“According to the GAO, the number of F-35 parts delivered late skyrocketed from less than 2,000 in August 2017 to upward of 10,000 in July 2019. At one point in 2019, Pratt & Whitney stopped deliveries of the F135 for an unspecified period due to test failures, which also contributed to the reduction of on-time deliveries.
And those supply chain problems could get even worse as Turkish defense manufacturers are pushed out of the program, the Government Accountability Office said in a May 12 report.”
“Lockheed Martin’s F-35 Joint Strike Fighter is on the verge of full-rate production, with a decision slated for early 2021. But a congressional watchdog group is concerned that as the company ramps up F-35 production, its suppliers are falling behind.
The number of parts shortages per month also climbed from 875 in July 2018 to more than 8,000 in July 2019. More than 60 percent of that sum was concentrated among 20 suppliers, it said.
“To mitigate late deliveries and parts shortages — and deliver more aircraft on time — the airframe contractor has utilized methods such as reconfiguring the assembly line and moving planned work between different stations along the assembly line,” the GAO said.
“According to the program office, such steps can cause production to be less efficient, which, in turn, can increase the number of labor hours necessary to build each aircraft,” which then drives up cost, the GAO added.
Those problems could be compounded by Turkey’s expulsion from the F-35 program, which was announced last year after the country moved forward with buying the Russian S-400 air defense system. Although Turkey financially contributed to the development of the F-35 as a partner in the program, the U.S. Defense Department has maintained that Turkey cannot buy or operate the F-35 until it gives up the S-400.
Ellen Lord, the Pentagon’s undersecretary for acquisition and sustainment, had hoped to stop contracting with Turkish suppliers by March 2020, but in January she said that some contracts would extend through the year, according to Defense One.
While the Defense Department has found new suppliers to manufacture the parts currently made in Turkey, it is uncertain whether the price of those components will be more expensive. Furthermore, as of December 2019, the new production rates for 15 components were lagging behind that of the legacy Turkish producers.
“According to program officials, some of these new parts suppliers will not be producing at the rate required until next year, as roughly 10 percent are new to the F-35 program,” the GAO said.
“Airframe contractor representatives stated it would take over a year to stand up these new suppliers, with lead times dependent on several factors, such as part complexity, quantity, and the supplier’s production maturity. In addition, these new suppliers are required to go through qualification and testing to ensure the design integrity for their parts.”
The F-35 Joint Program Office disagreed with the GAO’s recommendation to provide certain information to Congress ahead of the full-rate production decision, including an evaluation of production risks and a readiness assessment of the suppliers that are replacing Turkish companies.
In its statement, the JPO said it is already providing an acceptable number of updates on the program’s readiness for full-rate production.
Hard times for the F-35’s engine supplier
Not all F-35 production trends reported by the GAO were bad for the aircraft. Since 2016, Lockheed has made progress in delivering a greater proportion of F-35s on schedule, with 117 of 134 F-35s delivered on time in 2019.
However, one of the biggest subsystems of the F-35 — the F135 engine produced by Pratt & Whitney — drifted in the opposite direction, with a whopping 91 percent of engines delivered behind schedule.
At one point in 2019, Pratt & Whitney stopped deliveries of the F135 for an unspecified period due to test failures, which also contributed to the reduction of on-time deliveries.
According to the Defense Contracts Management Agency, “there have been 18 engine test failures in 2019, which is eight more than in 2018, each requiring disassembly and rework,” the GAO wrote. “To address this issue, the engine contractor has developed new tooling for the assembly line and has established a team to identify characteristics leading to the test failures. Plans are also in place for additional training for employees.”
“The Navy has been awarding contracts faster since the start of the coronavirus pandemic, but one of the biggest gains has been systems that can assess supply chain weaknesses, according to James Geurts, the Navy’s acquisition chief.
Geurts said doing that allows the Navy to “see what suppliers are at risk. When we understand that, we can start managing those potential delays into our supply system.” That information is then used to inform continuing operations, move supplies if needed and understand when suppliers are back online.
Geurts also said the Navy has geographically networked all of its 3D printers, which provides insight into where the need is on the local levels, “ensuring that we’re not competing or conflicting with each other.” Many organizations are using 3D printers to fabricate parts for medical devices and other needed materials that are not readily available through existing supply chains.
With contracts going out faster than anticipated, Geurts also said the Navy has been examining its business practices, learning how to better collaborate, reduce backlogs and not duplicate functions. All of that will hopefully aid in a faster recovery from the coronavirus, he said.
“Ships still have to come out on time, we’ve got to do the maintenance and continue to supply lethal capabilities to our sailors and Marines, and we can’t afford to lag the recovery.”
“Although the U.S. government is working to prevent foreign telecommunications firms like Huawei from building 5G networks in the U.S. and abroad, there are still few answers on how to secure the government’s technology supply chain, according to federal Chief Information Security Officer Grant Schneider.
“Could [a company] come under the influence of a foreign adversary in any way shape or form? Is there quality where we need it to be? … How do we ensure their supply chain and the parts that they’re taking in and putting inside their box are actually the parts they’re expecting?” Schneider said at the Fortinet Security Summit, produced by FedScoop and StateScoop. “I don’t think we have an answer on what are the solutions to all those [questions.]”
The administration also isn’t clear yet on whether the government itself should be assessing which contractors are meeting requirements, or whether that assessment should be completed elsewhere, according to Schneider.
“As we look at our supply chain and we look at what our supply chain programs need to have, there’s going to be a variety of due diligence,” Schneider said. “And I think one of the things we’re looking at in the government is how much of that do we put on our providers.”
As far as whether the pendulum is swinging in the direction of government involvement or contractor control over supply chain decisions, Schneider does not think the government is in a position to presume suppliers and subcontractors are meeting supply chain requirements upfront.
“I’m probably not going to directly trust you’ve done them all,” Schneider told CyberScoop on the sidelines of the event.
It’s not just the tech that the government needs to worry about. When it comes to a recent case of two former Twitter employees who were charged with spying on Saudi dissidents on behalf of the Saudi Kingdom, Schneider indicated the private sector has a large role to play. When asked what the Trump administration should be doing to thwart tech companies being allegedly used for foreign espionage, Schneider pointed to Twitter.
“I think everyone has … a responsibility for their workforce and to know the actions that their workforce is taking and need[s] to have ways to be sure that they … have the proper controls in place,” Schneider said.”
“It’s often said that the U.S. Department of Defense is the biggest buyer in the world. But the DoD also has among the most expansive networks of consumers of parts and supplies.
And the Defense Logistics Agency is charged with managing the bulk of those — from raw materials to spare parts; to fuel and sustenance; to the reutilization of military equipment and infrastructure; to the storage and tracking of inventories and suppliers.
With that in mind, securing the supply chain can seem like a game of whack-a-mole involving cyberthreats, counterfeit goods and a shrinking industrial base.
In the words of the DLA director, Lt. Gen. Darrell Williams, the supply chain “simply cannot afford to not be protected.”
Defense News spoke to Williams during a panel discussion and a one-on-one interview at the annual meeting of the Association of the United States Army in October.
How does supply chain security fit into the mission of the Defense Logistics Agency?
I just want to start the whole conversation by saying our motto at DLA is “war fighter first.” And so this whole discussion is all about how do we take care of our war fighters. And with that in mind, and understanding what a big problem security is, not just for the DLA but for the entire Department of Defense, we do in fact take it very, very seriously.
That’s the mindset that we have when we start talking about this issue on supply chain security. It obviously has several different levels for us. It’s our relationship with the over 12,000 suppliers that DLA deals with. It’s obviously all of our customers — foremost among them being the war fighter. But we also have other customers that we work with, like the whole of government. And so anytime you see hurricane and disaster relief operations that are happening that involve the Federal Emergency Management Agency, or FEMA, there’s a DLA component to that.
And so from our standpoint, the business of supply chain security is every bit as important as the actual support that we provide.
Talk about vetting suppliers. How do you ensure suppliers are who they say they are and don’t pose a risk?
It’s definitely a daily challenge, there’s no doubt about that. But we do have a very, very strong vetting process. I will say that nefarious actors are constantly challenging our ability to do that. As they change their tactics, we have to stay ahead of those. One of the tactics that was being used a few years ago was an issue of them trying to provide nonconforming parts. We had to find out who exactly those vendors were, stop that within the supply chain, and then find new vendors who could provide the types of products that our troops deserve and need.
And now they have moved on to yet another tactic, what we call “CAGE siphoning,” where they attempt to steal the identity of a legitimate actor [using the Commercial and Government Entity code] and have the funds transferred to their accounts. And so this is the challenge that we do face within the supply system. We’re doing everything we can in combination with the services that we interface with — with Cyber Command, and with others — to stay ahead of these kinds of issues. But no question about it, it is a persistent problem.
How far down in the supply chain is the biggest risk?
I mentioned that we deal with about 12,000 different suppliers. A vast majority of those suppliers are small businesses. A vast majority of those are second- and third-tier suppliers. And so often times it’s not the prime — the large businesses that we do business with. It is those feeder companies that are much, much more difficult to certify, and that is where the challenges come in.
How do we get both the subs and the small business primes that don’t have the resources of some of the larger businesses cyber compliant? Because this is coming, and they’re going to be essentially forced to do so in fiscal 2020. What happens when we have a small business supplier who does not meet National Institute of Standards and Technology standards, but becomes a sole-source supplier for a major weapon system?
I’ve talked with a lot of the larger businesses, and they feel pretty good about the suppliers that are in their down trace. They’re working with them on a daily basis, they’re getting them there. Many of them have already made it a qualifier to do business with them and, in effect, do business with DLA. But it’s the list of independent [suppliers] who don’t fully understand the requirement or don’t have the resources to get there and still remain very, very critical to DLA support to the war fighter.
Are Chinese investments in U.S. companies a threat?
You know, we focus a lot on China, and we focus a lot on some other countries, but what I would tell you is that technology has become so sophisticated that often times it’s difficult to decipher where the business is that you’re dealing with. You think you’re dealing with a company in the United States, but as you pull the string on it, by routing through three or four different areas, we [discover] they’re actually operating from somewhere else.
The other issue is, oftentimes, it has nothing to do with that country itself. It may be a nefarious actor operating from that country. And so it’s becoming increasingly difficult to isolate who the vendors are that you’re actually working with. That is one of our persistent problems.
How has new technology transformed how you manage logistics for the military?
New technology is part and parcel of what DLA does. We’re always looking for better ways to do business, to bring value to the Department of Defense and then more importantly, as I talked about earlier, to improve our performance so that we get what’s needed to the war fighter even faster. DLA operates nine different supply chains, and we provide almost all of the subsistence or food that our war fighters need, and we provide almost all of the bulk petroleum that they need. All of that involves some element of technology.
The DLA invested in [computer-programmed robotic process automation] more for our internal processes. We have three “bot teams,” each one of them capable of — after we have identified what we want them to do — putting in place and then monitoring about 25 different bots within the DLA processes.
We’ve found them extraordinarily helpful. It has the ability to increase production. We’ve used them primarily in inventory, in inventory reconciliation, reconciliation against our financial systems.
Another area where we’re experimenting with the bots is going from the person having to be sitting there the entire time to now having several of them that are able to operate on a 24-hour basis unassisted, with monitoring. We do also think it does have some applications to security. It can do much more, along with the artificial intelligence, of helping to monitor our network, and identifying patterns, for example, of nefarious actors that would then bring them to our attention and allow us to take further action in a way that perhaps, from a human standpoint, we would not be able to do so.
Is technology a necessity for managing the inventory?
DLA operates a network of about 24 distribution centers on a global basis, and the technology that we are using to run that global network of warehouses that feeds into and supports all of our military services is quite old, 25 or 30 years old.
And so one example is a new warehouse management system that we want to put in place that is going to improve our accuracy, it’s going to improve our accountability, it’s going to improve our support to the war fighter. That’s an example of a piece of technology that we will roll out over the next two to five years that will enhance that.
We would like to use an off-the-shelf capability, and we’re going to try to not customize that as much as we possibly can, but it does have to meet all of the cybersecurity standards that are required.
We’re also starting to use artificial intelligence primarily in the area of demand planning, making [that process] a bit more accurate. And the impact of that is it will eventually allow us to reduce the cost of our services to the military services and to the war fighter. Why? Because it’s going to allow us to reduce the amount of inventory that we have to hold on the shelves.
All of that are the types of things that DLA is using from a technology standpoint to improve our support.
It sounds a lot like lessons learned from Amazon.
Amazon certainly is one of the standards, and when you talk about Amazon, you’re really talking about a capability that others in the industry provide as well. But to your point, yes, we certainly look at that as one of the standards by which we benchmark how well DLA is doing business.
I’ve actually personally visited an Amazon fulfillment center to try to take some of the industry best practices and bring them back to the Defense Logistics Agency. But that’s one of many different capabilities that we benchmark ourselves against industry to make sure that we are keeping pace with the best things that are happening in academia, happening in the industry, to allow us to deliver the best possible support at the lowest possible price to our war fighters on the front line.
Cybersecurity is a priority in logistics and the supply chain. How is DLA approaching cyberthreats?
Cybersecurity is way up on our list of priorities and something we’re taking a hard look at. One of the things that we have done in DLA in just this past year is stand up an enterprise risk-management framework. And then subordinate to that, we’ve stood up a supply chain security component of that, and then within supply chain security we’re looking very, very closely at cybersecurity.
A couple of things we’ve done specifically is appoint a chief risk officer. One of their primary responsibilities is to look at the impact of cyber on our entire supply chain. Another thing we’ve done dating back to the last three or four years is we’ve looked at the number of logistics applications that are required to operate the Defense Logistics Agency. And we have dramatically reduced that number of applications.
The DLA reduced the number of vulnerabilities on the network.
Absolutely. We’ve also tried to take all of our business and placed it behind the defense firewall where it’s even more protected; and now we’re trying to move it in accordance with the rest of the Department of Defense into the cloud, where it can be even more protected.
I don’t think a day goes by that we don’t get 200-300 phishing attacks on the network, so training our people not to respond to those things that come across is a constant training challenge for us, but there’s also, we found, so much more practical things to do that don’t have a lot to do necessarily with technology.
We’re not completely there yet, but this will be a major effort for us this year to not just talk about this in pockets, to identify all of our critical areas of vulnerability, and to monitor those areas on a daily basis and see what impact they’re having on the supply chain. We want this to be systemic and not episodic.”
“An end-to-end approach to supply chain risk management, also called SCRM, examining technology trends, emerging threat vectors, and what vendors new to the federal government must keep in mind to mitigate supply chain risk.”
“As technology advances, supply chain risk management challenges are going well beyond the world of producing physical products such as IT hardware. While ISO-based standards provide clear guidance on supply chain management in the private sector, federal government suppliers must think more broadly.
To become a trusted supplier to the federal government, vendors must understand supply chain risk management trends affecting manufacturing.
Technology evolution and globalization
As technology has continually evolved from hardware to software, it has introduced new aspects of supply chain management. While software innovation offers new capabilities, it also brings vulnerabilities that are more easily exploited than with hardware. That exploitation introduces supply chain risks (more on this later).
Of course, hardware is still a significant part of infrastructure, including government services. Most hardware is built for a long lifecycle, and once deployed this legacy technology is not likely to be unseated, because of the capex costs tied to its original implementation.
With globalization, the main hardware risk comes through offshore contractors and suppliers. The widespread acceptance of globalization makes it harder to be certain of the integrity of your hardware supply chain.
What’s more, as software attack vectors become more sophisticated, they are also likely to be adapted to hardware. The installed hardware base is large, and therefore attractive to bad actors. The evolution of technology may provide a false sense of security that existing hardware is not susceptible to new forms of supply chain risk.
For federal government agencies, where data security is paramount, vendors will encounter more stringent compliance requirements than in the private sector. The supply chain must be protected to ensure product quality, and to protect against the ever-evolving onslaught of cybersecurity threats.
Shift towards software
With cloud replacing traditional hardware infrastructures, and software becoming more cloud-based, SCRM needs to shift focus from tracking physical components to the programming code used in cloud-based applications.
Cloud service providers all have some form of shared responsibility model for security, in which users are still responsible for securing their individual applications and services; the CSPs are responsible for the security of their infrastructure and the code used in their services.
Without tightly controlling the supply chain, malicious code could be introduced into cloud services. Most software applications, whether cloud-based or not, utilize significant open source code. A strong product development lifecycle ensures that open source code in a CSP’s infrastructure or cloud service offerings will be handled securely.
To that end, there are two best practices to apply to meet security responsibilities in the cloud:
Establish a technology import process that allows software to be imported in a trusted manner, and to be used securely in products and service applications. Discovery and inspection processes must deliver a baseline understanding of what the technology is doing, how it is structured, and its level of maturity. Architecture review, code analysis and a security design review are also recommended. These factors would feed into a risk assessment of potential threats, including known vulnerabilities. Only if these threats are deemed acceptable would a piece of technology be pulled into an application or service released to the market.
Securely manage risk in software and cloud-based applications with a software bill of materials (BOM). The BOM should outline all components feeding into a software application. Using this documentation, CSPs can list the tools used in their application development – as well as any third-party components. Both the IT and R&D departments therefore can apply software patches and updates more efficiently and effectively.
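As an added illustration of the second practice, and of the risk-acceptance step of the first, here is a small Python gate that is not code from the original article: it reads a constructed CycloneDX-style SBOM, matches each component against a constructed advisory list (placeholder identifiers, not real CVEs) and refuses a release when a component carries a known vulnerability above the accepted severity or cannot be assessed because its version is missing.

```python
"""Risk-acceptance gate over a software bill of materials.

Constructed example: the SBOM fragment, the advisory feed and the
advisory identifiers below are made up for illustration only.
"""
import json

# Constructed CycloneDX-style SBOM; "quxlib" deliberately lacks a version.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
    {"name": "barjs",  "version": "4.0.1", "purl": "pkg:npm/barjs@4.0.1"},
    {"name": "bazlib", "version": "0.9.0", "purl": "pkg:pypi/bazlib@0.9.0"},
    {"name": "quxlib"}
  ]
}
"""

# Constructed advisory feed: affected range is [introduced, fixed).
# The "ADV-..." ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-0001", "name": "libfoo", "introduced": (1, 0, 0), "fixed": (1, 2, 4), "severity": "HIGH"},
    {"id": "ADV-0002", "name": "barjs",  "introduced": (3, 0, 0), "fixed": (4, 0, 0), "severity": "CRITICAL"},
    {"id": "ADV-0003", "name": "bazlib", "introduced": (0, 8, 0), "fixed": (1, 0, 0), "severity": "LOW"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(text):
    """'1.2.3' -> (1, 2, 3); a pre-release suffix such as '1.2.3-rc1' is ignored."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_str(version):
    return ".".join(str(part) for part in version)


def parse_sbom(text):
    """Return (name, version-or-None) pairs from the SBOM's 'components' array."""
    doc = json.loads(text)
    return [(c["name"], c.get("version")) for c in doc.get("components", [])]


def matching_advisories(name, version):
    """Advisories whose affected range contains this component version."""
    ver = parse_version(version)
    return [a for a in ADVISORIES
            if a["name"] == name and a["introduced"] <= ver < a["fixed"]]


def evaluate_sbom(text, max_accepted="MEDIUM"):
    """Apply the gate: release is accepted only if every component is assessable
    and no component carries an advisory above the accepted severity."""
    threshold = SEVERITY_RANK[max_accepted]
    findings, blocking, unassessable = {}, [], []
    for name, version in parse_sbom(text):
        if not version:
            # No version means no way to compare against the feed: treat as a gap.
            unassessable.append(name)
            continue
        hits = matching_advisories(name, version)
        if not hits:
            continue
        findings[name] = [{"id": a["id"], "severity": a["severity"],
                           "fixed_in": version_str(a["fixed"])} for a in hits]
        worst = max(SEVERITY_RANK[a["severity"]] for a in hits)
        if worst > threshold:
            blocking.append(name)
    return {
        "accepted": not blocking and not unassessable,
        "findings": findings,          # every match, including accepted low ones
        "blocking": blocking,          # components that must be patched first
        "unassessable": unassessable,  # components the BOM does not describe well enough
    }


if __name__ == "__main__":
    result = evaluate_sbom(SBOM_JSON)
    print(json.dumps(result, indent=2))
```

The `findings` map carries the fixed version for each match, which is the piece of information the patching step needs once the BOM exists.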
The four main classes of supply chain threat
With government agency purchases becoming more software-based, associated threats can be harder to recognize. This is particularly true of cloud-based software solutions, where communication channels are truly borderless and information can flow seamlessly from anywhere in the world.
A comprehensive approach to SCRM addresses four classes of threats:
Intentional Threats. These are deliberate actions, intending to be malicious or to gain an unfair competitive advantage. Competitors may inject malware or viruses to undermine your product or to attack your end customer. Prohibited or pirated software may be used to keep production costs down. Black market or counterfeit components may also be used instead of OEM to cut costs and time to market.
Unintentional Threats. These are poor quality control practices or events beyond the vendor’s control. Enforcement of quality standards may be lax. Information with outside contractors may be unclear or incomplete. Human error around data security may make the supply chain vulnerable to future cyberattacks. Poor work conditions could disrupt network operations and throw the process into chaos.
Internal Threats. These may be either intentional or unintentional. Disgruntled or turncoat workers may undermine your production from the inside. The same is true of careless workers, through human error or lack of awareness of data security practices. Weak policies and procedures for controlling access and granting privileges to sensitive data compound both.
External Threats. These deliberate, well-targeted threats come from outside your organization. Downstream supply chain partners may try to steal IP to disrupt production, often prompted by competitors. Individual hackers may find a vulnerability in your supply chain, which could lead to malware, phishing, fraud, extortion, ID theft, and more. You may even be exploited by state-sponsored actors on behalf of hostile governments.
SCRM means balancing cost and supply chain vulnerabilities
The wide range of supply chain vulnerabilities described here adds up to a risk profile that goes well beyond conventional hardware manufacturing. As production of software and software-based hardware becomes more decentralized, the supply chain becomes more complex and convoluted.
Globalization may create cost benefits for vendors, but creates an interconnected ecosystem where supply chain threats can be almost impossible to detect or control. Vendors, therefore, must apply SCRM best practices, balancing the benefits of globalized software production with the attendant risks caused in developing a federal business practice.
In becoming a trusted supplier to federal government agencies, vendors must align with the requirements in NIST’s Cybersecurity Framework. More specifically, for IT decision-makers, vendors need to follow NIST’s Cyber Supply Chain Risk Management processes (https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management). This will help mitigate risk pertaining to data security applications.
Compliance with long-standing ISO certifications does not translate into airtight security with federal government agencies. An end-to-end approach to SCRM will be needed to succeed in this sector going forward.”
Specifically, the program wants software that can provide real-time logistics and supply chain situational awareness “at unprecedented scale and speed.”
“Imagine trying to coordinate hundreds of airplanes charting the globe on a daily basis, as United Airlines or FedEx do. Multiply that several times, and you have the logistical workload for the U.S. military.
It takes special tools to track all those aircraft and the related supply chains, and the Defense Advanced Research Projects Agency is now reaching out to industry for ideas on upgrading the military’s existing technology, which is managed through the Joint Logistics Enterprise.
“The DoD Joint Logistics Enterprise is immense,” John Paschkewitz, DARPA program manager in the Strategic Technology Office, said in a news release announcing LogX in May. “The supply chain inventory to sustain the Air Force fleet has been estimated to be as large as multiple Fortune 500 companies combined. Add the Army, Navy, and Marine Corps’ needs, and you see how enormous the department’s global logistics and supply systems are, dwarfing any commercial logistics system.”
The logistics enterprise still uses legacy technology, according to the request. LogX is looking for research approaches “that enable revolutionary advances in science, devices, or systems,” the request states.
The request goes on to describe the logistics enterprise as a triple-decker layer of networks: the physical supply chain, the information networks that inform the physical mobilization of supplies, and the financial networks. LogX will focus on improving the information network, according to the request.
Part of the information network changes the DOD hopes to implement is a migration to cloud-based data storage. LogX is expected to be implemented during the next 10 years, over which new technologies will further change the logistical landscape.”
“Today’s U.S. defense-industrial base is reliant on a globally integrated supply chain. Over the last 20 years, an embrace of the “free market” has created a fragile network of supply for countless critical materials that are the backbone of many major defense systems.”
“Over the past few decades, through an intentional dominance of the global rare earth market, China has cultivated immense leverage over the United States. As the current trade war escalates, China is poised to capitalize on its strategic plan — and indeed recent brinkmanship via Chinese President Xi Jinping’s visit to a major rare earth processing facility suggests it may.
If China’s rare earth leverage over the U.S. is one part strategic foresight, it is two parts American strategic miscalculation and shortsightedness. Today’s U.S. defense-industrial base is reliant on a globally integrated supply chain.
A failure by the U.S. to take the long view of history — as has been taken by the Chinese for centuries — is manifesting itself in an uncomfortable realization that past industrial policy has left our military glaringly susceptible to supply chain disruption. As Chinese philosopher Sun Tzu wrote: “He will win who, prepared himself, waits to take the enemy unprepared.” Alarmingly, U.S. lack of preparation is now evident in the latest rare earth crisis, the second of the past decade.
The first crisis occurred in 2010 when a dispute over the Senkaku Islands resulted in an “unofficial” embargo on rare earth exports from China to Japan. That embargo shocked global supply chains, spiking rare earth prices. However, confident that trade ties between the U.S. and China would obviate any direct threat to the U.S., administration officials adopted a policy to “reduce, reuse, recycle and substitute” rare earths, while waiting for Wall Street to leverage the price spike into a “mine to magnets” supply chain. To promote this strategy, the U.S. government awarded a few small research and development contracts, conducted studies, and filed a World Trade Organization case against China.
In retrospect, this light-touch strategy was a national security disaster. Reduction, reuse and substitution efforts arguably took some of the best materials away from our defense engineers and resulted in no new domestic production. Relying on private investment resulted in over 200 rare earth “projects” on stock exchanges, the vast majority never producing anything.
The U.S. exception, Molycorp, imploded in less than five years, crashing from a $6 billion market cap to a bankruptcy worth less than $500 million (where most of its technology was dismantled or sold off, including to Chinese interests). The WTO case seemingly accelerated the Molycorp implosion by driving down Chinese rare earth costs, undercutting fledgling American and Australian producers.
Since 2010 I have been arguing that the U.S. needs to adopt a national security and production-focused strategy to break the Chinese monopoly. This strategy would secure the defense supply chain by producing enough to sustain limited defense demand, creating new supply to support future commercial demand. The steps are simple.
Mine-permitting reform would improve the predictability and economics of the mining industry, allowing investments to occur immediately, rather than years or even decades after a crisis. Rare earth investment evaporated after the Molycorp collapse, in part because of mine-permitting delays. Reducing bureaucratic hurdles would lower barriers to entry, making U.S. mining more attractive to private investors, ultimately reducing government cost.
The government should encourage — either through direct investment, tax incentives or tariffs — the development of high-value-added domestic oxide and metal production. Commentators lament the Chinese monopoly on rare earth mining but fail to recognize China has even greater dominance in the separation of oxides and metal making. Addressing only one aspect of the supply chain would be ineffective.
Direct government investment in items used by the U.S. military, starting with rare earth magnets, is also necessary. Novel rare earth magnet recycling techniques show significant promise in the near term. Last year, Congress recognized the importance of sourcing domestic magnets by prohibiting U.S. Defense Department use of Chinese magnets (and tungsten) — Section 871 of the National Defense Authorization Act is stimulating defense demand and encouraging upstream growth of non-Chinese alloys and metals as well. These were steps needed to reinvigorate an entire supply chain.
The current administration and Department of Defense are taking welcome steps to finally address the issue, pursuant to Executive Order 13806; they should work with Congress to fully resource the Defense Production Act Title III program as well as assist new producers in securing needed qualifications, in addition to other actions to incentivize production.
Implementing these recommendations will significantly reduce supply chain risk for the military, improve manufacturing strength and mitigate vulnerability. All these steps can be implemented but will require readdressing old assumptions about how to maintain our industrial base in a global economy.
While heeding the lessons of Sun Tzu, today’s Pentagon might find inspiration from former U.S. Marine Corps Commandant Robert Barrow — “Amateurs think about tactics, but professionals think about logistics” — and take the steps necessary to secure our supply chains against a vulnerability of our own making.”
“Infiltrating the defense supply chain is one of the most insidious means by which attackers can compromise our nation’s communications and weapons systems.
The Department of Defense’s new “Deliver Uncompromised” security initiative is designed to tackle this problem at its root cause: third-party suppliers. In essence, the DoD is requiring its suppliers to bake security into their applications from the beginning of the production process. A “good enough” approach that just clears the bar for minimal security criteria is no longer good enough. Security must be ingrained in the very fabric of the entire production process.
Security starts with people
The process starts with people. They are responsible for ensuring that the solutions that comprise the supply chain work as designed and are inherently secure. They work closely with highly sensitive and proprietary information that is attractive to enterprising hackers. They are the first line of defense.
Unfortunately, those same factors make people the most attractive attack vector. When a malicious actor wants to gain access to a component or system, it’s often easier to just steal someone’s credentials than it is to try and find their way around a firewall. Obtaining a simple password is often enough to gain access to a critical system that can then be compromised, or information that can be exploited.
Consider the well-publicized Sea Dragon hack. In that incident, Chinese hackers obtained sensor data, signals data, an electronic warfare library and more. The hackers targeted a contractor of the Naval Undersea Warfare Center, a research and development organization that is part of the Defense Industrial Supply Chain. They used that person’s credentials to access the treasure trove of data on the NUWC network, and the supply chain was compromised.
Behavioral analysis can mitigate risk
The incident may have been avoided had there been a mechanism in place to monitor users’ behavioral patterns. Being able to detect a change in human patterns — unusual access to sensitive information, for example, as was the case with Sea Dragon — can help suppliers prevent unauthorized access to information and systems. It’s an added layer that can help the supply chain remain clean and less susceptible to vulnerabilities.
The supplier can set up a system that monitors risk based on user behaviors, which can be measured against an established baseline. For example, a person might ordinarily access a particular subset of information, or have rights to make certain modifications to a solution within the supply chain. A deviation from this normal pattern of behavior could set up a trigger that signals that an anomaly has been detected. That anomaly could indicate a potential security threat — for instance, perhaps the user’s credentials have been compromised. In this scenario, the user could be automatically blocked from accessing information or performing further actions that could compromise the supply chain.
Being able to detect anomalous user behavioral patterns can be essential in protecting Controlled Unclassified Information, which many contractors are using to create new defense programs and solutions. CUI is information designated as unclassified information that must be protected from public disclosure.
For example, a supplier could be working on key components for a new aircraft. The information pertaining to those components may not be classified, but it may also not be something that the Air Force wishes to disclose for public consumption. An enterprising hacker could potentially access the credentials of a user working on this program and obtain its CUI data. They could then infiltrate the supply chain network that feeds into the program, potentially putting the entire effort at risk — even the pilots who will eventually be operating the plane.
Security: the top supply chain priority
A risk-adaptive behavioral analysis approach exemplifies the type of extensive effort that Deliver Uncompromised proposes. Deliver Uncompromised warns against doing the bare minimum when it comes to security. Indeed, it elevates security as a “4th pillar” of the acquisition process, making it equivalent to cost, schedule and performance.
In fact, the collective message the DoD is sending out with Deliver Uncompromised and its counterpart, the Defense Federal Acquisition Regulation Supplement, is that securing the supply chain must be a top priority.
Those companies’ most valuable assets are their people. But those same assets can also be a vulnerable point of entry. Supply chain security must start and end with them. The DoD should consider partnering with organizations that show a commitment to securing their people as much as their technologies.”
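The behavioral baseline the article describes (a user's normal resource set and activity pattern, a trigger on deviation, an automatic block) is shown below as an added example. It is not code from the article or from the Deliver Uncompromised initiative; the users, resource categories, log events, weights and thresholds are all constructed for illustration, and the scoring rules are one reasonable choice among many.

```python
"""Baseline-and-deviation scoring for user access events.

Added example, not from the article or the DoD initiative it describes:
a minimal risk-adaptive monitor that learns which resource categories a
user normally touches, at what hours, and how much data per day, then
scores each new event against that profile. Users, categories, weights
and thresholds are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline window: (user, ISO timestamp, resource category, bytes read).
BASELINE_LOG = [
    ("jdoe", "2019-01-07T09:15:00", "eng-drawings", 2_000_000),
    ("jdoe", "2019-01-07T14:40:00", "test-reports", 1_000_000),
    ("jdoe", "2019-01-08T10:05:00", "eng-drawings", 2_500_000),
    ("jdoe", "2019-01-08T16:20:00", "eng-drawings", 1_000_000),
    ("jdoe", "2019-01-09T11:00:00", "eng-drawings", 2_500_000),
    ("jdoe", "2019-01-10T09:30:00", "test-reports", 3_000_000),
    ("jdoe", "2019-01-11T13:45:00", "eng-drawings", 1_500_000),
    ("jdoe", "2019-01-11T17:10:00", "eng-drawings", 1_500_000),
]

# Constructed events arriving after the baseline was learned. "ew-library" is a
# compartment jdoe has never touched; "mallory" has no history at all.
NEW_EVENTS = [
    ("jdoe", "2019-01-14T07:30:00", "eng-drawings", 100_000),
    ("jdoe", "2019-01-14T10:00:00", "eng-drawings", 1_500_000),
    ("jdoe", "2019-01-14T11:30:00", "test-reports", 1_000_000),
    ("jdoe", "2019-01-14T23:10:00", "ew-library", 800_000),
    ("jdoe", "2019-01-14T23:15:00", "ew-library", 5_000_000),
    ("mallory", "2019-01-14T12:00:00", "eng-drawings", 10_000),
]

# Deviation weights and action thresholds (assumed values; tune per environment).
W_NEW_CATEGORY = 50   # touching a category never seen in the baseline
W_OFF_HOURS = 20      # activity at an hour the user has never been active
W_VOLUME = 30         # daily volume beyond mean + 3 standard deviations
ALERT_AT = 20         # notify an analyst, let the access proceed
BLOCK_AT = 60         # deny the access and block the session


def build_baseline(events):
    """Return {user: profile} with categories, active hours and a daily-volume limit."""
    seen = defaultdict(lambda: {"categories": set(), "hours": set(), "daily": defaultdict(int)})
    for user, ts, category, nbytes in events:
        when = datetime.fromisoformat(ts)
        prof = seen[user]
        prof["categories"].add(category)
        prof["hours"].add(when.hour)
        prof["daily"][when.date()] += nbytes
    baseline = {}
    for user, prof in seen.items():
        volumes = list(prof["daily"].values())
        baseline[user] = {
            "categories": frozenset(prof["categories"]),
            "hours": frozenset(prof["hours"]),
            "volume_limit": mean(volumes) + 3 * pstdev(volumes),
        }
    return baseline


def score_event(baseline, user, ts, category, nbytes, day_bytes_so_far):
    """Score one event against the user's profile; returns (score, reasons)."""
    prof = baseline.get(user)
    if prof is None:
        return BLOCK_AT, ["no baseline for user"]   # unknown account: fail closed
    when = datetime.fromisoformat(ts)
    score, reasons = 0, []
    if category not in prof["categories"]:
        score += W_NEW_CATEGORY
        reasons.append(f"first access to {category}")
    if when.hour not in prof["hours"]:
        score += W_OFF_HOURS
        reasons.append(f"unusual hour {when.hour:02d}:00")
    if day_bytes_so_far + nbytes > prof["volume_limit"]:
        score += W_VOLUME
        reasons.append("daily volume above baseline limit")
    return score, reasons


def decide(score):
    if score >= BLOCK_AT:
        return "block"
    if score >= ALERT_AT:
        return "alert"
    return "allow"


def evaluate(baseline, events):
    """Run an event stream; a blocked user stays blocked for the rest of the stream."""
    day_bytes = defaultdict(int)    # (user, date) -> bytes actually served
    blocked = set()
    results = []
    for user, ts, category, nbytes in events:
        day = datetime.fromisoformat(ts).date()
        score, reasons = score_event(baseline, user, ts, category, nbytes, day_bytes[(user, day)])
        if user in blocked:
            decision = "block"
            reasons.append("session already blocked")
        else:
            decision = decide(score)
        if decision == "block":
            blocked.add(user)
        else:
            day_bytes[(user, day)] += nbytes   # only served bytes count toward volume
        results.append({"user": user, "ts": ts, "decision": decision, "score": score, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in evaluate(build_baseline(BASELINE_LOG), NEW_EVENTS):
        print(f'{r["ts"]} {r["user"]:8} {r["decision"]:5} score={r["score"]:3} {"; ".join(r["reasons"])}')
```

Run as a script, it prints one line per event: the 07:30 access is only off-hours and raises an alert, the two daytime accesses pass, the first touch of the never-seen category at 23:10 scores new-category plus off-hours and is blocked, the follow-up bulk read is refused because the session is already blocked, and the account with no baseline fails closed. The point of the unknown-account rule is that a freshly created or dormant credential has no "normal" to compare against and should not get a free pass.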
“Starting and operating a business is difficult. This is particularly true for a small business. According to the U.S. Small Business Administration, roughly half of all establishments will fail within the first five years of operation and two-thirds will cease operations within 10 years. The reasons for business failures are varied.
Poor supply chain management is one factor that contributes to business failures. The supply chain is composed of many elements that function, in combination, to take raw material or information inputs and develop these into products that are delivered by a business to its customers. The specific makeup of the supply chain can be unique to different industries or businesses.
However, one commonality across all supply chains is that there are key elements within the chain that, if not appropriately protected, add risk to the business. Therefore, when considering all the different ways businesses might fail, experienced leaders manage risk within the supply chain, enhancing the probability that a business will not only survive, but thrive.
Assessment of Risks in the Supply Chain
Before you can manage supply chain risk, you need to identify where it exists. This is accomplished by conducting a risk assessment. The first step in the risk assessment is mapping the complete supply chain.
The supply chain will vary depending on the specific industry and business. Start with a comprehensive mapping from the acquisition of raw materials or the development of the initial intellectual property and trace the processes all the way through the delivery of the final products to the customers. This is often the most difficult part of the assessment and can appear overwhelming at first.
If the supply chain map is too large or complex to tackle in total, you can break the flow into logical parts for assessment. There are often points in the flow that serve as natural breaks, such as material or product hand-offs to different vendors, unique manufacturing processes, or movement of goods or information via traditional transportation modes or information technology networks.
There are a number of risk assessment methodologies in use by businesses and governments. Any methodology with which the organization is comfortable can typically be applied to the supply chain risk assessment.
Essentially, risk assessment methodologies all have a similar goal. That is, to identify the likelihood that an asset will be lost or compromised, and if that occurs, to identify the impact suffered by the organization.
To successfully conduct the risk assessment, it is necessary to understand the reasons that an asset could be vulnerable, the types of threats to the asset, who is threatening the asset, the probability that the threat will be successful and the value of the asset to the organization.
The ultimate goal of the assessment is to provide business leaders with a decision-making framework. Understanding what the business stands to lose when facing likely loss scenarios allows leaders to invest an appropriate level of resources to mitigate the potential loss.
The organization can consider many ways to lower the supply chain risk and improve the chances that a business will successfully deliver to its customers what it promised. The universe of potential actions includes, but is not limited to, ensuring that there has been an effective due diligence process applied to crucial business partners or vendors; that contracts and purchase orders appropriately define expectations for quality, timeliness, cybersecurity protections and business continuity measures; that manufacturing facilities, warehouses, transportation modes and distribution channels have effective physical security countermeasures; and that threats from “trusted insiders” are understood and addressed.
Businesses can also engage in procurement practices such as “blind buys” to lower the risk of supply chain compromises. When conducting a blind buy, the supplier has no idea who is purchasing the materials and has no incentive to compromise them. These types of measures are only necessary in high-security contracting environments and typically are used to protect against nation-state adversaries or other sophisticated threat actors. Mitigating supply chain risk in high-security environments, such as with U.S. government contractors, can be particularly challenging.
The alleged compromise of Supermicro server components publicized in fall 2018 is an excellent example of a potential vulnerability that is beyond the capability of most businesses to mitigate. Efforts are underway to utilize various technologies such as blockchain to improve security within the supply chain.
There are also process-related and regulatory approaches to managing supply chain risk, such as the Customs-Trade Partnership Against Terrorism (CTPAT) and corollaries within other countries, including the authorized economic operator (AEO) schema. Both CTPAT and AEO serve as public-private partnerships between governments and the international trade community. Through collaboration, the international supply chain is strengthened, and security processing time is reduced at ports of entry.
A chain is only as strong as its weakest link. The same is true for the supply chain. Effective management of supply chain risk requires constant evaluation and vigilance.”
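The risk-assessment steps in the article (map the chain end to end, then estimate for each asset the likelihood of loss and the impact if it occurs) are carried through below as an added example. It is not code from the article; the chain, the supplier names, the likelihood figures and the impact figures are all constructed. The example goes one step beyond the text: because each stage is recorded with the input categories it cannot operate without, it can also tell which nodes are single points of failure, which a likelihood-times-impact figure alone does not reveal.

```python
"""Supply chain mapping and risk scoring.

Added example, not from the article: the chain is modelled as a dependency
graph in which every stage needs one or more input categories and any
supplier of a category can satisfy it. Each node carries an assessed annual
likelihood of loss and an impact figure. The chain and all numbers are
constructed for illustration.
"""

# Constructed map of a small actuator maker's chain, raw material to delivery.
# supplies: what the node delivers; needs: input categories it cannot run without.
CHAIN = {
    "ore-mine-a":     {"supplies": "ore",       "needs": [],                               "likelihood": 0.10, "impact": 200_000},
    "separator-b":    {"supplies": "oxide",     "needs": ["ore"],                          "likelihood": 0.15, "impact": 600_000},
    "magnet-maker-c": {"supplies": "magnets",   "needs": ["oxide"],                        "likelihood": 0.20, "impact": 400_000},
    "magnet-maker-d": {"supplies": "magnets",   "needs": ["oxide"],                        "likelihood": 0.10, "impact": 400_000},
    "pcb-fab-e":      {"supplies": "boards",    "needs": [],                               "likelihood": 0.08, "impact": 300_000},
    "cad-repo":       {"supplies": "designs",   "needs": [],                               "likelihood": 0.25, "impact": 1_500_000},
    "assembly-f":     {"supplies": "actuator",  "needs": ["magnets", "boards", "designs"], "likelihood": 0.05, "impact": 2_000_000},
    "freight-g":      {"supplies": "delivered", "needs": ["actuator"],                     "likelihood": 0.12, "impact": 500_000},
}
FINAL = "delivered"   # the category the customer actually receives


def category_available(chain, category, failed):
    """True if some non-failed supplier of `category` has all of its own inputs available."""
    def node_ok(name, visiting):
        if name in failed or name in visiting:
            return False   # the visiting guard stops cycles in a badly drawn map
        node = chain[name]
        return all(
            any(node_ok(s, visiting | {name}) for s, n in chain.items() if n["supplies"] == need)
            for need in node["needs"]
        )
    return any(node_ok(s, frozenset()) for s, n in chain.items() if n["supplies"] == category)


def single_points_of_failure(chain, final=FINAL):
    """Nodes whose loss alone stops delivery of the final product."""
    return sorted(name for name in chain if not category_available(chain, final, {name}))


def expected_loss(node):
    """Annualised loss expectancy: likelihood of loss times impact if it occurs."""
    return node["likelihood"] * node["impact"]


def risk_register(chain, final=FINAL):
    """Rank nodes: structural single points of failure first, then by expected loss."""
    spofs = set(single_points_of_failure(chain, final))
    rows = []
    for name, node in chain.items():
        alternates = sum(1 for other, n in chain.items()
                         if other != name and n["supplies"] == node["supplies"])
        rows.append({"node": name, "ale": expected_loss(node),
                     "spof": name in spofs, "alternates": alternates})
    rows.sort(key=lambda r: (not r["spof"], -r["ale"]))
    return rows


if __name__ == "__main__":
    for r in risk_register(CHAIN):
        flag = "SINGLE POINT" if r["spof"] else f'{r["alternates"]} alternate(s)'
        print(f'{r["node"]:15} ALE ${r["ale"]:>10,.0f}  {flag}')
```

Two things the register shows that a flat likelihood-times-impact list would not. The design repository, an information asset rather than a physical one, tops the list because the chain cannot build without it and it is the node most exposed to credential theft. And magnet-maker-c has the highest likelihood figure of any supplier, yet it sits below every single point of failure, because the second magnet source means its loss alone does not stop delivery; the separator both magnet makers depend on is the node that deserves the due-diligence and contract attention.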
“Vendors that don’t fully understand federal cybersecurity contracting standards, along with the inability of large defense contractors to see into their own supply chains, have led to widespread targeting and theft of U.S. economic and national security secrets by nation-state hackers, industry experts told Congress.”
“Less than 60 percent of small and medium-sized defense contractors responding to a survey conducted by the National Defense Industrial Association said they read the Defense Federal Acquisition Regulation Supplement (DFARS) that lays out minimum security standards for contractor information systems. Nearly half of those who did said they found it hard to understand. About 45 percent of respondents hadn’t read National Institute of Standards and Technology guidelines for protecting controlled unclassified information.
The research found that many small and mid-sized contractors tend to have “uneven awareness of cybersecurity risks and prevention” and are more likely to view requirements as just another regulatory box to check to win government business. There is also a perception of uneven enforcement of DFARS regulations, with complaints that poor metrics for measuring compliance do not do enough to reward companies that align their practices to DFARS over those that don’t.
Christopher Peters, CEO of the Lucrum Group and co-author of the NDIA report, told lawmakers at a March 26 Senate Armed Services Committee hearing that while large defense contractors typically have “robust” security measures in place, the smaller and medium-sized companies with whom they subcontract do not, making them “prime targets” for nation states. This is particularly true when it comes to industrial control systems and software that run machinery on the plant or shop floor.
“Manufacturers have to have confidence that their investments in cybersecurity are going to meet DOD requirements,” Peters told the committee. “Large manufacturers also need a means to quickly and cost effectively assess the cybersecurity readiness of each manufacturer in their supply chains. That requires the establishment of meaningful metrics that can be readily certified, whether by a customer, the government or an independent third party.”
The big five defense contractors — Boeing, General Dynamics, Lockheed Martin, Northrop Grumman and Raytheon — frequently subcontract out portions of their work to smaller firms, who in turn subcontract further with other entities. At a certain point, prime contractors lose visibility into who their third-, fourth- or fifth-tier subcontractors are, a challenge that the Office of the Director of National Intelligence has encountered while examining supply chain security threats.
Michael MacKay, CTO for defense contractor Progeny Systems, told the committee there were a variety of reasons for that lack of visibility, ranging from a reluctance of prime contractors to lay out the details behind their proprietary supply-chain business strategies to a lack of transparency inherent in a contracting field that is often fluid and opaque.
“If I hand a document over to somebody to create a part, then I have to make — I have to ask them how they are going to managing that document and who they are going to give it to,” said MacKay. “They could lie to me … they could say, yes, we’re going to do this and at that last minute, hand it off to somebody that came in at a lower bid and not tell me.”
Policymakers have long fretted over the potential for adversarial nations to steal U.S. secrets by targeting contractors. However, two incidents over the past year have spurred greater urgency around the topic: reports that in 2018, Chinese hackers stole “massive” amounts of sensitive data from the unclassified networks of a contractor working for the Naval Undersea Warfare Center, and a 2019 internal review by the Navy that found Chinese hackers were pilfering so much intellectual property and classified secrets from the defense industrial base that it was “materially eroding” U.S. economic and military advantages.
Sen. Joe Manchin (D-W.Va.) called the lack of visibility down the supply chain “absolutely unbelievable” and said Congress needed to rewrite contracting standards to ensure subcontractors are held to the same security requirements as primes.
“Somebody has to be held accountable,” Manchin said. “A blind person can follow this. We wonder why we’ve been hacked so much, why they’ve copied everything? You all just explained it. There’s no checks and balances .… It looks like to me that we’re … protecting a business model more than we are the security of our country.”