The security of third-party intellectual property in semiconductor chips has become a major concern for the U.S. government, particularly within the Department of Defense and other agencies that rely on them for critical microelectronics applications.
Semiconductors are the backbone of nearly all electronics and their complexity requires the use of third-party IP, a pre-designed component that has been licensed from an external vendor and integrated into a chip’s design. Third-party IP is increasingly common as it allows for faster time to market and reduced costs.
RELATED
However, the reliance on external IP also introduces potential security risks, as the integrity and trustworthiness of the IP provider cannot always be guaranteed. And those risks are not limited to a single sector. They have far-reaching implications across the government, as compromised semiconductor chips could lead to vulnerabilities in weapons systems, communications networks, and other vital infrastructures, hindering essential functions that could undermine national security.
Congress has taken steps toward addressing the challenges posed by third-party IP. The National Defense Authorization Act for Fiscal Year 2024, signed into law in December, includes language that recognizes the need for increased transparency and collaboration between IP vendors and the government. This legislation comes after the ratification of the CHIPS and Science Act of 2022, which aims to onshore semiconductor chip production and secure the supply chain while marking an important milestone in the effort to tackle this long-standing problem.
There are still many gaps that must be addressed to provide the government the highest levels of assurance regarding third-party IP. To further mitigate delays, cost overruns, and potential security risks associated with using third-party IP in semiconductor chips for critical applications, IP vendors could document and provide their security requirements and safeguards at the onset.
This would provide transparency for the user of the IP — the system-on-a-chip, or SoC, developer, or in this case, the U.S. government — and allow it to better vet the IP, regardless of how many months or years down the line a review is needed. This evidence should be measurable to provide quantifiable security assurance. By providing that higher level of visibility, the government, or any other user, can more easily assess whether the IP meets necessary program security requirements.
Unfortunately, vendors often provide their IP without any accompanying security evidence as part of their documentation, leaving users in the dark about potential risks and the level of assurance to assign to the IP. Vulnerabilities can be assessed and mitigated through a security “sign off” process that relies on meeting security requirements established early on in the development process.
The vendor rarely knows what the end application is, so SoC developers must be able to evaluate the IP in the context of their specific requirements. Having the necessary security evidence to review as part of the IP documentation package provides the microelectronics design community with IP that has been “signed off” for meeting security assurance requirements. It demonstrates that specific security weaknesses and vulnerabilities have been mitigated, security features implemented, and potential risks averted. Programs exploring the viability of third party IP could then determine whether said IP suits their needs — or if additional information or modifications are necessary to further ensure the security of the final product.
IP vendors want to offer their customers all of the necessary assurances they require, just as long as it doesn’t involve giving access to the inner workings of their IP. They have a legitimate desire to safeguard their IP to maintain a competitive advantage and a predictable revenue stream. For the sake of providing a higher level of assurance and transparency, the IP provider can’t be required to give up their most sensitive information.
So, to address those concerns, vendors and developers — the U.S. government — should adopt a proactive, cooperative approach that prioritizes solutions that maintain the confidentiality and integrity of the IP. It needs to be grounded in a shared commitment to national security and the integrity of critical systems.
Likewise, a further step toward enhancing trust and mitigating risks would be to have independent security verification of the third-party IP. This objective evaluation would generate verifiable security evidence from the IP provider that could be used by the SoC developer to ensure secure integration, configuration, and use.
This independent verification would also help meet various compliance requirements, which often mandate a security assessment. By having an impartial entity validate the security claims and documentation provided by the vendor, the government could gain greater confidence in the trustworthiness of the IP.
Ultimately, the only way to truly address the mounting concerns — today, chiefly those from the U.S. government — that critical systems may be susceptible to failure due to compromised third-party IP components is for the vendors and developers to work together to comprehensively validate their security proactively. This will ensure these chips and the devices, products, and programs that rely upon them will operate as intended without the risk of being hacked by an unknown entity.
Jason Oberg is CTO and co-founder of Cycuity, a cybersecurity company that offers security assurance for semiconductor chip development.