To: Will LeviFrom: Ryan AndersenRe: Labeling “Kill Switches” Date: July 15, 2015

Will:

You asked me to look into computer chip integrity and the possibility that “kill switches,”

or hardware built into microprocessors that allow a remote user to access a device without the

operator’s consent or knowledge, could present a national security concern and a liability for

individual consumers. The Department of Defense drafted a report on the topic in response to

Senate Report 113-85 and S. 1429, and identified issues like large volume of microprocessors it

uses and the difficulty in detecting kill switches as areas of ongoing vulnerability. The

Department devised several plans, however, to correct that vulnerability including the

development of hardware able to detect kill switches and other microprocessor defects. Dr.

Phillip M. Adams also wrote a memorandum on the issue, suggesting that the Consumer

Products Safety Commission could use its regulatory power to require microprocessor

manufactures to so label their products if they include a kill switch. It is unlikely, however, that

such an action would fall within the Consumer Product Safety Commission’s scope of authority.

You also asked me for recommendations for future actions. The Defense Department’s

report indicates that its complex supply chain, the volume of microprocessors it regularly

acquires, and the difficulty in detecting kill switches makes it somewhat vulnerable to an attack

utilizing kill switches. Therefore, such a scenario should be included in national security

contingency plans. It would also be prudent for the Department of Defense to coordinate with

private entities to ensure the safety of critical infrastructure as it works to minimize the

vulnerability to kill switches and regularly inform Congress of its progress in that direction.

Discussion

Kill switches pose a potential threat to both national and consumer security. Generally,

they are difficult if not impossible to detect before they are activated. California is currently the

only jurisdiction with law related to kill switches. That law requires smartphones to have a kill

switch in order to shut down a device in the event it is stolen in order to protect the owners’

personal information. Consumer rights groups argue that engineering back-door access to a

device could allow a hacker to use that same door to remotely shut down a device as well, thus

allowing cybercriminals another avenue of action.

This concern also applies to government agencies, particularly the Department of

Defense. Because the vast majority of microprocessors are manufactured in Taiwan and China,

there is concern that military or other critical components contain kill switches manufactured by

the Chinese for the purpose of sabotage. While some military equipment uses custom-built

electronics, the Department purchases a substantial amount of off-the-shelf equipment that could

be vulnerable. In 2003, the Department of Defense began reviewing its acquisition process and

developed protocols for future actions including protecting a domestic microprocessor

manufacturing base, working with the National Security Agency to fully identify related

vulnerabilities, and accrediting trusted providers. The Department is also developing hardware

able to detect a kill switch. The sheer volume of microprocessors the Department regularly

acquires, however, and the difficulty in detection makes the task of combating kill switches

problematic. The Department’s report states that conventional methods of detection “will not

uncover intentional and surreptitiously implanted flaws” within a microprocessor.

Recommendations

The difficulty in detection is one reason why labeling microprocessors if they contained

kill switches would be ineffective. Without means of verifying compliance, a statute requiring

manufactures to label their products would rely solely on manufacturers’ assertions that non-

labeled microprocessors did not contain kill switches. This creates a regulatory environment

where the regulators cannot verify compliance unless a kill switch is activated. Therefore,

labeling could not prevent any harm a kill switch might inflict; regulators’ only actions would be

in reaction.

If, however, labeling microprocessors could be effective the Consumer Products Safety

Commission does not possess the regulatory power to force microprocessor manufacturers to

label kill switches. The Consumer Products Safety Commission derives its authority from 15

USCS § 2058. In order for something to fall within the Commission’s scope of authority, it must

incur the “risk of injury.” This is defined as “a risk of death, personal injury, or serious or

frequent illness.” While it is not inconceivable that a kill switch could, depending on the nature

of the affected device, cause physical actions to occur, remotely accessing and shutting down

most computer systems does not produce the risk of injury defined in 15 USCS § 2058.

Therefore, the Consumer Products Safety Commission does not likely possess the regulatory

authority to force manufacturers to label kill switches.

Despite these challenges, there are proactive measures that can be taken in response to

kill switches. Both consumers and the military should prepare for an event related to kill

switches. One promising development is the Department of Defense’s ongoing development of

hardware that will detect kill switches. The Department should be encouraged to share this

technology with critical infrastructure when it becomes available, and continue to update

Congress as to its progress on the issue.