Counterfeit components: The stakes are rising
One of the greatest risks to the welfare of not only U.S. service members, but all citizens around the world, is the proliferation of counterfeit electronic components into the military and aerospace supply chain. With the growing adoption of Internet of Things (IoT) technologies within practically every conceivable market segment, this risk is growing by orders of magnitude. Every person in the component supply chain should be doing their best to put an end to the counterfeit scourge before we find ourselves face to face with a systems failure or breach, driven either by greed or maliciousness, that could cause irreparable harm. All segments in the supply chain of things must take responsibility to eliminate this challenge.
In December 2015, three Chinese nationals were arrested in the state of Connecticut and charged with theft of sophisticated military-grade semiconductors. The trio had conspired to replace 22 military-grade Xilinx semiconductors in inventory for the U.S. Navy with fake components that would “look the same” but were “not ok for function.” Fortunately, the naval official with whom they were attempting to conduct this illicit transaction was actually an undercover agent with the Department of Justice (DoJ).
The DoJ had been tracking the trio’s criminal activity since 2012, when it received a tip from an employee of a company that manufactures equipment for detecting counterfeit integrated circuits (ICs). The employee had met one of the defendants at a trade show and was troubled by the “suspicious and unusual questions” he was asking about the detection equipment. Had this individual not followed his gut and reported the peculiar activity, there is no telling how deep this counterfeit ring could have penetrated into the naval supply chain, or how many lives may have been lost as a result of the installation of those malfunctioning chips into critical defense systems.
Despite the billions of dollars in economic loss reportedly tied to the sale of counterfeit electronic components each year, the level of awareness and willingness to “get involved” demonstrated by that detection-equipment representative remains regrettably rare.
Perhaps it is because the losses are generally deemed part of the “cost of doing business,” like pilferage in a candy store. This thinking, however, is not just short-sighted, but dangerous, and getting more so every day.
According to Interpol, the world’s largest international police organization, “a clear link has been established between the trafficking of illicit goods and transnational organized crime.” These criminal enterprises use the profits they “earn” from the sale of counterfeit products to fund other nefarious activities such as drug trafficking, human smuggling, and arms dealing. These are not hapless con men selling cut-rate components out of the back of a truck. We are talking about seriously ruthless and highly organized criminals.
Of course, many say that any professional purchaser would be able to tell if a parts broker was really a front for organized crime. Well, as the saying goes, the devil wears many masks, and when it comes to disguises, counterfeiters can be masters of deceit. For example, in 2004, counterfeiters set up an entire bogus company using the NEC brand. They carried NEC business cards, signed production and supply orders, and even developed their own line of consumer electronic products marketed as NEC merchandise. Although most of the fake NEC products were finished goods, as opposed to board-level components, it is easy to see how one could be fooled into thinking they were dealing directly with legitimate NEC sales representatives.
This is why buyers must constantly be on alert, especially when sourcing from online parts brokers or from suppliers in regions that do not have the same rigid intellectual-property protections and enforcement that we take for granted in the U.S. Any organization that is honestly committed to maintaining the integrity of the electronics supply chain will take the time to scrutinize an unknown source, insist on documentation of a part’s lineage, and always test parts before installing them in a design. This is as crucial for members of the commercial supply chain as it is for those in the military/aerospace sector. The industry cannot protect the high-reliability supply chain without protecting and securing the commercial supply chain as well.
Bad to the bone
Further complicating the counterfeit dilemma is the fact that economic gain is not always the primary motive for parts tampering. We are hearing more and more about the risk of malicious counterfeits making their way into the supply chain. Unlike “traditional” counterfeit parts that are reclaimed, remarked, reengineered, or otherwise fraudulently represented, malicious counterfeits are intentionally altered during the IC design process to insert malignant functionality – hardware Trojan horses, kill switches, etc. – into the code before it is manufactured. This tainted code may be triggered to launch a cyberattack in order to intercept classified intelligence, compromise critical infrastructure capabilities, or disable weapons systems. What makes these devices so insidious and difficult to identify is that they typically function as they should and are likely to be produced and sold by the original manufacturer; hidden within, however, is malicious functionality that is unlikely to be detected via standard inspection and testing protocols.
So while in the past hackers labored to exploit security gaps that might exist in corporate IT and homeland-security networks or strategic weapons systems, today the gaps they are exploiting are instead in the integrity and security of the supply chain. Current anti-counterfeit defenses often prove inadequate against these backdoor threats, as the vast majority of the safeguards within the supply chain are predicated on the assumption that profit is the end game of these perpetrators; therefore, detection strategies focus on the identification of parts that have been reclaimed, remarked, reengineered, or otherwise fraudulently represented.
With widespread adoption of IoT-enabling technologies increasing the connectivity between the systems in which these components are deployed, the potential for extensive economic and health and safety losses due to deliberately corrupted components increases by orders of magnitude.
Efforts to better protect ICs from tampering during the design and manufacturing process, such as the Department of Defense’s Trusted Foundry initiative and the European Commission’s Project UNIQUE, have made great progress toward the development of an integrated approach to protect hardware systems against counterfeiting, cloning, reverse engineering, tampering, and insertion of malicious components. However, these are small steps in a very long and arduous journey.
One step forward, two steps back
DoD initiatives, including the Defense Federal Acquisition Regulation Supplement (DFARS) Case 2014-D005, for the detection and avoidance of counterfeit or suspect counterfeit electronic parts in the defense supply chain, have also made some inroads. As with all too many bureaucratic programs, however, execution often falls short of expectations. In fact, according to a February 2016 report from the United States Government Accountability Office (GAO), significantly fewer counterfeit-parts reports have been submitted to the Government-Industry Data Exchange Program (GIDEP) since the DoD implemented the landmark section 818 of the National Defense Authorization Act (NDAA). The report cites insufficient “department-level oversight to ensure that all defense agencies are reporting in GIDEP,” as a major flaw in the current process.
The GAO recommends that the DoD more actively “oversee its defense agencies’ reporting efforts, develop standard processes for when to report a part as suspect counterfeit, establish guidance for when to limit access to GIDEP reports, and clarify criteria to contractors for their detection systems.”
While there is no doubt that rules without enforcement are generally ineffective, the solution may not lie in the establishment of even more regulation. In fact, ill-advised government policy is at least partially responsible for the poor results from the DFARS rule to date; specifically, the practice of “goaling,” which, according to the Small Business Administration, is designed to “ensure that small businesses get their fair share of work with the federal government.” (See Table 1 for a sampling of the statutory goals established by federal executive agencies.)
Small and minority-owned businesses play an important role in the U.S. economy; this is not to suggest that these enterprises should be precluded from participating in government contracts. However, there is much pressure placed on these small businesses, which the DoD must address for these companies to be successful at supporting the government.
No more excuses
If there is one thing that will guarantee that counterfeit components continue to infiltrate the electronics supply chain, it is inertia. Whether due to a fatalistic belief that nothing can really stop these criminal networks or as a result of overwhelming scheduling and budget pressures, too many members of the supply chain continue to engage in risky sourcing behaviors without consideration for the long-term consequences. Until that changes, nothing else will.