Can DARPA secure the electronics supply chain?
- By Derek B. Johnson
- Jan 14, 2019
To better protect the global electronics and IT supply chain, the Defense Advanced Research Projects Agency is looking at solutions that can track and authenticate computer hardware components as they are manufactured, shipped and assembled around the globe.
Resold and recycled components degrade the reliability and security of many systems used by the Defense Department. The Pentagon has known about the problem for decades and in 2012 issued comprehensive guidance to DOD program and procurement managers to crack down on the problem, with a particular emphasis on electronic parts and components.
However, the increasingly complex nature of the global supply chain means that even primary government contractors have difficulty keeping track of subcontractors they rely on for many products. No one knows just how many recycled or counterfeit parts the government uses.
Additionally, "it is really difficult to tell the difference between recycled parts and new parts," said Serge Leef, program manager of DARPA's Supply Chain Hardware Integrity for Electronics Defense program. "They just end up back in our supply chain and get purchased without people really knowing."
SHIELD is looking to a novel hardware solution to verify the integrity of integrated circuits and microchips that are used in virtually all electronic equipment. Prototypes of "dielets," tiny chips no larger than 100 microns a side -- approximately the diameter of a strand of human hair -- can be placed inside electronic devices or attached to individual components.
DARPA spent three years researching and designing the underlying technologies for SHIELD, Leef said, and is now testing two prototype dielets.Parts and components are first "enrolled" in a database -- the earlier in the production lifecycle the better -- and given a unique ID number that can later be queried via a radio frequency wand.
The wand can also ping the dielets, which contain a number of passive sensors, for a range of information. When activated by radio frequency, dielets share data on temperature changes, light exposure and other signs that a device has been opened or had parts removed, whether through brute force or more delicate manipulation of circuit boards.
Leef said DARPA designed its dielets to address supply chain hardware compromises that stem from economic motivations as well as counterfeiting for intelligence gathering purposes. DARPA designs technology with DOD in mind, he said, but the project's fruits could easily be applied to similar problems at civilian agencies and in the private sector.
To effectively serve as a practical solution for manufacturers, SHIELD must overcome a number of hurdles. Current technologies, like barcodes and RFID tags, are either ineffective or expensive to use at scale, meaning production costs for the dielets must be extremely low.
Leef said the project is targeting a price point of one cent per dielet.
"If you think about it, attaching this thing that costs one penny to an object whose provenance you want to track seems like an attractive value proposition," he said.
A private-sector company is also working on similar technology, but with a twist. While SHIELD's dielets are silicon-based, DUST Identity, a startup founded in 2018 by former MIT Media Lab researcher Ophir Gaathon, aims to accomplish the same kind of authentication for IT hardware using a different material: diamonds.
More specifically, the company is working on developing unclonable security tags composed of microscopic diamond dust that can be applied in a variety of ways (spray coating, dipping or even stickers) onto devices, parts and components that creates a "a very complex fingerprint" that can be used to catalogue and scan items for identity and provenance.
"You really want a material that lasts forever … where there's no concern about degradation of the technology over time," Gaathon said.
To be clear, Gaathon told FCW the company purchases bulk "waste" diamond dust from the abrasive industry -- ones too small to be of value -- that are later purified and nano-engineered to contain defects that can store unique identifying information. It's the same principle underlying a 2017 study by MIT researchers that found diamond-defect optical circuits could store information to advance the development of quantum computing.
Gaathon said projects like SHIELD and solutions like his are coming to the forefront now for two interconnected reasons. First, policymakers have only recently begun to give supply chain security the level of attention it deserves. Second, the incorporation of electronic components into everything from industrial control systems to election equipment and other forms of critical infrastructure over the years has created an ever-increasing attack surface for hackers and nation-states to probe.
"People just realized that we don't really know where things are coming from, and we don't have good measures and good processes to secure the supply chain," Gaathon said.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.