Cyber era brings new kinds of supply-chain threats

Problems in the Defense Department’s supply chain aren’t a new issue. The military has always been at risk from enemies and had a need for tight security. A GAO sting operation earlier this year highlighted some vulnerabilities, for example.

But the prevalence of digital systems brings a newer kind of threat: one that can be tiny in size but huge in potential impact. It is the risk of electronic components that have been altered to digitally infiltrate U.S. defense systems.

"We’re now worried [about] the integrity of the products coming into our global supply chain that might compromise businesses confidentiality or the overall availability of essential services,” said Melissa Hathaway, former White House cybersecurity adviser and now president of Hathaway Global Solutions. Hathaway spoke as part of a panel at the Potomac Institute in Washington on Sept. 26.

The globalization of the market and the supply chain opens the door to more potential adversaries gaining access to parts, the panelists indicated.

“Products are being built, delivered, maintained and upgraded all around the world, and they are vulnerable to opponents who wish harm,” Hathaway said. She added that the global nature of today’s manufacturing cycle “provides adversaries, or these opponents, with greater opportunities to manipulate the product from design through its entire life cycle,” including the possibility of gaining access to DOD networks.

Brett Lambert, deputy assistant secretary of defense for manufacturing and industrial base policy, admitted that Pentagon officials have seen cases of chips with “built-in back doors” that could allow system access for espionage or data theft.

"The vast majority of this is really criminal behavior,” Lambert said, noting that the problem is exacerbated by the government’s increased of commercial products, which can be more difficult to track and regulate than custom-built goods.

The digital aspect of the supply chain worries represent a step further than more traditional concerns of just physical risks, as were the subject of the GAO’s operation and resultant study. In those cases the concern was more often about parts that were counterfeit and could possibly fail or not function at all – equally dangerous, but with a different intent.

“It started out in the way of theft…[but now] our real concern and fear is that it could evolve past that, to destruction,” said Dennis Bartko, special assistant for cyber to the National Security Agency director.

So what can be done about the problem?

Bartko said he was encouraged by the growing federal use of cloud, which allows for data to be stored in different servers, dispersing the elements that enemies want to target. Cloud’s institution also allows for built-in security from the start, allowing for better protection, he added.

Another solution discussed at the panel was the idea of incentives, such as tax credits to companies that invest in good, more secure processes and practices to create better products in the future, as Hathaway noted.

Other possible solutions include the growing use of a trusted supplier list, and the potential for DOD to buy electronic parts from “trusted foundries” – highly secure manufacturers based in the U.S.

According to Lambert, the trusted foundries may be the answer for a narrow swath of very high-priority programs, but it’s expensive, puts limitations on global innovation and won’t work for most weapons systems. He also stressed that further regulations wouldn’t be a viable option, either.

“We’re really looking at incentives, not disincentives,” Lambert said. “The old standby remedy to most supply chain concerns of ‘mandate it’ won’t work in the new global reality. Strict regulations and restrictions, when you talk about technology, never really work over a long period…we find ourselves coming up with great standards but alienating the very technological edge we’re seeking.”

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

The Fed 100

Read the profiles of all this year's winners.


  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group