Podcast: Conductive Discussions: Cybersecurity Threats to the Chip Industry
Ropes & Gray’s podcast series Conductive Discussions focuses on legal issues of interest to the semiconductor industry. In this episode, IP litigation partner Mark Rowland, and data, privacy & cybersecurity partner Ed McNicholas and associate Fran Faircloth discuss recent developments in cybersecurity, ranging from potential and actual cyberattacks to the government and industry responses to such cybersecurity threats.
Mark Rowland: Welcome to this episode of Conductive Discussions, a Ropes & Gray podcast series focused on legal issues of interest to the semiconductor industry. My name is Mark Rowland, and I am a partner at Ropes & Gray in our IP litigation practice, based in our Silicon Valley office. I'll be hosting this episode, which will focus on recent trends in data privacy and cybersecurity affecting the semiconductor industry. Today, we'll be hearing from an exciting group of practitioners on this topic. With us is Ed McNicholas, co-chair of our data, privacy and cybersecurity group—welcome, Ed. Also with us is Fran Faircloth, a data, privacy and cybersecurity associate—welcome, Fran. Both Ed and Fran are based in our Washington, D.C. office. Ed represents technologically sophisticated clients in litigation, investigations and counseling matters. He has developed unique experience representing clients in the midst of media-driven legal challenges and has worked on some of the largest breaches to date, including SolarWinds, Yahoo!, Equifax, Neiman Marcus, and hundreds of others. His crisis management skills are particularly useful in coordinating the swirl of complex litigation, congressional hearings, and federal and state investigations that can follow from major privacy and cybersecurity incidents. Fran will start us off with our Silicon Speak report of recent legal news.
Fran Faircloth: Thanks, Mark. In industry news, there have been several developments relating to cybersecurity. Tower Semiconductor, which is based in Israel and makes specialty integrated circuits such as wireless chips and camera sensors, was subject to a ransomware attack in September 2020. Cyberattacks, whether by economic attackers or nation states, can halt semiconductor production lines, as happened here. This attack stopped Tower Semiconductor's servers and manufacturing operations. Tower was able to obtain a release on its servers for several hundred thousand dollars, but more generally, a production stoppage can have financial implications worth millions of dollars. Based on incidents like these, key stakeholders all over the world, ranging from governments to private companies to trade groups, are realizing how crucial it is to address cybersecurity. Here are a few examples:
- In Taiwan, the National Communications Commission banned cable television providers from procuring semiconductors and other components made by Chinese companies for use in digital set-top boxes.
- The Standing Committee of the National People's Congress in China published a Draft Personal Information Protection Law (PIPL) for public comment, following up on its recent series of cybersecurity laws. If enacted, it will become China's first comprehensive national-level law regulating privacy and personal information. Notably, critical information infrastructure operators must undergo a security assessment in certain situations, as is already required under the cybersecurity laws there. The proposed law is extra-territorial in scope, covers cross-border data transfers, and imposes GDPR-level penalties. The buildout of China’s cybersecurity regime continues to merit attention not only for access to one of the world’s largest markets, but also for access to key materials and technologies flowing from it.
These laws can also be viewed as a response to risks in the semiconductor supply chain, which is truly global and complex. As an example, after a chip has been designed in the United States or Europe, a foundry in Taiwan manufactures it. The raw silicon wafers on which the foundry forms integrated circuits are processed in the U.S., Japan, and South Korea before reaching the foundry in Taiwan. For forming the circuits, the foundry uses highly advanced manufacturing equipment developed by companies in the U.S., Europe, and Japan. Individual chips are separated from the wafer and packaged in Malaysia, then shipped to China for incorporation into products. Thus, semiconductor supply chain security issues can have larger ramifications—as we've seen in recent months, fires disrupting production at chip makers such as Renesas have impacted companies worldwide.
Recent massive cybersecurity attacks highlight additional supply chain risks. The White House formally announced on April 15, 2021 that Russia’s Foreign Intelligence Service was responsible for one such attack that affected multiple compromised federal agencies and private companies. The Russian attackers leveraged multiple access points across several companies to attack the SolarWinds Orion Platform, that’s used by thousands of companies and many government agencies. Perhaps relatedly, Microsoft recently suffered an attack by state-sponsored Chinese hacking groups who exploited vulnerabilities in Microsoft's exchange server to infiltrate companies using that server. In both cybersecurity attacks, attackers took advantage of vulnerabilities in third party supplier software to infiltrate companies that use the affected software. These kinds of attacks using third party software are especially tricky for companies to thwart directly.
Recognizing these issues, DARPA (the Defense Advanced Research Projects Agency) selected teams from commercial, academic, and defense industries last year to increase security of the semiconductor supply chain by incorporating security defenses into chip designs while balancing economic considerations such as power consumption, die area, and performance. The teams will address four fundamental silicon security vulnerabilities: side channel attacks, hardware Trojans, reverse engineering, and supply chain attacks. One technique the DARPA program plans to use to protect chips throughout their lifecycle is distributed ledger technology, which provides for a high-availability, cloud-based system capable of managing keys, certificates, watermarks, policies, and tracking data to ensure that chips remain secure as they move through the design ecosystem.
Mark Rowland: Thanks, Fran, for that update on supply chain cybersecurity attacks in the news. Ed, we’ve certainly seen extensive cybersecurity attacks against U.S. infrastructure by foreign countries in the past year, right?
Fran Faircloth: It is interesting that these foreign attackers are using our own technological infrastructure against us. They aren’t attacking us using their systems and servers. They’re breaking into the underlying supply chain infrastructure first and pivoting from there to launch other attacks. They’re using things like malicious insertion to worm inside these key providers of basic services that are essential to both economic growth and national security, much like the semiconductor industry. It’s not surprising that earlier this year, President Biden issued Executive Order 14017 to conduct a comprehensive assessment of, and identify ways to strengthen, key industries deemed essential to U.S. economic and national security, including semiconductors, because it seems like their position in the supply chain could make semiconductors a key target for foreign attackers who are trying to use our infrastructure against us.
Ed McNicholas: What strikes me is the reason they’re using the American infrastructure is that the monitoring for attack traffic that we can do overseas is not allowed in the U.S. because we don’t want our intelligence services surveilling U.S. servers in the same way that we can surveil servers overseas. This is a bit ironic because we have this ongoing debate with the Europeans about whether there’s more privacy inside the U.S. or outside the U.S., and in fact, we have far greater protections inside the U.S. in terms of this sort of surveillance. That’s why we see this sort of attack using the U.S. infrastructure against us.
It will be up to the Biden administration to figure out a way of fighting the Russians and the Chinese and others who would do us harm inside the U.S., while of course at the same time, preserving our privacy and civil liberties. NSA leadership has made clear that they consider surveillance of the domestic servers to be a blind spot for our military and intelligence communities. The challenge is that we need to do it in a way that protects civil liberties to ensure that U.S. companies can feel comfortable working with other U.S. companies, and working globally without the fear of a threat of a cybersecurity attack from foreign nation states.
Mark Rowland: So what is the solution here? Are there proposals in place that can help bridge this gap?
Ed McNicholas: One of the key things that will be part of any solution is to adopt the recommendations of the Cybersecurity Solarium Commission. The Solarium Commission report is probably the leading document on cybersecurity strategy in the U.S. right now. One of the things this report emphasizes is the importance of defending forward and making sure we go after the attackers where they live. Equally important is that there needs to be robust cooperation between the public and private sectors to make sure that companies can share information with the government, and that the government will share information back with companies. Obviously the government needs to protect sources and methods, but there needs to be a robust interchange between the private sector and the government. Fort Meade has made clear that they do not seek new domestic surveillance authorities; instead, they want closer partnerships with the private sector. Having helped companies with these sorts of partnerships in the past, I certainly see the wisdom of using collegial relationships with the government to help secure the supply chain for both governmental and corporate protection.
Fran Faircloth: Absolutely, and also, companies using ISACs and ISAOs—that is Information Sharing and Analysis Centers, and Information Sharing and Analysis Organizations—have to be able to come together without fear of violating privilege or antitrust issues creeping in, that way they can share information about ongoing attacks and the methods that are successful in stopping them.
Ed McNicholas: Yes. If we have information sharing between companies, corporate information sharing with the government, and, this is the critical piece, the government sharing information back to companies, we can fight together, and that will go a long way towards stopping these attacks on our shared infrastructure. The vast bulk of the Internet infrastructure on which these global supply chains rely sits in private hands; we have no choice but to have a response, both from the whole of government and the whole of industry.
Mark Rowland: That concludes another interesting session. Again, thanks to Ed and Fran for joining us today and for sharing your insights. Subscribe to Conductive Discussions and other RopesTalk podcasts in the newsroom page of ropesgray.com. If you have any questions or comments, just drop us a line. For more information about our semiconductor practice, just type "semiconductors Ropes Gray" to get our semiconductors page. Thank you for listening, and we hope that you join us next time. Goodbye.