Amid a growing concern that foreign countries have infiltrated American weapon systems and suppliers, the Pentagon is conducting a pilot program to discover which companies are in their supply chain, according to a top defense contractor.
“We are working with some pilots with the Department of Defense and some of our industry partners to say, ‘How can we build a system for the government where the government can see where is the supply chain from A to Z,’ ” Mike Gordon, the deputy chief information security officer at Lockheed Martin, told reporters.
The test-program allows the Pentagon to see who supplies parts that end up in military weapons and equipment.
The defense industry “is very tiered,” Gordon said. “Because of contract privity and competitive advantage, the tier one doesn’t necessarily know who in the tier four is working on a particular program, and the government does not necessarily know that either.”
Lockheed Martin officials claim the company works with roughly 16,000 suppliers.
A spokesperson for the Pentagon did not respond to questions from Fifth Domain regarding details of the pilot program. Lockheed Martin did not respond to questions regarding when the pilot program began and what products are being tested.
The pilot program comes amid growing concern that Pentagon parts have been infiltrated by hackers.
Data compiled by Lockheed Martin shows that in the past decade, hackers have shifted from attacking large defense firms to targeting smaller subcontractors. Gordon said the change occurred because large defense contractors have hardened their cybersecurity and smaller companies are an easier target.
Attackers believe that it is easier to hack into small businesses who are further down the supply chain, rather than attempt to hack a large contractor, said Rich Astle, director of product management at NeQter Labs, a company that works on supply chain security with smaller businesses. Companies who work with controlled, unclassified information are required to follow NIST standards, but that does not always work, Astle said. Some subcontractors “don’t know that the rules apply to them because they don’t have a [direct] contract with the government.”
The Pentagon has also warned that its supply chain is under attack.
“Cybersecurity has not become an ingrained norm in manufacturing, especially in small and medium-sized manufacturers,” read an October report from the Pentagon.
Earlier this year, the Washington Post reported that China hacked a naval contractor and stole more than 614 gigabytes of data.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.