Given the importance of every element in the defense supply chain, it makes sense that airtight security would be a major focus. The goal has always been a zero-tolerance approach to security issues. However, the reality is that these supply chains are simply too complex.
How is it possible to manage something that spans the globe and incorporates countless people in the process? It’s clear that our current approach isn’t working. The only solution is to change how we approach this key element of the supply chain.
A Growing Concern in The Defense Supply Chain
The defense supply chain is enormous, but even the smallest intrusion can call its entire security into question. Take, for example, the story that Bloomberg broke in October 2018.
According to the report, a microchip roughly the size of a single grain of rice had been added to server motherboards that were never designed to carry it. Those boards were then built into servers deployed everywhere, reportedly including Amazon, US Department of Defense (DOD) data centers, CIA drone operations, and even a US Navy ship.
Small as it was, the chip reportedly gave its creators a hardware backdoor into any network the server joined: a foothold below the operating system that no patch or endpoint agent on the machine could see, exposing everything the server handled. Unlike a run-of-the-mill website hack, an implant like this takes deliberate planning, access to the manufacturing line, and considerable resources. And yet, the report claimed, it still happened.
The thread led back to China, which produces the vast majority of the world’s electronics. It was a worst-case scenario, but could it have been prevented? The report said the chips were inserted at the factories where the boards were made, and that the boards then passed through every downstream step of the supply chain without triggering any alarms.
Both the manufacturer and the named customers denied the accuracy of the report, and it has never been independently confirmed. But the topic was already out there, and whether or not this particular story holds up, it made the underlying risk concrete: a component altered at the factory can end up anywhere, and checks at later stages rarely catch it. It was time to rethink security in the defense supply chain.
Putting The Focus Where it Belongs
The US Department of Defense started by looking at lower-tier suppliers who may have holes in their security. The problem with that approach, however, is the sheer number of them.
The Pentagon alone has contracts with thousands of companies, which in turn have their own contracts and suppliers. Major contractor Lockheed Martin, for instance, has over 16,000 suppliers of its own.
The best place to start is by looking at what needs to change. This is where the Government Accountability Office (GAO) High-Risk report helps paint a clearer picture. The 2019 edition of the report keeps DOD supply chain management on its high-risk list, with two areas still flagged as problems:
- Asset visibility: the ability to pinpoint the location, quantity, condition, and status of inventory across the supply chain. The DOD cites better tracking of cargo movements as a specific opportunity.
- Materiel distribution: the supply chain’s ability to deliver products at the right cost and within the required timeline. A lack of delivery data, combined with missed deadlines, contributes to this issue.
Neither of these is a cybersecurity control in the narrow sense; they are logistics measures. But a supply chain that cannot say where a part is, or where it came from, cannot vouch for that part’s integrity either, which is why they matter here.
With this focus in mind, the DOD also introduced a new initiative, “Deliver Uncompromised,” in June of 2018. It makes security a fourth pillar of sourcing decisions, weighed alongside price, delivery, and performance rather than bolted on afterwards.
By treating security as a requirement from a product’s inception, designers can tailor their sourcing accordingly. The goal is to avoid questionable or gray-market suppliers that have led to security issues in the past.
This is all moving in the right direction, but it doesn’t address the smaller suppliers deeper in the supply chain. It’s there that we have an opportunity to understand the source of the problems and the steps we can take to fix them.
People and Suppliers are The Secret
Taking a step back, it really comes down to the means of the individual organizations in the supply chain. Large ones have the time and resources to properly vet their suppliers; small and mid-sized businesses simply don’t.
Speaking at a cybersecurity conference in Virginia, Federal Chief Information Security Officer Grant Schneider described a potential model for weighting security risk in both purchasing and procurement.
A model like this, as Schneider put it, would naturally lead both the private and federal sectors to steer away from parts that are low-cost and, at the same time, low-security.
“We’re very much looking for feedback on how we do market incentives, where we can focus in the federal government, because I don’t believe the free market is necessarily going to get us there in cybersecurity. At least, it’s not going to get us there fast enough.” – Federal Chief Information Security Officer Grant Schneider
So part of the answer lies in cooperation between regulators and suppliers of all sizes, but it’s also important to consider the power of people. The individuals who work within the supply chain are at once its most powerful and its most vulnerable element.
Empowering The People in Your Supply Chain
We’ve seen incidents where a single set of stolen credentials led to massive data leaks. At the other end of the spectrum, however, this part of the supply chain can be fortified by giving people stronger individual protections: for example, multi-factor authentication on every account that can reach design or procurement data, and access limited to what each role actually needs, so that one compromised login cannot expose everything.
Another example is better accountability. If the activity of accounts that touch sensitive projects is logged and compared against each person’s normal pattern, a login from an unfamiliar network, at an unusual hour, or from two different places only minutes apart stands out as a sign that the credentials may be in someone else’s hands.
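As an added illustration of that idea, here is a small Python script; it is not code from the original post or from Findchips. It reads a constructed authentication log, learns a per-user baseline from each account’s first few successful logins (which source networks and which hours of the day are normal), and then flags later logins that come from a never-seen network, fall outside the usual hours, or arrive from two different networks closer together than a person could plausibly travel. The log format, the sample addresses, the thresholds, and the use of a /24 as a stand-in for “location” are all assumptions made for this example; a real deployment would feed it identity-provider logs and GeoIP or ASN data, and learn baselines over weeks rather than five events.

```python
"""Credential-anomaly check over constructed authentication events.

Added illustration, not code from the original post or from Findchips.
Builds a per-user baseline from the first few successful logins (source
networks and hours of day), then flags later logins that break it:
  new_network        a source /24 the account has never used
  off_hours          a login outside the account's baseline hour range
  impossible_travel  two logins from different networks closer together
                     than the assumed minimum travel time
Log format, thresholds, addresses and the /24-as-location shortcut are
assumptions made for this example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <source IP> <result>".
SAMPLE_LOG = """\
2019-03-04T08:02:11 alice 203.0.113.14 success
2019-03-04T09:15:40 alice 203.0.113.22 success
2019-03-05T08:10:03 alice 203.0.113.9 success
2019-03-05T17:45:00 alice 203.0.113.30 success
2019-03-06T08:31:27 alice 203.0.113.14 success
2019-03-07T03:12:54 alice 198.51.100.77 success
2019-03-07T03:40:10 alice 203.0.113.14 success
2019-03-04T08:00:00 bob 192.0.2.5 success
2019-03-04T12:00:00 bob 192.0.2.5 success
2019-03-05T08:00:00 bob 192.0.2.6 success
2019-03-05T16:00:00 bob 192.0.2.6 failure
2019-03-05T16:01:00 bob 192.0.2.6 success
2019-03-06T09:00:00 bob 192.0.2.5 success
2019-03-08T13:00:00 bob 192.0.2.7 success
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: ipaddress.IPv4Address
    result: str

    @property
    def network(self) -> ipaddress.IPv4Network:
        # Assumption: the /24 stands in for "where the user is".
        return ipaddress.ip_network(f"{self.src}/24", strict=False)


@dataclass(frozen=True)
class Finding:
    user: str
    ts: datetime
    kind: str      # new_network | off_hours | impossible_travel
    detail: str


@dataclass
class Baseline:
    networks: set[ipaddress.IPv4Network] = field(default_factory=set)
    hours: set[int] = field(default_factory=set)
    count: int = 0


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), user,
                            ipaddress.ip_address(ip), result))
    return events


def detect(text: str, baseline_events: int = 5,
           min_travel: timedelta = timedelta(minutes=60)) -> list[Finding]:
    """Learn a per-user baseline from the first successful logins, then
    flag later successful logins that deviate from it."""
    per_user: dict[str, list[Event]] = defaultdict(list)
    for ev in parse_log(text):
        if ev.result == "success":    # failed attempts are out of scope here
            per_user[ev.user].append(ev)

    findings: list[Finding] = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e.ts)
        base = Baseline()
        prev: Event | None = None
        for ev in events:
            if base.count < baseline_events:
                # Still learning: record what "normal" looks like.
                base.networks.add(ev.network)
                base.hours.add(ev.ts.hour)
                base.count += 1
            else:
                if ev.network not in base.networks:
                    findings.append(Finding(user, ev.ts, "new_network",
                                            f"source {ev.network} never seen before"))
                lo, hi = min(base.hours), max(base.hours)
                if not lo <= ev.ts.hour <= hi:
                    findings.append(Finding(user, ev.ts, "off_hours",
                                            f"login at {ev.ts.hour:02d}h, baseline {lo:02d}-{hi:02d}h"))
                if (prev is not None and prev.network != ev.network
                        and ev.ts - prev.ts < min_travel):
                    gap = int((ev.ts - prev.ts).total_seconds() // 60)
                    findings.append(Finding(user, ev.ts, "impossible_travel",
                                            f"{prev.network} then {ev.network} {gap} min apart"))
            prev = ev
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts.isoformat()} {f.user:<6} {f.kind:<17} {f.detail}")
```

Run on the sample, it reports four findings, all for alice: her 03:12 login comes from a network she has never used and at an hour she never works, and the second login 27 minutes later from her usual network, while she is supposedly still on the other one, is flagged as impossible travel. Bob’s later login matches his baseline and produces nothing. The point is the structure, not the thresholds: learn what is normal per account, then alert on deviation from it, which is exactly the signal that a stolen password with a valid username would otherwise hide behind.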
Ultimately, it comes down to using the right tools. If the DOD’s “Deliver Uncompromised” expects contractors and suppliers to build security into the very design of a product, then it all starts with giving people the knowledge and tools they need to make smarter, more secure decisions.
A Trusted Solution
One of the most common entry points for compromised components is the sourcing and procurement stage. Faced with a shortage, long lead times, or other obstacles, purchasers turn to whatever source they can find, and components from low-security sources or the gray market enter the supply chain.
What if we could prevent that decision from ever happening? By giving your teams access to trusted distributors and the ability to pinpoint or predict problems ahead of time, you remove the need for desperate decision-making.
With Findchips Pro, the ability to compare parts on your BOM lets you quickly find a trusted alternative from any one of our secure distributors. Moreover, our proprietary Risk Rank algorithm gives you deep insight into each part. Using this score provides a window into the potential future of any component.
Security is a top priority in the defense supply chain, and it starts with giving people the tools they need to make smarter decisions. Schedule a demo of Findchips Pro today, and discover how this one decision can offer a brighter future for your supply chain.