WASHINGTON: Joyce Corell of the Office of the Director of National Intelligence told the public and private sectors today that the past year has been a “wake-up call” on the “fragility” of US information and communications tech (ITC) supply chains. It’s not just the weaknesses in domestic and international supply chains that were laid bare during the pandemic, Corell said. It’s also the recent, aggressive cyberespionage campaigns conducted by Russian and Chinese intelligence services against US public and private entities.
Corell, assistant director at the National Counterintelligence and Security Center, told a virtual event hosted by the Institute for Critical Infrastructure Technology that, “Everyone in the US and worldwide has learned about supply chain resilience since the pandemic. Supply chain issues are now dinner table conversations. We all saw how fragile some [supply chains] were and how resilient others were.”
Corell noted that the SolarWinds campaign, in particular, demonstrated how “determined, persistent, agile, and stealthy” US adversaries are. (The Cybersecurity and Infrastructure Security Agency yesterday released a detailed description of SolarWinds threat actor tools, techniques, and procedures mapped onto MITRE’s ATT&CK framework.) Faced with such adversaries, Corell urged the public and private sectors to adopt a risk-based management approach to supply chains, focusing on “criticality, prioritization, accountability, and transparency.”
Corell highlighted the Biden administration’s recent executive order to review American supply chains, which gave special attention to semiconductors, high-capacity batteries, rare earth elements, and pharmaceuticals.
Corell spoke on the same day the Defense Advanced Research Projects Agency and Intel Corp. announced a three-year partnership to develop and domestically manufacture new structured Application Specific Integrated Circuit (ASIC) platforms for defense and commercial aviation electronics systems. DARPA and Intel’s partnership announcement arrives amid a global shortage of semiconductors, although the shortage is not the primary driver behind the partnership.
The DoD currently uses Field-Programmable Gate Arrays (FPGAs) in a variety of defense applications. DARPA’s SAHARA (Structured Array Hardware for Automatically Realized Applications) partnership with Intel is specifically focused on converting FPGAs used today to structured ASICs. SAHARA is seeking to optimize the relative costs and benefits associated with three chips: ASICs, structured ASICs, and FPGAs. These trade-offs include performance, power consumption, per-unit manufacturing cost, and security.
Serge Leef, program manager in DARPA’s Microsystems Technology Office, told Breaking Defense, “A decade ago, many DoD applications moved to FPGAs and away from ASICs because FPGAs were viewed as a reasonable replacement. ASICs design and manufacturing costs were viewed as a poor match for DoD’s low-volume use cases.”
But today, he said, “Intel’s structured ASICs offer a compelling mid-point between ASICs and FPGAs. This gives the DoD a path to chips with higher performance and lower power consumption at lower design costs while minimizing unit costs. It may be worth noting that the structured ASIC concept has been around for 20+ years, but until recently, there was not a viable DoD supplier like Intel behind this technology.”
There are several advantages to structured ASICs relative to FPGAs. Leef explained, “Structured ASICs are compelling chip implementation vehicles as they offer ~50 percent advantages in performance and power as well as lower unit costs relative to FPGAs, which are commonly used in defense applications today. The amount of power consumed by FPGAs is becoming increasingly unsuitable for defense applications, such as Night Vision.”
There are, however, security risks with moving from FPGAs to structured ASICs, which SAHARA and Intel aim to solve. “A challenge is that structured ASICs, unlike FPGAs, contain the design information at the manufacturing time,” he said. “This is why SAHARA is working to address the need for security mechanisms to protect the designs during manufacturing in zero-trust environments.”
By contrast, Leef explained, “FPGAs are manufactured as ‘blanks.’ The design information is injected when the FPGA is in the hands of the end user or customer. The design information isn’t revealed to the manufacturer at any stage of the process. Structured ASICs, on the other hand, have the design information embedded into them. This design information can be accessed or compromised during the manufacturing, assembly, and test phases. Those are the stages of the process that SAHARA mechanisms are working to address.”
The nature of information accessible to structured ASICs manufacturers is one reason why Intel, a US-based advanced semiconductor manufacturer, is the commercial partner for chips to be used in defense applications. “It’s all being made within the US from beginning to end,” noted Intel’s José Roberto Alvarez, senior director, CTO Office, Intel Programmable Solutions Group.
SAHARA will also look at ways to secure structured ASICs in “zero-trust environments” by developing “countermeasure technologies that enhance protection of data and intellectual property from reverse engineering and counterfeiting.”
The SAHARA partnership includes academic researchers from the University of Florida, University of Maryland, and Texas A&M.
ICT supply chain risks have really only begun to get serious attention over the past several years, Corell observed during her ICIT keynote. Almost no one talked about supply chain risk management more than a decade ago. The conversation has broadened in recent years to emphasize the inherently intertwined nature of US national security and economic security, Corell noted. This led to multiple initiatives to shore up the ICT supply chain over the past four years, including a flurry of executive orders and Congressional legislation.
But there is still more work to be done to secure American supply chains, especially in the defense industrial base. A Defense Department report to Congress in January specifically highlighted supply chain issues. The report called for a “defense industrial strategy,” specifically calling attention to microelectronics (including semiconductors) and shipbuilding.
Hudson Institute Senior Fellow Bryan Clark and Adjunct Fellow Dan Patt recently wrote, here on Breaking Defense, on the need for a robust US strategy for microelectronics.