wfedstaff | June 4, 2015 1:45 pm
Lawmakers want vendors to take more responsibility to secure the government’s technology supply chain.
Sens. Carl Levin (D-Mich.) and John McCain (R-Ariz.), chairman and ranking member of the Armed Services Committee, respectively, will sponsor an amendment to the 2012 Defense Department Authorization bill in the coming weeks to increase the oversight by the Pentagon of technology hardware and require contractors to pay for replacing counterfeit parts found after installation.
Levin said Congress, the agencies and vendors must stop the flood of counterfeit technology making its way into mission critical systems because it is costing the government millions of dollars and endangering lives.
“We will require the Department of Defense to put a certification in for part suppliers,” Levin said Tuesday during a committee hearing. “At the border, we have to put in an inspection system for parts coming from China. We do this with agriculture products. If we have a product coming from a particular place that we think will endanger our health, we have a ban on those products or an inspection system on those products. What I also will be offering, while we get a certification program in place, we require inspection of all electronic parts from China. It’s a proven known source of the problem.”
Insight by CyberArk: Learn how the CDC is using the least-privilege model to limit how much damage hackers can do in federal networks in this free webinar.
The amendment also would require vendors to pay for replacing counterfeit parts that already have been installed in DoD systems. It is not unusual for agencies to foot the bill at a cost of millions of dollars to replace fake hardware in systems.
“I want to put some pressures on our contractors to go back up the chain or down the chain to make sure the people supplying the supplier and the people supplying the supplier and just going all the way down are legitimate people,” he said. “The only way I know how to do that, other than just requiring contracting to notify folks, is to make our contractors responsible to replace the parts. We cannot any longer have the government paying for the replacement of these parts no matter what kind of contract it is.”
Levin also said vendors must report to the government more quickly when they realize there is even the possibility of counterfeit products in the supply chain. He offered three examples when the vendor took months, sometimes as much as a year, to tell the Pentagon. Additionally, vendors must report cases of suspected counterfeits to the Government Industry Data Exchange Program, a DoD-run system for the sharing of this information.
Defining counterfeit parts
A counterfeit part falls into one of two categories: a part that is made not by the manufacturer but includes the manufacturer name and markings, or hardware, such as chips or motherboards, which are taken from disposed of computers, fixed up to look new and sold as new.
Agencies and vendors buy these fake parts, most of the time unknowingly, and the parts have reliability issues, even if they are tested to work one day, the next they could fail. That failure could cause an airplane to crash or put a Defense mission at risk if, for example, night vision goggles malfunction without warning, or in one case highlighted by the committee, a part fell out of place and was rattling around the test P8-A aircraft Boeing is developing for the Department of the Navy.
Levin and McCain received a lot of support for the amendment from committee members. This would be the second time in three years lawmakers would include a supply chain risk management provision in the DoD authorization bill. In the 2010 bill, Congress passed a provision related to the acquisition of materials critical to national security.
DoD also issued a memo in March 2010 detailing requirements to secure their supply chain. The Pentagon expects to update the memo this year.
But despite the attention over the last decade, a preliminary report from the Government Accountability Office shows counterfeit IT continues to be a huge problem for DoD-and really every agency.
Richard Hillman, the Government Accountability Office’s managing director of forensic audits and investigative service, said at the request of the Senate Armed Services Committee, GAO purchased 13 parts off the Internet as part of their investigation.
He said GAO created a fake company to buy hardware that DoD currently uses in weapons systems. Hillman said GAO even purchased three parts using bogus part numbers from specific manufacturers from these third party resellers.
GAO sent the parts to a third-party, SMT Corporation, which also testified Tuesday, for analysis.
“None of the seven parts we have complete test results for are authentic. Specifically, according to SMT Corp., all three parts tested after we requested legitimate, but rare or obsolete parts, failed at least three of seven authentication analyses and were suspected counterfeits,” said Hillman. “These parts included two voltage regulators and one operational amplifier, the failure of which could pose risk to the functioning of the electronic system where the parts reside.”
GAO said SMT also found another bogus operational amplifier after the investigators bought one with a post production data code. The analysis found the part failed four of seven analyses and the vendor represented the part as being produced nine years earlier than it actually was.
“In addition, we received three bogus parts after submitting invalid part numbers,” Hillman said.
Not a new problem
Tom Sharpe, vice president at SMT, told the committee this problem is far from new. He’s been following it for at least 15 years and talked to other colleagues who said counterfeit parts have been a problem since the 1960s.
“It’s growing much worse and the reason why I say it’s getting much worse is the counterfeiters are changing their processes to get in front of the processes they know we are currently doing to detect their processes,” Sharpe said. “The process is evolving and it’s getting hard to detect.”
Sharpe said SMT told DoD about three new ways the counterfeiters are getting around the industry and government detection over the last two years, including two since June.
In the meantime while Congress considers legislation, DoD and vendors are taking more aggressive steps to stem the tide.
Lt. Gen. Patrick O’Reilly, director of the Missile Defense Agency, signed a memo in 2009 requiring all suppliers to use original manufacturer parts or authorized reseller, and if the supplier needs to beyond that group, O’Reilly must approve it.
O’Reilly said the memo’s requirements are part of every contract MDA issues for technology.
“We work very closely with the Defense Contract Management Command. They have onsite personnel and I have 50 onsite personnel myself,” O’Reilly said. “It is a combined effort and also most of these incidences are occurring at lower levels of the supply chain-third or fourth level. The prime contractors obviously are motivated not to have this happen to. We literally form a very large set of scrutinizers that work through the supply chain. Being coordinated and working across industry and with other agencies is the key.”
DoD testing new process
DoD also is working with Semiconductor Industry Association to develop a new product authentication process.
Brian Toohey, the Semiconductor Industry Association president, said the initiative is just in the testing stages so it’s too early to understand its impact.
Under the program, DoD fills out a form and sends a picture of the chip or part in question to the manufacturer. The vendor checks the part against their database and tells DoD whether it’s fake.
Several committee members wondered if the National Security Agency’s Trusted Foundry Program could be expanded to include more electronic parts. This program helps DoD ensure it has microelectronics from trusted sources for its weapons and communications systems. Vendors must be accredited by DoD to participate in the program.
However, nearly all the witnesses said the program is a piece of the puzzle, but not the answer.
Vendors also are taking steps to secure their supply chain as their risk also is big.
Vivek Kamath, the vice president for supply chain operations for Raytheon, said the company would implement a new supply chain risk mitigation policy in early 2012.
“Our counterfeit parts mitigation policy assigns specific responsibilities to Raytheon’s supply chain management, engineering mission assurance and other functions,” he said. “The policy also focuses on the aspects of our supply chain that are most likely to present risks, such as the procurement of electronic parts from independent distributors.”
Kamath added Raytheon is developing a preferred supplier list and creating a centralized procurement organization.
Levin, McCain and other members are say more can be done and done more quickly.