The military supply chain is vast, multifaceted, and riddled with potential cyber vulnerabilities.

As a result, "there is [a] possible theft of data or proprietary information or classified information. There’s the ability through malware to sabotage activities or to destroy the confidence in the data,” said Daniel McGarvey, former director of information protection for the Air Force and a senior consultant to the federal Performance Accountability Council. “There’s the threat of putting embedded malware into a system that either takes control of or actually disables the system.”

In an increasingly digital battlefield, senior leaders, experts and analysts say supply-chain cybersecurity could be a weak point in the military’s armor. To remedy that, they urge closer oversight of contractors, and tighter coordination on cyber issues between military buyers and defense-industry suppliers.

Threat window

In a 2017 document, the Pentagon’s Defense Science Board said the complex relationships in the supply chain creates a window for bad actors. “The supply chain for microelectronics parts is complex, involving multiple industry sectors. Each sector sells to each of the others,” they noted. “Furthermore, parts may be returned to manufacturers or distributors and subsequently reenter the supply chain making both pedigree and provenance difficult to track using current procedures.”

As a result, “assuring that defense electronics are free from vulnerabilities is a daunting task,” they wrote. “Of particular concern are the weapons the nation depends upon today; almost all were developed, acquired, and fielded without formal protection plans.”

Analysts point to a number of factors working against the military’s interest here. Waning corporate loyalty has ratcheted up the insider threat in recent years. The sheer volume of electronic components makes detailed quality-control checks impractical. Contractual requirements can push suppliers to be more diligent – but only if they are acting in good faith to begin with. “That only works for suppliers who have no malicious intent,” McGarvey said.

Moreover, while the military controls prime contracts, it struggles to exert that control further down the food chain, said Ray Gagne, the Army’s director for Acquisition Program Information Protection.

“With the primes we have contractual understandings, but when they subcontract out, that is inherently a vulnerability,” he said. “There is activity ongoing to ensure that a piece of technical data is protected as it flows down the chain, but that is still a work in progress.”

Despite the hurdles, experts point to a number of steps the military and its partners could take to prevent or minimize cyber incursions in the production of military systems.

Rating the risk

In order to safeguard the cyber jewels, the military first needs to have a realistic understanding of what technical data and intellectual property is in play.

“We work with the respective program management offices to ensure they are knowledgeable about the information that is in the hands of industry,” Gagne said. “If it’s a program that we deem to be of a critical nature to the Army, we may ask the program managers to take additional steps to ensure sufficient security counter-measures are in place.”

This risk-based approach forms a critical first layer of defense, he said. Given the vast number of systems in the military portfolio, any realistic effort to close cyber gaps in the supply chain needs to start with a push to prioritize the vulnerabilities.

For systems deemed high risk, some exerts suggest a line of defense that focuses on the behavior of people, rather than cyber-health of specific systems. For any given production task, a manufacturer “can set a baseline of what is normal behavior, alerting security experts earlier when there are anomalies with how users are interacting with data,” said Eric Trexler, vice president for global governments and critical infrastructure at security firm Forcepoint.

By watching for suspect activity, he suggested, it might be possible to stop cyber disruptions before they occur. Others endorse this approach, saying the onus is on industry to adopt best practices.

“Some contractors have developed their own secure development and supply chain practices,” said Wayne Lloyd, federal chief technology officer of cybersecurity company RedSeal. “It’s in the best interest of defense contractors to validate that software and components have not been subverted or come from questionable suppliers. This also relieves the burden of effort on the [Department of Defense] to have to ensure the authenticity of components for weapons systems.”

Contractors could also be more active via human resources as a way to reduce the insider threat. “They could create a working group, for example, that cuts across legal, security, HR and management, with the aim of addressing employee wellness,” McGarvey said. “You want to develop individuals who are not going to be vindictive, who fit well into the social environment of the organization. Employee wellness creates organizational wellness.”

The military, for its part, might look to expand upon existing structures that help to ensure the validity of material in the supply chain.

Microelectronics DOD can trust

Take for instance the trusted supplier program managed by the Defense Microelectronics Activity (DMEA). That program accredits suppliers of integrated-circuit related products and services to ensure integrity in design and manufacturing.

“This 100-percent needs to be expanded to cover any microelectronics that are going into a critical weapons system,” said Jennifer McArdle, a professor of cyber defense at Salve Regina University and a non-resident fellow at the Center for Strategic and Budgetary Assessments. “We need to work more closely with industry to make sure we get microelectronics we can trust.”

McArdle would also like the military to do more to validate the components it puts into play. “You can’t test and evaluate everything, but if you can test and evaluate a small batch you can at least have some degree of assurance,” she said. “You cannot check every single connection, it would just take forever. The question is always, how much enough? If you can’t solve the problem, you at least have to mitigate the risk.”

The Pentagon could also leverage its sizable market muscle to steer providers toward better cyber practices.

In a strategy called “Deliver Uncompromised,” which has been adopted by the Defense Department, the Mitre organization laid out such a path. “Through the acquisition process, DoD can influence and shape the conduct of its suppliers,” the authors wrote. “It can define requirements to incorporate new security measures, reward superior security measures in the source selection process, include contract terms that impose security obligations, and use contractual oversight to monitor contractor accomplishments.”

While such obligations could help improve the process, military officials argue, success in the long run comes from forging a new cooperative working environment that recognizes the military need for security, on the one hand, and the potential financial and operational burdens of cyber hygiene on the other.

“We have to identify the things that are most critical, and then it has to be negotiated between the government and the contractor,” Gagne said. “For example, the contractor may have the ability to secure a system, and it’s just a matter of asking them to do it, or it may fall to the program manager to determine the level of risk the government is willing to take. They’ll have to make decisions together, based on both the risk and the cost.”

Where Gagne envisions a two-way street, some in industry are wary. They suggest that at the end of the day, securing the military supply chain may be, mostly, the government’s job.

“This a counter-intelligence game: What does our enemy want and what can we do about it? That process already exists and maybe you could build off of that,” said Bryson Bort, chief executive officer of the security firm Scythe and a fellow at the National Security Institute at George Mason University.

“In industry when we look at information [security], it’s ongoing. We do penetration testing, we do focused security hardening and testing, we introduce dynamic third part threat evaluations,” he said.

Wouldn’t it be expensive for the military to apply that same rigor across the supply chain? To answer, Bort referenced China’s J-20 stealth fighter, widely believed to be based on plans for a U.S. fighter that were stolen by hackers.

“Yes, it is expensive,” he said. “But is that any worse than when the Chinese show up with the J-20 instantly built, and they’ve skipped two generations of air warfare because they stole the plans? What’s the cost of that?”