Lawmakers are worried about the vulnerabilities of the Defense Department’s supply chain and the risk of adversaries inserting malicious material into Pentagon weapons systems.
“For a sophisticated adversary, this complex, multi-tiered supply chain offers numerous targets for attackers to potentially subvert the design, integrity and resilience of key national security assets,” Sen. Gary Peters (D-Mich.), a member of the Senate Armed Services Committee, told The Hill.
“As our military systems become increasingly interconnected, the implications of a compromised hardware or software component could have significant, wide-ranging impacts — impacts that may not be realized until a serious emergency scenario.”
“The vulnerability that we don’t talk about much … [is] the supply chain and the ability to perhaps embed things in hardware prior to the manufacturing of the actual equipment. I go back to, for example, the GPS signal that we put in an airplane or a radio system that we put in an airplane,” Rep. Austin Scott (R-Ga.) said at a House Armed Services Committee hearing this month.
“Could it be preprogrammed to stop working at a certain point in time, in which case that would give your major adversaries and your peer adversaries a distinct advantage over you if they knew that you were going to lose radio communications at a certain point in time?”
The Pentagon has been implementing policies to address cyber and other threats to the supply chain since 2011, including steps to prevent counterfeit parts from ending up in American weapons systems. Still, experts warn that more needs to be done to safeguard systems throughout their lifecycle.
“We need better threat assessments,” said Donald Robinson, chief technology officer for the defense group at CSRA, a D.C.-based IT services company that contracts with the federal government. “We need to understand what are the threats to the supply chain. Unless we can understand how it can be compromised, we can’t mitigate it.”
“The risks in our supply chain for our current defense posture is increasing, and if we don’t do anything differently, then yes, it’s going to become an increasing threat to our readiness and ability to defend our country,” Robinson said.
A federal advisory committee recently concluded that the U.S. military’s weapons systems are at risk from what is called “malicious insertion” — when something is deliberately inserted into a system for a malicious purpose — and exploitation of undiscovered vulnerabilities.
Of particular concern are weapons currently in the field, which were not covered by the Pentagon’s current procedures for mitigating supply chain risks, the Defense Science Board’s cyber supply chain task force said.
Supply chain vulnerabilities could be anything from lax security measures for shipping products, to a disgruntled program administrator, to an actual vulnerability in the technology itself, Robinson said.
The challenge is minimizing vulnerabilities in the supply chain as much as possible so adversaries cannot exploit them.
Peters noted that the sheer size of the defense industrial base — a network of hundreds of thousands of companies and suppliers — increases opportunities for adversaries to infiltrate it.
“We need comprehensive strategies to advance the development and integration of end-to-end risk management processes for our mission-critical national security functions at every level,” Peters said. “This includes investing in innovative quality assurance and testing methods, as well as increased collaboration and information-sharing between Department of Defense and our defense industrial base partners to identify and mitigate potential cybersecurity threats.”
While supply chain risks are nothing new, lawmakers have demonstrated more interest in them as the U.S. military has become more reliant on high-tech weapons systems and networks.
Peters said that WikiLeaks’ recent release of purported CIA hacking tools and other leaks of classified information from federal contractors — like NSA whistleblower Edward Snowden — “without a doubt” increase his concerns about the potential for insider threats to the supply chain.
Lawmakers are likely to continue to press the issue of supply chain risks, as nations such as Russia increasingly use cyber tools to achieve their strategic objectives.
The biggest hurdle to securing the supply chain, Robinson noted, could be funding, given the multitude of ways to attack it.
“There are so many points of penetration in a supply chain that it’s almost impossible to secure them all within the budgetary constraints we have,” Robinson said. “Ultimately, I think one of the best strategic gains we can get in this area is to make sure that we’re building resilient systems that we can live without or have backups for.”