BALTIMORE: The Pentagon has fallen in love with Silicon Valley — though it’s largely unrequited — but traditional defense firms argue there are some things only they can do. One striking example: this Northrop Grumman factory, where the company makes its own microchips “from sand” with unique security features that are not available from commercial vendors.
If a technology is available on the open market, by definition potential adversaries can buy it as well. They can then take it apart, reverse engineer it and find weak points to exploit. That means, Northrop told visiting reporters here, that commercial cybersecurity solutions may be adequate against casual hackers and criminals, but not against a nation-state that can devote thousands of trained personnel to reverse engineering. Since Northrop builds electronics for military command systems, radars, radios, and weapons, it needs an edge the enemy can’t just buy.
“You cannot get this commercially,” said Northrop cyber expert Vern Boyle, showing reporters a thumb-sized processor. “Our government is the only one that can get this.”
“A lot of people think, I have to run to Silicon Valley to find my solution,” Boyle said. “I assure you the solution is not going to come from Silicon Valley. It is not going to come from commercial vendors. It’s being developed right here in the state of Maryland,” home to the National Security Agency, Cyber Command and a wide array of government contractors. “We must come up with our own specific solutions that only the government has access to,” he said.
Hardware vs. Hacking
Northrop Grumman’s Baltimore plant embodies a kind of vertical integration that is deeply unfashionable in this age of outsourcing. At this single facility, the company can make its own microcircuits “from sand,” build them into radars or jammers or other electronics, install them on a testbed aircraft, and taxi next door to BWI airport for flight tests.
Most companies nowadays import electronics. But by making its own chips on-site, Northrop ensures it knows exactly where key parts are coming from, which keeps its supply chain uncontaminated by counterfeit or bugged hardware from, say, China. And by making those chips to its own designs, the company can build in security features at the hardware level, which offers a degree of protection that software can’t match by itself.
What’s different about the chips? Sorry, Boyle replied, telling you more would tell the bad guys too much.
But the government is buying your chips by the thousands, I protested. Surely at some point someone will slip up — an overtired 18-year-old maintainer leaving a spare part in his pocket, perhaps — and let one of them fall into unauthorized hands? “I wouldn’t be walking around with it like this if I couldn’t guarantee that wasn’t a problem,” he said mysteriously.
Buying Northrop’s custom microchips doesn’t lock you into using only their microchips, Boyle emphasized. You can build them into a “hybrid architecture” with conventional chips, allowing a system to use the latest from Silicon Valley while the Northrop chip polices the system. (What kinds of instructions get routed through which chip and how is, of course, secret.) You can also use conventional programming tools to write software that runs on the chips, he said: “There’s not a unique custom environment for coding.”
That said, the chips also run special software that’s specifically designed to keep a system operating as designed even after hackers have fought their way inside. Of course, it’s best to keep the enemy out altogether, Boyle said, but you’d better not count on that.
Software & Scale
Generally, Boyle and his colleagues said, military applications require unique software, not repurposed commercial code. Security is one reason, but another is scale. Yes, commercial giants like Google can write software to handle millions of users at once, but those millions are acting independently of each other. My ability to check email doesn’t depend on your ability to successfully download cat pictures. In a military network, however, you have thousands of users whose work does depend on each other, particularly when it comes to distributing, say, an incoming missile alert or targeting data across the system.
“Most of the commercial products, out of the box, fail in government markets,” said Chris Valentino, Northrop’s director of joint cyberspace programs, whose main client is Cyber Command. Commercial vendors do produce some software that’s designed for large organizations where everyone’s work depends on everyone else’s, he said, but “they’re designed at max for a Fortune 400 company, (where) the maximum number of things that you have to deal with is about 1/100th of what you find in one of our customers.”
That said, Northrop is willing to learn from the commercial world where it thinks it’s appropriate. Valentino’s unit, for example, runs STEM scholarships and an incubator, Cync, that helps promising start-ups “figure out how do you break into the government market,” he said. And they use commercial programming techniques as well, he said: “(We do) the same things Google does, Apple, Facebook — the methodologies they use to build software (are) exactly the same set of methodologies we use.”