1

Workshop Context and Issues

To help provide both context and focus for the workshop, several members of the workshop organizing committee (i.e., Craig Keast, Michael Ettenberg, Robert Latiff, Bernard Meyerson, and Paul Nielsen) framed the workshop discussions by highlighting that advanced electronic devices are critical for all U.S. national security systems, military or intelligence related. The increasing demands for performance of these systems have led to the adoption of ever more sophisticated devices for sensing, computing, control, and other critical functions. For several decades, the technologies for making integrated circuits and microprocessors followed Moore’s Law. This “scaling” had the virtuous benefit of making products that were faster, better (i.e., more functional and power efficient), and cheaper, stimulating an enormous information technology industry. Although the cost per transistor steadily decreased, the cost to build foundries for such devices grew in a commensurate fashion; a state-of-the-art foundry costs on the order of $5 billion to build.¹ Much of the manufacturing of this nature is in Asia. U.S. aircraft, missiles, ships, and ground vehicles, as well as radars and other sensors, depend on access to electronics components that are known to be reliable and to perform as designed. The primary goal of program managers and engineers in national security programs is to assure mission success of weapon systems, and access to reliable and trusted microelectronics are essential to assuring that success.

Many of the technologies critical to national security are dependent on leading-edge semiconductors and microelectronic devices that, in many cases, do not have a commercial market (see Figure 1-1). Another school of thought, expressed by one workshop participant, is that leading-edge semiconductors can only be made in high-volume commercial fabrication facilities.

As described by several of the workshop participants (e.g., Kristen Baldwin, Jimmy Goodrich, Terry Lewis, Bernard Meyerson, Celia Paulson, and Dustin Todd) over the 3-day workshop, the acquisition of electronic devices is a complex process that often defies simplification. It includes everything from the sourcing of raw materials, to wafer manufacture, to component design, to software development, to assembly, to testing and certification. The continued and accelerating globalization of the microelectronics industry presents national security program designers with a challenge of how to ensure that electronic components operate as designed. Off-shoring of parts manufacture, decreased Department of Defense (DoD) influence on the industry due to a small comparative demand, and diminished U.S. expertise are all contributing to a growing inability to either understand or assure system security and reliability. The electronics supply chain is complex and has many points within it that can present problems for the ultimate security and reliability of its products. Increasingly, end users demand to know the “pedigree” of the parts they are acquiring for high-priority national security systems. In general, it may be possible to insure greater supply chain trust and reliability of parts by implementing stronger community policies, information sharing on issues and solutions, and coordinated investments in research and development (R&D).

As shown in Figure 1-2, DoD identifies a spectrum of risks to the electronics supply chain. They include (1) quality escapes due to inadequate design or manufacturing quality control; (2) reliability failures; (3) insertion of fraudulent or counterfeit products; (4) insertion of malicious hardware, software, or computer

______________________

¹ Christopher Mims, “The High Cost of Upholding Moore’s Law,” MIT Technology Review, April 20, 2010.

code intended to cause mission failure; (5) reverse engineering of sensitive intellectual property or government information; and (6) outright theft of information that allows adversaries to achieve capabilities they would not otherwise obtain.

DoD’s strategy to ensure that critical and sensitive electronics remain viable includes (1) protection of microelectronics designs and intellectual property; (2) advanced hardware analysis capabilities; (3) physical, functional, and design verification and validation; and (4) a new trust model that leverages commercial state-of-the-art capabilities. As an example of this layered approach, the federal government has initiated investments in the development of new, trusted photomask capabilities, tools to enhance the ability to detect flaws, and increased academic and industry research in this area.^2,3 One workshop participant noted that the Trusted Access Program Office (TAPO) also plays a very important function in DoD strategy. TAPO currently manages the trusted part contract with Global Foundries U.S. and is speaking with other fabrication facilities and companies that are manufacturing field-programmable gate arrays (FPGAs) to develop trusted access solutions.

As described by at least one participant during the workshop, prior to the past two decades, the U.S. government had generally enjoyed a mutually beneficial relationship with its supply chain where the government could be assured of acquiring high reliability and state-of-the-art technologies, and suppliers could be assured of benefitting from the results of their R&D investments within a future commercial market. Today, trusted domestic suppliers increasingly find it necessary to forge and accept commitments with what the government may consider non-trusted sources to ensure their own corporate survival within a highly competitive global marketplace. A few participants commented that there are many reasons for this U.S.­supplier marketplace transition. Among them, and perhaps most relevant to the part of the “trusted” microelectronics industry dedicated to the government user, is the near-total loss of on-shore domestic capabilities to fabricate complex, state-of-the-art, highly reliable electronic parts.⁴ Another participant commented on the equally important concern stemming from an increasing dependency by the government on the obsolete electronic parts “grey market” where a counterfeit sub-industry has firmly established itself.

Throughout the workshop, several speakers and attendees reinforced the belief within the defense community that the trusted supplier or supply chain is the foundation of assurance for microelectronic parts. Without it, alternative methods to understand the integrity of the product need to be applied and may not achieve the same level of confidence as that won with the trusted supplier/supply chain. However, several participants noted that in lieu of having a trusted supplier or an end-to-end trusted production flow for certain microelectronics, there are efforts underway today to create what are thought to be acceptable alternatives, including broadening the acceptable use of otherwise untrusted sources. Some refer to this concept as establishing “tiers” of trust.⁵ Another method to reduce costs for obtaining assurance in lieu of a trusted supply chain that encompasses all electronic components is one that instead focuses the trust requirements only on mission critical parts. Unfortunately, as noted by several participants, more traditional approaches to assuring trust may prevail during more robust financial environments; however, today’s budget realities and

______________________

² “A photomask is a tool used for production of components including electronic devices (semiconductors), displays, PCB, and MEMS. It is a master copy for the patterning. Photolithography is used to form PCB circuits and display patterns. Photomasks are used to transfer the patterns on the baseplates. A photomask acts just like “negative film” in photography, and that makes the baseplates “printing paper” (See Filcon Photomask, “What is a Photomask?” http://filcon-photomask.com/en/product/photomask.php, accessed July 7, 2016).

³ “In the event that the GF Trusted Foundry closes, DoD would lose access to trusted photomasks for leading-edge designs” (Kristen Baldwin, Acting Deputy Assistant Secretary of Defense for Systems Engineering and Principal Deputy Assistant Secretary of Defense for Systems Engineering, presentation to the workshop on March 16, 2016).

⁴ There is U.S.-based, leading-edge manufacturing capability (e.g., Intel). The lack of a leading-edge technology supplier in the United States is more complicated than “they are all off-shore.” The current business model requires extremely large volumes, and this does not align with current government procurement practices and programs.

⁵ The Potomac Institute for Policy Studies is currently undertaking a major 1-year study for DoD to develop such a “tiered” system of trust.

limited trusted supplier base for certain devices are forcing managers to take greater programmatic risks.⁶ The risks incurred from the acquisition of bad electronic parts from a non-trusted source vary across the spectrum of technical failure modes. Risk impacts that may be realized can be mission-ending, disrupting failures, or life-compromising reliability issues. A poorly managed supply chain offers several points of intrusion or entry for bad actors to insert malicious or counterfeit hardware, software, or firmware.⁷ As government systems age, their growing dependency on obsolete parts subjects the buyer to a large, global vendor market of non-OEMs (original equipment manufacturers). An example may be that a vendor is based in the United States with claims of having a desired part, yet may, in fact, reach-back for the parts to unknown sources. Other bad actors may have interests in disrupting a system or compromising its mission life and may have very sophisticated techniques to fool the unsuspecting intake engineer into accepting the product.

An example of an organization that pays attention to electronics obsolescence and to supplier trust accreditation is the Defense MicroElectronics Activity (DMEA). In his presentation and the ensuing discussion, Dan Marrujo from the DMEA described the role of his organization in addressing many of the challenges that were highlighted during the discussions with Kristen Baldwin. DMEA is a key element in the assurance of continued access to obsolete parts and in certifying suppliers for trusted status. One element of the DMEA mission is to re-engineer and manufacture advanced microelectronics parts no longer available to program managers through their industry partners or through other standard commercial sources. Also, DMEA is currently the program manager for the DoD Trusted Foundry Program. Among other tasks, the program negotiates and manages trusted access contracts with state-of-the-art fabrication facilities (e.g., GlobalFoundries U.S.) and accredits sum-of-the-parts microelectronics companies for trust. DMEA accredits suppliers’ processes in the areas of integrated circuit design, aggregation, broker, mask manufacturing, foundry, post processing, and packaging/assembly and test services. DMEA is a member of the Joint Federated Assurance Center (JFAC) Working Group. Other members include the Office of the Under Secretary of Defense (Acquisition, Technology, and Logistics), the DoD Chief Information Officer, Military Departments, the Missile Defense Agency, the National Security Agency, the National Reconnaissance Office, and the Defense Information Systems Agency. The JFAC, created by the Deputy Secretary of Defense, identifies, promotes, and facilitates access to hardware and software assurance (i.e., verification and validation) capabilities across the DoD and other federal agencies throughout the system life cycle.)

Several of the workshop participants commented that the ongoing challenge in microelectronics evolution is sheer complexity: logic devices such as application-specific integrated circuits (ASICs) or FPGAs are so complex that determining how to best verify the integrity of the product when the parts may be fabricated in an untrusted foundry has been a more recent, and increasing, concern for programs. ASICs and FPGAs often provide the logic required to drive a critical function. They need to be reliable and tamper-free. Having a trusted supplier and ensuring end-to-end trusted production flow are not achievable goals for some programs. While many studies and innovative technical approaches are under way today to determine methods for achieving some level of confidence that parts will be reliable and can be trusted, no definitive comprehensive approach has been identified to date.

While understanding and attempting to assure the integrity of the supply chain is critical, at the end of the day, designers and system developers need to convince themselves that the delivered electronic products will actually function as advertised, for the length of time needed by the mission, under the conditions expected, and be free from tampering or malicious content. To do so requires rigorous testing and a well-designed certification scheme. Maintaining and assuring the complete integrity of the supply chain is difficult because of the complexity and interconnectedness of the supply chain elements. Items include the raw materials, development tools, facilities and their integrity (production and storage), and the complex machines used to produce parts and their associated programming.

______________________

⁶ One workshop participant noted that there are 72 suppliers on the DMEA accreditation list. This is not a small number, but only a limited number are, in fact, being used for U.S. government needs.

⁷ See U. Guin, D. DiMase, and M. Tehranipoor, A comprehensive framework for counterfeit defect coverage analysis and detection assessment, Journal of Electronic Testing 30(1):25-40.

The contractor community drives, and is driven by, system performance requirements. They need to balance demands for increased performance (e.g., decreased feature size, increased density) with strict security and reliability guidelines. Prime defense contractors have serious concerns about the health of the available industrial base, as well as the ability to obtain quality parts. Significant resources are expended by the industry in quality assurance, as most electronic component suppliers are now off-shore. The supply chain, and the ability to assure its integrity, becomes a very important issue for weapon system developers and electronic component manufacturers. Industry watchers are concerned with an accelerating rate of consolidation and closures that are taking place within the manufacturing sector.

In summary, the workshop presentations and discussions highlighted the observation that the national security electronics industrial base is being pulled in different directions. On the one hand, they are at the mercy of the electronics manufacturers and suppliers. On the other hand, the government program offices are making performance demands, security demands, and reliability demands that the industrial base is increasingly unable to guarantee. The problem is exacerbated by diminishing support by the government for expensive and unique test facilities and inconsistent requirements from the system designers. The industry is looking to the government for leadership and guidance and, in its absence, is having to make tough, sometimes non-optimum, choices. The industrial base for national security systems has significant concerns with the state of the microelectronics industry and its ability to supply the kind of high-quality, high-reliability systems needed for their products.