Al Crouch Layton Ellington Peter L. Levin Maria Spasojevic
Amida Technology Solutions, Inc.
July 2021
IBM just announced that they have created the world’s first 2-nanometer chip.1 This is a breathtaking accomplishment. We now know how to create semiconductor devices whose structural features are measured by a few baker’s dozens of atoms. Twenty-five years ago, when the United States and Europe dominated chip manufacturing, the industry produced components at the 250-nanometer node, more than 100 times larger.2,3 The United States still holds a significant edge in the software tools for semiconductor design, and many of the manufacturing innovations in materials science and photolithography come from our laboratories. However, practically all advanced electronics are physically fabricated in Asia. The 2-nanometer breakthrough will certainly migrate there as well, and far more quickly than our R&D, commercial, and trade policies currently anticipate.
Asia’s emergence in device manufacturing traces back to 1994, when then-Defense Secretary William Perry mandated4 that services use “commercial specifications and standards instead of military standards.”5 At the time and in historical context, this was a natural, even celebrated, decision. The United States had little apprehension of resurgent – never mind revanchist – Russian influence. Even more importantly, China’s economy was less than a tenth of ours, and their technology base was dependent upon absorption, adoption, and occasional theft from the West.
Despite deep cultural differences and almost no intellectual property protection, the labor-and-facilities arbitrage made China a particularly attractive host for new factories. Their high educational standards sealed the deal for many high-tech investments, including capital-intensive semiconductor manufacturing facilities. Now, in the waning days of the Covid-19 pandemic, we need to better understand that offshoring our semiconductor supply chain created problems that seriously threaten our national security, economic liberty, and even personal freedoms.
1994 was the year before Netscape went public. There was no general awareness, never mind fear, of cybersecurity. Fifteen years later, most chip companies outsourced their most-advanced manufacturing expertise to Asia. This is directly analogous to how book publishers compete on author reviews and customer awareness but contract out the actual assembly to content-agnostic printers who compete on paper, energy, ink, and low labor costs.6
In other words, we conceive the chips at home and send the circuit schematics to foundries overseas. The physical devices are tested and inspected by the “publishers,” but the focus is on compliance to the functional specifications. Until recently, no one seriously considered the possibility that the factory itself could, or would, change the product. Now we know that they can, and sometimes do.7,8,9,10,11
Even as the last administration raised tensions and lowered credibility with insouciant name-calling, China’s calm response to U.S.-instigated tariff wars and international trade restrictions12 was to raise the priority of their digital self-sufficiency and “so-called third-generation chip development.”13 Nicholas Christakis wrote, “Before the pandemic, the emphasis was on just-in-time production, with parts being delivered just when they were needed in the manufacturing process. . . But in the post-pandemic period, the emphasis could shift to just-in-case supply chains.”14 China is investing in capacity that we are not.
For semiconductors, any contingency plan must focus on reliability and trusted sources. While efforts to repatriate physical plants are part of the solution, they require far more coordination than we have, and will take years to complete. According to the White House’s just-released supply chain report,15 “In 2019, of six new semiconductor production facilities in the world, none were in the United States, while four were in China.” It correctly captures the acute problem, which is that “[The] United States produces none of the leading-edge (under 10-nm) chips, while Taiwan accounts for 92 percent” — yet another flashpoint on the most essential place in the semiconductor supply chain.16
As C. Raja Mohan recently pointed out, finding the right balance between ideological confrontation, commercial competition, and scientific cooperation “will not be easy.”17 Because of their complexity, deeply interwoven and interdependent flows, and billion-dollar facility costs, this will be especially complicated for semiconductors. Making matters worse – as Jared Cohen and Richard Fontaine masterfully describe – is the West’s dangerous disunion while China has become ascendent in facial and voice recognition, 5G technology, digital payments, quantum communications, and the commercial drone market — all cutting-edge technologies irreplaceably enabled by semiconductors. In their words, “the United States and its allies have stepped away from their tradition of collaboration.”18
The consequence, according to the Semiconductor Industry Association, is that Asia will “capture nearly all manufacturing growth” this decade, while the U.S. – on its current trajectory – will gain almost none. China alone is investing $100 billion into the sector and “funding the construction of more than sixty new semiconductor fabs” in order to have “the single-largest share of chip production by 2030.”19 Recently, with bipartisan support, the Senate passed the Innovation and Competition Act of 2021,20 which includes $52 billion over five years to “bolster domestic semiconductor manufacturing.”21
How, then – without adding even more tension to our relationship with China – can we collectively respond to this lethal threat in a way that both directly addresses the challenge and better promotes the health, vitality, resilience, and vibrancy of this core industry? Virology suggests a promising approach.
Earlier generations of semiconductors contained no ability to detect, never mind heal, anomalous function. Basically, we knew something was wrong when the device did not work. The root causes of error were assumed to be design flaws, a then-safe assumption because it is mathematically impossible to check for every combination of behaviors, and the design paradigms of the last quarter century never seriously considered that an adversary would deliberately contaminate or infect a device.
Chips that are clandestinely modified with “Trojans” can leak information (e.g., targeting coordinates), behave improperly (e.g., turn themselves off or follow inauthentic remote instructions), or be/become unreliable (e.g., erroneously compute their GPS-based position). Even though we cannot anticipate every conceivable misbehavior, industry is starting to consider how automated tools can identify vulnerabilities and threat surfaces that human designers will miss. We can model where hardware Trojans might go, what they might be able to do, and, crucially, how we would know if they were active.
The current approach to hardware cybersecurity largely falls in the realm of forensic analysis — that is, the search for and mitigation of exploits after the compromised hardware is delivered from the manufacturer, distributor, or other links in the supply chain. In contrast, one could apply predictive analysis, much like T-cells in our bodies.22 Progress here is borne of recent advances in machine learning and artificial intelligence, and from our already-deep understanding of the downstream impact of unexpected changes. Knowledge of just some of these attack modes can inform new algorithms (that assert “don’t ever let this happen” rules or anticipate “what an adversary might want to do”) to expose and potentially remediate hardware security weaknesses during the design phase.
These new strategies depend on our ability to identify vulnerable points in the chip before it is built, insert our own Trojans, and observe the response. We can experiment with specialized surveillance instruments and bit-level anomaly detection. These immune system-like explorations are remarkably similar to real-life biological systems and can even evolve better chip-level defenses.23 The difference is that nature has had four billion years to experiment with alternative defenses and error correction techniques; even at the lowest technology nodes available today, there is practically nothing inside a chip that protects it.
The primary problem is that the economic incentives are misaligned, even perverse. Manufacturers have historically loathed the insertion of “overhead” in their devices, for fear of being commercially uncompetitive. Every square nanometer is devoted to enhanced functionality. Semiconductor immune systems take time to integrate in the lab, require space on the device, and consume power in the field. When an alternative supplier can provide all the (apparently) same features faster, in a smaller and more energy-efficient package, reliability and trust are unceremoniously defenestrated.
Moreover, official recognition of cyber-physical systems24 as a national security threat largely ignores the more-pernicious vulnerability we face in semiconductor manufacturing. Although software breaches are reported with horrifying regularity, the general public and elected officials are largely unaware of the challenge that transcends ransomware and data center hacks. The new threat – bad actors inserting Trojans directly into chips that can be activated to cause malfunction – is especially dangerous because we depend on semiconductors for both national security and the everyday services of civil society.
Since a huge fraction of our supply will come from Asia for at least the next decade, we need to take chip security far more seriously. Given the inadequacy of U.S.-sourced choices, we believe that the Administration must level the competitive playing field, especially in the defense domain, and demand that suppliers provide the user-controlled ability to detect intrusion on every device and electronic system. Congress can, simultaneously, ensure that the country has an appropriate level of investment – at least in universities and government laboratories – to maintain our edge in the semiconductor software design tools that enable this level of “immune response.”
The good news is that there is bio-mimicking technology under development that can significantly reduce or eliminate this new and unprecedented vulnerability. Indeed, the country urgently needs to re-prioritize this “problem from hell” before we experience a scaled and massive attack on our infrastructure25 and security apparatus.
1“IBM Introduces the World’s First 2-nm Node Chip,” by Dexter Johnson, IEEE Spectrum, May 6 2021 (https://bit.ly/3gKvpDX)
2 “The Global Route to Future Semiconductor Technology: An Overview of the 2001 International Technology Roadmap for Semiconductors,” by Paulo A. Gargini, IEEE Circuits and Devices Magazine, March 2002 (https://bit.ly/3gDDICO)
3 In fact, the performance difference goes as the square of the node; today’s devices have about 10,000 times more transistors on them.
4 “Specifications and Standards: A New Way of Doing Business,” Defense Secretary William J. Perry, 1994
5 “Completing U.S. Navy Military Specifications & Standards Reform (MSSR): Issues and Problems,” RAND presentation, December 1998 (https://bit.ly/3cVigqw)
6 “Cheap Words,” by George Packer, The New Yorker, February 9 2014 (https://bit.ly/2ScuunA )
7 “Securing the Information Highway,” by Wesley K. Clark and Peter L. Levin, Foreign Affairs, November 2009 (https://fam.ag/3xuGWP3)
8 “Can DARPA Fix the Cybersecurity ‘Problem From Hell?’ ”, by Adam Rawnsley, Wired, August 5 2011 (https://bit.ly/2UDRkVS)
9 “Compromising Device Security via NVM Controller Vulnerability,” by Sergei Skorobogatov, IEEE Physical Assurance and Inspection of Electronics, 2020 (https://bit.ly/2TSiNDp)
10 “Chinese Hackers Have Pillaged Taiwan’s Semiconductor Industry,” by Andy Greenberg, Wired, August 6 2020 (https://bit.ly/3AEQ5qh)
11 “Vulnerabilities of U.S. national security are automatically classified, as this topic certainly is,” private correspondence with a former high-ranking national security official: July 2021
12 “How ASML Became Chipmaking’s Biggest Monopoly,” The Economist, Feb 27 2020 (https://econ.st/2SGLbbc)
13 “Xi Jinping Taps Top Lieutenant to Lead Third-Generation Chip Development in Battle Against U.S. Sanctions,” South China Morning Post, June 17 2021 (https://bit.ly/2UjbCUK)
14 Apollo’s Arrow, by Nicholas A. Christakis, Hachette Book Group, October 2020, page 273
15 “Building Resilient Supply Chains, Revitalizing American Manufacturing, and Fostering Broad-Based Growth,” 100-Day Reviews under Executive Order 14017, June 2021 (https://bit.ly/2TPrQEE)
16 “The Future of Taiwan in U.S.-China Technology Competition: With its Semiconductor Might, Taiwan will not be Overlooked,” by Alexa Lee, Stanford Cyber Policy Center, April 6 2021(https://stanford.io/36pKRAU)
17 https://foreignpolicy.com/2021/01/15/biden-china-asia-allies-strategy-pivot/#
18 “Uniting the Techno-Democracies,” by Jared Cohen and Richard Fontaine, Foreign Affairs November/December 2020 (https://fam.ag/3xx7Oxm)
19 “Strengthening the U.S. Semiconductor Industrial Base,” SIA online publication, (https://bit.ly/3gP0OVJ0)
20 S.1260 — United States Innovation and Competition Act of 2021 (https://bit.ly/2UfM36R0)
21 “Senate China Bill to Add $52 Billion for U.S. Chip-Making,” by Daniel Flatley, Bloomberg, May 18 2021 (https://bloom.bg/3cTWeoj)
22 “Human T-Cell Development, Localization, and Function Throughout Life,” by Brahma et al, National Library of Medicine, Feb 2020 (https://bit.ly/36rZCD0)
23 “The Hope and Challenge of Synthetic Biology,” by Jay J. Schnitzer and Peter L. Levin, IEEE International Symposium on Technology and Society, 2018 (https://bit.ly/2UkrdmZ)
24 https://www.nist.gov/el/cyber-physical-systems
25 “Cybersafety Analysis of the Maroochy Sire Sewage Spill,” by Nabil Sayfayn and Stuart Madnick, Cybersecurity Interdisciplinary Systems Laboratory, MIT, May 2017 (https://bit.ly/3jXA7RZ)
