US Defense Industrial Base facing growing supply chain risks from China including cyber threats, launches new security measures

Rajesh Uppal March 31, 2021 Cyber, Industry, Threats Comments Off on US Defense Industrial Base facing growing supply chain risks from China including cyber threats, launches new security measures 515 Views

The Department of Defense (DOD) relies on a wideranging and complex industrial base for the products and services that enable the Department’s warfighting capabilities. The domestic DIB includes public-sector (government-owned, government-operated) facilities and private-sector (commercial) companies located in the United States. The commercial companies that contract with DOD are diverse, ranging in size from small businesses to some of the world’s largest corporate enterprises.

These commercial companies provide a wide variety of products to DOD, encompassing everything from complex military-unique platforms (such as aircraft carriers) to common items sold commercially (such as laptop computers, clothing, and food). These companies also provide a wide variety of services, including everything from routine services (e.g., information technology (IT) support) to highly specialized services (e.g., launching space vehicles).

The Pentagon had released a report in Oct 2018, accusing China of seeking to undermine the US military’s industrial base. “China represents a significant and growing risk to the supply of materials and technologies deemed strategic and critical to US national security,” said a Pentagon report commissioned by Donald Trump. “China’s trade dominance and its willingness to use trade as a weapon of soft power increases the risks America’s manufacturing and defense industrial base faces in relying on a strategic competitor for critical goods, services, and commodities,” the report adds. The report found the US was susceptible to nearly 300 such vulnerabilities, from “dependencies on foreign manufacturers to looming labour shortages”, US trade adviser Peter Navarro wrote in the New York Times.

The report, found that China dominates global military supply chains in key sectors such as mining for rare-earth metals used in high-tech defence equipment and is often the only supplier for speciality chemicals used in munitions and missiles. China’s aggressive industrial policies have already eliminated some capabilities with critical defense functions, including solar cells for military use, flat-panel aircraft displays, and the processing of rare earth elements,” the report says, adding “China’s actions seriously threaten other capabilities, including machine tools; the production and processing of advanced materials like biomaterials, ceramics, and composites; and the production of printed circuit boards and semiconductors.”

But alongside over-reliance on China, the report also noted the US was dependent on Japan and Europe. Japan and European nations are the only suppliers of certain carbon fibers used in missiles, satellites, and space rockets; Germany is the prime supplier of special vacuum tubes for night vision goggles, it says.

President Joe Biden will direct his administration to conduct a review of key U.S. supply chains, including those for semiconductors, high-capacity batteries, medical supplies and rare earth metals. The assessment, which will be led by members of Biden’s economic and national security teams, will analyze the “resiliency and capacity of the American manufacturing supply chains and defense industrial base to support national security [and] emergency preparedness,” according to a draft of an executive order seen by CNBC.

The White House review will take place in two phases. The first will consist of a 100-day review process, during which officials will analyze and report on a handful of high-priority supply chains, including those for semiconductor manufacturing and packaging, high-capacity and electric car batteries, rare earth metals and medical supplies. The second phase — beginning after the specific, 100-day review — will broaden the administration’s investigation to various sectors, including the production of equipment for defense, public health, energy and transportation. After those two are complete, one year after the order is issued, the task force will submit recommendations to the president on potential actions, including diplomatic agreements, trade-route edits or other ways to ensure supply chains are not monopolized.

Eric Chewning, deputy assistant secretary of defence for industrial policy, said China was deliberately pursuing “strategies of economic aggression and its complementary military modernisation efforts”, in emailed comments to the Financial Times. “The Chinese Communist Party has used an arsenal of policies inconsistent with free and fair trade, including tariffs, quotas, currency manipulation, forced technology transfer, intellectual property theft, and industrial subsidies that are handed out like candy to foreign investment,” Vice President Mike Pence said in a speech.

“A sudden and catastrophic loss of supply would disrupt DoD missile, satellite, space launch, and other defence manufacturing programs,” said the report, which warned that in many cases no substitutes were readily available. It contained particularly stark warnings on the risk of China’s growing technology prowess. “At risk is America’s loss of leadership in industries of the future such as artificial intelligence, quantum computing, and robotics,” the report said, noting that these would redefine the battlefield this century.

Report recommends creation of a national advanced manufacturing strategy. “Diversifying away from complete dependency on sources of supply in politically unstable countries who may cut off US access” is one of the report’s central recommendations. Other areas include “accelerating workforce development efforts to grow domestic science, technology, engineering, mathematics, and critical trade skills.”

The White House calls for targeted investments in domestic manufacturing in an industrial-base especially into US companies that produce items critical to the US military, like high-performance aluminum, steel, tungsten and carbon fibers. The funds will “address critical bottlenecks, support fragile suppliers, and mitigate single points-of-failure,” according to the report. Defense officials said that one such investment will include a $250 million increase for small and medium manufacturers in the submarine supply chain. “The assessment recognizes the global nature of our supply chains and really addresses the need for strengthening alliances and partnerships so that we can jointly address industrial base risk,” Ellen Lord, undersecretary for acquisition and sustainment, said.

The supply chain is also vulnerable to cyber attacks and cyber espionage. In Oct 2020, National Security Agency warned that Chinese government hackers are taking aim at U.S. computer networks involved in national defense, characterizing the threat posed by Beijing as a critical priority in need of urgent attention. The NSA urged the Defense Department’s cyber officials and those within the defense industrial base to take action to guard against the intrusion by the Chinese. “These networks often undergo a full array of tactics and techniques used by Chinese state-sponsored cyber actors to exploit computer networks of interest that hold sensitive intellectual property, economic, political, and military information,” the Tuesday morning advisory warned. For a number of years, China’s theft of American military secrets has been a top national security issue. Concerns have continued to grow, and a recent internal audit concluded the problem was far more dire than officials had realized.

The report said China’s “capture” of foreign technologies and intellectual property included the “systematic theft of US weapons systems”, argued that this had eroded the military balance between the US and China. Many manufacturers in the defence supply chain lacked the ability to defend against cyber attacks, it added. But the report also revealed that the US government was at something of a loss to dissuade domestic companies from relocating to China to take advantage of lower costs and engaging in technology transfer agreements that are required by Beijing but which the US says harms national security. “China has forced many American companies to offshore their R&D in exchange for access to the Chinese market,” it noted, highlighting one reason US companies are likely to be reluctant to reverse years of offshoring.

Cyber-enabled intellectual property theft from the Defense Industrial Base (DIB) and adversary penetration of DIB networks and systems pose an existential threat to U.S. national security. The DIB is the “[t]he Department of Defense, government, and private sector worldwide industrial complex with capabilities to perform research and development and design, produce, and maintain military weapon systems, subsystems, components, or parts to meet military requirements.” It is a compelling example of a cross-domain challenge that lies at the intersection of cyberspace and conventional domains of warfare. This is because adversary behavior in cyberspace has broader ramifications, such as the potential to erode the United States’s conventional military advantage, undermine deterrence, and provide emerging nation-state competitors with an edge over the U.S. in military contingencies and conflicts.

The threat is multifaceted. Intellectual property theft can enable adversaries to replicate cutting-edge U.S. defense technology without comparable investments in research and development. Adversary access to the DIB could inform the development of offset capabilities. It could even provide insights or access points that enable adversaries to thwart or manipulate the intended functioning of key weapons and systems designed and manufactured within the DIB.

As the sector-specific agency for the DIB, the Department of Defense takes the lead within the federal government for working with this critical infrastructure sector. The 2018 Department of Defense Cyber Strategy identifies defense of the DIB as a crucial imperative, noting that the Defense Department will “defend forward to halt or degrade cyberspace operations targeting the Department, and … collaborate to strengthen the cybersecurity and resilience of [the Defense Department], [Defense Critical Infrastructure], and DIB networks and systems.” There are a number of federal entities involved in identifying, prosecuting and thwarting cyber threats to the DIB. These include the recently established Cybersecurity Directorate within the National Security Agency (NSA); the DIB Cybersecurity Program; and law enforcement and counterintelligence entities such as the FBI, the Air Force Office of Special Investigation, the Naval Criminal Investigative Service, U.S. Army Counterintelligence and the Department of Defense Cyber Crime Center.

Nevertheless, vulnerabilities within the DIB persist and there are gaps in existing efforts. Two critical shortcomings are, first, that there is no truly shared and comprehensive picture of the threat environment facing the DIB and, second, that efforts to rapidly detect and mitigate threats to DIB networks and systems are lacking. Adversaries operate in cyberspace across multiple areas and sectors within the defense industry. This means that, while an advanced threat actor may be targeting a number of entities within the DIB, any given target can only observe the adversary—its capabilities, tools, techniques and indicators of compromise—as it operates on its own assets, if at all. However, to gain insight into adversaries as strategic organizations, the Defense Department needs a consistent and coherent picture of where, how and why they are operating.

These gaps drive two important recommendations advocated by the Cyberspace Solarium Commission. First, through legislation, Congress should require companies within the DIB, as part of the terms of their contract with the Defense Department, to participate in a threat intelligence sharing program that would be housed at the department component level. Information sharing programs do exist, but they are insufficient. For example, the department’s Cyber Crime Center and the DIB Cybersecurity Program are largely voluntary, although DIB entities have some mandatory reporting requirements. Existing programs also tend to benefit the larger prime contractors, which have the ability to share and consume threat information. But small and sub-prime contractors play vital roles in the supply chain, and vulnerabilities within these entities can have cascading negative implications. Finally, the Defense Department lacks a complete view of its supply chain, which may include non-U.S. companies. There are no mandatory reporting requirements that require prime contractors to disclose to the department the identities of their subcontractors.

The ultimate end state of this information sharing program is to leverage fused, real-time information from DIB network owners and operators, coupled with U.S. government intelligence collection products, to create a comprehensive picture of adversary organizations and an improved understanding of the adversaries’ own intelligence collection requirements. This would help the Defense Department and the intelligence community anticipate where adversaries will seek to collect against DIB targets. And, importantly, this information would need to be communicated to DIB network owners and operators so that they can proactively defend against impending threats, as well as support the threat-hunting efforts described further below.

The program should contain a number of key elements. First, drawing on the Defense Department’s new Cyber Maturity Model Certification (CMMC) regulation, the requirements associated with participation would be tied to a firm’s level of maturity. In addition, there should be incentives around participation, particularly for small- and medium-sized companies. Second, there should be defined frameworks that guide specifically delineated information sharing, such as incident reporting and reporting on the use of subcontractors. Third, participation in the program should automatically entail consent by DIB entities for the NSA to query in foreign intelligence collection databases on DIB entities and provide focused threat intelligence to them, as well as enable all elements of the Defense Department, including the NSA, to directly tip intelligence to the affected entity. Finally, as it develops, the program should aim to support joint, collaborative, and colocated analytics, as well as drive investments in technology and capabilities to support automated detection and analysis.

The second committee recommendation is that Congress should direct regulatory action that the executive branch should pursue, through the Defense Federal Acquisition Regulation Supplement, to require companies within the DIB to create a mechanism for mandatory threat hunting on DIB networks. This would be as part of the terms of a company’s contract with the Defense Department. Threat hunting is the act of proactively searching for cyber threats on assets and networks. This recommendation is meant to address the detection and mitigation of adversary cyber threats to the DIB, going a step beyond the intelligence sharing recommendation described above.

Threat hunting on these networks, particularly those that are assessed to be of interest to an adversary, enables network owners and operators, as well as the Defense Department, to have increased confidence in the security of such assets. Additionally, if threat activity is identified, it brings all parties’ attention to the breach so that they can work in concert to contain, remediate, and assess any potential damage and information exposure.

MICROCHIPS Act proposed in US to protect technology supply chain

US is preparing a new bill on cyber-security, which would require intelligence officials to create a plan of action to defend the supply chain. The bill, known as S. 2316 or the The Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property and Supply (MICROCHIPS) Act, would require US intelligence officials to create a plan of action to defend the supply chain. If passed, it would also create a National Supply Chain Security Center and would make funding for supply chain protections available under the Defence Production Act.

Under the terms of the proposed law, the US director of national intelligence, DOD and other relevant agencies would be tasked with submitting to Congress an official plan for strengthening supply chain intelligence. This plan would include recommendations for workforce models, governance structure within the intel community, and budget. The language for this section can also be found in the House of Representatives’ recently introduced version of the Intelligence Authorisation Act.

The MICROCHIPS act was created with China especially in mind, particularly in light of recent US government allegations that products from Chinese telecom and electronics company Huawei may enable Chinese government actors to spy on users.

“The lack of comprehensive detection and apprehension of potentially compromised technology and component parts has practical and serious implications,” states a summary of the law published by Crapo’s office. “US companies continue to lose billions of dollars of IP to theft by China. Additionally, counterfeit and compromised electronics installed in US military, government and critical civilian platforms give China potential backdoors to interfere with and compromise these systems.”

“Through government investments and subsidies, as well as intellectual property theft of companies like Idaho’s Micron, China aims to dominate a £1.2 trillion electronics industry, which creates serious, far-reaching threats to the supply chains that support the US government and military,” said Crapo himself in a news release. The MICROCHIPS Act would create a coordinated whole-of-government approach to identify and prevent these efforts and others aimed at undermining or interrupting the timely and secure provision of dual-use technologies vital to our national security.”

Meanwhile, the Senate bill amends Intelligence Authorisation Act by adding a National Supply Chain Intelligence Center within the Office of the Director of National Intelligence. Its mission would be to a collector and supplier of supply-chain intelligence including threats, risk assessments and vulnerability details. The center would be led by a director who is appointed by the president and its senior management would be composed of individuals working for the Departments of Defence, Justice, Homeland Security and Commerce.

Another section would amend Section 303 of the Defence Production Act of 1950, adding language that authorises the president to make available funding that manufacturers of critical technologies, components and supply chain defence products can use to improve supply chain protections. This section was also separately adopted in the Senate’s recently introduced version of the National Defence Authorisation Act.

“While there is a broad recognition of the threats to our supply chain posed by China, we still lack a coordinated, whole-of-government strategy to defend ourselves,” said Warner in the same release. “As a result, US companies lose billions of dollars to intellectual property theft every year, and counterfeit and compromised electronics in US military, government and critical civilian platforms give China potential backdoors to compromise these systems. We need a national strategy to unify efforts across the government to protect our supply chain and our national security.”

Intel bags deal with US Navy to aid in improving its defense

The ongoing tussle between the US government and the Chinese administration has created waves in the tech industry. This has resulted in huge changes in the market plan and production development of many semiconductor industries. Though most of the companies which are not US-based has to comply with the policies enforced by the US administration, it has most certainly created many possibilities for the US-based silicon manufacturers. The chipmaker giant Intel Corporation bags one such opportunity.

The company announced its subsidiary, Intel Federal LLC, has won a government contract from the United States Government. The contract will help the United States is shifting its defense industrial manufacturing base to its homeland. Intel is one of the only three companies in the entire world capable of manufacturing processors based on advanced processing nodes. Hence, the silicon giant acquiring this deal is a huge deal.

One other reason for offering Intel a deal in defense is to protect access to critical semiconductor technology from rivals like China. Intel recently celebrated its 2020 manufacturing and day. The chipmaker showcased its prowess in semiconductor fabrication. The silicon giant revealed that it produces ten billion transistors each second, and it has compacted four hundred million circuits into one mm2 of a chip. The company also recently revealed its 10nm chipset based Intel Tiger Lake SoCs. The company is manufacturing its next-gen 7nm chipsets, which is delayed by six months to 2023, due to yield problems during the manufacturing process.

Intel will develop Prototypes that will integrate Government Chips with its products. Intel is developing prototypes means that the silicon manufacturer has to ‘lump’ together multiple chips in a single package. This is referred to as by the semiconductor industry a Chiplets.

Chiplets are designed by Intel to tackle various problems that chip manufacturers face due to an increase in the manufacturing cost of silicon dies as node-scaling increases. A silicon die is costlier to manufacture and becomes even more costly as nodes become more advance. Intel aims at reducing this cost using its chipsets. Intel chipsets are smaller, which can then be linked together using Through-Silicon-Vias (TVs), short wires, and interposers.

Apart from chipset, Intel also offers its Foveros 3D die-stacking technology. This new technology provides placing chips like CPU and memory chip on an interconnect unit, which are then connected to the packaging material and then to the motherboard.

Aside from Foveros, the company also offers connecting multiple chips through its Embedded Multi-Die Interconnect Bridge (EMIB) technology. This new tech completely removes TSVs from the connecting equation, which is a bonus and decreases production cost. The US Navy intends to use all of the above Intel’s technology to integrate its purpose-built chips with Intel’s products. This is mainly due to the US administration’s concern over its national security and the integrity of US technology.

The DMEA State of the Art Trusted Foundry Services project provides services to ensure the confidentiality and integrity of military microelectronics.

Officials of the U.S. Defense Microelectronics Activity (DMEA) in McClellan, Calif., needed a company to provide leading-edge current and legacy microelectronics and trusted processes for the U.S. Department of Defense (DOD) and other federal agencies. They found their solution from Globalfoundries U.S. 2 LLC in Hopewell Junction, N.Y. DMEA announced a $400 million order to Globalfoundries on Thursday for access to leading-edge current and legacy microelectronics and trusted processes for DOD and other federal agencies.

DMEA officials are turning to Globalfoundries because of an increase in interest for leading-edge microelectronics technology and lifetime orders for end-of-life technology. This contract modification brings to total value of the original Globalfoundries contract to $1.1 billion. The DMEA State of the Art Trusted Foundry Services project seeks to give DOD and other government agencies access to a wide range of microelectronics services that will ensure the confidentiality and integrity of specialized devices for military applications.

The globalization of the integrated circuit industry in recent years has made this function difficult, DMEA officials say. The DOD Trusted Foundry program seeks to ensure that mission-critical national defense systems can obtain classified and unclassified microelectronics components like application-specific integrated circuits (ASICs) from sources like GlobalFoundries that can protect the confidentiality and integrity of these devices. This program involves design, aggregation, mask manufacturing, wafer fabrication, post-processing, packaging and assembly, test, and broker services. From GlobalFoundries, DOD officials require leading-edge and state-of-the-art semiconductor process technologies, including military temperature ranges and radiation hardness requirements.

The DOD needs GlobalFoundries to fabricate at least 1,200 8-inch ASIC wafers per year, as well as crucial microprocessors, field-programmable gate arrays (FPGAs), and other microelectronics components. GlobalFoundries maintains a secret facility security clearance for manufacturing or assembly work, and otherwise will protect all trusted designs and devices with a cleared group of employees with personnel security clearances.

GlobalFoundries will maintain its expertise in leading-edge and state-of-the-art complementary metal–oxide–semiconductor (CMOS) technologies, as well as in silicon germanium BiCMOS technologies. The company also will develop the ability to produce trusted microprocessors, graphics processors, digital signal processors, analog-to-digital converters, photonics, micro-electro-mechanical systems (MEMS), and other advanced microelectronics. The company will continue its ability to conduct dedicated prototype runs, production runs, obtain trusted masks, and provide complete ASIC services, including design, fabrication, packaging, and test.