Hardware Security in the U.S.-Indian Cyber Dialogue

Now is the time for India and the United States to expand the Indo-U.S. cyberdialogue to include hardware security.

Much like the Indo-U.S. strategic partnership, Indo-U.S. cyberengagement appears to have plateaued and could benefit from a tailored reset. Since the 2001 establishment of the Indo-U.S. Cyber Security Forum, India and the United States have sought to partner on various cyberissues of collective importance: cybersecurity, cybercrime, cyberforensics and cybersecurity norms, among others. Apart from a 2013 goal of supply-chain security, Indo-U.S. cybercooperation is largely software-based. This ignores a mutual, more incipient cyberhardware threat, which permeates broader defense issues. A failure to address the issue of hardware security could have a highly deleterious impact on India’s defense apparatus. The time is ripe for India and the United States to expand the Indo-U.S. cyberdialogue to include hardware security.

The weapon platforms that are critical to state security and deterrence—nuclear weapons, cruise and ballistic missiles, fighter jets and any number of other systems—are dependent on semiconductor integrated circuits, or chips, which make up the hardware of the system. The semiconductor supply chain has become increasingly globalized, and as John Villasenor at the Brookings Institution has noted, tampered or malicious chips, which operate as hidden ‘back doors’ for espionage or sabotage, have likely heavily contaminated the global supply chain. Malicious hardware can be inserted into a chip after the design phase but before it is manufactured and placed in a product, thus making it challenging to detect. Should a malicious chip be placed in a critical weapon system, that platform could cease to operate.

At present, while India does design its own semiconductor chips, it lacks the capacity to manufacture its semiconductors domestically. As the East West Center notes, most of India’s integrated circuit design work is done for various multinational corporations, which transfer the design for manufacturing elsewhere, often to locations such as Shenzhen, China. So long as India’s chips are manufactured externally, India risks placing compromised circuits in its indigenous weapons systems, thus exposing them to potential sabotage or espionage. India needs a secure supply of ‘trusted’ semiconductors for its domestically produced systems.

Last October, the former Union Minister for Communications and Information Technology, Kapil Sibal, announced at the Observer Research Foundation (ORF) and Federation of Indian Chambers of Commerce and Industry (FICCI) India Conference on Cyber Security and Cyber Governance that imported computer hardware posed a serious security threat to India. The Indian government had decided to invest in manufacturing semiconductor chips. Four months later, on February 14, former Prime Minister Manmohan Singh sanctioned the construction of two semiconductor wafer plants, or ‘fabs’, in cooperation with two different business consortiums. Construction is expected to begin in September.

While India has announced the creation of two ‘fabs’, it is unclear what leverage the Indian Ministry of Defense (MoD) will have in manufacturing ‘trusted’ chips for its critical defense systems. If the U.S. model sheds any light on potential defense microelectronic trajectories in these two semiconductor plants, it might prove to be very little.

Like U.S. semiconductor plants, India’s proposed semiconductor plants will be run by private enterprises, and the requirements of commercial semiconductor development do not necessarily overlap with those for defense.

In the U.S., total government consumption of domestic semiconductors was below 0.5 percent in 2000 (one can expect it to be lower today), providing the government, and more notably the U.S. Department of Defense (DoD), with little leverage to directly influence the commercial semiconductor marketplace. Furthermore, given the extensive time it takes to field new weapons platforms, from research and development (R&D), to production, testing, and finally fielding, the semiconductors underlying those weapons systems tend to lag at least two generations behind commercial state-of-the-art integrated circuits. Finally, the semiconductors that meet DoD requirements are often distinct from commercial products, requiring reliability, robustness, and at times radiation hardening to perform in highly contested or extra-atmospheric environments. Despite these constraints, the U.S. has developed a program to help ensure that ‘trusted’ chips underlie its critical weapon systems.

India’s MoD will likely encounter the same clash of interests between its microelectronic needs and commercial semiconductor production. The U.S. ‘trusted’ semiconductor program could be used as a potential model for future indigenous MoD weapons production.

While there are multiple components to the U.S. DoD Trust Program, the two main programs of potential interest to India should be the Trusted Foundry Program at IBM and the Trusted Supplier Accreditation Program performed by the DoD Defense Microelectronics Agency. In essence, the trusted foundry and trusted supplier programs ensure that the DoD has access to cost-effective, cutting-edge, low-volume semiconductors, which have been vetted for integrity during the design and manufacturing phase. Through a contractual agreement with IBM in Vermont, the U.S. government can ensure that part of the IBM foundry can be used to produce trusted chips for critical systems. Furthermore, the government purchases the equipment and intellectual property (IP) of the chip design after IBM ceases to make those chips, protecting the chips underlying critical weapons systems against future obsolescence. At present, IBM is in talks about potentially selling off its foundry, which presents potential complications for the U.S. ability to ensure ‘trust’.

The Trusted Supplier Accreditation program certifies companies according to rigorous, pre-established criteria. These companies self-fund the security infrastructure needed for accreditation, including security clearances involving security personnel, data collection, and staffing to maintain their accreditation.

India will need to develop its own mechanism to ensure trust in the semiconductors underlying its indigenous systems, but the parallels between current U.S. challenges and potential future Indian challenges are instructive. Adopting various measures to ensure trust in defense hardware is essential to both India and the United States, and should therefore be explored as a mechanism for deeper cooperation.

 

Jennifer McArdle is a Fellow in the Center for Revolutionary Scientific Thought in the Potomac Institute for Policy Studies and a former Visiting Fellow at the Observer Research Foundation, New Delhi.