
Microelectronics Supply Chain and US Legislation

The increasing complexity and global interconnectedness of microelectronics supply chains not only present logistical concerns for the United States’ government and private sector organizations, but more pressingly, cybersecurity challenges. The hardware that moves through these supply chains provides entry points for exploitation by malicious actors, but organizations lack tools to properly conduct hardware vulnerability management. At Ceritas, we are passionate about addressing this gap by providing organizations with actionable data to mitigate hardware vulnerabilities and harden their attack surface.

Hardware is present in every IoT device powering our personal lives, businesses, and governments, which creates a large cybersecurity threat in the aggregate. At Ceritas, we are particularly focused on domestic critical infrastructure. Ukraine is not the only country vulnerable to cyber attacks on critical infrastructure. Increasingly, US critical infrastructure sectors have been targeted, and malicious actors can exploit unmitigated hardware vulnerabilities to wage severe cyber attacks causing catastrophic physical damage.

As private sector organizations create solutions to mitigate cyber threats, it is important to also understand the context of current US domestic policy efforts to reduce risk.

Under the Trump Administration, microelectronics supply chain challenges were seen as purely a “China and Huawei” issue – and it was thought that limiting Huawei (and others) from the US domestic supply of microelectronics would mitigate potential threats. The Biden Administration furthered this agenda, signing an executive order in June of 2021 to prohibit Americans from investing in 59 Chinese companies (predominantly within the microelectronics industry) and essentially ban their products from being sold in the United States.[1]

Securing the microelectronics supply chain has been a top priority in the Biden Administration’s policy agenda. In July of 2021, the Administration passed a National Security Memorandum (NSM) on “Improving Cybersecurity for Critical Infrastructure Control Systems.”[2] Additionally, in October of 2021, the Biden Administration passed the Secure Equipment Act. This law “requires the Federal Communications Commission (FCC) to no longer review or approve any authorization application for equipment that poses an unacceptable risk to national security.”[3] Lastly, as part of the latest infrastructure plans, the Administration plans to allocate $37 billion to the U.S. semiconductor industry, specifically funding the Trump Administration’s CHIPS Act. This money will be used to increase US domestic semiconductor manufacturing capacity.[4] While the US is a leader in microchip design and research, it lags behind in microchip manufacturing and production. Currently, 75% of microchip production occurs in East Asia, with Taiwan (and more specifically TSMC) producing 90% of global microchips.[5]

While these actions have the potential to mitigate microelectronics supply chain threats, they do not solve the broader cybersecurity threats facing critical infrastructure operators. At Ceritas, we recognize the work of US domestic policymakers and seek to supplement their efforts. As policymakers work to address supply chain security, Ceritas helps organizations act now to shrink and harden their attack surface.
