One of the unique features of the secure processor offered by CPU Tech is its origin from the IBM Trusted Foundry in East Fishkill, New York. While there is a general awareness of what this means (the average person will essentially equate the claim to ‘Made in the USA’), there is not a general understanding of the real threats and vulnerabilities inherent in manufacturing overseas. As electronic devices become more complex and sophisticated, this threat increases. Therefore, the issue of ‘trusted electronics’ and ‘trusted components’ will only increase in volume.
The US Government has been aware of and concerned about this threat for some time, and has begun to address it for their most critical defense and national systems with the ‘Trusted Supplier’ program.
History of Trusted Supply Program: Up until the 1990’s, the US Department of Defense operated some of its own miniature foundries – capabilities, yields, locations are often classified. The purpose of these fabrication sites is to produce highly sensitive circuits for intelligence and national defense equipment. Some of these foundries operate today in unknown capacities.
As semiconductor manufacturing became a mass-quantity business with billion-dollar R&D budgets to sustain smaller chip geometries, US national foundry capabilities became unsustainable. However, the need to produce highly sensitive circuits has not changed. As a result, the Department of Defense initiated a ‘Trusted Foundry’ program, intended to give themselves more cost-effective chip fabrication options than the small national foundries.
Some facts about this ‘Trusted Foundry’ program:
- Managed by a DoD group called ‘Defense Microelectronic Activity’ and the NSA
- Put IBM on ten-year contract (2003-2012)
- DMEA claims thousands of chip prototypes, tens of thousands of wafers made
- 454 unique designs
- Designs brokered into Trusted Foundry through a ‘Trusted Access Program Office’ (TAPO)
Threats from ‘Non-Trusted’ Manufacture: The Defense Microelectronics Activity (DMEA) has spoken widely on a variety of threats they are addressing with the Trusted Supply program. A summary of these threats from overseas manufacturing is described below.
- Counterfeiting: foreign power can produce cheap, low quality/reliability counterfeits
- Overproduction: foreign power keeps surplus parts, competes with customer
- Tampering: foreign power inserts hardware malicious ‘backdoor’ circuits
- Steal IP: foreign power reverse-engineers designs and processes to gain IP
- Technology Denial: foreign power reserves top technologies for trade advantage
Trusted Design Chain: The DMEA is now expanding their Trust program to include more than just manufacturing. There are now six categories of services related to electronic components:
- Mask Making
These categories have been designated because the DMEA realized each of these steps could be a vulnerability point for the aforementioned threats of counterfeiting, tampering, and IP theft. The theoretical goal of this Trusted Design Chain program is to require selection of only Trusted providers for every step of a critical defense program. The DMEA currently claims to have 29 accredited Trusted Suppliers that provide 62 of the services identified above in different combinations.
Elevated Importance of Trusted Supply Chain: On 2 March 2010, White House Cyber Security Coordinator Howard Schmidt declassified portions of the Comprehensive National Cyber Security Initiative (CNCI). This initiative, which takes the first steps in identifying significant security holes and vulnerabilities in our national infrastructure, outlines plans to address these holes. I blogged about this recently after visiting the RSA Conference.
One of these holes in our Federal and Defense acquisitions infrastructure, addressed by initiative #11 in the CNCI, is the ‘Global Supply Chain’. This refers to the process of sourcing materials, tools, and components that make up pieces of our critical infrastructure. This process has become so globalized that we can quickly lose track of where our technology is coming from. This creates opportunities for malicious actors to create backdoors, malware, and faulty hardware that make its way into our weapon systems, internet infrastructure, banking systems, and personal computing devices. The CNCI will require careful tracking of participants in the supply chain, which will steer more and more buyers towards Trusted Suppliers.