Supply Chains May Pose Weakest Security Link
The changing character of war requires capabilities delivered without compromise.
Adversaries are exploiting the inherent vulnerabilities of U.S. military supply chains that involve tens of thousands of private sector providers from all over the globe. Attack operations include stealing valuable technical data; striking critical infrastructure, manufacturing and weapon systems control systems; corrupting the quality and assurance across a broad range of product types and categories; and manipulating software to access connected systems and to degrade systems operation integrity.
The United States must respond holistically to these modern threats and can do so by placing a risk score on supply chain liabilities. This approach would require independent risk scores of all suppliers, much like financial institutions use credit scores to quantify the financial risk of individual companies. Fair Isaac Corporation, or FICO, and others are exploring the idea of a cyber scoring system for businesses, which is a solid approach.
The scoring of entities—individual services or components providers—can and should be handled outside of the U.S. government. However, agencies, and particularly the U.S. Defense Department, must actively work to understand their contractors’ entire supply chain. This process would include internal or external monitoring and continuous assessments of the cumulative third-party security risk posed to the end product or service.
For example, many types of combat systems increasingly rely upon sensors, actuators and software-activated control devices; a modern aircraft has more than 10 million lines of code. Last year, Defense Department officials testified before the House Armed Services Committee that “Deliver Uncompromised” was the basis of a strategy to address increased losses of defense weapon and information systems that had fallen prey to attacks.
Following the department’s lead, a MITRE Corporation’s report, titled “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War,” offers numerous recommendations the Defense Department could employ to address the challenges it currently faces in this realm.
In developing the report, the organization’s experts examined options that span from legislation, regulation, policy and administration to acquisition, oversight, programs and technology. It proposed near-, mid- and long-term actions that could be taken to address the problem. Following the report’s publication, the Government Accountability Office and the Defense Department’s Inspector General published reports outlining increased losses of critical space and weapons systems and large-scale lack of attention to supply chain security.
Earlier this year, news articles described the mounting losses the U.S. suffers in this asymmetric era. For example, in March, the Navy Times cited an internal Navy review that declared the service and its contractors were “under cyber siege by a host of nefarious actors—including Chinese government hackers—who exploited critical U.S. cybersecurity flaws to steal troves of national security secrets from the defense industry.”
Simultaneous to the disclosure of the Navy review’s results, Congress and the executive branch became increasingly concerned about cyber threats and passed several key pieces of legislation, with more likely on the way.
But surprisingly, limiting third-party risk in acquisitions is still not an official U.S. government or Defense Department policy, even though massive integration of information, software and manufacturing systems layered onto a global economy enable sabotage at scale. Adversaries place the Defense Department’s vast ecosystem of private sector suppliers under incessant attack. They use a variety of tactics to introduce vulnerabilities into the military’s industrial supply chains to steal intellectual property, develop intelligence collection networks, disrupt and deny operation of a system at critical times, or reduce reliability and assurance by inserting counterfeit or degraded components.
Today, procurements are based on three pillars: cost, schedule and performance. These ignore the danger to warfighters and others when they use systems purchased that overlook what should be the fourth acquisition pillar: security.
Making security a true fourth pillar of acquisition requires an independent means of measuring and assessing contractors and subcontractors. Because not all contractors offer equal levels of security, basing contract awards solely on the lowest price reduces their incentive to monitor and protect their enterprises and supply chains. Consequently, the products they deliver to the U.S. government may not be secure.
Although security is fundamental, it should be presumed that a prime contractor with sufficient security could sell its products and services to the Defense Department, but not all contractors are equally strong in all dimensions. Security monitoring must take place well beyond contract award because the supply chain typically isn’t in place until after the contract is awarded; however, prime contractors ultimately still must be held accountable for security. To address asymmetric warfare, the U.S. government must minimize third-party risk in its acquisitions by refusing to accept third-party risks from contractors.
Introducing cybersecurity as a discriminator among companies will not harm the competitive bid process especially in an era where news headlines and government reports incessantly declare massive losses of Defense Department weapon systems’ details to nation-state adversaries.
Ensuring security after the contract award also requires the entire supply chain to be continuously mapped out and risks closely monitored throughout the life cycle of the program, which calls for professionals skilled in defining and measuring uncompromised acquisitions.
Although information sharing among contractors and subcontractors can be a reason for concern, it is unlikely that making security a contract requirement would cause companies to stop sharing cyber threat information. Many industries already compete in the free market while sharing this information, including the financial, automotive and health care sectors, which have far tighter profit margins than the defense industry.
Threat information must be shared because every contractor is a target and none of them is equally strong in all attack spaces. By openly communicating about dangerous activity, the overall security posture of the entire industrial base will grow.
Because of the recent increase in consolidation of tier-one contractors, a great amount of overlap exists in the utilization of lower-tier suppliers across many contract awards. As a result, competition for multiple contracts will be a force multiplier as individual security improves.
Although contract privity limits prime contractors’ ability to see into their supply chain beyond their immediate subcontractors, designating trusted third-party intermediaries between the protected subcontractors and prime contractors would address this issue. This third party would monitor the supply chain via contract flow-down clauses. The members of the supply chain would report individual and collective risk levels to the third party that would share them with the prime and the government contracting office. While the third party would be privy to the entire supply chain for each contract, the supply chain members’ identities would be protected.
In addition to these tactics, the government should seek to protect contractors that make good faith, informed reports on cyber and supply chain attacks from third-party lawsuits. This protection might require new legislation to create a National Supply Chain Intelligence Center. The center would warn contractors about strategic threats and provide all-source information sharing, much like the National Counterterrorism Center did after 9/11. It also would give contractors a legal “safe harbor” to share threat information.
Other options to improve supply chain security include tax incentives and low or no-cost loans for small companies to improve their security posture. In addition, supply chain insurance may motivate the defense industry to improve cyber and supply chain security. This could be especially important for the smaller subcontractors, who are the most vulnerable targets.
A consistent risk scoring system across the U.S. government is essential as a measurable differentiator, so the agencies responsible for protecting the U.S. supply chains—Defense Department, National Counterintelligence Security Center and Department of Homeland Security—must work closely with Congress and the private sector. In addition, multinational cooperation will be key because of the international nature of system compromises.
The character of conflict is changing, and the responses to it must change with it. It is clear that the military’s mission readiness and its ability to project force are at grave risk from attacks on supply chains, lowering the safety and security of nations and citizens. Focusing on security from the assembly lines to the front lines is one way to address this threat.