Embedding “Proactive Vigilance” Into The Pentagon’s High-Tech Supply Chain

In national defense, supply chain mistakes, when found too late, can be massive and hard to overcome. And yet, the Pentagon isn’t too eager to implement more proactive detection systems, a potentially expensive process of randomly testing contractor assurances.

But this lack of “proactive vigilance” can have big costs. In shipbuilding cases, out-of-specification steel – a critical component – was used on U.S. Navy submarines for two decades before the Pentagon learned of the problems. More recently, out-of-specification shafting aboard the Coast Guard’s Offshore Patrol Cutter had to be installed and removed—an embarrassing waste of time and funds for both the contractors and the government clients.

Had these issues been caught early, the short-term blow to profits or schedule would have more than offset the wider damage of a complex and long-term supply-chain failure.

Put another way, the suppliers may benefit from vigorous external tests and more rigorous—or even random—compliance tests.

Fortress Information Security founder Peter Kassabov, speaking on a Defense and Aerospace Report podcast earlier this year, noted that attitudes are changing and more defense leaders are likely to start looking “at the supply chain not only as an enabler, but also as a potential risk.”

Protective regulation is still being developed. But to get companies to take proactie supply chain vigilance more seriously, companies may face greater incentives, bigger sanctions—or perhaps even a requirement that executives at major prime contractors be personally liable for damages.

Old Compliance Regimes Focus On Old Targets

What’s more is that the Pentagon’s supply chain compliance framework, such as it is, remains focused on ensuring the fundamental physical integrity of basic structural components. And while the Pentagon’s present quality control systems are barely able to catch concrete, physical problems, the Pentagon really struggles to enforce current Department of Defense integrity standards for electronics and software.

The difficulty in assessing electronics and software integrity is a big problem. These days, the gear and software used in the military’s “black boxes” are far more critical. As one Air Force General explaineed in 2013, “The B-52 lived and died on the quality of its sheet metal. Today our aircraft will live or die on the quality of our software.”

Kassabov echoes this concern, warning that “the world is changing and we need to change our defenses.”

Certainly, while “old-fashioned” bolt-and-fastener specifications are still important, software is really at the core of almost any modern weapon’s value proposition. For the F-35, an electronic weapon and a key battlefield information and communications gateway, the Pentagon should be far more attuned to Chinese, Russian or other dubious contributions to critical software than it might be in the detection of some China-sourced alloys.

Not that the national content of structural components lacks importance, but as software formulation becomes more complex, supported by ubiquitous modular subroutines and open-source building blocks, the potential for mischief grows. Put another way, a Chinese-sourced alloy won’t bring down an aircraft by itself, but corrupt, Chinese-sourced software introduced at a very early stage in subsystem production could.

The question is worth asking. If suppliers of America’s highest priority weapons systems are overlooking something as simple as steel and shafting specifications, what are the chances that harmful, out-of-specification software are unintentionally contaminated with troubling code?

Software Needs More Scrutiny

The stakes are high. Last year, the annual report from Pentagon weapons testers at the Office of the Director, Operational Test and Evaluation (DOT&E) cautioned that “the vast majority of DOD systems are extremely software-intensive. Software quality, and the system’s overall cybersecurity, often are the factors that determine operational effectiveness and survivability, and sometimes lethality.”

“The most important thing that we can secure is the software that enables these systems, says Kassabov. “Defense suppliers cannot just focus and make sure that the system does not come from Russia or from China. It is more important to actually understand what is the software inside of this system and how eventually this software is vulnerable.”

But testers may not have the tools necessary to evaluate operational risk. According to DOT&E, operators are asking for someone at the Pentagon to “tell them what the cybersecurity risks, and their potential consequences, are, and to help them devise mitigation options to fight through a loss of capability.”

To help do this, the U.S. government relies on critical low-profile entities like the National Institute of Standards and Technology, or NIST, to generate standards and other basic compliance tools needed to secure software. But funding just isn’t there. Mark Montgomery, the executive director of the Cyberspace Solarium Commission, has been busy warning that NIST will be hard-pressed to do things like publish guidance on security measures for critical software, develop minimum standard for software testing, or guide supply chain security “on a budget that for years has hovered at just under $80 million.”

No simple solution is in sight. NIST’s “back-office” guidance, coupled with more aggressive compliance efforts, can help, but the Pentagon has got to move away from the old-fashioned “reactive” approach to supply chain integrity. Certainly, while it is great to catch failures, it is far better if proactive efforts to maintain supply chain integrity kick in the second defense contractors first start crafting defense-related code.

Source: https://www.forbes.com/sites/craighooper/2022/11/01/embedding-proactive-vigilance-into-the-pentagon-high-tech-supply-chain/