When it comes to microelectronics supply chain, better security risk assessment as manufacturers base contend with ongoing threats.
The Defense Department's concerns about supply chain security have only increased over the past year as the COVID-19 pandemic has exposed manufacturing challenges. But when it comes to microelectronics, better risk assessment to breed better policy.
"We are facing, not just the after effects of COVID, but as we look forward we see the effects of...instability added into the supply chain over the next several decades," said Rep. Mikie Sherrill (D-N.J.), vice chair of the House Armed Services Subcommittee on Tactical Air and Land Forces and a former Navy helicopter pilot, during an Aug. 23 Hudson Institute virtual event on microelectronics, naming environmental threats, weather, politics and economic policies that counter U.S. interests as potential instabilities.
"In the defense industry, we have put it on the backs of so many of the manufacturers, so many of the purchasers and suppliers to keep track of the supply chain and drill down on where things come from," Sherrill said. "The Defense Department has got to do a lot better at assessing the risk -- the country has to do a lot better at assessing the risk -- so we really can make good policy decisions."
There's been an increased focus on microelectronics and semiconductor manufacturing in recent National Defense Authorization Acts, primarily addressing reshoring efforts and scoping security concerns.
The House Armed Services Committee recently concluded a probe into defense supply chain issues. The Defense Supply Chain Task Force, which Sherrill was on, found that DOD's small market presence in semiconductors and microelectronics "impedes direct access to corporate data required to fully and independently assess" the microelectronics supply chain.
But securing these tiny, intricate chips essential to weapons systems and computing devices is another story. Victoria Coleman, chief Scientist for the Air Force, said part of the solution is embracing zero trust, which DOD has begun to embrace, "removes the focus of attention from the process that was used to create something."
"It's a little bit like deciding to buy a stroller for your child. Would you buy a stroller that you had never been tested, but it came out of a factory that is well known for making strollers? Most people wouldn't. So we need to replace faith in [the] process with faith in the product that comes out of that."
Coleman suggested building safety cases for better cybersecurity, taking a cue from the safety critical systems community, which includes protocols for aircraft manufacturers and medical equipment, such as diagnostic or treatment machines that use high radiation levels.
"For each one of those systems, that community has to build something that I call a safety case, which is a logical argument that lays out the criticality of the various functions that the system contains. Depending on this criticality, there have to be mitigations. There has to be test data ...analytical data, and all of that comes together in a safety case," Coleman said at the Aug. 23 event.
"I think when we think about zero trust as an approach to get us out of this hole, I think we need to start thinking about assurance cases for all these systems that take into account, not only about the product parameters, but also in the case of the DOD, the context within which it gets embedded."
Coleman stressed that cyber vulnerabilities in these systems were virtually guaranteed and stressed resilience as the main line of defense.
"Let's build them in such a way that they're actually resilient," she said. "So when these things hit us, we can contain the infection and we can contain a lot of breakage, so that it doesn't spread to the whole system."