Supply Chain Security Is the Whole Enchilada, but Who’s Willing to Pay for It?

148 points by johnshades, over 6 years ago

11 comments

dev_dull, over 6 years ago
I’m not a protectionist, but we need to start looking at USA-based semiconductor supply capacity as a national security imperative. We should never lose our ability to manufacture these critical components, even if it means policies that might be viewed as “protectionist”.
nickpsecurity, over 6 years ago
The DOD has been paying it through the Trusted Foundry Program. Probably not enough use of that, though. ;)
https://www.dmea.osd.mil/trustedic.html
teddyh, over 6 years ago
“If it’s a core business function — do it yourself, no matter what.”
— Joel Spolsky, talking about Not-Invented-Here programming
https://www.joelonsoftware.com/2001/10/14/in-defense-of-not-invented-here-syndrome/
iambateman, over 6 years ago
Can someone explain why a semiconductor production facility would be “punishingly” expensive to operate in the US?
Maybe the cost of electricity, but it seems like the labor cost wouldn’t make a huge difference since most of the production work (I presume) is automated.
rkagerer, over 6 years ago
Once upon a time computers came with a full schematic diagram and enthusiasts could actually verify what they received. My point isn't so much the diagram as it is the culture of [showing/]knowing what's inside your black box.
CPLX, over 6 years ago
This seems like as good an excuse as any to post a link to the seminal “Reflections on Trusting Trust”:
https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
It’s an absolute classic that I’m sure 97% of HN readers are familiar with, but for the 3% that aren’t it’s a really great meditation on just how difficult it is to trust any computing system, without somehow recursively assessing the trustworthiness of everything that has ever happened before.
yc-kraln, over 6 years ago
This is the kind of attack that the trustless.ai guys are fighting. They've secured their supply chain down to the silicon vendor at a fab in Italy. Really cool project.
stcredzero, over 6 years ago
Is Apple willing to pay for supply chain security? Could they afford it?
    Writing for this week’s newsletter put out by the SANS Institute, a security training company based in Bethesda, Md., editorial board member William Hugh Murray has a few provocative thoughts:
    1. Abandon the password for all but trivial applications.
    2. Abandon the flat network.
    3. Move traffic monitoring from encouraged to essential.
    4. Establish and maintain end-to-end encryption for all applications.
    5. Abandon the convenient but dangerously permissive default access control rule of “read/write/execute”
Animats, over 6 years ago
This is going to be a huge problem. If that backdoor exists, someone will find it and use it. Not necessarily the people who put it there.
simplecomplex, over 6 years ago
The supply chain is secure. But that’s not FUD that sells. The gap between mainstream news and tech news is closing.
maltalex, over 6 years ago
> Indeed, noted security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.”
Centrally, yes. But supply chain verification & tracking is one thing blockchains are genuinely good at. There are actual blockchain-based products on the market for that.
Imagine a company such as Apple forcing their suppliers to authenticate each production step from raw material to shipped good on a proprietary blockchain. It's certainly doable from a technical standpoint, and Apple's suppliers are probably eager enough not to lose Apple's business to comply.