How the Pentagon buys basic technology is suddenly a matter of national security. For everything from security cameras to printers to cellphone networks, the whole apparatus of modern office technology has now gained an air of ominous menace. Operating under a new acquisitions bill that prohibits unwaivered purchases from strategic competitors, the Department of Defense has to find a way to square its desire for cheap, off-the-shelf commercial technology with the high-profile objections of senators in the name of national security.
At stake is everything from the basics of how civilians in the Pentagon make PowerPoint presentations to how the whole Department of Defense moves to 5G.
While the implications, for now, center on top-level manufacturers, the possibility exists that in an effort to reach perfect security, the component supply chain is radically reshifted. That the modern world is bound together by global supply chains is not news. An attempt to fully decouple those supply chains will invariably become news, depending on exactly how deep into hardware the quest for Made-in-America goes.
On Nov. 6, 2019, Sen. Marco Rubio sent an open letter to the Pentagon, asking the Department of Defense to clarify what steps it had taken to phase out Chinese-made technology. Rubio’s letter highlights the findings of a report by government contractor Forescout, which found 3,500 devices “from telecom giants Huawei and ZTE, as well as surveillance camera-makers Dahua and Hikvision, on U.S. government systems a month before the ban was to take effect.”
It is the connectivity of these devices, at least as much as the nation of origin, that makes it a security risk. A camera that can connect to an online security network is one that could potentially share what it sees remotely. The ban on such devices, which went into effect in August 2019, specifically concerns technology produced by companies with links to China’s government.
The interim rule, already written into the 2019 National Defense Authorization Act, followed the July 2019 publication of Department of Defense Inspector General report that found the Pentagon spent over $32 million on risky technology in 2018. This spending included everything from Lexmark printers to GoPro cameras to Lenovo computers, all major commercial off-the-shelf products and all, according to the report, with cyber vulnerabilities.
The printer, camera and computer markets all have companies in them with headquarters in the United States, so there’s always a way for the Pentagon to buy domestic instead. But if concerns spread to fear of compromise from not just the top-level of the company, but harm in the manufacturing process, then the interconnectedness of international manufacturing may show where a company is headquartered to be far less relevant for security than where its product is built.
In October 2018, server motherboard company Supermicro become the subject of one such fear. While Supermicro is headquartered in Silicon Valley, a report published in Bloomberg suggested that its motherboards were assembled in China and some were fitted with a tiny microchip that allowed China’s government to compromise any network connected to a Supermicro server. While members of Congress have pointed to the case of Supermicro as an example of the threat they are trying to prevent, subsequent investigations into the motherboards were unable to prove the claims made.
In 2019, Supermicro shifted its manufacturing outside of China. It was a move that appeared driven as much by business concerns as by the new considerations of security risks, even if unproven. It was an uncoupling, perhaps of necessity.
In the quadcopter and commercial drone market, where no U.S.-made product matches the price point desired by civilian government agencies, those agencies have worked with manufacturers abroad to develop product that matched government security needs. At least, until unspecified security concerns grounded the fleet of drones.
While there are quadcopters made to the security specifications of the U.S. military, they are not at the same price point, and still feature some components made abroad. Any decoupling of supply chains would necessitate changes in domestic production as well.
There are alternatives to a nation-of-origin based security approach for incorporating commercial technology into government and civilian use. One such approach focuses instead on testable, verifiable standards.
The Center for New American Security published a thorough report Nov. 7 on how the United States can adapt to the challenges of 5G competition. Among other policies, the report recommends the United States take an active role in developing international standards for 5G, especially with an emphasis on “the requirements of cybersecurity and methods to mitigate the risks of disruption must remain a core consideration, including the continued promotion of security standards for internet of things devices.”
The CNAS report goes on to outline a holistic approach for the Pentagon to handle both 5G and the security challenges it poses. A nonzero part of that approach involves investing in domestic industry to develop the capability, and in waiting until that technology is available.
“At present, there are no American companies in 5G that can compete directly with Huawei in the radio access network. There are a small number of viable alternatives among current companies,” suggests the report. “The U.S. government should explore opportunities to diversify and rebalance its existing dependencies in supply chains and vendors. It is important to mitigate dangerous dependencies or the vulnerability that any single player or source of equipment could be compromised by a potential adversary.”
In the meantime, as the Pentagon seeks to decouple its supply chains from foreign production, it will have to wait for industry to catch up to the new demand signal.