An unclassified summary released by The National Academics of Sciences, Engineering, and Medicine (NAP), discusses the risks and solutions associated with the Air Force’s electronic systems. The summary describes United States Air Force (USAF) capabilities requiring secure and reliable microelectronic components, and provides an overview on near- and long-term threats in the supply chain.
High-performance electronics are indispensable when it comes to delivering lethal effects wherever and whenever they want. These electronic systems need to be able to perform on the battlefield and be able to continue their mission whilst under cyber and electronic warfare (EW) attack. Therefore a high degree of reliability that they are both physically capable and resistant to adversary action is necessary throughout their lifecycle from design to sustainment.
Unfortunately, due to factors such as the reduction of onshore advanced technology and packaging availability, the U.S. electronics industrial base has been weakened. In response, U.S. government and Department of Defense (DOD)-level programs have been initiated to address these concerns. Additionally, the summary says USAF must take further action to help ensure that the embedded electronics in its weapon systems can be trusted to execute the mission.
In 2016, a workshop was convened by the Air Force Studies Board and a follow-on consensus study was requested by Air Force leaders in order to provide recommendations to the USAF acquisition community. The report states that “NAP assembled an ad hoc committee of leading experts to investigate the issues, and this report is a result of the deliberations of the Committee on a Strategy for Acquiring Secure and Reliable Electronic Components for Air Force Weapon Systems.” The issue was debated and an enterprise approach for the protection of electronics within the Air Force was established.
The summary makes clear that those responsible want to win the war before there is a battle. In order to achieve this mission, advantage must be taken of the growing global supply chain and highly interconnected networks. Advancements have been made, however, in spite of the absence of a “smoking gun” the report cannot provide any level of assurance of the absence of a “loaded gun”.
A committee member is quoted in the summary as saying, “it is not a matter of if hardware within a critical weapon system can be compromised but when such a compromise will occur and what impact it will have to USAF lethality”. Within USAF there is a critical need for an integrated solution or a system-level approach to ensuring trust in mission-critical electronics. The current approach within USAF focuses on risk-based management, dictated by a collection of policies. Unfortunately, the summary reveals that the implementation of these policies is inconsistent. Additional efforts are needed in order to better define and institutionalize “how” to perform supply chain risk management along with the metrics needed to assess the efficacy of current policies.
According to the summary, “efforts are needed to increase the capacity and capability of the workforce across the acquisition life cycle in specialized areas such as secure integrated circuit design, cyberphysical security, and reverse engineering and anti-tamper for firmware and hardware but also in contracting and operational security to ensure that program information is protected at all stages.” The goal of modernization efforts should therefore be to create a burden of resource on the adversary, costing the adversary significantly more resources to target USAF electronics systems.
Based on reviews from the committee, the summary offers actionable recommendations to the USAF to ensure security, reliability, and lethality of its weapon systems. When it comes to lead supply chain risk management as a technique of fixing problems faced by the USAF, there are three recommendations.
First, “The USAF must authorize, implement, and monitor at the highest level of the organization for supply chain risk management to be effective.” Second, “The USAF should establish a central office- the Program Protection Office- that has the responsibility and authority to implement a holistic approach to protecting program information across the acquisition enterprise that includes an integrated supply chain threat assessment and risk management program.” Third, “The USAF Program Protection Office must have unfettered access to program office vulnerability information and risk mitigation plans, must be able to direct the use of red teams to proactively probe and identify risks; must establish enforceable rules for protection program information at all stages of the program; must have the authority to hold program managers accountable for implementation of threat mitigation actions; and must be resourced to develop gold standard risk supply chain assessment tools that are incorporated into the program protection plans.”
Continuing in the same vein, the summary goes on to describe capitalization of U.S. government-level modernization efforts and the recommendations associated with such plans. The recommendations are twofold and describe strategies that USAF should implement including becoming early adopters for U.S. government-level programs that are focused on improving capability concurrently with increasing security and reliability in weapon systems. Additionally, USAF should work closely with the Microelectronics Innovation for National Security and Economic Competitiveness (MINSEC) program.
Developing USAF-level sustainment processes, employing system-level operational security, expanding supply chain monitoring, and implementing a program information protection program (SystemSecure), are all also on the list of strategies that USAF has the ability to implement when combating the growing lethality of Air Force mission-critical electronics. This issue is imposing and of utmost importance, however, with proper recognition and implementation of combative strategies, the United States Air Force will continue its ability to deliver lethal effects based upon their desires and needs.