Could the Chinese Communist Party “page” U.S. servicemembers, the way the Mossad did to Hizballah on Sept. 17, 2024, in one of the most daring deception operations in living memory? It’s possible.
The Department of Defense doesn’t fully understand the breadth and depth of its supply chain. Former Under Secretary of Defense for Acquisition and Sustainment William LaPlante revealed how difficult this problem had become for the U.S. military services and the defense industry that supports it. An industry executive first “thought he had 300 suppliers,” LaPlante reported in a September 2022 press briefing, “then he found no, when he counted all of his suppliers, he most likely had 3,000.”
Today’s supply chains are increasingly sprawling and complex, with critical materials and components typically sourced from adversarial or single-source entities. While there are some restrictions on sourcing from China, the restrictions don’t apply to all Defense Department systems, so pervasive risk remains: An adversarial source could tamper with a small, unassuming part to a weapon system or platform, as Israeli intelligence did by booby trapping Hizballah pagers.
While the government and the defense industrial base have made some strides in learning about the origins of their suppliers, current efforts amount to little more than reverse engineering — trying to piece together supply chains after they’re built instead of as they’re being built. It would be easier to capture supplier information while systems are being developed and fielded, and while those suppliers are brought into the fold.
Moreover, current efforts aim to have a central repository of all supply chain data. While this approach has benefits — such as visibility of shared suppliers across multiple systems — it risks proprietary supplier data and intellectual property being shared inappropriately, or worse, exposing vulnerabilities in Department of Defense supply chains to U.S. adversaries through cyber operations.
To address these shortcomings, the department should adopt a system that uses distributed ledger and blockchain technology where only data owners (suppliers) can grant access, controlling who can see data about their parts and materials. This would enable the department to conduct the supply chain analysis it requires, while simultaneously protecting supplier information from unnecessary exposure and reducing the risk of creating vulnerabilities with dependence on foreign, particularly adversarial, sources.
It’s time for the Defense Department to have the necessary visibility into the materials and components its warfighters rely on to protect the nation — everything from aircraft to critical munitions. The department can only achieve this if data is captured up front when suppliers are being identified and brought into the supply chains for the products and programs under development. Until then, there is constant danger of supply chain disruptions to critical defense operations, including component tampering that could lead to malfunctions of systems and platforms. This is an unacceptable risk.
A Legacy of Supply Chain Opacity
Decades of globalization led to many of the Defense Department’s critical supply chains moving off-shore — typically to unfriendly nations. In September 2018, the department issued the report Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States in response to Executive Order 13806, which directed the secretary of defense to lead a government-wide effort to assess risk, identify impacts, and propose recommendations to improve the manufacturing and defense industrial base. The report shone a light on a growing problem: As sourcing issues and persistent obsolescence problems mounted, it became clear that industry didn’t know enough about its suppliers.
To help address this opacity, an industry of supply chain “illumination” companies has emerged in recent years. Using AI and machine learning tools, these companies promise to map the entities, companies, and products involved in a program’s supply chain. While innovative and capable of providing a starting point in the absence of any supply chain data, illumination uses data inputs that are incomplete and unverified.
Supply chain illumination sometimes depends on publicly available data — news articles, social media posts, and government contracting and financial data — augmented by AI and machine learning to digest these inputs, searching for or establishing linkages between suppliers and programs. For example, Avionics International reported that the Air Force had awarded General Atomics and Anduril contracts for their collaborative combat aircraft, so the supply chain illumination software would link these companies as suppliers to the program.
But this approach is like shining a flashlight down a dark hole: You only get a narrow view. Information obtained from this method doesn’t come from the suppliers themselves and is often not verified. Although data on supplier financial health and foreign ownership can be discerned, which is helpful in assessing some aspects of supply chain risk, no information is available for some critical metrics the Department of Defense needs when performing supply chain analysis. This includes a supplier’s minimum sustaining rate, maximum capacity, and surge capability, or the other programs that the company is a supplier for. In addition, the data is usually “time stamped,” meaning it is only accurate at that moment in time. Since the defense industrial base is constantly shifting, with suppliers coming in and out and moving between programs, a linkage that might exist one day may not the next.
Furthermore, there is also a risk of “false positives” in identifying entities in a supply chain. Indeed, the article about the collaborative combat aircraft highlighted that Boeing, Lockheed Martin, and Northrop Grumman didn’t win an award for the program. Nonetheless, the supply chain illumination software may incorrectly link these companies as suppliers to it anyway. Some illumination companies have been able to obtain partial supplier data, either from industry directly or from the programs. But most haven’t, and even when they do, it’s often only for the first few tiers of a supply chain, not the entire list of parts, materials, and suppliers. Major information gaps persist.
Illumination Is Big Business, But Not the Panacea for Supply Chain Risk Management
Primes on any contract depend on their sub-tier suppliers (“subs”) for information about the supply chains the subs use. But for the subs, that information is typically fiercely guarded and considered proprietary — it’s the “secret sauce” that makes them competitive, and they don’t want to share that information for fear that either it won’t be protected or may be misused. There’s also concern with protecting intellectual property. The resultant lack of supply chain transparency has made illumination big business, with these companies jockeying to portray themselves as the panacea that can solve the Defense Department’s supply chain risk management problems.
In addition, these efforts are costing taxpayers a lot of money as each successive program pays the illumination company to develop and implement an analysis for their particular system. In 2019, the Navy paid the data analytics firm Govini $400 million “to deliver data, analysis and insights into DoD spending, supply chain and acquisition using a database it continues to compile.” What Govini found was deeply concerning: Over 40 percent of the semiconductors used in the Defense Department’s weapons systems and associated infrastructure were sourced from China. As troubling, from 2005 to 2020, the number of Chinese suppliers within the defense industrial supply chain had quadrupled. Unfortunately, these findings are not surprising to anyone who has any knowledge of the department’s supply chains.
At present, there are numerous illumination companies analyzing multiple programs and gathering multiple sets of data, but there is no central authority to cross-reference all the data, and no ability to track instances where companies supply multiple defense programs. Put simply, no one sees the whole picture. This problem becomes critical when there is an obsolescence issue, as the Defense Department needs to understand the total impact, or when it wants to increase production, as these suppliers can become major bottlenecks. In my experience, such obstacles have impeded the flow of U.S. defense materials and components to Ukraine.
For its part, the Department of Defense has tried to gather some supply chain data on its own and by working with interagency partners. While well-intended, these efforts haven’t provided what the department needs. For example, the Defense Contract Management Agency performs supply chain analysis, including by collecting supply chain, capability, and capacity data through surveys of defense industry companies. Yet, the surveys are voluntary and inevitably some companies don’t respond. The agency does, however, maintain a supply chain database that is cross-referenced to establish which entities supply multiple defense programs. The Department of Commerce conducts mandatory industry surveys, but they can take years to complete. This is too slow for the Defense Department, which requires real-time supplier data to understand and mitigate supply chain risks. In 2023, while I was serving in the Office of the Secretary of Defense’s Industrial Base Policy office, there was an effort that sent a mandatory supply chain survey to the service program offices for 110 weapons systems, which the program offices then had to enlist industry’s help in answering. The survey asked for data down to “tier three” companies — ones that are three levels below the prime contractor. However, many problems such as insufficient capacity and obsolescence occur at even lower tier suppliers.
The biggest challenge with all these current supply chain illumination methods, whether government or commercial, is that they seek to reverse engineer the problem. They aim to piece together the supply chains after they’re built rather than as they’re being built. Instead, the individual military service program offices, the prime contractors, and the Office of the Secretary of Defense should work together to build complete supply chain maps. This should occur during the program development phase, using accurate data that doesn’t have to be pieced together after the fact and propped up by assumptions based on unverified information.
All government programs should be able to access this information, so they can understand the potential impacts of obsolescence and shared suppliers. For her part, former Deputy Secretary of Defense Kathleen Hicks tried to start a data repository in the existing Advana data platform for advanced analytics, but the program has been paused and is being recompeted.
As an alternative to a repository — in which intellectual property and proprietary data could either be shared inappropriately, or worse, infiltrated by adversarial cyber threats — the Defense Department should adopt a system that uses distributed ledger and blockchain technology. Such systems have several attributes which make them ideal for supply chain identification and analysis: advanced encryption to authenticate and protect data exchange; verifiable credentials and secure identity protection that allow suppliers to share sensitive information only with authorized parties; smart contracts to automate the enforcement of agreements and compliance with regulations; and assurance that suppliers retain ownership and control over their data, including managing consent, data access rights, and the revocation of those rights. These attributes could help address the main objection that suppliers have to participating in data illumination efforts by guaranteeing data ownership rights and providing a secure platform for the exchange of sensitive data, thus allowing for better data security.
While industry would only have access to the specific data needed from its suppliers to ensure they meet the government’s requirements, the Defense Department would gain greater access to information. So, for instance, a prime contractor may require their first-tier supplier’s component to meet a specific level of performance. That first-tier supplier can provide performance test data showing it meets the requirement but is not required to show who their sub-tier suppliers are, or the materials used to build the component. However, the Defense Department, which is bound by the Trade Secrets Act not to reveal industry’s proprietary information, would be able to have more access to that granular piece of information. The department would not download and store the information into a repository, but a select group of supply chain analysts and managers who have received permission from the data owners could use AI to query all systems to find commonalities such as shared suppliers and materials, as well as other risk areas such as adversarial and sole/single source suppliers, allowing for proactive mitigation.
Blockchain is already being used in many industries. For instance, food companies use it for supply chain management to track the path and safety of food throughout the farm-to-consumer journey. This becomes critical when there is an outbreak of E. coli or salmonella, for instance, and the companies need to track food through each step it has taken back to its origin. Historically, it has taken weeks to find the source of these outbreaks, but using blockchain allows discovery much faster, potentially saving lives. The Department of Defense could benefit from the same approach.
In September 2022, the Defense Department temporarily halted deliveries of F-35 fighters following the discovery that an engine component had been made with cobalt and samarium alloy that came from China. The use of blockchain could have enabled the earlier detection of these raw materials in a critical defense platform and allowed the department to identify which other systems used the same materials.
The Department of Defense will probably still need to incentivize industry to participate in supply chain illumination efforts. Such incentives could involve financial, contractual (contract requirements and/or preferences), and informational benefits (suppliers will gain insight into issues within their supply chains they may not have had visibility of before). Congressional language in Section 849 of the latest version of the Fiscal Year 2025 National Defense Authorization Act may help with the effort to induce compliance. It requires the secretary of defense to develop and implement strategies to incentivize defense contractors to assess and monitor the entire supply chain of goods and services provided to the department to identify potential vulnerabilities and noncompliance risks.
Financial incentives might pay for themselves in cost savings realized from better supply chain visibility. The costs of production stoppages, system redesigns, and “lifetime buys” resulting from part and material obsolescence alone can be immense. When a component or material becomes unavailable due to other circumstances — for example, China banning the export of germanium, gallium, and antimony, critical minerals necessary for many defense systems — the economic cost can be even greater, as China is the largest or sole supplier of many of the raw materials the Defense Department currently uses. In these cases, the department should provide funding to establish new suppliers and then run tests to ensure the new material performs the same — and that’s only if there is enough time to do so before a supply shut-off.
Get Access to All the Data
The current practice of reverse engineering the Defense Department’s supply chain to identify risks and vulnerabilities doesn’t work. Because the information is unverified, and because of the lack of cross-program visibility into shared suppliers, it exposes the department — and, by extension, U.S. national security — to potential hazards, from disruptions of adequate supplies of materials to cyberattacks and sabotage by adversaries.
To address this problem, the department and the defense industrial base should build out supply chain data while defense systems are under development and maintain databases as systems are upgraded. All data should be made available to any Defense Department program to eliminate duplication of effort and to minimize cost. Data should be accessed through a distributed ledger and blockchain system to ensure that all programs can use and cross-reference it. Only then can the Department of Defense be confident that U.S. adversaries are not hiding in the department’s supply chains.
Dr. Christine Michienzi is a former senior defense official and is now the owner of MMR Defense Solutions LLC, as well as a nonresident senior associate at the Center for Strategic and International Studies.
Image: Toiete Jackson via DVIDS.