenor said that perhaps industry could take a look to see if they could learn any lessons.
Federal authorities could also exert pressure on industry to change its design practices to lower the likely success of such attacks.
“It’s hard to force people to adopt security measures for chips, but you can certainly
create economic and perhaps legislative pressure,” he said.
The administration needs to create some sort of protocol to cope, if such attacks do occur, he added.
And chips should be more thoroughly tested for potential corruption before they are shipped, and companies should bake more built-in defenses right into their designs.
The professor first wrote about his concerns in an August 2010 edition of Scientific American.
But his ideas really got noticed by those in a position to take action in the administration and on Capitol Hill when he published another version of the article at The Brookings Institution this month.
He’s spending June in Washington, DC to meet with policy makers about his ideas, he said.