The potential for specialized microchips from China to find their way into U.S. computers and networks, or even into conventional Western weapons systems, isn't just a frightening prospect—it's a chilling reality.
The defense industry supply chain is rife with counterfeit parts, and efforts to police it are failing. The potential that these parts could compromise the quality of U.S.-made defense systems is bad enough, but on top of that Chinese components could offer a back door to cybersnoops, escalating the threat of cyberspying and intellectual theft.
The U.S. knows about the potential of such capabilities because it is conducting its own research in that rarified arena of cybercombat. Draper Laboratory, for example, has a long-running project to design ways of planting hostile circuitry inside what appear to be standard microchips. This could easily become—or may already be—a two-way street, since many avionics and military systems now include generic and commercial off-the-shelf chips built into custom processor boards.
A counterfeit chip might be a copy of a U.S.-designed chip, made in China and sold for commercial applications. It could find its way into U.S. aerospace and defense components because those industries' demands are tiny compared to commercial applications. Therefore, the only economical way to provide computing power is to use commercial chips.
The unknown is whether malicious hardware could be inserted in defense applications. Given the market in counterfeit chips described in the recently released Senate report, this is not likely. The report paints a picture of an aftermarket supplier base, comprising thousands of dealers in the U.S. alone, that has grown up because system manufacturers—aerospace, defense and others—need out-of-production chips to produce or repair systems designed years ago.
Some Chinese suppliers to U.S. distributors have responded to this demand by harvesting chips from scrapped devices. Counterfeiting can take the form of selling those devices as new, or re-labeling them with a higher performance grade. However, no mechanism is described by which specific batches of chips could be steered into crucial military applications.
A potential problem with demanding tighter standards and pedigrees for defense-related chips is that distributors could be forced to exit the defense market, eliminating what has been at least a partial solution to obsolescence issues.
The threat is real enough to worry Congress. A Senate Armed Services Committee investigation of the defense supply chain completed last week found about 1,800 cases of suspected counterfeit parts over a two-year period and estimates that the total number of suspect parts involved exceeds one million. The committee tracked 100 of those parts back through the supply chain and found that 70% originated in China.
The parts found their way into military products made by the nation's biggest contractors, including's Terminal High-Altitude Area Defense Missile and the cargo aircraft. products were impacted as well, including the AH-64 Apache and CH-46 Chinook helicopters, the cargo aircraft and the . Other parts filtered into the helicopter and Alenia's airlifter.
's vice president for supply chain operations told lawmakers that sharing information about fake parts through the Government-Industry Data Exchange program (Gidep) “can help stop suppliers of counterfeit parts in their tracks.”
But the Senate report indicates that industry is still slow to come clean about counterfeits. When Boeing discovered counterfeits on the P-8A, the company only notified the Navy after a year and a half. And Lockheed Martin told Air Force engineers that suspected counterfeit parts in an L-3 display unit were “tested and found to be authentic but re-marked.” A six-month Air Force effort to keep tabs on the display units uncovered “several failures” including blank screens and lost displays that could have been caused by counterfeit parts.
“However, Lockheed Martin produced no documents indicating efforts by the company to determine why that particular display unit, or others, had failed,” the SASC report says. “Nevertheless, Lockheed Martin reported to the Air Force that 'no failures from Jan. 2011-June 2011 were attributed to the suspect lot.'” The Defense Logistics Agency (DLA) found a suspect part that is used in 176 different weapons systems including the B-52 bomber, Eagle, and A-10 Thunderbolt. Of 202 suspect parts identified by DLA in 2009 and 2010, only 15 were reported to the Gidep, four of those by DLA.
Counterfeit parts could undermine the weapons systems and further drive up costs, the report says.
So last year, the Senate Armed Services Committee passed legislation that requires contractors who supplied the counterfeit parts to be charged for reversing the damage. It seeks to ensure that companies buy their parts from trusted suppliers and mandates written notification of counterfeit parts.
In March, Frank Kendall, the Pentagon's acting acquisition chief, directed the Pentagon to establish testing and verification requirements, require that the military and industry report suspect parts to the Gidep and ensure that the's agencies train their personnel to deal with counterfeits.
And while the findings of this report illustrate that counterfeits are “a very serious problem,” according to Sen. John McCain (Ariz.), the committee's top Republican, lawmakers are not taking corrective measures further than they did last year.
Committee Chairman Sen. Carl Levin (D-Mich.) says no additional legislation is required at this point. “We're going to make sure it's very effectively implemented,” he says.
But to date, even industry officials greet efforts to police the flow of counterfeits into the Pentagon's vast supply chain with a shrug.
Long-running U.S. worries also concern the involvement of Chinese civilian telecommunications companies in military and information-warfare programs. A March 8 congressional report questioned the relationship between Huawei Technologies—which has twice been blocked from buying into U.S. telecommunications companies—and the People's Liberation Army (PLA) and ministry of state security.
In fact, the Huawei, Zhongxing and Datang organizations all received direct government funding for research and development of cyber, communications and intelligence-gathering systems, according to the U.S.-China Economic and Security Review Commission. Other companies providing information security and computer network operations to the PLA have close ties to hacker groups.
The overlapping connections allow for penetration of international supply chains for electronics that support U.S. military, government and civilian industries, the report states. That connection offers the “potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security and public safety,” it says.
The Pentagon's 2012 annual report to Congress on military and security developments in China identifies a strategy that embraces cyberspying and theft—that is not considered a military attack—while taking advantage of a “unique opportunity to focus on international development while avoiding direct confrontation with the United States,” it says. Beijing's goal remains aimed at “taking advantage of prolonging this window of opportunity . . . for peaceful development [while] sustaining economic growth.”
At the same time, the country's leaders are building a force capable of fighting and winning “regional wars,” the report says, “using information technologies that have been developed, refined and integrated to ensure continuity with China's military strategy.”
China's operational model is “active defense,” which serves as the highest-level guidance to the PLA on how to fight and win wars. It emphasizes using precise and well-timed offensive operations, launched under favorable conditions to gain and maintain the initiative. Another key factor is “exploiting an opponent's most vulnerable weaknesses,” which once again matches U.S. concerns about its vulnerable energy distribution pipelines, public utilities and a military that is hopelessly dependent on computers and cyber networks.