It’s about supply chain cybersecurity too, not just pride.
On 10 April 1963, during a deep test dive about 200 miles off the northeast coast of the United States, USS Thresher (SSN-593) was lost at sea when a small mechanical component failed to work as designed; the Navy's court of inquiry found the most probable cause to be the failure of a silver-brazed joint in a seawater piping system. All 129 souls aboard perished.
This tragedy launched the Navy's SUBSAFE program: a quality assurance (QA) and component-level certification program built on objective quality evidence that is traceable from the point of manufacture to the point of installation within the ship's SUBSAFE certification boundary. Unique among the many programs designed to keep submarines safe and ready to defend the United States of America in any conflict, SUBSAFE focuses on the individual material components that together make up the ship's vital operational systems.
No component, mechanical or otherwise, makes it into a submarine's SUBSAFE boundary unless its pedigree is known and certified. Should the same standard not apply to the integrated circuits (ICs) and boards installed in the routers, switches, and other electronic devices that control our critical infrastructure, including businesses' networks? Assuming that the security of critical infrastructure or business networks matters less than that of our high-value military assets can be a fatal mistake, and one our adversaries may be counting on.
In recent weeks it has been publicly reported that Chinese manufacturers installed malicious ICs on computer boards sold to US manufacturers, and that those boards, and the equipment built around them, reached networks used by some of our largest blue-chip companies. The companies named in those reports have disputed them, but it would be imprudent to assume that compromised hardware cannot likewise reach the networks that manage our electrical grid, our air traffic control systems, our telecommunications and utilities, and even our medical records. We should be worried, and we should act now.
The number of US "fabs" and foundries is shrinking, and commercial sourcing of microelectronics, computer components, and chips keeps shifting to "anywhere but the U.S." in spite of the U.S. Trusted Supplier Program. We are simply not moving fast enough to meet demand for these components and to source domestically the technology we depend on to run our critical infrastructure and businesses.
I can't attest to all semiconductor industry trends and activity behind the scenes, but I would like to think that if there is one topic that is critical to our safety for years to come, it is being self-sufficient and independent from other countries in the manufacturing of computer technology. Dare I say, even more so than being oil independent.
Supply chain security is both critical to protecting national assets such as US submarines and defense IT networks, and mandated in the form of the Unified Capabilities Requirements (UCR). The UCR guides the procurement of network, data, voice, and other assets introduced into the DoD Information Network (DoDIN) by enforcing the use of the DoDIN Approved Products List (APL). If it is important for DoD entities to procure interoperable, cybersecurity-certified components, shouldn't critical infrastructure operators and businesses follow a similar approach when procuring theirs?
"Made in the USA" shouldn't simply be a phrase of pride. It should become a cybersecurity certification requirement. The last thing I want to read about is a preventable tragedy hitting the USA because a computer chip controlling a multi-billion-dollar power grid "made it" go dark, or our banking system stalling (especially while I am doing some online retail "therapy") because a Trojan horse in a chip was activated by an enemy nation. I don't want a $650BN defense budget to be "all for nothing" because we saved $0.01 per chip by making it overseas.
Make it and assemble it all, soup to nuts, in the USA!
Contribution from Pete Dowdy, PhD
Reference: Wikipedia, "SUBSAFE"