Fri, Mar 29, 2019
In mid-2018, the Pentagon announced a potential major change in the way it would award future aerospace and defense (A&D) contracts, elevating the role of supply chain security in future acquisition decisions.1 This new acquisition policy would require A&D companies to demonstrate the integrity of their supply chains as a prerequisite to winning a new defense contract. As a senior U.S. intelligence official recently testified to Congress, “It is no longer sufficient to only consider cost, schedule and performance when acquiring defense capabilities. We must establish security as a fourth pillar in defense acquisition and, also, create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business.”2
“We must establish security as a fourth pillar in defense acquisition and, also, create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business.”
– Anthony Schinella, national intelligence officer for military issues at the Office of the Director of National Intelligence, Testimony to House Armed Services Committee, June 21, 2018.
Although details about how the U.S. government could use its purchasing and regulatory power to encourage A&D companies to address supply chain security concerns are sparse, a recently published Department of Defense-sponsored report provides additional insights.3 This report identifies four levers available to government acquisition officers:
Define requirements to incorporate new security measures;
Reward superior security measures in the source selection process;
Include contract terms that impose security obligations; and
Use contractual oversight to monitor progress.
While not yet codified into law or policy, it is likely that this concept will eventually take root, especially in light of recurring U.S. government concerns about the security of its A&D supply chains.
“A global industrial base means increased supply chain risk associated with foreign provision, including counterfeits, lack of traceability, and insufficient quality controls throughout supply tiers.”
– Interagency Task Force in Fulfillment of Executive Order 13806, Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States, September 2018, p. 29.
A key source of concern with A&D supply chain security stems from the widespread presence of third-party relationships within the industry. Five third-party-related challenges stand out:
Large, complex and often opaque supply chains.
A&D supply chains are notoriously large and complex, comprising hundreds or even thousands of third parties arranged in a multi-tiered web of relationships.4, 5 As a result, transparency across an entire supply chain is difficult, if not impossible, to achieve.6
Reliance on overseas suppliers.
As a Department of Defense-led interagency report on the defense industrial base notes, “A global industrial base means increased supply chain risk associated with foreign provision, including counterfeits, lack of traceability and insufficient quality controls throughout supply tiers.”7
Sourcing from potentially hostile countries.
There is growing concern about sourcing from third parties located in, or controlled by, a competitor nation, since hostile state actors could use lower-tier suppliers as a vector to harm U.S. national security interests.8, 9 The most frequently cited jurisdiction is China.10, 11 Russian-owned or controlled firms are also of concern, as evidenced by the U.S. government procurement ban on the Russian-owned software company Kaspersky Lab.12
Vulnerability of information and communication technology (ICT) supply chains.
Although ICT systems are critical for the U.S. military, their reliance on overseas manufacturers and suppliers is also a weakness. Adversaries could leverage upstream manufacturers and suppliers to introduce malware, gain backdoor access for espionage, or degrade capabilities by compromising the integrity of ICT systems.13
Susceptibility of supply chain partners to a cybersecurity breach.
As my Kroll colleagues recently noted, “many of the high-profile cybersecurity breaches of the last several years share a common, disturbing thread: the breach was not the result of a direct attack on the targeted organization, but instead due to exposures arising from vendors and other trusted third parties.”14 The threat of a breach via a third party is heightened for the A&D industry: because the IT systems of the Department of Defense and its largest contractors are comparatively well hardened, adversaries are pushed upstream toward smaller vendors with fewer resources to defend themselves.15
“Many of the high-profile cybersecurity breaches of the last several years share a common, disturbing thread: The breach was not the result of a direct attack on the targeted organization, but instead due to exposures arising from vendors and other trusted third parties.”
– Anju S. Chopra, Brian Lapidus and Keith Wojcieszek, “Scaling Cyber Supply Chain Risk Management with Dark Web Monitoring,” Kroll, October 1, 2018.
While due diligence screening is traditionally used to minimize exposure to business risk stemming from third parties, it can be modified to accommodate national security concerns. At a minimum, A&D companies should consider the following when developing and implementing a national security-informed due diligence program:
It is increasingly likely that future defense contracts will elevate security to a new fourth pillar of acquisition alongside current requirements of cost, schedule and performance. To remain competitive, A&D companies will need to demonstrate to U.S. government procurement staff that they have undertaken steps to ensure the integrity of their supply chains. One such method is to implement a due diligence program informed by national security priorities. While doing so won’t solve all the security challenges confronting the industry, it will help to reduce some concerns stemming from its third-party partnerships.
Sources:
1 Ellen Nakashima, “Pentagon is rethinking its multibillion-dollar relationship with U.S. defense contractors to boost supply chain security,” Washington Post, August 13, 2018.
2 Federal News Network, “Contractors look for clues to new security proposal in appropriations bills,” August 29, 2018.
3 Chris Nissen, et al., Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War, MITRE, August 2018, p. iii.
4 https://www.dhs.gov/cisa/defense-industrial-base-sector
5 https://www.gao.gov/assets/700/693082.pdf
6 Justin Lynch, “Pentagon moves to secure supply chain from foreign hackers,” Fifth Domain, October 21, 2018.
7 Interagency Task Force in Fulfillment of Executive Order 13806, Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States, U.S. Department of Defense, September 2018, p. 29.
8 Interagency Task Force in Fulfillment of Executive Order 13806, Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States, U.S. Department of Defense, September 2018, p. 8.
9 Chris Nissen, et al., Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War, MITRE, August 2018, p. 7.
10 See, for example, Interagency Task Force in Fulfillment of Executive Order 13806, Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States, U.S. Department of Defense, September 2018; and U.S.-China Economic and Security Review Commission, 2018 Report to Congress, 115th Congress, 2nd Session, November 2018, pp. 20 and 21.
11 Doug Cameron, “Pentagon to Audit Defense Supply Chains,” Wall Street Journal, October 5, 2018.
12 Joseph Marks, “Pentagon to Scrub Kaspersky From Defense Systems Following DHS Ban,” Nextgov, October 27, 2017, https://www.nextgov.com/cybersecurity/2017/10/pentagon-scrub-kaspersky-defense-systems-following-dhs-ban/141978/.
13 Tara Beeny, Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology, Interos Solutions, Inc., April 2018, p. v; and Chris Nissen, et al., Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War, MITRE, August 2018, pp. 7-8.
14 Anju S. Chopra, Brian Lapidus, and Keith Wojcieszek, “Scaling Cyber Supply Chain Risk Management with Dark Web Monitoring,” Kroll, October 1, 2018, https://www.kroll.com/en/insights/publications/scaling-cyber-supply-chain-risk-management.
15 Lisa Lambert, “Chinese hackers targeting U.S. Navy contractors with multiple breaches: WSJ,” Reuters, December 14, 2018, https://www.reuters.com/article/us-usa-cyber-china-navy/chinese-hackers-targeting-u-s-navy-contractors-with-multiple-breaches-wsj-idUSKBN1OD1V6.
16 For more on dark web monitoring, see my colleagues’ recent white paper: Anju S. Chopra, Brian Lapidus, and Keith Wojcieszek, “Scaling Cyber Supply Chain Risk Management with Dark Web Monitoring,” Kroll, October 1, 2018, https://www.kroll.com/en/insights/publications/scaling-cyber-supply-chain-risk-management.
The Kroll Investigations, Diligence and Compliance team partners with clients to anticipate, detect and manage regulatory and reputational risks associated with global ethics and compliance obligations.