Cyber era brings new kinds of supply-chain threats

Problems in the Defense Department’s supply chain aren’t a new issue. The military has always been at risk from enemies and had a need for tight security. A GAO sting operation earlier this year highlighted some vulnerabilities, for example.

But the prevalence of digital systems brings a newer kind of threat: one that can be tiny in size but huge in potential impact. It is the risk of electronic components that have been altered to digitally infiltrate U.S. defense systems.

"We’re now worried [about] the integrity of the products coming into our global supply chain that might compromise businesses confidentiality or the overall availability of essential services,” said Melissa Hathaway, former White House cybersecurity adviser and now president of Hathaway Global Solutions. Hathaway spoke as part of a panel at the Potomac Institute in Washington on Sept. 26.

The globalization of the market and the supply chain opens the door to more potential adversaries gaining access to parts, the panelists indicated.

“Products are being built, delivered, maintained and upgraded all around the world, and they are vulnerable to opponents who wish harm,” Hathaway said. She added that the global nature of today’s manufacturing cycle “provides adversaries, or these opponents, with greater opportunities to manipulate the product from design through its entire life cycle,” including the possibility of gaining access to DOD networks.

Brett Lambert, deputy assistant secretary of defense for manufacturing and industrial base policy, admitted that Pentagon officials have seen cases of chips with “built-in back doors” that could allow system access for espionage or data theft.

"The vast majority of this is really criminal behavior,” Lambert said, noting that the problem is exacerbated by the government’s increased of commercial products, which can be more difficult to track and regulate than custom-built goods.

The digital aspect of the supply chain worries represent a step further than more traditional concerns of just physical risks, as were the subject of the GAO’s operation and resultant study. In those cases the concern was more often about parts that were counterfeit and could possibly fail or not function at all – equally dangerous, but with a different intent.

“It started out in the way of theft…[but now] our real concern and fear is that it could evolve past that, to destruction,” said Dennis Bartko, special assistant for cyber to the National Security Agency director.

So what can be done about the problem?

Bartko said he was encouraged by the growing federal use of cloud, which allows for data to be stored in different servers, dispersing the elements that enemies want to target. Cloud’s institution also allows for built-in security from the start, allowing for better protection, he added.

Another solution discussed at the panel was the idea of incentives, such as tax credits to companies that invest in good, more secure processes and practices to create better products in the future, as Hathaway noted.

Other possible solutions include the growing use of a trusted supplier list, and the potential for DOD to buy electronic parts from “trusted foundries” – highly secure manufacturers based in the U.S.

According to Lambert, the trusted foundries may be the answer for a narrow swath of very high-priority programs, but it’s expensive, puts limitations on global innovation and won’t work for most weapons systems. He also stressed that further regulations wouldn’t be a viable option, either.

“We’re really looking at incentives, not disincentives,” Lambert said. “The old standby remedy to most supply chain concerns of ‘mandate it’ won’t work in the new global reality. Strict regulations and restrictions, when you talk about technology, never really work over a long period…we find ourselves coming up with great standards but alienating the very technological edge we’re seeking.”

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.

Featured

  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above