As the importance of semiconductor technologies continues to grow, so does awareness of the risks associated with
global supply chains. Organizations are increasingly confronted with the question of how much trust they can place in
the design and manufacturing processes of critical components.

One of the concepts emerging in this discussion is auditability—understood as the ability to verify the course of
technological processes. In practice, however, both its role and effectiveness raise significant doubts.

Below we present an expert commentary by Professor Romuald B. Beck, addressing these issues from both a
practical and systemic perspective.

“I will begin with a rhetorical question: would any reasonable person agree to help carve a stick that could shortly
be used to strike him? Hardly anyone would. If that is the case, why are we surprised that, during the
manufacturing of many microelectronic integrated circuits, undisclosed backdoors and various types of supercontrollers
are embedded—accessible only to the security apparatus of the country in which the chip is produced?
To be clear, this does not occur exclusively in factories in China; it happens everywhere, as it is both logical and
aligned with the national interests of the producing country.

I recently heard the argument that this risk can be mitigated if the “technology is auditable at the place of its
implementation”. I am convinced that anyone presenting such a claim—suggesting that the security of integrated
circuits can be guaranteed simply by designing them in a controlled environment (within a specific country, by
designers holding appropriate security clearances)—does not fully understand the issue. What would such
“technology auditing” actually entail? Who would allow external parties onto a production line to observe closely
guarded trade secrets?

In theory, modifications introduced into an integrated circuit could be detected by inspecting all lithographic masks
used in the manufacturing process. But how can one be certain that the masks made available for verification are
exactly those used in production? Moreover, it is possible to introduce additional structures that are not present on
the masks themselves.

Another approach would be to verify the finished integrated circuit. However, in both cases, such verification is far
from trivial—it resembles searching for a proverbial needle in a haystack. Locating a small, covertly added supercontroller
within a system containing tens, hundreds of millions, or even billions of transistors is an extremely
demanding task. It requires significant time, highly specialized (and rare) expertise, and access to advanced
laboratory equipment. While there are specialized firms capable of performing such analyses, the associated costs
and time requirements render their use for this purpose largely impractical.

Furthermore, even after a successful verification, one can only be certain that the specific chip tested is secure.
Other chips —even from the same production batch—may not be.

It is also important to note that the risk of interference does not end with the fabrication of the chip itself.
Subsequent stages, such as assembly and packaging, also create opportunities for unauthorized modifications
affecting the functionality of the system. It is no coincidence that Intel’s plans included not only a chip fabrication
facility in Magdeburg but also an assembly and testing line in Miękinia (near Wrocław). The intention to localize
the entire production process within Europe was, among other reasons, a significant value proposition for
customers that Intel sought to address.

What conclusions can be drawn from this? Simply put, the ONLY method that ensures the SECURITY of
microelectronic integrated circuits is to both design and manufacture them—including fabrication, assembly, and
testing—within the same country, in institutions specifically prepared for this purpose.”

The above analysis leads to a clear conclusion: the concept of auditability of production processes is, in practice,
largely illusory and cannot serve as an independent guarantee of security.

In practical terms, this implies the need for a broader perspective on risk—one that encompasses not only control
mechanisms but also deliberate decisions regarding the location and organization of the entire value chain, from
design through manufacturing to testing.

In the context of growing geopolitical tensions and the increasing strategic importance of semiconductor
technologies, this issue will continue to gain significance for both the public and private sectors.