Semiconductors had their moment in the spotlight during the worst of the pandemic-induced supply chain disruptions. The shortage of semiconductors wreaked havoc on the industries that rely on them, opening up devices to potential threats.
“The semiconductor supply chain remains one of the most complicated and most critical supply chains that underpin the entire global economy,” said Ted Miracco, CEO at Approov. “As we witnessed last year, interruptions in the semiconductor market can have long term consequences that impact everything from automobiles to the price of food.”
This shortage has been compounded by the ongoing “chip war” between the United States and China, and this could have a devastating impact on overall cybersecurity.
Currently, most hardware is manufactured in China and Taiwan. Political tensions between China and the U.S., as well as threats of a Chinese invasion of Taiwan, have escalated the need to move semiconductor manufacturing, which was a driving factor behind the Biden Administration’s CHIPS Act. However, thanks to bureaucratic red tape and other obstacles, U.S.-based semiconductor manufacturing will happen later rather than sooner, and this will further escalate the chip war.
The Role of Chips in Cybersecurity
“The U.S. semiconductor industry plays a critical role in modern cybersecurity as it provides most of the hardware components for devices and systems that are essential to the functioning of our digital infrastructure, as well as that of other nations,” explained Miracco.
Semiconductor security is multi-tiered, explained Joseph Gow in a Semiconductor Engineering article. “Securing the supply chain starts early in the system-on-a-chip (SoC) design process to provide the security assets, which are the foundation of chips, as well as supply chain security,” Gow wrote. The integrity of the chips is at risk as they go through testing, packaging and distribution.
Securing chips and the supply chain is an ongoing project; security issues didn’t arise just because of the pandemic. But add in the chip war between the U.S. and China, and the impact on cybersecurity is significant.
“China is attempting to develop their own domestic semiconductor industry, which is leading to increased competition and greater vulnerabilities in the software supply chain,” Miracco said in an email interview. This could result in increased attacks on the U.S. supply chain and attempts to gain access to U.S. suppliers’ networks and facilities to both exfiltrate intellectual property (IP) and introduce malicious code or components into the supply chain.
“Another potential risk is that this increased competition could lead to the fragmentation (or Balkanization) of the global cybersecurity ecosystem, with different regions using different standards and technologies,” said Miracco.
The Role of Users in Securing the Semiconductor Supply Chain
Every war has its innocent victims, and in the chip war, it is the user: the organizations and consumers who rely on semiconductor chips for day-to-day business and lifestyle operations. The security of the chips and their supply chain is something the user depends on being in place, something they don’t have to think about, but it is the user who is at the most risk when security fails.
While companies and developers may not have control over the semiconductor industry, there are still several steps they can take to address potential vulnerabilities and flaws that put the supply chain at risk.
“Companies and developers should conduct a comprehensive risk assessment of their software supply chain to identify potential vulnerabilities and risks,” said Miracco.
This should include an evaluation of third-party components, dependencies and supplier security practices. Ongoing monitoring of the software supply chain should be implemented to detect potential vulnerabilities and risks as early as possible, using tools such as vulnerability scanning and threat intelligence monitoring.
“While none of these actions will directly address vulnerabilities and flaws in the semiconductor industry,” said Miracco, “they can help to mitigate the risks posed by these vulnerabilities and provide a means for recovering more rapidly from the existential threat at hand.”