The US military’s electronics supply chain is vulnerable to malicious cyber attacks and needs to be overhauled to ensure weapons systems are protected from initial design to end-of-life in the field, according to a recently released Defense Science Board Task Force report.
The “Cyber Supply Chain” report assessed current practices for managing cyber threats to DoD weapons systems—including protection processes and the use of commercial-off-the-shelf (COTS) electronic components to reduce supply chain risk—and found them wanting. The report calls on the Under Secretary of Defense for Acquisition, Technology and Logistics (USD(AT&L)) to “strengthen lifecycle protection policies, enterprise implementation support, and R&D programs to ensure that DoD weapons systems are designed, fielded, and sustained in a way that reduces the likelihood and consequences of cyber supply chain attacks.”
The current strategy used by the DoD to secure its electronics supply chain relies on relationships with “trusted” suppliers and supply chain partners. This includes commercial foundries, component and sub-system manufacturers, and electronics distributors. However, the task force points out that even though a supply chain partner has been vetted, there is always a risk that rogue employees or even the company itself could pose a cyber threat.
“For a sophisticated adversary, this complex, multi-tiered supply chain offers numerous targets for attackers to potentially subvert the design, integrity, and resilience of key national security assets,” Senator Gary Peters (D-Mich.), a member of the Senate Armed Services Committee, told The Hill.
As evidence, the report pointed to the existence of counterfeit components that circulate through the supply chain and have made their way into weapons systems. This is due in part to the age of the systems in the field that need replacement parts that are no longer available from the manufacturer. The DoD has no alternative but to purchase discontinued components from “distributors where the pedigree is less secure,” according to the report.
Also, the longer a system is in the field with the same electronic parts and embedded software, the more likely it is that adversaries will be able to gain system information and discover vulnerabilities.
The report cited examples of pernicious corporate activity in the commercial world that could be replicated in defense systems: Volkswagen’s use of a “defeat device” to thwart emissions testing in the company’s cars, and a Scottish design company, FTDI, that allegedly used a Windows driver update to disable computers using functional clones of certain components found inside pre-built products, such as Arduino boards, according to one source.
The task force determined that the capital cost of maintaining a DoD-owned trusted foundry is not feasible and recommends the DoD develop a long-term strategy for access to state-of-the-art commercial foundry capabilities that does not rely exclusively on trust.
To that end, the task force recommends that the USD(AT&L) “strengthen lifecycle protection policies, enterprise implementation support, and R&D programs” and direct the development of comprehensive program protection plans for critical fielded weapons systems.
The report also cites promising research from the Defense Advanced Research Projects Agency (DARPA) and other DoD agencies that “offer the potential for a technology-enabled strategy that can use widely sourced parts confidently rather than depending on a sole source Trusted Foundry.”