WASHINGTON — An audit by the Defense Department’s inspector general office found security cracks in the supply chain of four critical military space programs. As a result, an adversary has “opportunity to infiltrate the Air Force Space Command supply chain and sabotage, maliciously introduce an unwanted function, or otherwise compromise the design or integrity of the critical hardware, software and firmware,” said a redacted IG report released Aug. 14.
Auditors looked at the Air Force Space Command’s supply chain risk management program for four systems. They conducted a detailed review of the Space Based Infrared System, and a limited review of the Air Force satellite control network, the family of advanced beyond line-of-sight terminals, and the global positioning system.
Theresa S. Hull, assistant inspector general for acquisition, contracting and sustainment, said the audit was mandated by Congress in the 2017 National Defense Authorization Act.
All four programs reviewed provide strategic capabilities to the military. The Space Based Infrared System satellites detect missile launches, space launches and nuclear detonations. The Air Force satellite control network is a global system providing command, control, and communications for space vehicles. The family of advanced beyond line‑of‑sight terminals are nuclear-survivable terminals that communicate with satellite constellations. Global Positioning System satellites provide navigation data to military and civilian users all over the world.
The Air Force Space Command has a program in place to manage supply chain risk for the SBIRS program but “did not fully implement DoD supply chain risk management policy,” the IG found. The command, for example, did not conduct a thorough enough analysis of all critical components and suppliers.
In the SBIRS program, the command also failed to comply with a DoD policy that requires the purchase of some specific integrated circuits from trusted suppliers using accredited processes, the IG said. There were similar concerns in the other three programs reviewed.
The supply chain extends from raw material to the finished product. It covers all phases — designing, manufacturing, producing, packaging, handling, storing, transporting, operating, maintaining and disposing.
Worries about supply chain vulnerability in weapons systems started more than a decade ago amid warnings that components and electronics used in weapon systems that are produced overseas may be vulnerable to tampering or, in the case of software, to malware. A recent report by the MITRE Corporation, “A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War,” says improved supply chain security requires actions on the part of DoD and the companies with which it does business.
“Nation-state adversaries have exploited cyber and supply chain vulnerabilities critical to U.S. security for hostile purposes,” says the MITRE report. “These include exfiltration of valuable technical data — a form of industrial espionage — attacks on control systems used for critical infrastructure, manufacturing, and weapons systems.”
MITRE suggests all national security and intelligence agencies should form a “whole-of-government national supply chain intelligence center.”
Pentagon policies require all defense organizations to identify “critical” information and communications technology components, purchase those components from trusted suppliers, and test and evaluate these components for malicious threats. DoD can also hold prime contractors accountable for security breaches in lower tiers of the supplier base.
The agency that oversees Air Force space programs, the Air Force Space and Missile Systems Center, agreed with the finding and recommendations of the IG report and assured auditors that the Air Force Space Command will improve the supply chain risk management for the SBIRS program, conduct a detailed analysis of all critical components, improve the scrutiny of suppliers and of the testing process.
The vice commander of the Air Force Space and Missile Systems Center is responsible for reporting back to the IG and providing the documentation showing that the actions have been completed.