An F-35A Lightning II begins to lift off from the flightline at Eielson Air Force Base, Alaska, March 14, 2024. U.S. Air Force / Airman 1st Class Carson Jeney

How to keep China out of the Pentagon’s weapons

The U.S. military should take a page from the cybersecurity playbook.

Two summers ago, when Honeywell told the Pentagon it feared that a subcontractor had improperly put Chinese metals in some F-35 jet engines, the reaction was swift. The Air Force halted acceptance of new aircraft containing the Chinese cobalt and samarium alloy. While the Defense Department and prime contractor Lockheed Martin raced to find out if the Chinese-sourced metals could be relied on, 18 badly needed fighter jets sat on a tarmac in Texas.

We were lucky that time. The Air Force resumed deliveries after determining that the potentially compromised parts wouldn’t affect airplane safety. 

Next time, could sabotaged or defective Chinese parts, or secret surveillance devices, be slipped into weapons or communications systems by unwitting vendors further down the defense supply chain? In a conflict over, say, Taiwan, the United States can’t take the risk that an air-to-air missile will misfire because China planted a defective chip in the guidance system, or that secret software embedded in a military communications system will siphon data back to Beijing.

Not only is the Defense Department aware of the risk in general, but the government or a major defense contractor often also knows the problematic source of a specific product—yet the information isn’t disseminated effectively down the chain of subcontractors. The result is we might discover the vulnerability after it’s already in the hands of the military—or worse, we sometimes never know for sure exactly what’s in our weapons or critical systems. 

Many obstacles stand in the way of the government doing a better job of sharing supply chain vulnerabilities with the industry it relies on. The first is that simply tracking the origin of parts is difficult and costly. Given the complexities of today’s electronics and the nature of global supply chains, it’s often impossible for a contractor to know whether a component came from China. The problem is especially acute in the defense industry because of its far greater scope, involving the protection of the entire array of military systems, from nuclear missiles to aircraft carriers, from satellites to submarines. And it’s likely to get worse as our military increasingly relies on sophisticated future technologies. 

In any case, sensitive ownership and sourcing information is rarely commercially available and even when it is, piecing it together in a coherent and accurate picture is beyond the resources of all but the federal government and the largest defense contractors—and the latter aren’t privy to classified insights.

Even when the Pentagon has details of potential compromises, whether through disclosures from contractors or from its own sources, officials are hesitant to fully share the information with industry. There’s no express statutory authorization for the Defense Department to divulge potentially derogatory information about whether a company is owned by a Chinese entity or whether a vendor is known to use Chinese-made products. Even if there were, fears of liability for cutting out a supplier due to erroneous information would make officials pause before disclosing something unless it was a certainty. Yet details about corporate ownership and parts provenance are often murky. Moreover, officials worry that sharing supply chain information with a contractor might divulge classified information or improperly advantage one supplier over another. Contractors themselves are reluctant to share information within the industry, both for competitive reasons and antitrust concerns; besides, there are few incentives to, and potentially even defamation liability for, revealing the information to the government. 

The result: even where relevant information is known about supply chain vulnerabilities, it often doesn’t get into the hands of the contractors who need it the most.

But in many other spheres—from food and drug safety risks to terrorist threats against infrastructure—the private sector and the federal government share critical information. The Government-Industry Data Exchange Program run by the United States and Canada shares technical matters about defective parts and counterfeiting in government contracting generally, but it’s voluntary, isn’t focused on the defense industry and doesn’t deal with classified information.

There is, however, another sharing template relevant and adaptable to the defense supply chain problem: the well-known model for sharing cybersecurity risks. Protecting large institutional computer networks from cyberattacks and securing global supply chains have many common elements. Both networks and weapons are complex combinations of software and devices, with hidden electronic vulnerabilities that can be exploited by adversaries. Most of the technical knowledge about how those networks and platforms work, and about their associated vulnerabilities, is in the hands of the private-sector manufacturers and operators; as a result, that sector is usually in the first and best position to detect malicious activity. But it’s the government that has classified and deep insights into adversary capabilities and behavior and is in the best position to communicate defensive information and take appropriate action against adversaries.

In the cybersecurity arena, these disparities are resolved by the government and the private sector sharing information about cyber threats, vulnerabilities, and remedies. And when they do, it makes a difference. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, often tipped off by a company that’s been the target of a cyber hack, routinely and quickly disseminate warnings and potential solutions to the private sector, enabling companies in many cases to thwart future similar attacks. 

This cyber information-sharing model should be adapted to illuminate supply chain risks. Defense contractors and subcontractors could report problematic sourcing to the government, which could vet and enrich that information with classified data and details garnered from other vendors, and then disseminate the resulting analysis to the appropriate contractors. And just as cybersecurity vendors have great insight into their clients’ vulnerabilities and compromises suffered—and thus often are the first to inform the government of malicious cyber events—so too could defense industry supply chain risk management consultants alert the Department of Defense to questionable sourcing.

While the cybersecurity model shows the promise of public-private information sharing, it also reveals difficulties to be overcome, such as fears of legal liability. Reacting to the tepid response by industry under the Cybersecurity Information Sharing Act of 2015 due in part to such fears, Congress improved the law and initiated mandatory cyber reporting. These lessons should be applied to any new regime for supply chain reporting, perhaps including a legal “safe harbor” for entities that report supply chain information in good faith, even if subsequently determined to be erroneous. A safe harbor would encourage reporting by precluding claims for defamation or business torts such as interference with contract.  

Legislation could equally embolden the federal government to disseminate information about problematic ownership or sourcing of products, without fear of contractor claims. The law is already clear that the Pentagon can make contractual decisions, in accordance with its regulations requiring contractors to meet “responsibility” standards, that have the effect of eliminating certain potential vendors. But those decisions are understandably fraught; Congress should remove any doubt by granting the Department of Defense express authority, within carefully crafted guidelines, to share negative information. Pushing the decision about the nature or severity of a supply-chain risk onto the government would make contractors more willing to rely on that information. Perhaps aggrieved contractors, at least in some appropriate cases, could be afforded some notice to protest allegedly incorrect determinations.

Legislation could also assuage antitrust concerns with an exemption for reporting supply chain compromises—it’s normally illegal for companies in the same industry to share information in a way that might drive up prices or freeze out potential competitors who don’t have access to that information. 

Building upon lessons learned from the cybersecurity model, the Department of Defense could establish a secure, automated online platform to share supply-chain information among the Department and key defense contractors. A defense supplier could enroll in the program and report securely and privately about its subcontractors and their sources. Pentagon analysts, drawing on an integrated database of commercial and government classified and unclassified data, would use automation to uncover risks ranging from cyber connectivity with Chinese entities or other adversarial companies to foreign investment in or control of subcontractors, vendor representatives sitting on foreign corporate boards, and other signs of vulnerability. Officials could then quickly approve online sharing of the information, at the appropriate level of detail, with the relevant contractors so that they can make timely decisions about which subcontractors to do business with.
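To make the proposed platform concrete, here is a small added model of its core loop (written for this piece, not a description of any existing Pentagon system): enrolled suppliers file reports naming who supplies each part, the platform walks the resulting chain tier by tier, enriches each vendor against an integrated database of risk indicators, and then produces a contractor-facing view whose level of detail is adjustable and which never passes through details derived from government holdings. Every company name, report, indicator and severity value below is constructed for illustration.

```python
"""Toy model of a supply-chain risk information-sharing platform.

Constructed example: the suppliers, reports, enrichment records, indicator
names and severity scale are all hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Report:
    """One enrolled supplier's report: 'for `part`, I buy from `vendor`'."""
    reporter: str
    part: str
    vendor: str


# Constructed reports standing in for what enrolled suppliers would file.
REPORTS: List[Report] = [
    Report("Prime Aero", "engine-magnet", "Tier1 Motors"),
    Report("Tier1 Motors", "engine-magnet", "Example Alloys"),
    Report("Prime Aero", "radio-module", "Tier1 Radio"),
    Report("Tier1 Radio", "radio-module", "Example Chips"),
]

# Constructed enrichment records standing in for the integrated database.
# `source` records whether a datum came from commercial/open data or from
# government holdings; that decides how much of it may be shared onward.
ENRICHMENT: Dict[str, List[dict]] = {
    "Example Alloys": [
        {"indicator": "foreign_control",
         "detail": "majority owned by Example Holdings (hypothetical)",
         "source": "commercial"},
    ],
    "Example Chips": [
        {"indicator": "network_link",
         "detail": "persistent connectivity to adversary-linked infrastructure",
         "source": "government"},
        {"indicator": "board_link",
         "detail": "director also sits on the board of Example Holdings",
         "source": "commercial"},
    ],
    "Tier1 Motors": [],
    "Tier1 Radio": [],
}

# Hypothetical severity scale: 3 = act now, 2 = review, 1 = informational.
SEVERITY = {"foreign_control": 3, "network_link": 3, "board_link": 2}


def chain_for(part: str, prime: str, reports: List[Report]) -> List[str]:
    """Follow reports transitively from the prime to list the part's vendors by tier."""
    chain, current, seen = [], prime, {prime}
    while True:
        nxt = [r.vendor for r in reports if r.reporter == current and r.part == part]
        if not nxt or nxt[0] in seen:   # end of chain, or a cycle in the reports
            return chain
        current = nxt[0]
        seen.add(current)
        chain.append(current)


def assess(part: str, prime: str, reports: List[Report],
           enrichment: Dict[str, List[dict]]) -> List[dict]:
    """Walk the part's chain and collect every risk indicator at every tier."""
    findings = []
    for tier, vendor in enumerate(chain_for(part, prime, reports), start=1):
        for rec in enrichment.get(vendor, []):
            findings.append({"part": part, "tier": tier, "vendor": vendor,
                             **rec, "severity": SEVERITY[rec["indicator"]]})
    return sorted(findings, key=lambda f: -f["severity"])


def max_severity(findings: List[dict]) -> int:
    """Headline rating for a part: the worst finding anywhere in its chain."""
    return max((f["severity"] for f in findings), default=0)


def share(findings: List[dict], level: str) -> List[dict]:
    """Build the view released to a contractor.

    'summary' names only the part, indicator type and severity; 'detailed'
    adds the vendor and tier. Details sourced from government holdings are
    withheld at every level; only their indicator type and severity pass.
    """
    released = []
    for f in findings:
        item = {"part": f["part"], "indicator": f["indicator"], "severity": f["severity"]}
        if level == "detailed":
            item["vendor"], item["tier"] = f["vendor"], f["tier"]
            item["detail"] = (f["detail"] if f["source"] == "commercial"
                              else "[withheld: derived from government holdings]")
        released.append(item)
    return released


if __name__ == "__main__":
    for part in ("engine-magnet", "radio-module"):
        found = assess(part, "Prime Aero", REPORTS, ENRICHMENT)
        print(part, "severity", max_severity(found))
        for item in share(found, "detailed"):
            print("  ", item)
```

The point the model makes is that the prime contractor only ever reported its tier-1 vendors; the risk sits two tiers down and is visible only once the reports are joined and enriched centrally, which is exactly the gap the article describes. The `source` field is the hook for the classification concern: the platform can still tell a contractor that a `network_link` finding of severity 3 exists against a tier-2 vendor without revealing how it knows.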

As in the cybersecurity area, rapid and detailed information disclosure isn’t the full answer to supply chain risks but is an essential part. Our government must find a way—now, before the next conflict—to share supply chain vulnerabilities with the defense industry. 

Otherwise, we run the risk that in that next conflict, another country will have compromised our critical supply chains, so our missiles will miss their targets, our bombs will fail to work, and our commanders won’t be able to communicate with their troops. 

Glenn S. Gerstell served as General Counsel of the National Security Agency and Central Security Service from 2015 to 2020 and is a Senior Adviser at the Center for Strategic & International Studies.

Andrea McFeely is a Senior Principal Initiative Lead at The MITRE Corporation and is a former U.S. government intelligence analyst and diplomat.