Could the Chinese Communist Party “page” U.S. servicemembers, the way the Mossad did to Hizballah on Sept. 17, 2024, in one of the most daring deception operations in living memory? It is possible.
The Department of Defense does not fully understand the breadth and depth of its supply chain. Former Under Secretary of Defense for Acquisition and Sustainment William LaPlante revealed how difficult this problem had become for the U.S. military services and the defense industry that supports it. An industry executive first “thought he had 300 suppliers,” LaPlante reported in a September 2022 press briefing, “then he discovered no, when he counted all of his suppliers, he probably had 3,000.”
Today’s supply chains are increasingly sprawling and complex, with critical materials and components often sourced from adversarial or single-source entities. While there are some restrictions on sourcing from China, the limitations do not apply to all Defense Department systems, so pervasive risk remains: An adversarial source could tamper with a small, unassuming part to a weapon system or platform, as Israeli intelligence did by booby trapping Hizballah pagers.
While the government and the defense industrial base have made some strides in learning about the origins of their suppliers, current efforts amount to little more than reverse engineering — trying to piece together supply chains after they’re built instead of as they’re being built. It would be easier to capture supplier information while systems are being developed and fielded, and while those suppliers are brought into the fold.
Moreover, current efforts aim to have a central repository of all supply chain data. While this approach has benefits — such as visibility of shared suppliers across multiple systems — it risks proprietary supplier data and intellectual property being shared inappropriately, or worse, exposing vulnerabilities in Department of Defense supply chains to U.S. adversaries through cyber operations.
To address these shortcomings, the department should adopt a system that uses distributed ledger and blockchain technology where only data owners (suppliers) can grant access, controlling those who can see data about their parts and materials. This would enable the department to conduct the supply chain analysis it requires, while simultaneously protecting supplier information from unnecessary exposure and reducing the risk of creating vulnerabilities with dependence on foreign, particularly adversarial, sources.
It’s time for the Defense Department to have the necessary visibility into the materials and components its warfighters rely on to protect the nation — everything from aircraft to critical munitions. The department can only achieve this if data is captured up front when suppliers are being identified and brought into the supply chains for the products and programs under development. Until then, there is constant danger of supply chain disruptions to critical defense operations, including component tampering that could lead to malfunctions of systems and platforms. This is an unacceptable risk.
A Legacy of Supply Chain Opacity
Decades of globalization led to many of the Defense Department’s critical supply chains moving off-shore — often to unfriendly countries. In September 2018, the department issued the report Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States in response to Executive Order 13806, which, directed the secretary of defense to lead a government-wide effort to assess risk, identify impacts, and propose recommendations to improve the manufacturing and defense industrial base. The report shone a light on a growing problem: As sourcing issues and chronic obsolescence problems mounted, it became clear that industry did not know enough about its suppliers.
To help address this opacity, an industry of supply chain “illumination” companies has emerged in recent years. Using AI and machine learning tools, these companies promise to map the entities, companies, and products involved in a program’s supply chain. While innovative and capable of providing a starting point in the absence of any supply chain data, illumination uses data inputs that are incomplete and unverified.
Supply chain illumination typically relies on publicly available data — news articles, social media posts, and government contracting and financial data — augmented by AI and machine learning to digest these inputs, attempting to find or establish linkages between suppliers and programs. For example, Avionics International reported that the Air Force had awarded General Atomics and Anduril contracts for their collaborative combat aircraft, so the supply chain illumination software would link those companies as suppliers to the program.
But this approach is like shining a flashlight down a dark hole: You only get a narrow view. Information obtained from this method does not come from the suppliers themselves and is usually not verified. Although data on supplier financial health and foreign ownership can be discerned, which is helpful in assessing some aspects of supply chain risk, no information is available for some critical metrics the Department of Defense needs when performing supply chain analysis. This includes a supplier’s minimum sustaining rate, maximum capacity, and surge capability, or the other programs that the company is a supplier for. In addition, the data is typically “time stamped,” meaning it is only accurate in that moment in time. Since the defense industrial base is constantly shifting, with suppliers coming in and out and moving between programs, a linkage that might exist one day may not the next.
Additionally, there is also a risk of “false positives” in identifying entities in a supply chain. Indeed, the article about the collaborative combat aircraft highlighted that Boeing, Lockheed Martin, and Northrop Grumman did not win an award for the program. However, the supply chain illumination software may incorrectly link these companies as suppliers to it anyway. Some illumination companies have been able to obtain partial supplier data, either from industry directly or from the programs. But most have not, and even when they do, it is usually only for the first few tiers of a supply chain, not the entire list of parts, materials, and suppliers. Major information gaps persist.
Illumination Is Big Business, But Not the Panacea for Supply Chain Risk Management
Primes on any contract depend on their sub-tier suppliers (“subs”) for information about the supply chains the subs use. But for the subs, that information is sometimes fiercely guarded and considered proprietary — it’s the “secret sauce” that makes them competitive, and they don’t want to share that information for fear that either it won’t be protected or may be misused. There is also concern with protecting intellectual property. The resultant lack of supply chain transparency has made illumination big business, with these companies jockeying to portray themselves as the panacea that can solve the Defense Department’s supply chain risk management problems.
In addition, these efforts are costing taxpayers a lot of money as each successive program pays the illumination company to develop and implement an analysis for their particular system. In 2019, the Navy paid the data analytics firm Govini $400 million “to deliver data, analysis and insights into DoD spending, supply chain and acquisition using a database it continues to compile.” What Govini found was deeply concerning: Over 40 percent of the semiconductors used in the Defense Department’s weapons systems and associated infrastructure were sourced from China. As troubling, from 2005 to 2020, the number of Chinese suppliers within the defense industrial supply chain had quadrupled. Unfortunately, these findings are not surprising to anyone who has any knowledge of the department’s supply chains.
At present, there are numerous illumination companies analyzing multiple programs and gathering multiple sets of data, but there is no central authority to cross-reference all the data, and no ability to track instances where companies supply multiple defense programs. Put simply, no one sees the complete picture. This problem becomes critical when there is an obsolescence issue, as the Defense Department needs to understand the total impact, or when it wants to increase production, as these suppliers can become major bottlenecks. In my experience, such obstacles have impeded the flow of U.S. defense materials and components to Ukraine.
For its part, the Department of Defense has tried to gather some supply chain data on its own and by working with interagency partners. While well-intended, these efforts have not provided what the department needs. For example, the Defense Contract Management Agency performs supply chain analysis, including through collecting supply chain, capability, and capacity data through surveys of defense industry companies. Yet, the surveys are voluntary and inevitably some companies don’t respond. The agency does, however, maintain a supply chain database that is cross-referenced to establish which entities supply multiple defense programs. The Department of Commerce conducts mandatory industry surveys, but they can take years to complete. This is simply too slow for the Defense Department, which requires real-time supplier data to understand and mitigate supply chain risks. In 2023, while I was serving in the Office of the Secretary of Defense’s Industrial Base Policy office, there was an effort that sent a mandatory supply chain survey to the service program offices for 110 weapons systems, which the program offices then had to enlist industry’s help in answering. The survey asked for data down to “tier three” companies — ones that are three levels below the prime contractor. However, many problems such as insufficient capacity and obsolescence occur at even lower tier suppliers.
The biggest challenge with all these existing supply chain illumination methods, whether government or commercial, is that they seek to reverse engineer the problem. They aim to piece together the supply chains after they’re built rather than as they’re being built. Instead, the individual military service program offices, the prime contractors, and the Office of the Secretary of Defense should work together to build complete supply chain maps. This should occur during the program development phase, using accurate data that doesn’t have to be pieced together after the fact and propped up by assumptions based on unverified information.
All government programs should be able to access this information, so they can understand the potential impacts of obsolescence and shared suppliers. For her part, former Deputy Secretary of Defense Kathleen Hicks tried to start a data repository in the existing Advana data platform for advanced analytics, but the program has been paused and is being recompeted.
As an alternative to a repository — in which intellectual property and proprietary data could either be shared inappropriately, or worse, infiltrated by adversarial cyber threats — the Defense Department should adopt a system that uses distributed ledger and blockchain technology. Such systems have multiple attributes which make them ideal for supply chain identification and analysis: advanced encryption to authenticate and protect data exchange; verifiable credentials and secure identity protection that allow suppliers to share sensitive information solely with authorized parties; smart contracts to automate the enforcement of agreements and compliance with regulations; and assurance that suppliers retain ownership and control over their data, including managing consent, data access rights, and the revocation of these rights. These attributes could help address the main objection that suppliers have for participating in data illumination efforts by guaranteeing data ownership rights and providing a secure platform for the exchange of sensitive data, thus allowing for greater data protection.
While industry would only have access to the specific data needed from its suppliers to ensure they meet the government’s requirements, the Defense Department would gain greater access to information. So, for instance, a prime contractor may require their first-tier supplier’s component to meet a specific level of performance. That first-tier supplier can provide performance test data showing it meets the requirement but is not required to show who their sub-tier suppliers are, or the materials used to build the component. However, the Defense Department, which is bound by the Trade Secrets Act not to reveal industry’s proprietary information, would be able to have additional access to that granular piece of information. The department would not download and store the information into a repository, but a select group of supply chain analysts and managers who have received permission from the data owners could use AI to do queries of all systems to find commonalities such as shared suppliers and materials, as well as other risk areas such as adversarial and sole/single source suppliers, allowing for proactive mitigation.
Blockchain is already being used in many industries. For instance, food companies use it for supply chain management to track the path and safety of food throughout the farm-to-consumer journey. This becomes important when there is an outbreak of E. coli or salmonella, for instance, and the companies need to track food through each step it’s taken back to its origin. Historically, it has taken weeks to find the source of these outbreaks, but using blockchain enables discovery much faster, potentially saving lives. The Department of Defense could benefit from the same approach.
In September 2022, the Defense Department temporarily halted deliveries of F-35 fighters following the discovery that an engine component had been made with cobalt and samarium alloy that came from China. The use of blockchain could have enabled the earlier detection of these raw materials in a critical defense platform and allowed the department to identify which other systems used the same materials.
The Department of Defense will probably still need to incentivize industry to participate in supply chain illumination efforts. Such incentives could involve financial, contractual (contract requirements and/or preferences), and informational benefits (suppliers will gain insight into issues within their supply chains they may not have had visibility of before). Congressional language in Section 849 of the latest version of the Fiscal Year 2025 National Defense Authorization Act may assist with the effort to induce compliance. It requires the secretary of defense to develop and implement ways to incentivize defense contractors to assess and monitor the entire supply chain of goods and services provided to the department to identify potential vulnerabilities and noncompliance risks.
Financial incentives might pay for themselves in cost savings realized from greater supply chain visibility. The costs of production stoppages, system redesigns, and “lifetime buys” resulting from part and material obsolescence alone can be immense. When a component or material becomes unavailable due to other circumstances — for example, China banning the export of germanium, gallium, and antimony, critical minerals necessary for many defense systems — the economic cost can be even higher, as China is the major or sole supplier of many of the raw materials the Defense Department currently uses. In these cases, the department should provide funding to establish new suppliers and then run tests to ensure the new material performs the same — and that is only if there is enough time to do so before a supply shut-off.
Get Access to All the Data
The current practice of reverse engineering the Defense Department’s supply chain to identify risks and vulnerabilities doesn’t work. Because the information is unverified, and due to the lack of cross-program visibility into shared suppliers, it exposes the department — and, by extension U.S. national security — to potential hazards, from disruptions of adequate supplies of materials to cyberattacks and sabotage by adversaries.
To address this problem, the department and the defense industrial base should build out supply chain data while defense systems are under development and maintain databases as systems are upgraded. All data should be made available to any Defense Department program to eliminate duplication of effort and to minimize cost. Data should be accessed through a distributed ledger and blockchain system to ensure that all programs can use and cross-reference it. Only then can the Department of Defense be assured that U.S. adversaries are not hiding in the department’s supply chains.
Dr. Christine Michienzi is a former senior defense official and is now the owner of MMR Defense Solutions LLC, as well as a nonresident senior associate at the Center for Strategic and International Studies.
Image: Toiete Jackson via DVIDS.
Jesus Christ is King
