Three years ago, the prestigious Defense Science
Board, which advises the DOD on science and technology
developments, warned in a report that the continuing
shift to overseas chip fabrication would expose the
Pentagon's most mission-critical integrated circuits to
sabotage. The board was especially alarmed that no
existing tests could detect such compromised chips,
which led to the formation of the DARPA Trust in IC
program.
Where might such an attack originate? U.S. officials
invariably mention China and Russia. Kenneth Flamm, a
technology expert at the Pentagon during the Clinton
administration who is now a professor at the University
of Texas at Austin, wouldn't get that specific but did
offer some clues. Each year, secure government computer
networks weather thousands of attacks over the Internet.
“Some of that probing has come from places where a lot
of our electronics are being manufactured,” Flamm says.
“And if you're a responsible defense person, you would
be stupid not to look at some of the stuff they're
assembling, to see how else they might try to enter the
network.”
John Randall, a semiconductor expert at Zyvex Corp.,
in Richardson, Texas, elaborates that any malefactor who
can penetrate government security can find out what
chips are being ordered by the Defense Department and
then target them for sabotage. “If they can access the
chip designs and add the modifications,” Randall says,
“then the chips could be manufactured correctly anywhere
and still contain the unwanted circuitry.”
No one agrees on the most
likely scenario, and in fact, there seem to be as many
potential avenues of attack as there are people working
on the problem. But the threats most often mentioned
fall into two categories: a kill switch or a
backdoor.
A kill switch is any manipulation of the chip's
software or hardware that would cause the chip to die
outright—to shut off an F-35's missile-launching
electronics, for example. A backdoor, by contrast, lets
outsiders gain access to the system through code or
hardware to disable or enable a specific function.
Because this method works without shutting down the
whole chip, users remain unaware of the intrusion. An
enemy could use it to bypass battlefield radio
encryption, for instance.
Depending on the adversary's degree of sophistication,
a kill switch might be controlled to go off at a set
time, under certain circumstances, or at random. As an
example of the latter, Stanford electrical engineering
professor Fabian Pease muses, “I'd nick the [chip's]
copper wiring.” The fault, almost impossible to detect,
would make the chip fail early, due to electromigration:
as current flowed through the wire, eventually the metal
atoms would migrate and form voids, and the wire would
break. “If the chip goes into a defense satellite, where
it's supposed to work for 15 years but fails after six
months, you have a very expensive, inoperative
satellite,” Pease says.
But other experts counter that such ideas ignore
economic realities. “First and foremost, [the foundries]
want to make sure their chips work,” says Coleman. “If a
company develops a reputation for making chips that fail
early, that company suffers more than anyone else.”
A kill switch built to be triggered at will, as was
allegedly incorporated into the European
microprocessors, would be more difficult and expensive
to pull off, but it's also the more likely threat, says
David Adler, a consulting professor of electrical
engineering at Stanford, who was previously funded by
DARPA to develop chip-testing hardware in an unrelated
project.
To create a controlled kill switch, you'd need to add
extra logic to a microprocessor, which you could do
either during manufacturing or during the chip's design
phase. A saboteur could substitute one of the masks used
to imprint the pattern of wires and transistors onto the
semiconductor wafer, Adler suggests, so that the pattern
for just one microchip is different from the rest.
“You're printing pictures from a negative,” he says. “If
you change the mask, you can add extra transistors.”
Or the extra circuits could be added to the design
itself. Chip circuitry these days tends to be created in
software modules, which can come from anywhere, notes
Dean Collins, deputy director of DARPA's Microsystems
Technology Office and program manager for the Trust in
IC initiative. Programmers “browse many sources on the
Internet for a component,” he says. “They'll find a good
one made by somebody in Romania, and they'll put that in
their design.” Up to two dozen different software tools
may be used to design the chip, and the origin of that
software is not always clear, he adds. “That creates two
dozen entry points for malicious code.”
Collins notes that many defense contractors rely
heavily on field-programmable gate arrays (FPGAs)—a
kind of generic chip that can be customized through
software. While a ready-made FPGA can be bought for
$500, an application-specific IC, or ASIC, can cost
anywhere from $4 million to $50 million. “If you make a
mistake on an FPGA, hey, you just reprogram it,” says
Collins. “That's the good news. The bad news is that if
you put the FPGA in a military system, someone else can
reprogram it.”
Almost all FPGAs are now made at foundries outside the
United States, about 80 percent of them in Taiwan.
Defense contractors have no good way of guaranteeing
that these economical chips haven't been tampered with.
Building a kill switch into an FPGA could mean embedding
as few as 1000 transistors within its many hundreds of
millions. “You could do a lot of very interesting things
with those extra transistors,” Collins says.
The rogue additions would be nearly impossible to
spot. Say those 1000 transistors are programmed to
respond to a specific 512-bit sequence of numbers. To
discover the code using software testing, you might have
to cycle through every possible numerical combination of
512-bit sequences. That's 13.4 × 10^153 combinations.
(For perspective, the universe has existed for about 4 ×
10^17 seconds.) And that's just for the 512-bit
number—the actual number of bits in the code would
almost certainly be unknown. So you'd have to apply the
same calculations to all possible 1024-bit numbers, and
maybe even 2048-bit numbers, says Tim Holman, a research
associate professor of electrical engineering at
Vanderbilt University, in Nashville. “There just isn't
enough time in the universe.”
Those extra transistors could create a kill switch or
a backdoor in any chip, not just an FPGA. Holman
sketches a possible scenario: suppose those added
transistors find their way into a networking chip used
in the routers connecting the computers in your home,
your workplace, banks, and military bases with the
Internet. The chip functions perfectly until it receives
that 512-bit sequence, which could be transmitted from
anywhere in the world. The sequence prompts the router
to hang up. Thinking it was the usual kind of bug, tech
support would reset the router, but on restart the chip
would again immediately hang up, preventing the router
from connecting to the outside world. Meanwhile, the
same thing would be happening to similarly configured
routers the world over.
The router scenario also illustrates that the nation's
security and economic well-being depend on shoring up
not just military chips but also commercial chips. An
adversary who succeeded in embedding a kill switch in
every commercial router could devastate national
security without ever targeting the Defense Department directly.
A kill switch or backdoor built into an encryption
chip could have even more disastrous consequences. Today
encoding and decoding classified messages is done
completely by integrated circuit—no more Enigma machine
with its levers and wheels. Most advanced encryption
schemes rely on the difficulty that computers have in
factoring numbers containing hundreds of digits;
breaking a 512-bit encryption key of that type would take
some machines up to 149 million years. Encryption that uses
the same code or key to encrypt and decrypt
information—as is often true—could easily be
compromised by a kill switch or a backdoor. No matter
what precautions are taken at the programming level to
safeguard that key, one extra block of transistors could
undo any amount of cryptography, says John East, CEO of
Actel Corp., in Mountain View, Calif., which supplies
military FPGAs.
“Let's say I can make changes to an insecure FPGA's
hardware,” says East. “I could easily put a little timer
into the circuit. The timer could be programmed with a
single command: ‘Three weeks after you get your
configuration, forget it.’ If the FPGA were to forget
its configuration information, the entire security
mechanism would be disabled.”
Alternatively, a kill switch might be programmed to
simply shut down encryption chips in military radios;
instead of scrambling the signals they transmit, the
radios would send their messages in the clear, for
anybody to pick up. “Just like we figured out how the
Enigma machine worked in World War II,” says Stanford's
Adler, “one of our adversaries could in principle figure
out how our electronic Enigma machines work and use that
information to decode our classified communications.”