Goldberg – Supply Chain Vulnerabilities (VIF 02_01) (4:07)
How Can Supply Chain vulnerabilities Contaminate Computer Chipsets, and Enable them to Defeat Encryption?
The principle way is in the design of the chip, so when you get to the reticles, which is the masks and resists that create the pattern used to etch the topography on a chip. You can add features at that level and even after that level when you ship that design to a fab in China, Malaysia, or other places abroad it can be altered in the process of its installation and used in such that additional features are added to chips. We’ve seen that occur the proasic3 chip which is an encryption chip was examined by some folks at Cambridge University and while some people think what they found were features for debugging, others are much less about the ** nature of those features because those features were found at every quadrant of the chip, every layer of the chip, and where the chip had billions of transistors, there were millions of extra features that can’t be explained. So you might look at that as an example of where you might add access to it.
Generally, the way we describe it for our purposes of dialogue with the Government is that their size and location suggests that they are administrator addresses. In some cases they are a thousand lines of code long. If you are translated that into feature sizes we are talking about something that may be one hundred twenty atoms in length which are simply nothing more than addresses that are accessible by people who own that address, making them the administrator of privilege on the chip. When you have that, and you ping on that chip from abroad on that chip from using the internet or some other mechanism, but primarily the internet, and you approach that device via a server, router, or switch that houses the chip, the chip will recognize you, not withstanding the fact that you might have barriers such as multifactor authentication, whitelisting, by virtue of the fact that you own that address the chip recognizes you as the most privileged user of that device. Therefore encryption, firewalls, and other devices that we use to harden against access are meaningless. This is something we’ve known for quite a while. When we think about the nature of this, this is not a surprising event. We actually developed those capabilities for our uses many years ago.
As we shifted the manufacturer abroad, low and behold the enlighted self-interest of the nations to which we exported manufacturing were included on devices so they could harvest information and technology for their own benefit. The Chinese in private conversations with our own government make no bones about it. We have to live with that reality because it applies to us and everyone else.
If the chip shows up in Botswana its harvesting information there, if it shows up in Bolivia it harvests information there, if it shows up in Belgium it harvests information there. There is no exclusivity, there is no peculiar aim at the United States, it is aimed more broadly. Frankly you have to acknowledge that in hardware today. There are ways we can address that, but they are not easy.