
DoD Tightens Supply Chain Security

Your company has been supplying components to Northrop Grumman Corp. for years. But one day, the massive defense contractor notifies you that you're being dropped from all of its contracts. Every single one. When you ask why, the company simply replies: “Because the government said so.”

Although not likely, that scenario is possible under a new provision included in the National Defense Authorization Act passed by Congress in late December. It reflects the government’s increasing alarm over the security of the supply chains for everything from missile systems to PCs, according to EDN.

The government is tight-lipped about this topic and has revealed little about specific incidents. But there are increasing reports of Chinese attempts to hack into US government computers. Some of the diplomatic cables released by WikiLeaks show just how obsessed China is with hacking into the computers of the US government. One cable revealed that an attack in November 2008 yielded emails and a complete list of user names and passwords for a US government agency, according to a New York Times story.

In a Foreign Affairs article last fall, Deputy Defense Secretary William J. Lynn III described a cyber attack on DoD networks that was caused by a flash drive inserted into a US military laptop in the Middle East. He said the code spread undetected through both classified and unclassified systems, establishing a digital beachhead from which data could be transferred to servers under foreign control.

Government officials fear that foreign powers could surreptitiously design something into a component or printed circuit board that would end up in a piece of equipment used by the government. “Maliciously tampered ICs cannot be patched,” retired General Wesley Clark said in 2009. “They are the ultimate sleeper cell.”

So now the DoD wants to be able to ban a contractor if the department has evidence that its supply chain is not secure. Although that was always possible (though rarely done), the new wrinkle added by the provision is that the government doesn't have to disclose its reasons, according to Trey Hodgkins, senior vice president for national security and procurement policy at TechAmerica, a trade association representing the IT industry. The provision is not as severe as originally proposed: The decision to eliminate a company from bidding on a contract would only be undertaken by senior officials, would require a thorough review, and would require disclosure to Congress. But it still has important ramifications.

If the government identifies a risk in your supply chain but doesn't tell you about it, how can you possibly correct it? Not only would you not know what's wrong, but the DoD action could amount to blacklisting your company, says Hodgkins. That's because the provision requires the DoD agency that takes this action to spread the word to other DoD offices and other federal agencies. And as other federal agencies drop you, the effect could spill over into the commercial market as well.

The legislation defines supply chain risk as:

    the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to survey, deny, disrupt, or otherwise degrade the function, use, or operation of such system.

Can you prove the security of every step in your supply chain? That’s the best protection you may have. The DoD is unlikely to resort to banning companies outright. What's more likely is that it will start modifying the qualifications that companies must meet in order to compete for contracts. And one of the qualifications is likely to be documentation that assures the DoD that you've battened down security at every link in your supply chain.

12 comments on “DoD Tightens Supply Chain Security”

  1. Ashu001
    February 28, 2011

    Tam,

    I like what you say here,

    If the government identifies a risk in your supply chain but doesn't tell you about it, how can you possibly correct it? Not only would you not know what's wrong, but the DoD action could amount to blacklisting your company, says Hodgkins. That's because the provision requires the DoD agency that takes this action to spread the word to other DoD offices and other federal agencies. And as other federal agencies drop you, the effect could spill over into the commercial market as well.

    Can we trust the Govt. to do things efficiently and transparently? I for one am completely unsure about this possibility (after looking at the Govt's past track record on these issues). So all senior execs have a very valid and relevant reason to be very worried here.

    Regards

    Ashish.


  2. Tam Harbert
    February 28, 2011

    I agree! If my company was a subcontractor, I would be concerned about this. The government is obviously very worried about this, so it seems likely it would err on the side of caution and would ban a company if it had any concerns at all.

  3. Backorder
    February 28, 2011

    “Ultimate Sleeper Cells”... Amazing read. Though with such a scrutiny, could any of the suppliers prove the integrity of their supply chain, when the material is mostly originating in the same country you are facing such threats from? Mission Impossible. It will all boil down to trust and lobby strength.

  4. Parser
    February 28, 2011

    With almost everything made in China I just don't know how we can protect ourselves. How can we empower our government to screen that process? You are right, these could be the ultimate sleeping cells. What could be the internal directives for manufacturers and suppliers to assure safety?

  5. Backorder
    February 28, 2011

    Parser,

    I suspect if any internal directives would in any way deter companies away from their existing supply chains. We have already gone too far ahead down this road and there would never be a guarantee against such an ultimate hack. We can only put our trust in the reliable vendors and hope their supply chains remain insulated.

  6. Parser
    February 28, 2011

    Backorder: unfortunately hope is not part of the national security vocabulary. The national security qualification process has to be quantifiable and verifiable.

  7. Taimoor Zubar
    February 28, 2011

    “With almost everything made in China I just don't know how we can protect ourselves”

    @Parser: The US government has already realized the risk of using equipment from Chinese manufacturers and I think they will be aiming to scrutinize the Chinese companies pretty soon. Just recently the famous Chinese company Huawei has been put under pressure to allow the authorities to investigate its facilities and processes. Bolaji has explained this scenario very well in his post.

  8. Parser
    February 28, 2011

    TaimoorZ: Huawei is a good example, but our own Google could not manage its own security and pulled out of China.

  9. Jay_Bond
    February 28, 2011

    This sounds like the government has good intentions by protecting our government agencies, but there are going to be many hurdles. For starters, if you are a company the government decides to drop without warning, how do you protect your reputation? The government wants the best products available, at the best prices available. If you’re going to require these suppliers to secure their supply chain the best they can, how do they pass along the cost increases when the government wants the best deals?

  10. Barbara Jorgensen
    February 28, 2011

    Considering the hoops contractors and suppliers have to jump through just to sell to the DoD, it seems they (the DoD) would be a little less reactive in just dropping suppliers. Also, based on these criteria, UPS would be banned from shipping to government contractors, correct? They weren't hacked, but their supply chain was compromised.

  11. Mydesign
    March 1, 2011

    Tam, I think nowadays the government is much concerned about the cyber security aspects. When it comes to national security, it has to take utmost care for the well-being of the country. Nowadays almost all data is stored in digital form in distributed environments. It is true that other nations like Iran, China and similar countries are trying all the ways to leak official secret data by hacking the system using different spyware and malware.

    In order to safeguard such important data, thorough checking and scrutiny of the supply chain distributors and vendors is very important. Otherwise, they can make use of the chances for back door entry into such vigilant areas.

  12. stochastic excursion
    March 2, 2011

    “National security qualification process has to be quantifiable and verifiable.”

    Quantifiability and verifiability are good qualities for a qualification process to have; however, oversight of this process is extremely limited. The result is a club-like association of vendors, contracting agencies, and government arbiters of national security. Certainly leeway in qualification would be useful in any contract negotiation, but it is unclear that the government is interested in cutting spending of money that is not their own (remember the $600 toilet seats?). I would advise anybody interested in keeping the government's business to work on their golf game; it's a good way to get the ear of program managers. Anyway, companies that are involved with lucrative government contracts should be willing to take the bad with the good.
