Technology is at the forefront of economic and societal progress and will define the next generation with the promises of artificial intelligence. Yet, the recent Microsoft and CrowdStrike outage highlighted both our increased reliance on technology, and how fragile that infrastructure can be. Just one failed software update led to global panic and left some serious economic scars, most notably with Delta Airlines reportedly losing roughly $500 million .
While such an event will not cause us to revert to pen and paper recordkeeping, it does raise questions about our dependence on technology and emphasizes the need for proper security controls. As our adversaries look to wage war on the digital battlefront and exploit any technological vulnerabilities, policymakers must address our cyber security defenses and weaknesses.
Thankfully, the CrowdStrike outage was not an act of cyber terrorism carried out by one of our adversaries. But the damage was still staggering, from global air travel being grounded to hospitals left unable to conduct surgeries or even complete simple tasks such as prescribing medicines or taking patient notes.
If a routine software update provided by world-class companies can cause so much chaos, it’s hard to imagine how crippling a targeted, large scale cyber-attack from one of our adversaries could be.
Rick Switzer, a national security expert and Senior Fellow with the Special Competitive Studies Project, has specifically raised concerns about the growing national cybersecurity risks of open source hardware, including computer chips. According to Switzer, chips that run on open source hardware – whose architecture is available to anyone, as opposed to chips that run on proprietary architecture built by trusted tech companies – creates a host of cyber security vulnerabilities.
What is even more concerning is that these chips – which utilize open source tech and are often made in China – are used in just about everything, from your smart watch to military hardware and computers that power our critical infrastructure.
One example that is growing in popularity and receiving attention from the U.S. Government is an open source semiconductor architecture called RISC-V.
RISC-V was developed at the University of California Berkeley as a tool meant to simplify chip design via an open source architecture. While its initial funding came from the Pentagon’s Defense Advanced Research Programs Agency (DARPA), it has since gained significant attention from the People’s Republic of China (PRC). Notably, RISC-V moved its headquarters from the United States to Switzerland in 2019 to ensure that members – specifically technology firms from China – would not be subject to U.S. tech regulations.
Dr. Jose Marquez What threat do RISC-V chips pose to our national security? When most people think about a cyber-attack, we often talk about hackers exploiting a vulnerability in the software that runs our computers. However, attacks on hardware, by exploiting vulnerabilities in chip architecture, are less common but can be much more severe and harder to detect. While the Crowdstrike issue could be resolved with a software patch, hardware issues can take much longer to patch and in some places may require replacing physical parts. This was demonstrated recently in China, where a RISC-V chip was found to have significant vulnerabilities that were difficult or impossible to fix.
As one article states “[t]the root of these issues lies in the open-source nature of RISC-V, which allows for customization and innovation but also introduces challenges in maintaining consistent security standards.” Imagine if these chips had found their way into US systems. Given the complexities of the semiconductor chip supply chain and the nature of open source chips like RISC-V, it would be nearly impossible to identify the source of an attack.
Couple these vulnerabilities with China’s strategic goal of ridding itself of western technology and passing the United States for economic dominance, and you have a recipe for disaster. Earlier this year, U.S. National Cyber Director Harry Coker told a conference that Chinese military hackers are targeting U.S. interests at an “unprecedented scale” and would “wreak havoc” on our infrastructure in a conflict scenario.
As we advance further into an era dominated by digital infrastructure, the significance of cyber and national security cannot be overstated. The recent Microsoft and CrowdStrike outage should serve as a stark reminder that our systems, no matter how advanced or trusted, are not impervious to failure.
One crucial aspect that needs immediate attention is the regulation and oversight of open-source technology like RISC-V. Without stringent security protocols, these projects can become a backdoor for malicious actors such as the PRC to compromise this essential underlying hardware. An attack on a single component, such as one within a power grid or communication network, could cripple entire sectors.
This interdependency underscores the necessity for robust, multi-layered defense mechanisms that can thwart both software and hardware attacks. As we march towards a future where technology further underpins every facet of our lives, fortifying our cybersecurity framework is not just an option; it’s imperative. The stakes are high, and the cost of inaction by the U.S. Government and global community could be catastrophic.