
DOD in ‘knife fight’ over supply chain, security chief says

November 4, 2016 Andrew Clevenger

Foreign intelligence services are using globalization to get inside the Pentagon’s supply chain and steal U.S. technology, the chief of the Defense Security Service said Oct. 26.

“Right now, we are facing a counterintelligence threat that is unprecedented in our history,” said Dan Payne, director of the Defense Security Service. “It’s bigger than anything we’ve ever faced before. We’re in a knife fight, and most people don’t know it.”

For example, China controls 56 percent of the microelectronics market, Payne said at a forum on supply chain risk management held by Bloomberg Government in Vienna, Va. The potential of tapping into that market makes joint ventures with Chinese companies appealing, he said, but that also heightens the risk to the supply chain.

Department of Defense (DOD) officials increasingly view the Pentagon’s supply chain as a key vulnerability within the defense enterprise, with bad actors seeking to affect systems and steal innovative technologies. This risk extends beyond prime contractors, which have extensive resources to invest in security, to medium and small contractors, which may not have those resources.

The Pentagon’s emphasis on affordability often pushes suppliers to use commercial off-the-shelf (COTS) items, said Frank Kendall, the DOD’s undersecretary for acquisition, technology and logistics.

“All of this presents an opportunity for somebody with a nefarious purpose to get at our products,” Kendall said. “The thing that makes me most nervous is a high-end adversary who finds a way to hide something in our weapons systems and lets it sit there until it can be activated at the worst possible time.”

‘Huge Issue.’

The central issue for protecting the Pentagon’s supply chain is to ensure that a DOD product does what it is supposed to do; doesn’t degrade prematurely; and doesn’t do something it’s not supposed to, Payne said.

“We’re talking millions of products. We’re talking tens of thousands of businesses that we have to be concerned about,” he said. “It is a huge issue, and we’re never going to be able to guarantee the supply chain 100 percent. It’s too vast.”

Kendall and other DOD officials emphasized the key role that cooperation with industry plays in securing the Pentagon’s supply chain.

Carrie Wibben, director of the counterintelligence and security directorate within the Office of the Under Secretary of Defense for Intelligence, said critical program information needed to be identified early in the acquisition process so that it can be protected throughout.

“One of the areas where we have some work to do is on the threat side, making sure that we understand very clearly and are sharing with our partners what we are seeing on the threat side,” she said. “That ranges from the very infancy of a program” and includes constant refreshing.

And communication needs to go both ways, Payne said.

Can’t ‘Fight This Battle Alone.’

In 2015, industry reported 47,000 suspicious contacts—more than nine times the amount reported six years earlier—which led to the creation of 7,500 intelligence reports, he said. Those reports accounted for 19 percent of the DOD’s counterintelligence reporting that year, he said.

“We have to partner with industry,” Payne said. “The U.S. government writ large does not have the resources to fight this battle alone.”

Kristen Baldwin, acting deputy assistant secretary of defense for systems engineering, said her office is on the verge of producing an addendum to the DOD’s 5000 Series of regulations that govern the defense acquisition system. The addendum will emphasize the need to embed cybersecurity and the responsibility for security in weapons and tactical systems, she said.

Increased Vulnerability

Ethan Plotkin, CEO of GDCA, a California manufacturer that specializes in making “obsolete” embedded products and guaranteeing their future availability, said the internet of things increased the supply chain’s vulnerability by an order of magnitude. Companies should carefully consider the consequences before connecting machines to the internet and the world, he said.

“Prognostics, predicting when things need to come in for maintenance, is a huge, huge cost-saving potential. But you have to go ahead and flow all that information up,” he said, adding that data analytics are driving connectivity. “There’s a real drive to do it, but we’ve now just exposed ourselves to a lot more vulnerabilities.”

Companies should be careful not to increase their exposure before they are sure they can protect it, he said.

CEOs now face a staggering level of complexity in trying to understand where to best allocate their company’s resources to protect their products and intellectual property, said Harvey Rishikof, senior counsel at Crowell & Moring who has served as a senior policy adviser to the National Counterintelligence Executive. Software, hardware, employees and internet service providers all represent increasing vulnerabilities, he said.

Lawsuits are driving heightened attention to security, given what’s happening in the regulatory liability litigation space, he said.

“CEOs are looking at what have I done that has made it clear that I’m not negligent,” Rishikof said.

Contracts will be another vehicle for the government to spell out a company’s security obligations, he said.
