From Flame to the FBI's program of protecting users from the DNSChanger trojan, one critical component is often underappreciated amidst the deluge of coverage on cyber attacks -- hardware.
At its most basic level, the Internet is composed of a series of cables, computers, and routers. Innocent or malicious hardware flaws in this physical infrastructure can give rise to myriad vulnerabilities. As Richard Clarke and Robert Knake explain in Cyber War: "What can be done to millions of lines of code can also be done with millions of circuits imprinted on computer chips inside computers, routers, and servers." In other words, hackers can attack your computer system not only by sending you a virus-infected email, but also by altering a tiny circuit in a chip you will very likely never even see.
Consider the recent findings of a University of Cambridge team that a computer chip in the Boeing 787 Dreamliner is vulnerable and could allow hackers to reprogram the chip or cause permanent damage over the Internet. Boeing is not alone.
The U.S. Department of Defense's commercial-off-the-shelf (COTS) program was intended to help drive down costs for proven technologies by using state-of-the-art commercial systems in lieu of the cost-plus-award-fee method, which covered contractors' costs and paid them a profit. The advantages of COTS are self-evident, but with a COTS item -- such as Dell computer hardware, which is widely used by the Department of Defense -- the government cannot monitor the manufacturing process. Thus, the true cost of COTS lies in the vulnerabilities it introduces into critical national infrastructure. For example, DoD purchased 2,200 Sony PlayStation 3s in 2009 to provide cheap processing power for a military supercomputer. But such systems are often manufactured abroad, including in China. U.S. government reports have cited supply chain concerns for hardware, claiming that components embedded with security flaws have been found. Kill switches could be installed in Pentagon networks to power down critical systems by remote control as a prelude to an attack.
Once compromised, hardware is often in the hands of an unknowing user. Few hardware vulnerabilities are likely to be discovered and fixed -- and even fewer are likely to be attributed to a cyber attack. Circuits leave physical trapdoors, but as with code, most experts cannot easily detect flaws in a computer chip. Producing a microchip alone requires over 400 steps, opening up numerous opportunities for exploitation.
Grasping how best to manage hardware vulnerabilities is difficult since the current supply chain involves many companies operating in many countries. Yet there are not enough U.S. manufacturers to allow the Pentagon to buy domestically. Despite years of trying, still only two percent of the integrated circuits purchased by the DoD are made in the United States, with the majority coming from Asian nations with track records of "unambiguous, deliberate subversions" of computer hardware, according to a White House report.
What can be done, then, to secure U.S. critical hardware? New add-on security features are needed to safeguard systems, as are better quality control and more domestic sources of key components. The DoD, for example, should revise its COTS policy and make a long-term commitment to U.S. firms to purchase critical electronic components domestically. This would have the dual benefits of being a boon to the U.S. electronics industry, thereby creating good U.S. jobs, and of promoting cybersecurity. Though not a perfect solution, since domestically produced hardware may still be vulnerable, it would be a vast improvement on the status quo.
There is some evidence that firms are beginning to take hardware vulnerabilities seriously. NBC and Google, for example, are planning "war games" ahead of potential hardware disruptions in Olympic Games streaming. Congress should take note. Partisan gridlock should not scuttle reform -- cybersecurity is not a liberal or conservative issue, and the time for action is now. The cybersecurity legislation being debated should include provisions for securing critical U.S. hardware, such as amending COTS, as a necessary first step toward enhancing cybersecurity and fostering cyber peace.
Scott Shackelford is an assistant professor of business law and ethics at the Indiana University Kelley School of Business. He is also author of the forthcoming Cyber Peace: Managing Cyber Attacks in International Law, Business, and Relations (Cambridge University Press).