Supply Chain Risk Management - Wild Apricot (transcript of slide deck: Supply Chain Risk Management, Trixie Brewer, HQ AFMC/A4R)
FOUO - For Official Use Only
Air Force Materiel Command
Supply Chain Risk Management
Trixie Brewer
HQ AFMC/A4R
Deliver and Support Agile War-Winning Capabilities
Great Power Competition, Military – Civilian Fusion
Under great power competition, we see the fusion of military and commercial sectors, where adversaries are weaponizing commercial activity as a means of degrading US military capability.
Examples include:
Russia's cornering of rare earth element markets and its use of cartel-like actions
China's practices of commercial entity exploitation
Weaponized Mergers & Acquisitions (M&A)
Pressuring partner companies to transfer technology as normal business
Exploiting networks of scientific, academic, & business contacts to steal IP & tech secrets
Controlling ports via targeted ownership & insertion of Chinese-owned tech for access to transiting goods
Exploitation of DoD commercial supply chains to introduce counterfeit parts
Focused kinetic warfare-based strategies to exploit the commercial domain: Anti-Access/Area-Denial (A2AD) & Disruption
Risk Lurking in the Industrial Base
The domain of warfare is expanding well beyond the battlefield to create a new contested space!
1. Warfare on the Battlefield
2. Warfare Against Supply Lines Feeding the Battle
3. Warfare Against War Supporting Production Capability
4. Warfare Against the Industrial Base to Shape War
[Figure: the Commercial Industrial Base shown beneath the four warfare levels (1 through 4) above; threat vectors labelled on the figure: intellectual property theft; cyber, software, and hardware attacks; weaponized M&A]
Enterprise SCRM Operational View
[Figure: Enterprise SCRM shown as the hub connecting Program Offices (AFLCMC), DoD & SAF/HAF, Labs (AFRL), Nuclear Enterprise (AFNWC), Testing (AFTC), Installation Support (IMSC) and Sustainment (AFSC), supported by the functional areas Program Management, EN, LG/A4, PK/TSN, AFOSI & A2, and JA]
Centralized, integrated function comprised of AF, AFMC and Center resources that coordinate for effective, efficient SCRM.
An integrated function brings effectiveness and efficiency in: Processes, Tools, Communication, Coordination.
Network Illumination
[Figure: supplier network map; 674 sub-tier suppliers identified]
Risk Findings
Column weights (10 points total): Involvement of Risky Foreign Entity 1.00; Number of Risk Lenses 1.00; Likelihood 2.00; Difficulty of Mitigation 2.50; Difficulty to Detect 1.00; Severity of Impact 2.50. The slide gives the weights but not the formula that combines the six rated factors into the Risk Score.

Supplier | Risk | Foreign Entity (1.00) | Lenses (1.00) | Likelihood (2.00) | Mitigation Difficulty (2.50) | Detection Difficulty (1.00) | Impact Severity (2.50) | Risk Score
Boeing | Thousands of documents related to the F-22 were stolen from Lockheed and Boeing by an agent of the Chinese military | 3 | 4 | 3 | 3 | 3 | 3 | 4.83
Texas Instruments | Texas Instruments sold sensitive electronics components to a company acting on behalf of the Russian government | 3 | 2 | 3 | 3 | 2 | 3 | 4.50
Acronis | Acronis' management has several ties to Russian government entities | 3 | 1 | 3 | 3 | 1 | 3 | 4.25
Everspin Technologies | Supplier's lack of profitability increases its susceptibility to bankruptcy and foreign influence | 2 | 3 | 3 | 3 | 1 | 3 | 4.25
Intel | The AMD-THATIC joint venture will expose two key parts of the Target Program to vulnerabilities in Chinese foreign influence | 3 | 3 | 2 | 3 | 2 | 3 | 4.25
MobileIron | MobileIron's use of Acronis software in its provision of services to the DoD makes it a foreign influence and cyber risk | 3 | 2 | 2 | 3 | 3 | 3 | 4.17
Imagination Technologies | Shareholders of Imagination Tech, a key supplier, have approved the sale of the company to Chinese firm Canyon Bridge | 4 | 3 | 3 | 2 | 1 | 3 | 4.17
Xilinx | Xilinx Inc.'s FPGAs are frequent targets for foreign acquisition & counterfeiting | 3 | 2 | 3 | 2 | 2 | 3 | 4.08
TSMC | Taiwan Semiconductor Manufacturing Co. (TSMC) poses a threat of foreign influence and IP theft | 3 | 1 | 1 | 3 | 3 | 3 | 3.92
Aeroflex | Cobham recently acquired Aeroflex, whose ITAR violations create business ethics vulnerabilities | 3 | 3 | 3 | 1 | 3 | 3 | 3.92
Marvell | Chinese investors, including a PRC State-Owned Enterprise, have purchased Marvell shares and look to acquire it outright | 3 | 1 | 2 | 3 | 1 | 3 | 3.92
Xilinx | Flextronics has a history of mislabeling and selling counterfeit Xilinx semiconductor chips | 1 | 2 | 3 | 3 | 3 | 2 | 3.92
Cypress Semiconductor | Former Chairman of Cypress Semiconductor helped found a Chinese government-backed venture capital fund | 3 | 2 | 2 | 2 | 2 | 3 | 3.75
Fairchild Semiconductor | Fairchild Semiconductor is a target for foreign influence and weaponized M&A | 3 | 2 | 2 | 2 | 2 | 3 | 3.75
GlobalFoundries | An industrial tool virus infected the microchip fab plant in Vermont where GlobalFoundries produces chips for the DoD | 2 | 2 | 3 | 2 | 1 | 3 | 3.75
Everspin Technologies | Everspin Technologies is partially owned by a company with ties to a Chinese development agency | 3 | 1 | 2 | 3 | 2 | 2 | 3.67
Microsemi | Microsemi accused of ITAR and FCA violations for allowing unauthorized foreign nationals to access US military IP/CUI | 2 | 3 | 2 | 2 | 2 | 3 | 3.67
GlobalFoundries | UAE's purchase of GlobalFoundries raises influence concerns about DoD's reliance on it as a Trusted Foundry | 2 | 2 | 1 | 3 | 2 | 3 | 3.67
Insyde Software | Firmware made by Insyde Software has serious vulnerabilities that may be known to foreign intelligence | 3 | 1 | 2 | 2 | 2 | 3 | 3.67
Lattice Semiconductor | Lattice Semiconductor has been targeted by the Chinese Government as a strategic acquisition | 3 | 3 | 2 | 3 | 1 | 2 | 3.67
DDC | DDC was recently acquired by TransDigm, whose monopolistic business practices raise business ethics and financial concerns | 0 | 1 | 2 | 3 | 2 | 3 | 3.58
Xcerra | Xcerra received an acquisition offer of $580 million from Unic Capital Management Co. Ltd, a PRC-affiliated investment firm | 3 | 2 | 2 | 2 | 1 | 3 | 3.58
Silicon Motion | Malicious code can be uploaded to Silicon Motion chips and infect additional devices that connect via USB | 3 | 3 | 1 | 2 | 2 | 3 | 3.50
Acronis | Russian Government-owned power company is a customer of Acronis | 3 | 1 | 3 | 3 | 1 | 1 | 3.42
Acronis | Acronis has a history of cyber security vulnerabilities and has been targeted by hackers | 0 | 1 | 1 | 3 | 3 | 3 | 3.42
Microchip | A Chinese company allegedly copied the microcode embedded in a Microchip microcontroller | 3 | 2 | 1 | 2 | 2 | 3 | 3.42
Micron | Micron and its innovations have become a target of Chinese influence, acquisition, and IP theft | 3 | 3 | 2 | 2 | 1 | 2 | 3.25
Harris Corporation | A Harris Corporation contractor pled guilty to violating the Espionage Act after retaining classified Defense Department files | 0 | 1 | 2 | 2 | 2 | 3 | 3.17
Intersil | Counterfeit Intersil chips have been discovered in similar Air Force programs | 0 | 1 | 2 | 2 | 2 | 3 | 3.17
IDT | Chinese and Pakistani investors attempted to acquire IDT at a 65% premium over the share price average in April 2016 | 3 | 1 | 2 | 2 | 1 | 2 | 3.08
Risk Findings, Cont.
Column weights (10 points total) as on the previous slide: Involvement of Risky Foreign Entity 1.00; Number of Risk Lenses 1.00; Likelihood 2.00; Difficulty of Mitigation 2.50; Difficulty to Detect 1.00; Severity of Impact 2.50.

Supplier | Risk | Foreign Entity (1.00) | Lenses (1.00) | Likelihood (2.00) | Mitigation Difficulty (2.50) | Detection Difficulty (1.00) | Impact Severity (2.50) | Risk Score
Microsemi | ProASIC3 chips could have backdoors that permit remote access to logic-bearing devices | 0 | 1 | 1 | 2 | 3 | 3 | 3.00
Halo | X-ES's supplier, Halo Electronics, makes products that are prone to counterfeit substitution in the marketplace | 1 | 1 | 2 | 2 | 2 | 2 | 2.92
NXP | NXP products are often substituted with counterfeit replicas in the marketplace | 1 | 1 | 2 | 2 | 2 | 2 | 2.92
Pentair | Pentair subsidiaries have a history of illegal sales to Iran and violations of the Foreign Corrupt Practices Act | 2 | 3 | 1 | 2 | 2 | 2 | 2.92
Cobham | Cobham faces an insider-trading probe from the U.K. Financial Conduct Authority (FCA) | 0 | 2 | 3 | 2 | 2 | 1 | 2.75
Marvell | Marvell has a history of questionable business ethics, including patent claims and disruptive audit probes | 1 | 1 | 2 | 3 | 1 | 1 | 2.75
Microchip | Atmel was the previous target of Chinese government-sponsored weaponized M&A | 2 | 2 | 2 | 1 | 2 | 2 | 2.75
Exar | Reliance on Asian manufacturers for both component supplies and customer revenue creates risk of foreign influence | 2 | 1 | 2 | 2 | 2 | 1 | 2.67
Intel | Intel microprocessors are vulnerable to malicious manipulation undetectable by standard means of testing | 1 | 1 | 2 | 1 | 3 | 2 | 2.67
Pericom | Pericom's integrated circuit chips are frequent targets for foreign acquisition and have been targeted by the PRC in the past | 3 | 2 | 1 | 1 | 2 | 2 | 2.58
SMIC | The Chinese Government is the largest stakeholder in Semiconductor Manufacturing International Corporation | 3 | 1 | 1 | 2 | 2 | 1 | 2.50
STMicroelectronics | Multiple state-sponsored entities own significant shares of STMicroelectronics | 2 | 2 | 1 | 3 | 0 | 1 | 2.50
Texas Instruments | Texas Instruments employees advertise their association with the Target Program on social media | 3 | 1 | 1 | 1 | 1 | 2 | 2.33
Fairchild Semiconductor | Fairchild has been engaged in a long-running legal dispute which sheds light on questionable business ethics practices | 0 | 2 | 2 | 2 | 1 | 1 | 2.25
Intersil | Intersil faced a lawsuit regarding its merger with Renesas which highlights its questionable business ethics | 0 | 2 | 2 | 2 | 1 | 1 | 2.25
ON Semiconductor | ON Semiconductor focuses production in areas that are known to be susceptible to counterfeit operations | 1 | 2 | 1 | 1 | 2 | 2 | 2.25
Exar | MaxLinear's recent purchase of Exar could jeopardize Exar's continued production and design of supplied parts | 0 | 1 | 2 | 1 | 1 | 2 | 2.17
Harris Corporation | The SEC caught the chief executive of a Harris subsidiary bribing Chinese Government officials in violation of the FCPA | 3 | 2 | 1 | 1 | 2 | 1 | 2.17
Silicon Labs | Silicon Labs is overly reliant on 3 small customers, but its attempt to diversify into the IoT market could increase the risk | 0 | 1 | 1 | 2 | 3 | 1 | 2.17
Curtiss-Wright | Curtiss-Wright's sales to Russian entities raise concerns of foreign influence through reverse engineering | 1 | 1 | 1 | 2 | 1 | 1 | 2.00
Halo | Halo Electronics is susceptible to foreign influence through its concentrated reliance on Chinese manufacturing | 2 | 1 | 1 | 1 | 1 | 1 | 1.75
MobileIron | MobileIron faces financial challenges due to accumulated debt and market competition | 0 | 1 | 2 | 1 | 1 | 1 | 1.75
Pericom | Pericom Semiconductor is susceptible to foreign influence through its concentrated reliance on Chinese manufacturing | 3 | 1 | 1 | 1 | 0 | 1 | 1.75
GlobalFoundries | GlobalFoundries acquired IBM's poorly-performing chip-manufacturing unit, placing it at financial risk | 0 | 1 | 1 | 1 | 2 | 1 | 1.58
Microchip | Microchip's withdrawal of a severance package for employees indicates problematic and unethical business practices | 0 | 1 | 1 | 1 | 2 | 1 | 1.58
Linear Technology | Linear Technology has been sued by shareholders over alleged improper backdating of stock options | 0 | 2 | 1 | 1 | 1 | 1 | 1.50
Curtiss-Wright | Overcharging government clients and gender discrimination undercut Curtiss-Wright's business ethics | 0 | 1 | 1 | 1 | 1 | 1 | 1.42
NXP | NXP is threatened by financial issues of high debt relative to the industry average | 0 | 1 | 1 | 1 | 1 | 1 | 1.42
Micron | Micron, which supplies DRAM chips to multiple F-22 components, experienced DRAM production delays affecting its global supplies | 0 | 1 | 1 | 1 | 0 | 1 | 1.25
Cypress Semiconductor | Most Cypress Semiconductor parts listed in the parts list are no longer in production | 0 | 1 | 1 | 0 | 2 | 1 | 1.17
Acronis: Foreign Influence
Supplier: Acronis | Country: Singapore | Risk Lens: Foreign Influence

Background
Acronis provided a backup & recovery advanced server to the Joint Stock Company Moscow Integrated Power Company, a subsidiary of Gazprom, the state-owned enterprise that contributes a significant portion of Russia's GDP.
The Russian government is a direct Acronis customer and has significant connections beyond the above Gazprom connection. While Gazprom is a customer and not a supplier, this relationship is further evidence of the integration of Acronis with Russian interests.

Threat to Program
Proprietary technology contained in the software sold to Russian government clients presents a risk of reverse engineering and vulnerability identification within similar Acronis devices.
Business relationships with adversarial foreign governments could create dual loyalties and leave Acronis vulnerable to coercion in the future.

Mitigations
Replace Acronis with qualified alternative service providers such as Carbonite, Datto, and Symantec.
Determine whether Acronis supports any other aspects or subsystems of the Target Program, or any associated programs, to establish the degree of criticality and the potential for escalation.
Consider informing counterparts in the USN who also use Acronis services.
Determine how Acronis compartmentalizes and protects government customer data, where it is housed, and who has access.
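The second mitigation above, and the earlier Network Illumination slide (674 sub-tier suppliers identified), are both graph questions: which directly contracted suppliers and subsystems sit downstream of a given vendor, through which intermediaries, and which sub-tier vendors are shared by more than one chain. The Python below is an added example, not code from the AFMC deck; the supplier network it walks is constructed for illustration and every vendor name in it is invented.

```python
from collections import defaultdict, deque

PROGRAM = "Target Program"

# Constructed sample network (not from the AFMC deck): (buyer, seller) pairs.
# Vendor names are invented. Two directly contracted primes share an FPGA
# vendor, and two separate sub-tier chains converge on one wafer supplier.
SUPPLY_EDGES = [
    (PROGRAM, "Prime-Radar"),
    (PROGRAM, "Prime-MissionComputer"),
    ("Prime-Radar", "FPGA-Vendor"),
    ("Prime-Radar", "PowerModule-Vendor"),
    ("Prime-MissionComputer", "FPGA-Vendor"),
    ("Prime-MissionComputer", "BackupSoftware-Vendor"),
    ("FPGA-Vendor", "Foundry"),
    ("PowerModule-Vendor", "Magnetics-Vendor"),
    ("BackupSoftware-Vendor", "StorageOEM"),
    ("Foundry", "Wafer-Supplier"),
    ("Magnetics-Vendor", "Wafer-Supplier"),   # two chains converge here
]


def build_graph(edges):
    """Index the edge list both ways: buyer -> sellers and seller -> buyers."""
    down, up = defaultdict(set), defaultdict(set)
    for buyer, seller in edges:
        down[buyer].add(seller)
        up[seller].add(buyer)
    return down, up


def illuminate(down, root=PROGRAM):
    """Breadth-first walk outward from the program. A vendor's tier is the
    smallest number of contract hops from the program (tier 1 = direct)."""
    tier = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for seller in sorted(down.get(node, ())):
            if seller not in tier:
                tier[seller] = tier[node] + 1
                queue.append(seller)
    return tier


def sub_tier_suppliers(tier):
    """Everything at tier 2 or deeper: vendors the program never contracts with directly."""
    return sorted(name for name, depth in tier.items() if depth >= 2)


def exposure(up, vendor, root=PROGRAM):
    """Walk upward from a vendor to every buyer that depends on it and return
    the directly contracted (tier-1) suppliers whose chains include it. This
    answers 'what else does this vendor support?' for a flagged supplier."""
    ancestors, queue = set(), deque([vendor])
    while queue:
        node = queue.popleft()
        for buyer in up.get(node, ()):
            if buyer not in ancestors:
                ancestors.add(buyer)
                queue.append(buyer)
    return sorted(b for b in ancestors if root in up.get(b, ()))


def paths_to(down, vendor, root=PROGRAM):
    """Every contract chain from the program down to the vendor (depth-first;
    buyer/seller data is assumed acyclic, as real purchasing records are)."""
    paths = []

    def walk(node, path):
        if node == vendor:
            paths.append(path)
            return
        for seller in sorted(down.get(node, ())):
            walk(seller, path + [seller])

    walk(root, [root])
    return paths


def shared_sub_tier(up, tier):
    """Sub-tier vendors reached by more than one tier-1 chain: a compromise
    or outage there hits several subsystems at once."""
    return {v: exposure(up, v) for v in sub_tier_suppliers(tier)
            if len(exposure(up, v)) > 1}


DOWN, UP = build_graph(SUPPLY_EDGES)
TIERS = illuminate(DOWN)

if __name__ == "__main__":
    print(f"{len(sub_tier_suppliers(TIERS))} sub-tier suppliers identified")
    for vendor, primes in shared_sub_tier(UP, TIERS).items():
        print(f"{vendor} (tier {TIERS[vendor]}) feeds {', '.join(primes)}")
    for path in paths_to(DOWN, "Wafer-Supplier"):
        print(" -> ".join(path))
```

On the constructed network the program sees two tier-1 primes and seven sub-tier vendors; the wafer supplier at tier 4 reaches both primes by three distinct chains, which is exactly the concentration a single-source or foreign-influence finding against that vendor should be escalated on. Real illumination data replaces the edge list with purchasing, bill-of-material or open-source ownership records, and the same walks apply.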
[Figure: Acronis management connections to Russian government entities]
AFMC SCRM Successes
Approved AFMC Roadmap and Implementation Plan and Process
Numerous programs completed assessments within AF/AFMC
Enabled risk avoidance/mitigation
AF programs see value of AFMC/SCRM
Fighter / Bomber (FB) Directorate
FB PEO working to perform assessments across the portfolio; FB prioritizing top 6-9 programs for FY19/20 assessments
Program estimates considered to be an economic win, 0.1% of program costs
Two CFIUS cases sent forward; M&A stopped by POTUS
Two additional assessments kicked off this CY (Vehicles, Synthetic Biology)
AFMC and AF Working Groups
Language to SAF/AQ for 63-101, coordinated with Space Cmd
Influenced DoD DASD (SCI) SCRM definition for DoDI 4140.01 & coordinated on AFPD 23-1 SCRM definition
AFMC SCRM Way Ahead
SAF & AFMC/A4 evaluate SCRM policies to ensure they are integrated and aligned
Continue to build senior leadership support (Centers, Program Offices, Command, & HAF/SAF/OSD): awareness and importance
HQ AFMC/A4R establishing a central contract vehicle to provide AFMC support and SCRM assessments; build organic capability
Continue to perform assessments and fine-tune processes and tools
Continue to work detailed processes and develop relationships & collaboration (OSI, AFCEA, PCTTF, etc.)
Standardize SCRM processes and tools across AFMC
Evaluate and update CDRLs/DIDs for contracts
AFMC Leadership to drive SCRM evolution across Command
SCRM Summary
The resurgence of Great Power Competition has introduced an asymmetric domain of warfare through the weaponization of the commercial industrial base.
Major readiness factor: supply chain risks need to be addressed. We are at war every day.
Communication up, down and across the supply chain and functional areas is critical to battling this major readiness risk.
Supply chain risks are real; SCRM is everyone's responsibility.