RUTHFULLY YOURS

There are three primary causes of America’s pernicious cyber vulnerability: manufacturing economics, advances in microfabrication, and new design paradigms. For the past 25 years, industry’s focus has been on compliance to behavioral specifications—on doing things right. Now it has to consider whether the chips designed at home but built overseas are doing the right things. A deliberate manipulation by a foreign enemy could be worse than a viral infection, and would dramatically reshape great-power competition.

U.S. supply chains are fragile and not secure. And no one seriously considered the possibility that factories themselves could, or would, manipulate the product to a foreign power’s advantage. But for modern devices composed of 40 billion transistors, the opportunity for mischief is tremendous. Each transistor can be in one of two states: on or off. That means the number of possible states for the most complicated processors is the inconceivably large number of 2 raised to the 40 billionth power. Checking every transistor, every possibility, for malfeasance is a hopeless task.

The challenge with embedded “Trojan horse” viruses is that they exist outside of the host’s design specification. The technical problem isn’t to reduce the number of examined states that indicate compliance with device instructions, but to detect additional states that you may not even know to look for. If a chip has been modified, it can leak information (like targeting coordinates), behave improperly (by turning itself off, ignoring instructions or following someone else’s instructions), or become unreliable (such as erroneously computing its GPS-based position). There is no vaccine for these kinds of viruses.

On the front lines, inside the device, there are two approaches to these kinds of threats: First, engineers can harden designs so that if a Trojan attacks, it can be detected and the chip can be defended. Second, engineers can assume, paradigmatically, that devices have already been infected, and focus on post-attack integrity and countermeasures. Both strategies depend on the ability to identify vulnerable points in the design, insert test Trojans, and observe how the chip responds.

As pilots train on stationary equipment before they are licensed to fly, engineers can perform what-if experiments on chips before their designs are sent across the Pacific for manufacture. Scenarios of deliberately compromised designs can be explored quickly, comprehensively and affordably.

End users usually can’t see into the manufacturing process. They assume either that their hardware isn’t compromised or that they can live with the risk if it is. Neither assumption is sustainable, and both engender serious hazards, particularly with regard to weapons systems.

The U.S. needs its own foundry at the most advanced nodes of production. Concerns about market interference are far outweighed in this case by the national-security threat. Depleting domestic manufacturing capability further will increase America’s vulnerability to manipulation in overseas factories, where we have little ability to screen employees or closely observe what they do. A new semiconductor facility would cost billions of dollars.

The National Defense Industrial Association reported that the Pentagon expects to spend about $2 billion between 2019 and 2023 on “a new program called microelectronics innovation for national security and economic competitiveness,” or Minsec. A Defense Science Board review recently recommended $5.9 billion in federal investments over the next decade. The Pentagon’s 2019 microelectronics technology report anticipates that China will spend four to five times that on computer memory alone over the same period.

The U.S. leads the world in emulation platforms, the training systems that semiconductor engineers use to test devices. It is time to align the country’s academic research agenda and commercial product innovation to secure the supply chain and prepare it for the next generation of naturally mutating viruses.

Mr. Scher is a U.S. Army officer. Mr. Levin, a co-founder and CEO of Amida Technology Solutions, is a senior adjunct fellow at the Center for a New American Security.