To: Will Levi
From: Ryan Andersen
Re: Labeling “Kill Switches”
Date: July 15, 2015
Will:
You asked me to look into computer chip integrity and the possibility that “kill switches,”
or hardware built into microprocessors that allows a remote user to access a device without the
operator’s consent or knowledge, could present a national security concern and a liability for
individual consumers. The Department of Defense drafted a report on the topic in response to
Senate Report 113-85 and S. 1429, and identified issues like the large volume of microprocessors it
uses and the difficulty in detecting kill switches as areas of ongoing vulnerability. The
Department devised several plans, however, to correct that vulnerability including the
development of hardware able to detect kill switches and other microprocessor defects. Dr.
Phillip M. Adams also wrote a memorandum on the issue, suggesting that the Consumer
Product Safety Commission could use its regulatory power to require microprocessor
manufacturers to so label their products if they include a kill switch. It is unlikely, however, that
such an action would fall within the Consumer Product Safety Commission’s scope of authority.
You also asked me for recommendations for future actions. The Defense Department’s
report indicates that its complex supply chain, the volume of microprocessors it regularly
acquires, and the difficulty in detecting kill switches make it somewhat vulnerable to an attack
utilizing kill switches. Therefore, such a scenario should be included in national security
contingency plans. It would also be prudent for the Department of Defense to coordinate with
private entities to ensure the safety of critical infrastructure as it works to minimize the
vulnerability to kill switches and regularly inform Congress of its progress in that direction.
Discussion
Kill switches pose a potential threat to both national and consumer security. Generally,
they are difficult if not impossible to detect before they are activated. California is currently the
only jurisdiction with law related to kill switches. That law requires smartphones to have a kill
switch in order to shut down a device in the event it is stolen in order to protect the owners’
personal information. Consumer rights groups argue that engineering back-door access to a
device could allow a hacker to use that same door to remotely shut down a device as well, thus
allowing cybercriminals another avenue of action.
This concern also applies to government agencies, particularly the Department of
Defense. Because the vast majority of microprocessors are manufactured in Taiwan and China,
there is concern that military or other critical components contain kill switches manufactured by
the Chinese for the purpose of sabotage. While some military equipment uses custom-built
electronics, the Department purchases a substantial amount of off-the-shelf equipment that could
be vulnerable. In 2003, the Department of Defense began reviewing its acquisition process and
developed protocols for future actions including protecting a domestic microprocessor
manufacturing base, working with the National Security Agency to fully identify related
vulnerabilities, and accrediting trusted providers. The Department is also developing hardware
able to detect a kill switch. The sheer volume of microprocessors the Department regularly
acquires, however, and the difficulty in detection make the task of combating kill switches
problematic. The Department’s report states that conventional methods of detection “will not
uncover intentional and surreptitiously implanted flaws” within a microprocessor.
Recommendations
The difficulty in detection is one reason why labeling microprocessors if they contained
kill switches would be ineffective. Without means of verifying compliance, a statute requiring
manufacturers to label their products would rely solely on manufacturers’ assertions that non-
labeled microprocessors did not contain kill switches. This creates a regulatory environment
where the regulators cannot verify compliance unless a kill switch is activated. Therefore,
labeling could not prevent any harm a kill switch might inflict; regulators’ only actions would be
in reaction.
Even if labeling microprocessors could be effective, however, the Consumer Product Safety
Commission does not possess the regulatory power to force microprocessor manufacturers to
label kill switches. The Consumer Product Safety Commission derives its authority from 15
USCS § 2058. In order for something to fall within the Commission’s scope of authority, it must
incur the “risk of injury.” This is defined as “a risk of death, personal injury, or serious or
frequent illness.” While it is not inconceivable that a kill switch could, depending on the nature
of the affected device, cause physical actions to occur, remotely accessing and shutting down
most computer systems does not produce the risk of injury defined in 15 USCS § 2058.
Therefore, the Consumer Product Safety Commission does not likely possess the regulatory
authority to force manufacturers to label kill switches.
Despite these challenges, there are proactive measures that can be taken in response to
kill switches. Both consumers and the military should prepare for an event related to kill
switches. One promising development is the Department of Defense’s ongoing development of
hardware that will detect kill switches. The Department should be encouraged to share this
technology with critical infrastructure when it becomes available, and continue to update
Congress as to its progress on the issue.