It is a wide open secret that the Pentagon’s complex supplier base has become a huge target. The Pentagon’s nightmare scenario: An orchestrated campaign to not only sabotage U.S. weapon systems but also steal sensitive design data from American companies. “We see growing opportunities for bad people to get at our products,” said Undersecretary of Defense Frank Kendall, who oversees weapons acquisitions.
I was interested in the comment, "The Pentagon funds a small number of “trusted foundries” that produce sensitive microelectronics for exclusive government use." It reminded me of the early years of government contracting in the United States, up to the early 20th century. My perspective of that was informed by the excellent book, "A History of Government Contracting" by the esteemed practitioner and professor, James F. Nagle. See a review of this book here.
The security gaps have widened over time, resulting from a combination of economic and technology trends — the globalization of electronics supplies and proliferation of counterfeits, the internet of things and the widespread use of software in military systems. The prospect of malicious tampering has become all too real, said Kendall. “What is my greatest fear? That we’ll find one day when we ask our systems to do something, they won’t work.”
These issues fall under the broad category of “supply chain security,” and they have put the Pentagon in a tight spot because it has limited visibility and control of the vast web of suppliers that design and produce equipment for the military.
But only in recent years has the Pentagon seen substantial data and evidence of cyber attacks, tampering and other nefarious actions aimed at the defense industry. Without naming names, Kendall said there are mounting concerns about “things that are hidden in the things that we buy.” The Pentagon is taking steps such as increasing cybersecurity training for procurement officials and is trying to raise awareness of the risks, but the overwhelming responsibility for preventing and catching bad actors falls on contractors, simply because they are the first line of defense.
Dan Payne, director of the Defense Security Service, an agency that oversees industrial security, said suppliers are stepping up voluntary reporting on suspected spying. The defense industrial base is “facing a changing threat, one we’ve never faced before, a counterintelligence threat that is unprecedented in our history,” he insisted. “It’s bigger than anything we’ve ever seen. And it’s all happening behind the scenes,” he said. “We’re in a knife fight and most people don’t know it.”
The DSS is rethinking its internal processes for dealing with industrial espionage. Many of the agency’s methods have not changed since the Cold War, said Payne. “We’re looking at prioritizing technology we truly need to protect, and looking at the companies that are producing those technologies,” he added. “Knowing how enemies are coming at us, we are working with industry on tailored security for each facility.”
In this frightening environment, Payne told executives at the Bloomberg forum, “We have to partner with industry. The nation’s top corporations can afford to spend a lot of resources vetting suppliers, but the majority of defense vendors lack such means. The U.S. government doesn’t have the resources to fight this battle alone.”
One way foreign actors can access U.S. defense industry products and data is by buying up companies. This is a “huge issue,” said Payne. “We’re never going to be able to guarantee the supply chain 100 percent, it’s too vast.” “As globalization has taken over the economy, foreign intelligence services are using businesses to get inside our supply chains to steal our secrets, our technology.”
With a globalized work force, there is a higher risk of “insider threats” that can be even harder to tackle than digital intrusions. “At no time have our adversaries ever had the access and the ability to come from different avenues as they do right now,” said Payne. “The Chinese are very good.” Having cornered 56 percent of the consumer microelectronics industry, the Chinese are in a strong position to woo U.S. companies to partner with them. “This is a tough one,” said Payne. “Never before have we seen the volume of joint ventures getting into our supply chain.”
The Pentagon admittedly has limited weapons to fight back, but it is slowly gearing up, said Kristen Baldwin, acting deputy assistant secretary of defense of systems engineering. “We understand security, but it’s not in our practices and processes to think about that,” she said. “We worry about quality and reliability.”
Defense program managers have to prepare to cope with counterfeit parts, malicious tampering, reverse engineering and infected software. And as much as the Pentagon needs contractors to share information about potential threats, she said, the government also needs to be more transparent with the industry.
Baldwin suggested the answer might be to rethink how weapon systems are designed so they are less vulnerable to single points of failure. “We should think about not only where the part comes from but also whether we need to design our systems so they are not completely degraded just because we don’t know what’s in that black box.” There is no way to guarantee the performance of every single component, she said.
The Pentagon funds a small number of “trusted foundries” that produce sensitive microelectronics for exclusive government use. But the majority of electronic components found in military systems come from commercial suppliers. “The fact is that we can’t afford to shut ourselves off the global supply chain nor do we want to,” Baldwin said. “That’s technology we need for our systems.”
Read more of the story at the link above.
As I recall what he wrote, in the earliest days of manufacturing, the US government took to making its own things because there was no defense industry, as such, to speak of, and what industry there was had not mastered the process of making and assembling interchangeable parts.
Nagle expressed the observation that the government's products, made in its own "trusted foundries", were widely admired and sought around the world. Today, we take the phrase, "good enough for government work", as a cynical statement that government cannot make anything worth its salt. But, back then, when the phrase was first used, it was an admirable statement of the gold standard. If a private supplier could lay claim to have products or services "good enough for government work", he or she could proudly peddle products anywhere in the world.
In a day when government is intent on outsourcing everything to private contractors, who very often have foreign ownership or other influence, we might find it useful to more often rethink the gold standard.