DARPA probes tech to solve supply chain uncertainty

DARPA and private companies are looking to improve supply chain security through the use of tiny chips and diamonds that can authenticate IT parts used by the government.


The federal government is worried about possible consequences of vulnerabilities in the global electronics and IT supply chain. The Department of Homeland Security and the intelligence community are leading efforts to persuade tech companies to fundamentally alter the way they do business to better protect the integrity of their parts and products.

Parallel to those efforts, the Defense Advanced Research Projects Agency is looking to develop technological solutions to the problem of tracking and authenticating computer hardware and parts as they are manufactured, shipped and assembled around the globe.

"Right now, it is really difficult to tell the difference between recycled parts and new parts," said Serge Leef, program manager of DARPA's Supply Chain Hardware Integrity for Electronics Defense program. "They just end up back in our supply chain and get purchased without people really knowing."

SHIELD is looking to a novel hardware solution to track and authenticate the integrity of integrated circuits and microchips that are used in virtually all electronic equipment. DARPA is working on a number of prototypes of tiny chips called dielets, no larger than 100 microns a side -- approximately the diameter of a strand of human hair -- that can be placed inside electronic devices or attached to individual components.

DARPA spent three years researching and designing the underlying technologies for SHIELD, Leef said, and is now testing two prototype dielets.

DARPA designs technology with DOD in mind, but Leef said the project's fruits could easily be applied to similar problems at civilian agencies and in the private sector.

Parts and components are first "enrolled" in a database -- the earlier in the production lifecycle the better -- and given a unique ID number that can later be queried through a radio frequency wand.

The wand can also ping the dielets, which contain a number of passive sensors, for a range of information. When activated by radio frequency, dielets share data on temperature changes, light exposure and other signs that a device has been opened or had parts removed, whether through brute force or more delicate manipulation of circuit boards.

Resold and recycled components degrade the reliability and security of many defense systems used by DOD. The department has known about the problem for decades, and in 2012, then-acting Undersecretary of Defense Frank Kendall issued comprehensive guidance to DOD program and procurement managers to crack down on the problem, with a particular emphasis on electronic parts and components.

However, the increasingly complex nature of the global supply chain means that even primary government contractors have difficulty keeping track of subcontractors they rely on for many products. No one knows just how many recycled or counterfeit parts the government uses.

Rethinking policy

The new Supply Chain Task Force created by DHS is looking at whether tweaks need to be made to Federal Acquisition Regulation rules that require the government to purchase certain IT and communications products from the original manufacturer or authorized resellers. However, Bob Kolasky, the co-chair of the task force, told FCW in December that the group's focus will be on building better risk management decision-making protocols in the private sector and less on technological solutions like identity and authentication.

Late last year, Bill Evanina, director of the National Counterintelligence and Security Center, told FCW that rather than attempt to unwind the supply chain at a macro level, national security officials are instead telling manufacturers and contractors that they will be held responsible for any defects or vulnerabilities in their products, no matter how far down the chain they go.

Leef said DARPA designed its dielets to address supply chain hardware compromises that stem from economic motivations as well as counterfeiting for intelligence gathering purposes.

To effectively serve as a practical solution for manufacturers, SHIELD must overcome a number of hurdles. Current technologies, like barcodes and RFID tags, are either ineffective or expensive to use at scale, meaning production costs for the dielets must be extremely low.

Leef said the project is targeting a price point of one cent per dielet.

"If you think about it, attaching this thing that costs one penny to an object whose provenance you want to track seems like an attractive value proposition," he said.

A private-sector company is also working on similar technology, but with a twist. While SHIELD's dielets are silicon-based, DUST Identity, a startup founded in 2018 by former MIT Media Lab researcher Ophir Gaathon, aims to accomplish the same kind of authentication for IT hardware using a different material: diamonds.

More specifically, the company is working on developing unclonable security tags composed of microscopic diamond dust that can be applied in a variety of ways (spray coating, dipping or even stickers) onto devices, parts and components, creating "a very complex fingerprint" that can be used to catalogue and scan items for identity and provenance.

Why diamonds?

"You really want a material that lasts forever … where there's no concern about degradation of the technology over time," Gaathon said.

To be clear, Gaathon told FCW the company purchases bulk "waste" diamond dust from the abrasive industry -- particles too small to be of value -- that is later purified and nanoengineered to contain defects that can store unique identifying information. It's the same principle underlying a 2017 study by MIT researchers that found diamond-defect optical circuits could store information to advance the development of quantum computing.

Gaathon said projects like SHIELD and solutions like his are coming to the forefront now for two interconnected reasons. First, policymakers have only recently begun to give supply chain security the level of attention it deserves. Second, the incorporation of electronic components into everything from industrial control systems to election equipment and other forms of critical infrastructure over the years has created an ever-increasing attack surface for hackers and nation-states to probe.

"People just realized that we don't really know where things are coming from, and we don't have good measures and good processes to secure the supply chain," Gaathon said.