One of the major cyber threats to organizations that require high levels of security is the chance that commodity microprocessors, currently manufactured in places without adequate security oversight and inspection, may be installed into its servers. Such microprocessors would come with “back-door” openings already installed.
A longstanding fear has been that cyber attacks against the U.S. might result in disruptions to power, banking, and communications systems at a critical moment. Efforts by the Defense Advanced Research Projects Agency (DARPA) to improve verification capabilities highlight the limitations of current computer engineering skills in, for example, diagnosing cyber intrusions. Initial studies on the Trusted Integrated Circuit program, seeking to create a secure supply chain, were requested in 2007. As of late 2010, DARPA was still seeking new research proposals for determining whether a given chip was reliable, and whether it had been maliciously modified, as part of the Integrity and Reliability of Integrated Circuits (IRIS) program. *
A more recent worry is vulnerabilities “hardwired” into the physical infrastructure of the Internet. In the last several years, the FBI has warned that counterfeit computer parts and systems may be widespread. A growing concern is that a few countries that now manufacture most of the commodity microcircuits, can exploit their position to affect American and allied infrastructures.
The 2005 Defense Science Board Task Force on High Performance Microchip Supply identified the growing security problem of microchips being manufactured (and more and more often designed) outside the United States. The 2008 National Defense Industrial Association’s handbook “Engineering for System Assurance” provides a comprehensive overview of system assurance, which in turn highlights how difficult it can be to achieve that.
The vulnerability to corruption of system by means of disguised microprocessors can be overcome by means of Software-as-a-Service (SaaS) cloud operations. SaaS makes it possible to concentrate all transaction processing into a limited number of data centers operating only with circuit boards that were manufactured under close surveillance.
The world’s largest SaaS firm, Google, has its circuit-boards custom built. ** There are also firms that specialize in the manufacture of circuit boards subject to government inspection. *** NSA has the experience with manufacturing of high-security microprocessors.
There is no reason why the processing of critical transactions could not be done for defense operations. In fact, such increased security may become the primary driver to proceed with SaaS at an accelerate rate. Such as SaaS would be only a fraction of the size of the Google million plus server enterprise.