Defense officials worry unfriendly foreign governments could find a way of secretly slipping counterfeit electronic parts or malicious software, called malware, into U.S. weapon systems. The result could be weapons suddenly malfunctioning or sensitive military information getting into the wrong hands.
In response, officials have kicked off a wave of new efforts recently under the moniker Supply Chain Risk Management (SCRM) to make sure potentially harmful components manufactured overseas don't end up in Washington's weaponry. (The Defense Science Board issued a report discussing some software-specific pitfalls in September 2007.)
The government's Committee on Foreign Investment in the United States (CFIUS) has long been a tool to control foreign organizations taking ownership of U.S. companies considered part of the defense industrial base. But, officials say, the CFIUS regime has limited utility in securing the global stream of high-tech hard- and software intended for use in the Pentagon's arsenal.
"While the CFIUS work remains important, CFIUS addresses only one aspect of the problem," Mitchell Komaroff, director of the Globalization Task Force in the office of DOD Chief Information Officer John Grimes, told us in a written statement.
"Ownership is not the only indicator of risk stemming from the global commercial marketplace. Ownership does not indicate where products are developed, where services are executed and whether or not only trusted persons are accessing critical data. Even where CFIUS does review a transaction, the risk management tools available have a limited ability to mitigate for supply-chain risks."
According to Komaroff, the government's emerging SRCM model will "complement" the work of CFIUS.
"DOD approaches SCRM through a defense-in-breadth strategy -- a multi-faceted risk mitigation strategy that seeks to identify, manage, mitigate, and monitor risk at every stage of the IT system or network lifecycle, from product design to system retirement. DOD is actively working to ensure that policies and processes are put in place to raise awareness of the risk, empower acquirers to make informed decisions when they request and procure ((information and communications technology)) products and services, and arm acquirers with practices and tools necessary to mitigate risk when ICT products are used across the government."
-- Sebastian Sprenger