Expelling Digital Demons from U.S. Sensitive Supply Chains

By Samantha F. Ravich

Dr. Samantha Ravich is the chair of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. She serves on the U.S. Secret Service’s Cyber Investigation Advisory Board and was vice chair of the President’s Intelligence Advisory Board and co-chair of the Artificial Intelligence Working Group of the Secretary of Energy Advisory Board.

If the U.S. Department of Defense were an economy unto itself, it would be the 20th largest in the world. Like any other advanced modern economy, it is deeply integrated with the entire globe, its supply chains often stretching into countries with which the United States has adversarial relations.

The open manner in which U.S. national security enterprises bid for goods and services can be exploited by U.S. adversaries seeking to inject counterfeit or malicious components into sensitive electronic hardware. The unprecedented challenge of policing the vast and complex supply chains for such hardware will require radical innovation in technology and governance to ensure that the rules-based system of international trade that the U.S. has long championed is not degraded into a chaotic arena of unrestricted economic warfare.

It is beyond dispute that the supply chains for the electronic hardware used by U.S. armed forces are under attack. Security researchers have documented multiple cases of sophisticated, malicious functionality being surreptitiously introduced into such hardware, potentially allowing an adversary, in times of crisis, to turn our own devices against us. But even if this worst-case scenario fails to materialize, the uncertainty about the reliability of both the U.S. warfighting arsenal and the civil infrastructure upon which the U.S. national security industrial base relies imposes a cost in its own right.

In 2011, it was reported that, “1,700 supposedly-new memory parts from an ‘unauthorized distributor’ showed signs of previous use, prompting the Missile Defense Agency to have to call for almost 800 parts to be stripped from the assembled hardware.” Then-head of the Missile Defense Agency, Lieutenant General Patrick O’Reilly, testified before the Senate that, “We do not want a $12 million THAAD [Terminal High Altitude Area Defense] interceptor to be destroyed by a $2 part.”

These supply chain attacks are seen as a particular kind of cyber-enabled economic warfare. U.S. national security leadership is confronted with the problem of blunting the aggression of foreign powers who have perverted the peaceful bonds of international trade into channels of espionage and sabotage, while preserving as much as possible the open nature of global trade on which U.S. economic prosperity depends. In lieu of seeking promises of better behavior from adversaries, which are hard to verify, or erecting import restrictions that can trigger a cascade of mutual retaliation, we endorse a mix of technology and governance innovation based on detection and deterrence.

The complexity and scale of the transactions that comprise U.S. sensitive supply chains create a kind of informational fog in which adversaries can hide. However, if the information associated with each such transaction can be projected onto a timely and granular digital dataspace, the U.S. can harness the power of modern machine learning methods to identify suspicious activities within its supply chains at scale. Although there are many technologies with which this dataspace can be constructed, we believe the blockchain has, even in its nascence, demonstrated that it has the economy, security, and power that make it the ideal technology for this purpose.

Simply put, the blockchain is a ledger of business transactions whose validation is distributed to a large network of participants that are well incentivized to coordinate their efforts to prevent bad actors from tampering with the ledger’s events. The nature of the incentives and the nature of the efforts ensure that the honest participants do not have to consciously collaborate; the collective weight of their honest efforts is enough to safeguard against tampering motivated by theft, sabotage, or any other reason. This is evidenced empirically by the security of the Bitcoin blockchain protocol over its nine years of existence.

A more general implementation of the blockchain is Ethereum, in which the ledger records the definition, fulfillment, and validation of a much more general class of business events. As Sally Davies, a Financial Times technology reporter, succinctly explained, “[blockchain] is to Bitcoin, what the internet is to email. A big electronic system, on top of which you can build applications. Currency is just one.”

The security, economy, and power of the blockchain demonstrated by protocols like Bitcoin and Ethereum inspire optimism that it can be used to build a real-time, finely resolved global atlas of the supply chains that make up the U.S. national security industrial base. To facilitate detection of suspicious activity, contractors and subcontractors would be required to annotate on a blockchain any value-adding activities associated with a sensitive acquisitions process. Such annotations can be analyzed by machine learning methods capable of coping with the volume and subtlety of this data in a way that human investigators cannot.

The power of the blockchain ensures that there should be no set of contractual contingencies too complex to be encoded in a protocol; its economy ensures that no excessive burden is placed on contractors to meet such compliance requirements; and its security ensures that bad actors seeking to hide or modify their record of events will not likely succeed. As detection improves, so will the deterrent effect of a riskier cost-reward calculus for the attacker.

We acknowledge the risks and challenges that this approach entails. Blockchain technology is new, and legacy acquisitions systems are deeply ingrained. However, the existential dangers introduced by the supply chain threat and the unprecedented scale of the systems engineering problem of defeating them call for solutions that are as potent as these problems are hard. The blockchain is not the only technology that will be required for a fully articulated solution, and technology will need to be joined with similarly bold innovation in governance.

Our broader hope in spotlighting a technology as revolutionary as the blockchain for the national security mission is that the U.S. can, through example, shorten the lag between technological innovation and governance practice. We also seek, through this advocacy, to create an enduring collaborative dynamic between the government and technology communities in which technologists need not relinquish working on the most exciting technologies of the day if they choose to help solve national security problems of the gravest importance.

Co-authoring this article is Michael Hsieh, a Hitachi Fellow at the Council on Foreign Relations. He is also a nonresident affiliate of the Center for International Security and Cooperation at Stanford University. Previously, he was a program manager at the Defense Advanced Research Projects Agency (DARPA), where he led several technology development efforts in secure computation, data security, and data analytics at scale. He presently serves on the Cyber-Enabled Economic Warfare Advisory Group at the Foundation for Defense of Democracies, where his focus is on technological solutions for intellectual property protection and supply chain integrity.
