The mother of all ‘zero-days’ — immortal flaws in semiconductor chips

The CHIPS Act of 2022 was signed into law on Aug. 9. It provides tens of billions of dollars in public support for revitalization of domestic semiconductor manufacturing, workforce training, and “leap ahead” wireless technology. Because we outsource most of our device fabrication — including the chips that go into the Navy’s submarines and ships, the Army’s jeeps and tanks, military drones and satellites — our industrial base has become weak and shallow. The first order of business for the CHIPS Act is to address a serious deficit in our domestic production capacity. 

Notoriously absent from the language of the bill is any mention of chip security. Consequently, the U.S. is about to make the same mistake with microelectronics that we made with digital networks and software applications: Unless and until the government demands in-device security, our competitors will have an easy time of manipulating how chips function and behave. Nowhere is this more dangerous than in our national security infrastructure.

For the first quarter-century of ubiquitous internet access, policy makers and industry leaders did not imagine — literally could not conceive — a deliberate electronic intrusion from an ideological adversary.

Now they hit us almost at will.

Deterrence has proven to be an obviously insufficient policy alternative. Western civil societies — our power stations, waste processing facilities, and hospitals — are paying a heavy price for their porous defenses and cyber naivete.

Every chip starts life as a software program before it is fabricated into silicon, mostly in Asia and mostly in Taiwan. The process that transforms design code into “sand in the hand” silicon is just as vulnerable today as consumer applications were in the early 2010s, and for all the same reasons. The impact is deeper and more penetrating because once a chip is compromised, it is nearly impossible to patch. It might be in space or under an ocean. Our enemies know this too.

Undetected vulnerabilities, called “zero-days,” are endemic to and ubiquitous in all digital systems. They remain dormant until activated by someone who is trying to ransom data, steal data, or…