Within the next decade a major city, or even an entire country, will likely find its power grid shut off, causing the daily services we have all come to rely on to grind to a halt. There is a simmering “Chip War” driven by China/US geopolitical tension. This “war” over semiconductor innovation and supply chains has sprouted from U.S. and Chinese economic and geopolitical competition. It is impacting the hardware upon which the future of AI and next-gen wireless depend, and with them security and social stability. Despite the increase in the availability of information and the prevalence of advanced technology (almost every human has a smartphone, roughly 85%), supply chain data and hardware cybersecurity information have remained largely unchanged over the last decade. This means that our country, and most others, have a vulnerable power and technology network, endangering everything from hospital operating rooms to power plants.
Great power competition has spilled into economic conflict for centuries, but never before have technical innovation and information cycles moved as quickly, leaving policy behind and out of sync. This “technical debt” is beginning to have meaningful and potentially catastrophic impacts as warfare also becomes digital, with immediate global reach. Both nation states and non-state belligerents now employ tens of thousands of hackers and cyberwarfare specialists, who daily probe global information technology and critical infrastructure for vulnerabilities in both hardware and software.
We leave ourselves extremely vulnerable to this hacking because we have lost the ability to understand and track what is on our public and private networks. Supply chain and cybersecurity technology has not kept up with technology itself, and the physical hardware at the center of modern technology is a core part of this threat matrix.
The path to addressing the hydra of threats to technology leverages that very technology to enable the solution. With many products the manufacturer includes a bill of materials, which allows a customer to understand what it is that they are buying. Most hardware manuals and marketing materials already identify the components within products; this data is generally not secret or privileged. Aggregating these simple bills of materials across the global semiconductor supply chains that enable AI and connected media creates a Hardware Bill of Materials (HBOM) framework. This framework allows an end user to understand what they have purchased and placed on their system. Compiling HBOM data permits a user to quickly track and understand what components are within the devices that make up their network and to address any vulnerabilities that might exist.
HBOMs are currently organized in JSON or text files and are easily transmitted, but not easily standardized or aggregated. An HBOM transforms the relevant hardware and component data into a machine-readable format that provides the structure required for manufacturers to provide attestations as to the accuracy of the relevant data and the relevant cybersecurity vulnerability information. In addition, standardized and machine-readable digital bill of materials data permits complex analytics to track and address vulnerabilities. This tracking of the “semiconductor genealogy” highlights design issues, or design shops or fabs, that require remediation via firmware or other solutions. This means problems can be identified and addressed before gear is placed in sensitive systems.
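The workflow the paragraph above describes (a manufacturer emits a machine-readable HBOM and attests to it, an operator ingests many of them, aggregates the components, and matches them against vulnerability information) can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from any HBOM standard: the JSON field names, part numbers, fab names, advisory identifiers and the shared HMAC key are all constructed assumptions, and a real deployment would replace the HMAC with a digital signature verified against the manufacturer's published key.

```python
"""Added example: a minimal HBOM pipeline (constructed data, not a real standard).

Manufacturer side: attest() builds an HBOM JSON document and tags its component
list with an HMAC.  Consumer side: load_hbom() parses and verifies one document,
aggregate() folds many documents into one inventory keyed by normalized part,
and find_affected() matches that inventory against an advisory feed.
"""
import hashlib
import hmac
import json

# Assumption: a key shared by manufacturer and consumer for attestation.
# Stands in for a real signature scheme with a published public key.
ATTEST_KEY = b"example-manufacturer-attestation-key"

# Assumed minimal schema for one component entry.
REQUIRED_FIELDS = ("manufacturer", "part", "revision", "fab")


def canonical(components):
    """Stable byte encoding so the same component list always hashes alike."""
    return json.dumps(components, sort_keys=True, separators=(",", ":")).encode()


def attest(device, components, key=ATTEST_KEY):
    """Manufacturer side: emit an HBOM document with an attestation over its components."""
    tag = hmac.new(key, canonical(components), hashlib.sha256).hexdigest()
    return json.dumps({"device": device, "components": components,
                       "attestation": {"alg": "HMAC-SHA256", "tag": tag}})


def load_hbom(text, key=ATTEST_KEY):
    """Consumer side: parse one HBOM, check its schema, and verify the attestation."""
    doc = json.loads(text)
    for comp in doc["components"]:
        missing = [f for f in REQUIRED_FIELDS if f not in comp]
        if missing:
            raise ValueError(f"{doc['device']}: component missing {missing}")
    expected = hmac.new(key, canonical(doc["components"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["attestation"]["tag"]):
        raise ValueError(f"{doc['device']}: attestation does not match component list")
    return doc


def normalize(manufacturer, part):
    """Vendors spell the same part differently; collapse case and separators."""
    return (manufacturer.strip().lower(),
            part.strip().upper().replace(" ", "-").replace("_", "-"))


def aggregate(docs):
    """Fold many device HBOMs into one inventory: part -> {device -> revisions, fabs}."""
    inventory = {}
    for doc in docs:
        for comp in doc["components"]:
            key = normalize(comp["manufacturer"], comp["part"])
            entry = inventory.setdefault(key, {"devices": {}, "fabs": set()})
            entry["devices"].setdefault(doc["device"], set()).add(comp["revision"])
            entry["fabs"].add(comp["fab"])
    return inventory


def find_affected(inventory, advisories):
    """Return (advisory id, part, affected devices) for each advisory that hits the inventory."""
    hits = []
    for adv in advisories:
        key = normalize(adv["manufacturer"], adv["part"])
        entry = inventory.get(key)
        if not entry:
            continue
        affected = set(adv["affected_revisions"])
        devices = sorted(d for d, revs in entry["devices"].items() if revs & affected)
        if devices:
            hits.append((adv["id"], key[1], devices))
    return hits


# Constructed sample data: two devices whose HBOMs spell the same SoC differently.
SAMPLE_HBOMS = [
    attest("edge-router-01", [
        {"manufacturer": "ExampleSilicon", "part": "EX SOC 1000", "revision": "A1", "fab": "Fab-North"},
        {"manufacturer": "ExampleMemory", "part": "EM-DDR4-8G", "revision": "B0", "fab": "Fab-East"},
    ]),
    attest("edge-router-02", [
        {"manufacturer": "examplesilicon", "part": "ex-soc-1000", "revision": "A2", "fab": "Fab-North"},
        {"manufacturer": "ExampleMemory", "part": "EM-DDR4-8G", "revision": "B0", "fab": "Fab-East"},
    ]),
]

# Constructed advisory: only revision A1 of the SoC needs the firmware fix.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "manufacturer": "ExampleSilicon", "part": "EX-SOC-1000",
     "affected_revisions": ["A1"], "remediation": "firmware 2.1"},
]


def run_pipeline(hbom_texts=SAMPLE_HBOMS, advisories=SAMPLE_ADVISORIES):
    """Verify, aggregate and match; raises ValueError if any HBOM fails attestation."""
    docs = [load_hbom(t) for t in hbom_texts]
    return find_affected(aggregate(docs), advisories)


if __name__ == "__main__":
    for adv_id, part, devices in run_pipeline():
        print(f"{adv_id}: {part} present on {', '.join(devices)}")
    # Editing a component list after attestation is caught on load.
    tampered = json.loads(SAMPLE_HBOMS[0])
    tampered["components"][0]["revision"] = "A2"
    try:
        load_hbom(json.dumps(tampered))
    except ValueError as err:
        print("rejected:", err)
```

The normalization step is what makes aggregation across vendors possible: without it the two spellings of the SoC would be counted as different parts and the advisory would match only one of them. The attestation check is what makes the data trustworthy: an HBOM whose component list has been altered after the manufacturer attested to it is rejected before it reaches the inventory.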
What’s more, the key foundational elements needed to promote an equitable HBOM data governance methodology on a global scale are falling into place. The United States is leading the development of an SBOM standard that will provide a road map for the globally connected software supply chain. By June 11th, 2023, all organizations that sell software to the U.S. federal government will be required to provide a Software Bill of Materials (SBOM) as part of enhancing supply chain security. The federal requirement has provided the regulatory motivation for organizations at all phases of the software supply chain to move towards a common standard. Standardization of the data will increase the capacity of governments and other organizations to use, regulate, and promote emerging technologies by improving transparency.
Basic compliance with this SBOM policy is within reach, but a dynamic end-to-end solution that includes attestation as well as a uniform method of transmittal and storage is necessary and still under development. It looks unlikely that most contractors will meet the June 2023 deadline; despite the efforts of the Department of Homeland Security and the Department of Defense, waivers will likely be necessary for critical suppliers.
We must pursue a similar strategy with the development of HBOM standards and be leaders in international cooperation that supports improved security in the semiconductor supply chain. The SBOM policy the federal government is pursuing outlines the key requirements for the implementation of a similar HBOM standard. This will not only improve security, it will also improve the path to innovation. An SBOM solution implemented alone addresses only half of the cybersecurity problem: an SBOM for an operating system or basic input/output system (BIOS) lets a user identify software vulnerabilities to patch, but a user or network operator will still have a range of hardware-related vulnerabilities hidden from view by incomplete or hard-to-manage component information. Deploying both HBOM and SBOM solutions allows for full understanding of a system: its software, hardware, and component-level profile.
Today we have almost no idea what is inside the ubiquitous smartphones that we carry around in our pockets. These simple devices are made up of semiconductors sourced from around the world and have brought massive productivity gains, but that efficiency has placed complexity and vulnerabilities into our pockets as well. Hardware vulnerabilities are unlike software vulnerabilities in that they are physical and more difficult to address. The cybersecurity community can no longer afford to kick the can down the road with respect to bills of materials and component-level vulnerability tracking. The microelectronics supply chain has simply become too globally complex, and it is evolving into a battleground of great power competition. The time to put the foundational elements of an HBOM standard in place is now; we don’t have another day to spare. The future is coming, and it is full of evolving threats.