US Flag made out of software code.

Episode 249: Intel Federal CTO Steve Orrin on the CHIPS Act and Supply Chain Security

In this episode of the Security Ledger Podcast, Paul speaks with Steve Orrin, the Federal CTO at Intel Corp. Steve talks about his work representing Intel and its technologies to the Federal Government and the impact of the recent passage of the CHIPS Act, a huge federal investment in promoting domestic manufacturing of semiconductors. We also talk about the growing focus within the federal space on software supply chain security and how firms like Intel are responding to calls for greater scrutiny of federal software and services.

[MP3] [Transcript]

In August 2022, President Biden signed into law the CHIPS and Science Act, one of the biggest federal investments in science and research and development in recent memory. The bill includes a 52.7 billion appropriation over five years to fund grants, loans, loan guarantees, and other programs to incentivize semiconductor manufacturing in the United States, “tax credits to spur the construction of semiconductor fabrication plants in the US and it limits the ability of chip makers to expand operations in China. 

Episode 214: Darkside Down: What The Colonial Attack Means For The Future of Ransomware

The CHIPS Act: a game changer

Steve Orrin is the Federal CTO and Senior Principal Engineer for Intel Corporation
Steve Orrin is the Federal CTO and a Senior Principal Engineer for Intel Corporation.

CHIPS is expected to spur investment in the U.S. semiconductor industry, which has long taken a back seat to countries like Taiwan, where most of the world’s advanced semiconductors are manufactured. It’s a boon for companies like Intel, the United States most recognized semiconductor manufacturer. But what about the larger supply chain issues affecting U.S industry and the U.S. government? Including software supply chain? How are the CHIPS Act and other federal initiatives, like President Biden’s cyber Executive Order, changing the way that the federal government is looking at and procuring software, hardware and services from its own suppliers? 

To help answer these questions we invited Steve Orrin into the studio to talk. Steve is the  Federal CTO and Senior Principal Engineer for Intel Corporation, a job that has him representing all of Intel’s technologies and capabilities to the federal government and the broader public sector.

New IoT Security Regulations on Tap in U.S., U.K.

In this conversation, Steve and I talk about Intel’s extensive work as a supplier of software, hardware and services to Uncle Sam, and about some of the initiatives Intel is working on – from confidential computing, to supply chain security and artificial intelligence.


Steve Orrin (Intel): So I am Steve Orrin. I’m the Federal CTO and Senior Principal Engineer for Intel Corporation. And in that role, I basically represent all of Intel’s technologies and capabilities to the federal government and the broader public sector ecosystem. So that civilian military intelligence, the large system integrators, the federal OEMs and cloud providers really help them to figure out how to adopt and use commercial Intel technologies to advance mission and enterprise needs.

And so in some respects, I translate Intel technology into government requirements, admission requirements. And then the other half of my job is to turn around and translate government requirements back into Intel features and needs. As well as the ability to do custom capabilities in order to advance the federal government’s use cases as they have very specific requirements, whether it be on scale, on security, or in the tactical domain.

And so really I become that focal point for the technology innovation that’s working with the federal government. My background is in cybersecurity, having done multiple security startups throughout the nineties and two thousands, and I ran security path finding for Intel for about nine years prior to taking on the federal role.

Paul Roberts (Security Ledger): So Intel’s relationship with the federal government? Pretty sleepy job. Really not a whole lot of stuff going on there.

Steve Orrin (Intel): It’s fascinating. There’s so much going on in the federal government

Paul Roberts (Security Ledger): yes.

Steve Orrin (Intel): It it always keeps you on your toes.

Paul Roberts (Security Ledger): Biggest technology buyer in the world as if I’m not mistaken

Steve Orrin (Intel): And the scale that you find in the federal government is really unique. The VA the largest healthcare provider in the world, as well as the largest insurer in Medicaid, Medicare.

One of the interesting things that I’ve always found about working with the federal marketplace in the federal government is you can find every possible vertical that you’d find anywhere else in the federal government.

Do you wanna talk finance and credit card fraud? You have cms, you have irs, you wanna talk healthcare, obviously a va. You wanna talk about smart cities and that infrastructure, you have smart bases, literally everything you’d ever want to do anywhere else. You’re gonna find it in the government and you’re gonna find it at a huge scale.

So if you can solve it for the government, financial services, healthcare, retail, manufacturing, you’ve got those in the bag.

Paul Roberts (Security Ledger): I think when folks think about Intel as a, supplier to the federal government their assumption may be like Intel chips are in stuff that the federal government buys. And maybe, in the defense contexts, there are, more direct, they need specialized types of chips for specialized types of, weapons or something like that.

It’s actually a much broader relationship than that. So talk about what are some of that you talked about translating Intel technology for government purposes and also translating government, mandates for Intel. What types of stuff do you get dragged into?

Steve Orrin (Intel): So that’s a really good question, Paul, and one once starting out with one assumption. Most people know Intel for the chips, and that is a lot of what we do is build chips that go into quite literally everything from the edge to the cloud, the network, and everything in between. But Intel is actually so much more as part of the platform.

Other components like FPGs and GPUs, other hardware parts as well as a lot of the software that you take advantage of, whether you’re running commercial products or open source, was either developed by or optimized by Intel engineers. . And so we actually have one of the larger in software development organizations globally working on developing software.

So when we look at the, to your question of how do we help the government, when we look at things like containers in a cloud-based architecture or being able to do end-to-end, so edge sensors to backend cloud infrastructure across the dynamic. Network environment. We have hardware, software and ecosystem partners at each stage of that.

So a lot of it is helping them to adopt the best parts of technology and to integrate it into their existing infrastructure. So we’ll do a lot of advisory role, cuz in most cases, the government and really for that matter, most industry doesn’t buy direct from Intel. They don’t go buy it from, they go to Delaware, HP, or they get their services from Amazon or Azure or Google.

And so in that respect, we play a lot more of an advisory role where we help them pick the right technology to meet their needs, but also we’re on the forefront of advancing innovation. So the next generation of computing capabilities, one example right now that’s really hot is confidential computing which is the ability within the cloud or even in a bare metal system to protect the data and the application, even from physical adversaries or from rogue admins from other tenants with hardware enforced security. And we’re seeing this become pervasive in the cloud architecture, helping the government figure out not only how to adopt and skill it in their specialized environments, but also figuring out what mission applications need and how will you transition something that may have been designed 10 years ago and now just made it to the cloud. How do we move it into a confidential computing container? And so we’ll work closely with them to figure out the, both the architectural needs as well as what’s the right ecosystem partners. Should they go an open source route with something like Gramine to do a wrapper?

Should they buy a product from one of the various vendors that are doing confidential computing services, helping them adopt the right technologies? A lot of what we do and in some really fun cases, we actually get to be able to do direct innovations. Let’s jointly figure out the right solution together to help scale it within that enterprise environment.

And so a lot of times it’s not just the conversations, we actually, can get engineers on task to go, build a customized prototype to be able to show the art of the possible there.

Paul Roberts (Security Ledger): When you’re interacting, when you’re talking about these cross-government initiatives who are you interfacing with? Who are you talking to and is there a decider ultimately in terms of shaping or directing government, acquisitions, technology, investments, and so on.

Steve Orrin (Intel): So Paul, it’s very interesting and you’re right the federal government doesn’t operate like a bank where there’s one CIO and he or she makes the call, they have the budget. Maybe there’s one CISO who creates the requirements at the same

Paul Roberts (Security Ledger): Many cooks in the kitchen.

Steve Orrin (Intel): Many cooks in the kitchen. But it really comes down to is understanding first and foremost, there’s sort of two major buckets in the federal, especially in the DOD space. And many of the agencies even on the civilian side is there’s the mission area and the enterprise. So the enterprise area is the what you would typically expect from a corporate in entity. Email communications being, storage database, enterprise applications, hr, the stuff that runs the business side of the operation, whether that be, communication out to the field, making sure you can get onto your system.

So all of that kind of work is typically housed in a CIO like office. And there’ll be the macro like DISA under DOD, the defense inform. Security agency will own the architecture and then the individual services will have their CIO organization that will manage the enterprise side.

The other side of the camp is the mission, and that’s honestly we’re a lot more of the activity and the customization and a lot of those silos are cuz you know, what you need to do for a joint strike fighter is different. What you need to do for a radar station, which is different from a ship as well as different from what you would do on, on, on shore at a base.

And so you’ll have very specific requirements and technology architectures for those mission needs. And so you, in that environment you’re talking to the program leads, the tech directors, the, the s e s the civilian executive. That is in charge of the program, and they’re the ones who actually have the budget.

So when you think about, you know, Joint Strike Fighter as an example, that’s owned by the, by a particular program office that’s driving the budget and the requirements and that you wanna be talking to their architectural leads and technical directors there’s gonna, there’s a blurred line there because a lot of times the things you want to do at a particular location are managed by, or hosted by enterprise, but then deployed by mission.

So you talk to both sides, you wanna make sure they’re both working together. but in the government, you definitely go where the money is because they’re the ones who ultimately have the say. The other thing to keep in mind is that the oftentimes you think I’m gonna go to who’s currently spending dollars.

The key thing in government is to remember that when, that by the time they’re spending the dollars and they’re buying or deploying things, the des, you know that’s already of a complete design. There’s opportunities for future refreshes, but really the design for things that are getting deployed happens years in advance.

so it’s getting there early and helping them understand what’s coming. So when they’re ready to deploy, they’re ready with the right technology at that right time. So it’s a very different sales motion or in the, in my case, more of a advisory motion and technology insertion motion.

Paul Roberts (Security Ledger): You need to be a little bit of a futurist in some ways. You’re thinking not just about what things are today, but actually where we’re gonna be four or five years from now, when the gears actually start turning on this.

Steve Orrin (Intel): Absolutely. And then realizing that some of these platforms exist for 20 years beyond, we’re still flying F 22s, and so they have a long life.

Paul Roberts (Security Ledger): Yes, Ukraine has really brought all of that to the fore, right? You’ve got hardware and software out there that’s 20 or 30 years old. That is still pretty important.

Steve Orrin (Intel): and still operating.

Paul Roberts (Security Ledger): And still operating. Yeah. Yeah. So one of the things I think that, that has really and I’ve been covering cybersecurity for a couple decades now and obviously writing about it in the federal context but one of the things that strikes me that is really changed in the last five or six years is this shift to talking about software supply chain sort of shift left in terms of the focus in cyber. For many years it was really just focused on keeping bad guys off of government and military and intelligence networks with solar winds, right? That whole conversation changed and I think it was a real awakening. Obviously supply chain security, both on the hardware and software side is probably something that is not a new topic to a company like Intel.

How do you see that evolution in the conversation in the government space? And then what is your message really to, your federal partners and also back to Intel on what changes need to happen? What needs to get done?

Steve Orrin (Intel): And Paul you hit on it. Right there. SolarWinds was a wake up call for the industry and for the government on the what could happen. And then we shortly thereafter Log4j just, put the nail in the coffin on being able to keep your head in the sand on supply chain security.

Paul Roberts (Security Ledger): It should have been HeartBleed but , you know, sometimes you need a few reminders.

Steve Orrin (Intel): The good news is that it’s wasn’t for the folks on the government security side, they’ve been talking about supply chain security and looking at it for some time. And it, the idea of supply chain is not new. There’s long, long history of supply chain risk management. The challenge had been is that a lot of it had been mostly focused on things, not even the chips side of it, but the physical. Where did the wing come from? Where did those, the rubber for those tires come from? So looking at supply chain, and a lot of it was also availability, sustainability making sure it was the right quality.

So if you think about even the early examples of supply chain in the space race, knowing that you’re getting that, that screw from the right vendor so that it doesn’t break on those. And there were big examples of faulty equipment that was sourced from I illegitimate sources because they didn’t test it to the right or they didn’t use the right material.

So the idea of supply chain isn’t new. What was new is the hyperfocus on software and on the, and following that micro electronics and the whole technology. Supply chain. And so that sort raised the bar for the tech industry to come along for the ride that the other industries had been thinking about.

But it also changed how the acquisitions, so you think about acquisitions and what you would be buying. It was, you buy the product, you deploy it, and then you manage its security. You didn’t really ask the really hard questions of the vendors. What’s in the box? That never was a question that was part of the acquisition process.

It was I’ll look and see if there was some risks out there before, or if I’ve seen some known good practices and I’ll implement those on acquisition. But the switch besides requiring stronger visibility was, there’s a push now to change the acquisition rules so that supply chain risk management is one of the first steps and the vendor having to adhere to some requirements is part of contract language.

And it really comes down to you gotta put your money where your mouth is. And so that’s what the government’s doing in the executive order and the cybersecurity memorandums is, laying out the plan, but also in telling OMB and telling DOD acquisitions, there needs to be a change to the process for buying things and starting with software.

And it’s what we’ve seen is this really strong, and if you think about how long it normally takes standards to happen, The fact that we’re looking at a fairly mature looking SBOM being worked on right now, and the timeframe we’re talking about is a rapid move considering how long it normally takes standards to come up out.

The government has basically said SBOM is going to be, or something close, with these requirements is going to be the requirement and it’s gonna be incumbent on the industry that sells to the government relies on government funding to implement that. And what’s at the heart of SBOM m It’s this notion.

Visibility. That’s what they’re really asking for. Everyone gets wrapped up in the standard, but at the heart of it is you can’t secure what you don’t know.

Paul Roberts (Security Ledger): right.

Steve Orrin (Intel): And the I think it’s important to know that the idea isn’t that the government wants to know all your parts so they can replicate your product.

But at the end of the day, if I know what you have in the part taking Log 4j as an

If I know that your product has Log4j, the second that a Log4j 2.0 vulnerability is. I may not be able to patch it today because I’m still waiting for the vendors to do their job to patch it, which is normal.

But I can immediately implement mitigating controls. I could do product specific monitoring. I could set my sensors to 11 for that period of time to be able to mitigate that risk. At least partially until I’m a patch is available, cuz I have a known vulnerability that I’m able to identify. , and that’s the key.

The key is not that I’m going to not buy that product anymore. The key is I’m gonna be able to close that horrible window of exposure while the normal good process of validating and testing the patch and getting it deployed, happens. And that’s the aha of what Sbam really brings to the table. The challenge, of course, is that this kind of architecture is gonna, you don’t wanna fall into the trap of there’s a new artifact.

You get it shipped with the product and then somebody does a checkbox. Yep, we got the sbam and nothing else gets done. Cuz then no value is extracted. So

Paul Roberts (Security Ledger): There’s. right the checkbox security problem, right? Whether PCI or something else, anytime you’re boiling things down to you have to do, a, B, C, and D in some ways you’re disincentivizing people to look beyond A, B, C, and D, right?

Steve Orrin (Intel): Exactly. And that’s why the government took an initiative to publish guidance for both the developer community that’s building products to adhere to Sbam, but also for the consumer. The, not cuz we’re like a, an individual, but the organization or the customer of that software of how to operationalize sba.

And so we’re seeing documentation like from E s F and from. on not just the developer and supplier side, but also on the IT management side. Here’s what you do when this artifact shows up. Here’s how you integrate it into your asset management process, your vulnerability management and risk management processes, and here’s what it needs to do. Every update, every upgrade, that guidance is really at the heart of how do we actually get value out of this work that we’re all doing.

Paul Roberts (Security Ledger): Okay, so you raised a lot of really interesting points. A lot of this comes out, a lot of the guidance comes out of the President Biden’s executive order, May, 2021, what are the conversations there at Intel on how to comply with these new requirements. What role SBO M is going to play, how you are going to operationalize that across such a huge organization software, as you said, one of the largest software makers in the world, and then of course, you know your hardware business as well.

But where are things right now with it? I know just from reading, particularly in the sort of gov tech press, that a lot of vendors are pushing back against this self attestation thing and saying, hold on, before we self a test we don’t wanna get hung out to drive for this.

Give us some more guidance. Give us some more wiggle room around. Attesting to the security of our supply chain. And then maybe we’ll feel more comfortable doing it. So where I’m sure these are conversations Intel’s having where do things stand?

Steve Orrin (Intel): So it’s a really good question. And Intel, along with the rest of the industry, is looking to make sure that we are in compliance with the government requirements when they become mandated and are working directly with both government and our peers. Not just the ones that are our partners and our suppliers, but the broader ecosystem.

Our competitors are all in the same boat of trying to make sure we provide the right consistent capability to the federal government. Because if broad common Intel and Nvidia and a MD all do a different thing, it doesn’t help anybody. So we’re working together as an ecosystem to the federal government to make sure, number one, that the requirements they put.

Actually are achievable because there’s, how many times have we seen policies don’t actually equal technology to the self Fest Station is a good example. Make sure they’re very clear on what they’re asking for. A lot of times what they, the intent of what they want is something that where the custom the supplier saying, here’s what’s in the, what I’ve done for this particular software.

When you say the word self attestation, a lot of times that gets blown up into a lot bigger thing. I’m willing to put my badge on the line for your security, which no ones do because security is a constantly evolving thing. So a lot of it comes down to, understanding the terms that are used and making sure that the liabilities and the regulations mapped to what you actually will get.

Cuz there’s no piece of paper you’re gonna get from a vendor that’s gonna say you’re a hundred percent secure. Or this product will never have a vulnerability. And that’s making sure that those requirements filter to the very macro, high level. Cuz at the end of the day a a procurement requirement isn’t gonna go into the gory details of the intent.

They’re gonna say you should have a self at station. So it’s a lot of negotiations are getting the terminology right so that everyone’s a in agreement. The other, a lot of the other is making sure. The understanding of what needs to be in the sbo m it’s clear you need to have your dependencies, what your dependence, dependencies, how far down the rabbit hole is, needs to be defined.

And also where it gets to be really interesting is, so who’s responsible? Give you example. Let’s say I’ve, I’m using a software pro, an open source tool, so I referenced that and that open source tool uses three other open source tools as dependencies. Am I responsible for identifying those or can I rely on the open source tools?

So that sort of, again, it’s not just the rabbit hole, but the permutations down that rabbit hole is something that we’re still figuring out. Where do you, who’s responsible for it? The DA information’s there, and this is one of the things when I first brought up and a couple other folks that have involved in this, brought up the idea of s Bump Tel a while ago, number one, the data’s all there.

So as any mature organization knows what’s inside their boxes, you can go look at your source repositories.

Paul Roberts (Security Ledger): key term there is mature organization, but yes, you’re right. certainly Intel does. Yeah, . There might be some other ones that don’t.

Steve Orrin (Intel): And I can tell you, having been on the startup side, early in my career, you were immature until you were ready to be acquired, and then suddenly you need to know exactly. So a lot of companies are in that stage where they know what’s in the, if you’re gonna sell to the government, you have to be already a certain level of maturity.

The challenge isn’t knowing it. It’s about collecting it and getting into a place where you can actually create a document that comes along for the ride. It’s often siloed inside organizations as the developers are building their products. So a lot of it was not technical innovation, but the coordination of collecting the information at a proper gates.

And so you’ll see from Microsoft and Intel and all the big technical players is a statement. They’re gonna support Sbam at a certain date when the government. requires it. We’re gonna work together as an industry to give them something that’s not just standard compliant, but actually usable.

And I think that’s the other thing is making sure we get the interoperability testing and we figure out how you’re gonna do parsing a hashing. All those kind of things have to be worked out. And we’re, we and our peers are all on the consortium and the associations and the standards bodies working together to help the government achieve its goals.

Paul Roberts (Security Ledger): Because the information is only useful in so far as it’s actionable isn’t in, in so far as the people you’re handing it off to can say, okay, here’s the information we’re getting. What do we, then, what’s our response to it? Then either remediation or patching or what is, what have you.

Steve Orrin (Intel): And, but one thing that I have noticed on the government side is that there, there is a team, they’re, buried in the information assurance sides of those CIO offices that have the task for supply chain risk management. What’s interesting is that they’ve been elevated in essence by the mandate to be part of the acquisition process.

They’ll still sit in, so it used to be like there was a threat information feed that they’re making sure that it’s legitimate software from a legitimate. Supply chain risk management now becomes a much more important part. And so it’s those folks who are more actively involved now in this sbam documentation creation and working with the industry on the guidance, cuz they’re, they gonna be the receiving end of that ultimately.

So the acquisition person will get the document and they’re gonna just hand it right over and say, Hey, supply chain risk management… tell me about this. Is this good as the first step? And then that will get passed on to it to operationalize it, at. And so I think that’s, that’s part of what we are seeing inside the government is a real strong focus on getting those teams ready to rock and roll when this happens.

Because procurement by itself is contracts. The tech, the risk management side is really the part that’s gonna do that upfront analysis.

Paul Roberts (Security Ledger): Obviously, as we said, many cooks in the kitchen in the federal government IT space. And then every four to eight years, the head chef changes as well.

You might go from a Gordon Ramsey to a Jacques Pepin or something like that. , and then it might change again. And these executive orders, these days it’s much more common that we’re seeing, policy quote unquote in the form of an executive order rather than in passed legislation.

It’s tougher to get things through Congress. The Biden administration’s executive order would expire when well would need to be continued by the next administration. , and yet there’s some really big stuff in there, and companies are spending a lot of money complying with it even though there’s no guarantee that it will hang around.

So how do you deal with that? As a company like Intel, that again is investing significant resources in this, trying see the beyond. This is the executive order, but here’s the stuff that’s likely to stick around and here’s the stuff that maybe will go away.

Steve Orrin (Intel): So it’s a, it’s an interesting question. I think one of the things that was really what I like about the structure of the 14028, the executive order is it was more than “thou shalt go off and do good things.” This was, the one plus addendum and the memorandum that came out later. You need to have a plan and it needs to be executed or start executing that plan by a certain date. There needs to be far, federal acquisition regulation changes. So what they’re doing is not just saying, you’re gonna, we need to aspirationally do something here, but we are going to change the way we do business.

And once those changes into the far happen it’s not something you quickly just undo with an a new executive order. And it’s actually good practice. We’ve seen the agency heads all come online and say, yes, this is something we’re gonna support. And so the fact that you have the, the parts of DHS and the intelligence committee and DOD collaborating together at the doer level, not just at the executive office.

To go make this a reality means that it’s gonna be, by the time, if there’s a new administration, it will already be not just a nice piece of paper, but actually in flight. And so I think, and that’s one of the things that makes this more real than some of the other aspirational, which are still important to do, but there’s actually real teeth here is, or get this done.

Paul Roberts (Security Ledger): What are your big initiatives for 2023 and beyond?

You being Intel, not you being Steve. Although both are fine to throw in there , what are what are the big things you need to check off your list this year?

Steve Orrin (Intel): I think anyone who’s looking at the micro, the semiconductor industry, the CHIPS Act is the most exciting thing happening right now. It is a game changer for both the government taking a hyper focus on making sure that the domestic supply chain is sound available and at scale. And I think it it really showed the focus that we need to get ahead. COVID really lit the light. on what, how fragile some of the supply chains are across the industry. Not just semiconductor, but even the, the metal that wraps the servers. A lot of that. And having available access in domestic capability, both, both commercial and defense uses.

And so CHIPS Act is the game changer as far as really driving domestic foundry, domestic fabrication, domestic packaging for the broader semiconductor technology industry. Obviously Intel is a key player there, but so are the memory developers. So are the legacy node developers. There’s gonna be a lot of activity over the next year as commerce comes live with CHIPS Act. And other major initiatives really try to reinvigorate the domestic semiconductor industry, and it’s the broader the boards, the systems. It’s more than just the chips. Although we like the chips part. So I think that’s gonna be one of the biggest focuses as an industry is helping the US government be successful in its endeavor here.

I think for personally, one of the things that you know is exciting, you can’t, one of my social architects just sent me a list of all the news articles on Chat GPT just to say, here’s how, busy the news media has been. But I think it’s important to see that AI is changing the way we do things.

And I think ’23, we’re gonna start to see the glitz and glamor move to real world implementations that actually make a difference, whether it be in, chat bots to better facilitate he. To, better intelligence gathering better sensing. And so I think, the application of AI at scale.

Is really some of those things that we’re gonna see game changer starting in 23 as we move from the really cool proof of concept and pretty responses to, to article requests, to actually real world business and technical app applications where AI can make a difference in both people’s lives in, saving them and being able to affect mission and enterprise at scale and getting those efficiencies and the computing power that’s is there, whether it be cloud, high performance computing, edge computing to enable those kind of use cases. So that’s for me and where, a lot of my day-to-day isn’t gonna be solving, building a factory that’s, there’s a people who will do that.

I’m trying to see how can I help the government adopt these ne next gen technologies securely to be able to actually go from lab to real world.

Paul Roberts (Security Ledger): What do you get asked about? I what are you hearing when you go up on Capitol Hill or when you talk to people in, in DC in the departments? What are their questions? What are they asking you about?

Steve Orrin (Intel): It really, I think there’s three areas I get asked among most and honestly, top of the list is security. It is on everyone’s mind. You can’t, it, every system is targeted. Everybody’s being targeted. So I get a asked oftentimes, “How do I secure my systems better? How do we stop the next data breach, ransomware supply chain attack?”

And then of course, the buzzword du jour is zero trust. So what do I do about this thing? . And so a lot of the conversations are helping to educate on what the technologies can do for you today, what the technologies will do for you in the future. And where, and one of the things that’s in the last, say, six months that’s been really interesting is they’re at the point now where they’re ready to do something.

And so the first question they ask is, okay, where do I start? What’s the first thing I do? Because it’s, there’s too much. You get the read the documents on zero trust architecture and your head blow explodes. What do I, where’s the right place to begin? And then once you start, implementing what’s the next step?

And so how can we help them as an industry adopt the right technologies in the right order so they’re not trying to boil the ocean. And then supply chain is, that we wanna know where this, where are parts and pieces and technologies coming from. How are they being developed? How are they being packaged and giving them a level of comfort and like I said, that transparency, that visibility so they can make proper risk decisions.

And that’s been something that Intel and our supply chain and our peers have been working on is how do we give them the transparency they need to make better decisions about risk management.

Paul Roberts (Security Ledger): Okay. So if you were out talking to a, federal CIO or maybe even a, an enterprise CIO or cso, they’re asking you about the supply chain question. What would your advice be? What would you tell them where to start?

Steve Orrin (Intel): So the first place I tell them to start is ask your vendors until included for transparency, tell me what’s in the box. We have things like Sbam coming in, software. We’re a little bit further out on firmware and even further out on a standard from NIST on hardware. So Intel took an initiative to actually create something called Transparent Supply Chain, which is a certificate artifact for a server or a laptop where we can tell you what’s in the box, where the network card came from, where the F P G A or the, the controllers come from, where the memory come.

You basically pull that together with the firmware. That’s the key thing. Hardware comes with firmware, and it’s not just the bios, but every card in your computer has its own firmware. So linking that together

Paul Roberts (Security Ledger): And where did that come from? Right?

Steve Orrin (Intel): Exactly. And so just being able to give you transparency. What’s the bill of materials for the hardware you’ve got so that you have that information as part of your acquisition.

So that’s been something we’ve been pushing and helping to educate. So step one is transparency or visibility. So we give you visibility. They ask for . Two sides of the same coin. And then from there it start to. Risk decision. So plugging that information into your risk management, whether that be acquisition risk upfront, or more importantly, the ongoing operations risk management.

So it’s not that you’re gonna not buy a server from a particular vendor, but knowing what’s inside the box, you may make different decisions about the controls you put in place or the security, the encryption, the access control you need to do based on the that information and that, I’m not saying that anything, anyone is bad or good, but it’s more information is better in that.

And a lot of times, especially in this current environment, there’s, they wanna know what’s coming from Asia? What’s coming from Europe? They wanna know what, where, what region things are coming from. Because there is a hypersensitivity right now. I don’t, when I enlighten them on the fact that, it’s everything is in everything.

There’s no way to get a, a Virginia only sourced anything these days. It’s then about how do I, what do I figure out as the most critical components I care about. The thing that turns on the lead lights on the front of the server, is that important to be sourced only domestically? Maybe not. And those are the kinds of questions.

And so it really spurs a conversation, which is really what we want to have, and that’s the conversation we want to have, is help them understand the critical components that actually impact their mission, security and mission assurance.

Paul Roberts (Security Ledger): Let me, final question, let me ask you, put your kind of future goggles on and we were talking about that got very good. They got ’em on. We were talking about the CHIPS Act. On the one hand we’ve all become very accustomed to thinking of, globalized economy.

And, our iPhones are manufactured in China from components that are, really sourced all over the world. On the other hand, It was only a few decades ago, maybe two, two and a half decades ago that, Dell and HP were mostly making their, PCs and desktops, their laptops and desktops from components that they sourced here in North America. So are we gonna get back to that? Or not so much?

Steve Orrin (Intel): So I can’t speak to every vendor, but I can tell you the vision both from Intel, but also from what chips a and the other contracts that they, that the the d od and federal government put out are looking at that future vision where the key technology of that’s driving our infrastructure.

The cloud, your desktop computer, and even your mobile device could be manufactured wholly in the, in domestic. Maybe even domestic and Allied nations so that you could get a locally sourced product without spending a million dollars on an iPhone. That is the vision. That doesn’t necessarily mean that there won’t still be a couple of the, like small micro controllers that are sourced from other locations.

But they’d be known supply chain and they would still be manufactured and com and packaged in the US as an example. The other thing to keep in mind is that, and this is something our CEO had talked about in the announcements around his I D M 2.0 strategy. It’s when we talk about building factories and capacity in, in Ohio for example, it’s not just to build Intel chips.

Part of the whole vision of CHIPS Act is to be able to open that found. For the other chip manufacturers so that Apple could build its chips on us. So a M D and Nvidia could build their chips on Intel Foundry again to take advantage of that domestic capacity versus having to move everything over to Asia.

And while there’s obviously a government need for having domestic capability and availability, there’s also an efficiency in the sense that if the right structure’s in place, it’s faster cuz it’s already here and there may, and as far as the coordination and the complexity of your supply chain, having it local breeds efficiencies in the systems.

At the same time, the reason you, a lot of this stuff went overseas is obviously for the cost and so other factors.

Paul Roberts (Security Ledger): labor costs and so

Steve Orrin (Intel): And labor cost and other implications to service those markets. And I think what it, what the chips is truly trying to do, and this is my humble pigeon opinion, not necessarily that of Intel, is that it’s gonna open the door for bringing that efficiency onshore.

And I think that’s the aha. So in theory, in some future that you could get an iPhone fully created, package put together and sold to you from the. Source. And that I think is the ultimate vision of CHIPS Act and the other parts of, the SCIENCE Act and so forth to help enable not just the most state-of-the-art chips, but the broader ecosystem of semiconductors that’s necessary to make that happen.

It’s not gonna happen overnight, but that’s the where the investments in the breaking ground today is gonna get us to.

Paul Roberts (Security Ledger): Steve, is there anything that I didn’t ask you that you wanted to talk about or wanted to say?

Steve Orrin (Intel): No, Paul, I think this was a fascinating conversation. And thank you for the key leave behind is that the government is really trying to push the industry towards better supply chain risk management, better security to meet its needs. But it’s not trying to do this in a vacuum.

It’s working with industry so that collectively we raise the bar for every vertical market, not just for the federal government.

Paul Roberts (Security Ledger): Steve Orrin, federal Government, CTO at Intel. Thank you so much for coming on and speaking to us on Security Ledger Podcast. We’ll do it again.

Steve Orrin (Intel): Yes. Thank you very much, Paul, for having me today.


  1. Pingback: March 24 | cybersecurity update

  2. episode is much better than previous one, I like the voice quality too.