President's Commentary: A Chain That Is Its Own Weakest Link

The electronics supply chain is the aorta to the global economy. Both the military and the commercial sectors rely on it to provide the lifeblood necessary to flourish, yet the security of that same supply chain, with its ubiquitous importance, potentially holds the key to their demise.

Various threats menace the security of the electronics supply chain. It is susceptible to attacks from many different vectors and from a diverse set of actors. These attacks can serve any number of purposes and take on many guises.

Sabotage is one threat. A nation-state adversary or a nongovernmental group with enough money could discretely alter chips, rendering them insidiously ineffective or incorporating back doors for nefarious operations, just to name a couple of examples. These back doors could lead to data being altered and systems being damaged or shut down. It could render information inaccurate. This threat has been extant for a long time, and it shows no signs of going away.

Counterfeit technology is another problem. The aviation industry, for example, has had to deal with an influx of fake electronic aircraft parts that failed to conform to the original specifications and imperiled people onboard the aircraft. In the information technology sector, fake chips might be developed and sold for a fraction of the original versions’ cost and not meet the stringent standards of the industry, leading to altered performance. Even the suspicion that a system is operating with counterfeit chips could cast widespread doubt on the data it generates.

The intellectual property or proprietary information that traverses the supply chain has a value of its own, and it can be pirated or altered in a number of ways. Networks are the entrée to many devices and systems, and there is a low barrier to access for those trying to tamper with information.

The entire supply chain is subject to interruption. A break in the silicon pipeline would cripple commerce and communications, as well as hamstring the military and other critical national security elements.

This problem is likely to grow as artificial intelligence and the Internet of Things become more pervasive and we become more connected while the potential attack surface widens. Not only will chips and systems increase in complexity and integration, but we will become more vulnerable.

Trying to protect the supply chain is challenging because of its diverse yet pervasive design. Different suppliers develop varying elements of this chain. Ultimately, it will take a whole-of-society approach to secure it. This encompasses industry, government, academia and the individual public. We must do a better job of educating everyone to the threat.

Industry is at the heart of the solution, as it is largely responsible for the global supply chain. In virtually all aspects of electronics technology, it is less expensive to incorporate security from the start-of-system design than it is to build it in later in the process, and the supply chain is no exception. Supply chain security can take the form of quality control, design security, continuous monitoring, protection and detection, ensuring that chips are not tampered with throughout their life cycle. Any of these efforts likely will lead to increased cost, and therein lies the rub. Lower cost at the expense of increased risk is often the driver in a global economy.

Government also has a role to play, actively developing, coordinating and adopting technical standards for supply chain security—including international standards—that supplant the diverse proprietary solutions often employed. All government departments and agencies must join forces on this effort. Developing mutual trust is a big factor in the government’s ability to join forces with other groups.

Government also must bring the issue of supply chain security to the attention of the people. Citizens need to know and understand the importance of a secure supply chain. In addition to providing support for legislative measures to improve policy where appropriate, consumers can apply economic pressure on companies that do not maintain competent security. Opting to buy only from those firms whose technology is trustworthy and effective, consumers can implement economic Darwinism on the marketplace.

Implementing security drives more expensive cost models, so there will be a price to pay. However, that price will be a bargain compared to the losses caused by a coordinated attack through a weak link in the electronics supply chain. The cost of an attack on any element of national power might be immeasurable. With supply chain security, you pay now, or you pay later.