Securing a Silicon Pathway: Addressing Supply Chain Risks in Strategic Field-Programmable Gate Array Chips

A. Kidd, C. Lee, and B. Schneier

Atlantic Council Cyber Statecraft Initiative, July 30, 2025.

EXECUTIVE SUMMARY: Field-programmable gate arrays (FPGAs) are specialized computer chips critical to the US economy and national security. FPGAs are vital components in American military systems like the Javelin anti-tank missile and F-35 fighter jet, American-built automobiles like Volvo’s EX90, and cloud computing systems like Microsoft Azure. However, the supply chain for FPGA chips designed and used by US firms faces serious risks, particularly around cost, availability, and security, which have not been analyzed in depth from a policy perspective.

Contemporary analysis has largely focused on leading-edge logic chips, relying on assumptions about semiconductors that are not valid for FPGAs due to their unique flexibility and longevity.

This report analyzes the FPGA supply chain for US firms and the trade-offs these companies make among risks to cost, availability, and security; assesses how those trade-offs will change given a shifting global environment; and recommends policy interventions for the US government.

Overall, US firms tend to prioritize cost while significantly underinvesting in addressing substantial security and availability risks. Security risks are high given FPGAs’ technical complexity. Availability risks are largely driven by geographic and supplier concentration. Over the medium term, the People’s Republic of China’s (PRC’s) ongoing build-out of lagging-edge semiconductor manufacturing capacity will reduce FPGA costs, but this incremental boost in capacity will carry additional availability and security risks. In short, firms will continue prioritizing short-term costs and create negative externalities from availability and security risks.

US government intervention is required to build resilience against availability risks and develop technical measures that mitigate security risks, especially given increased PRC involvement in the FPGA supply chain. We recommend that the US government secure the US FPGA supply chain, protect critical national security capabilities and substantial economic industries, and continue to support American global technological leadership through four linked policy interventions:

  1. Use existing government infrastructure as a data-sharing and analytics hub for FPGA supply chains to improve situational awareness and future policy interventions.
  2. Invest in long-term efforts to improve the technical security of FPGAs.
  3. Build a stockpile of critical FPGAs for military and commercial applications to provide bridge capacity in the event of supply disruptions.
  4. Launch cross-sector planning efforts for potential supply disruptions to accelerate recovery.

These initiatives, coordinated by the Department of Commerce or Defense, should serve as a pilot for developing supply chain interventions for other critical technologies and industries.

[full text – PDF (Acrobat)]

Categories: Miscellaneous Papers

Sidebar photo of Bruce Schneier by Joe MacInnis.