Supply Chain Risk Management

Trixie Brewer, HQ AFMC/A4R

Air Force Materiel Command

FOUO - For Official Use Only


Deliver and Support Agile War-Winning Capabilities

Great Power Competition, Military – Civilian Fusion

Under great power competition, we see the fusion of military and commercial sectors, where adversaries are weaponizing commercial activity as a means of degrading US military capability.

Examples include:

- Russia’s cornering of rare earth element markets, and the use of cartel-like actions
- China’s practices of commercial entity exploitation:
  - Weaponized Mergers & Acquisitions (M&A)
  - Pressuring partner companies to transfer technology as normal business
  - Exploiting networks of scientific, academic, & business contacts to steal IP & tech secrets
  - Controlling ports via targeted ownership & insertion of Chinese-owned tech for access to transiting goods
  - Exploitation of DoD commercial supply chains to introduce counterfeit parts
- Focused kinetic warfare-based strategies to exploit the commercial domain: Anti-Access/Area-Denial (A2AD) & Disruption


Risk Lurking in the Industrial Base

The domain of warfare is expanding well beyond the battlefield to create a new contested space!

1. Warfare on the Battlefield

2. Warfare Against Supply Lines Feeding the Battle

3. Warfare Against War Supporting Production Capability

4. Warfare Against the Industrial Base to Shape War

[Figure: concentric layers of the Commercial Industrial Base, numbered 1 to 4 to match the four levels above. Threat labels on the figure: Intellectual property theft; Cyber, software, and hardware attacks; Weaponized M&A.]


Enterprise SCRM Operational View

Centralized, integrated function comprised of AF, AFMC and Center resources that coordinate for effective, efficient SCRM.

An integrated function brings effectiveness and efficiency in:

- Processes
- Tools
- Communication
- Coordination
- Program Management

[Figure: Enterprise SCRM at the center, linked to Program Offices (AFLCMC), DoD & SAF/HAF, Labs (AFRL), Nuclear Enterprise (AFNWC), Testing (AFTC), Installation Support (IMSC) and Sustainment (AFSC). Functional staff labels on the figure: EN, LG / A4, PK, TSN, AFOSI & A2, JA; connector labels A, B, C.]


Network Illumination

[Figure: supplier network map. Result: 674 sub-tier suppliers identified.]


Risk Findings

Weight (10 pts, left to right): Involvement of Risky Foreign Entity 1.00; Number of Risk Lenses 1.00; Likelihood 2.00; Difficulty of Mitigation 2.50; Difficulty to Detect 1.00; Severity of Impact 2.50

| Supplier | Risk | Involvement of Risky Foreign Entity | Number of Risk Lenses | Likelihood | Difficulty of Mitigation | Difficulty to Detect | Severity of Impact | Risk Score |
|---|---|---|---|---|---|---|---|---|
| Boeing | Thousands of documents related to the F-22 were stolen from Lockheed and Boeing by an agent of the Chinese military | 3 | 4 | 3 | 3 | 3 | 3 | 4.83 |
| Texas Instruments | Texas Instruments sold sensitive electronics components to a company acting on behalf of the Russian government | 3 | 2 | 3 | 3 | 2 | 3 | 4.50 |
| Acronis | Acronis’ management has several ties to Russian government entities | 3 | 1 | 3 | 3 | 1 | 3 | 4.25 |
| Everspin Technologies | Supplier’s lack of profitability increases its susceptibility to bankruptcy and foreign influence | 2 | 3 | 3 | 3 | 1 | 3 | 4.25 |
| Intel | The AMD-THATIC joint venture will expose two key parts of the Target Program to vulnerabilities in Chinese foreign influence | 3 | 3 | 2 | 3 | 2 | 3 | 4.25 |
| MobileIron | MobileIron’s use of Acronis software in its provision of services to the DoD makes it a foreign influence and cyber risk | 3 | 2 | 2 | 3 | 3 | 3 | 4.17 |
| Imagination Technologies | Shareholders of Imagination Tech, a key supplier, have approved the sale of the company to Chinese firm Canyon Bridge | 4 | 3 | 3 | 2 | 1 | 3 | 4.17 |
| Xilinx | Xilinx Inc.’s FPGAs are frequent targets for foreign acquisition & counterfeiting | 3 | 2 | 3 | 2 | 2 | 3 | 4.08 |
| TSMC | Taiwan Semiconductor Manufacturing Co. (TSMC) poses a threat of foreign influence and IP theft | 3 | 1 | 1 | 3 | 3 | 3 | 3.92 |
| Aeroflex | Cobham recently acquired Aeroflex, whose ITAR violations create business ethics vulnerabilities | 3 | 3 | 3 | 1 | 3 | 3 | 3.92 |
| Marvell | Chinese investors, including a PRC State-Owned Enterprise, have purchased Marvell shares and look to acquire it outright | 3 | 1 | 2 | 3 | 1 | 3 | 3.92 |
| Xilinx | Flextronics has a history of mislabeling and selling counterfeit Xilinx semiconductor chips | 1 | 2 | 3 | 3 | 3 | 2 | 3.92 |
| Cypress Semiconductor | Former Chairman of Cypress Semiconductor helped found a Chinese government-backed venture capital fund | 3 | 2 | 2 | 2 | 2 | 3 | 3.75 |
| Fairchild Semiconductor | Fairchild Semiconductor is a target for foreign influence and weaponized M&A | 3 | 2 | 2 | 2 | 2 | 3 | 3.75 |
| GlobalFoundries | An industrial tool virus infected the microchip fab plant in Vermont where GlobalFoundries produces chips for the DoD | 2 | 2 | 3 | 2 | 1 | 3 | 3.75 |
| Everspin Technologies | Everspin Technologies is partially owned by a company with ties to a Chinese development agency | 3 | 1 | 2 | 3 | 2 | 2 | 3.67 |
| Microsemi | Microsemi accused of ITAR and FCA violations for allowing unauthorized foreign nationals to access US military IP/CUI | 2 | 3 | 2 | 2 | 2 | 3 | 3.67 |
| GlobalFoundries | UAE’s purchase of GlobalFoundries raises influence concerns about DoD’s reliance on it as a Trusted Foundry | 2 | 2 | 1 | 3 | 2 | 3 | 3.67 |
| Insyde Software | Firmware made by Insyde Software has serious vulnerabilities that may be known to foreign intelligence | 3 | 1 | 2 | 2 | 2 | 3 | 3.67 |
| Lattice Semiconductor | Lattice Semiconductor has been targeted by the Chinese Government as a strategic acquisition | 3 | 3 | 2 | 3 | 1 | 2 | 3.67 |
| DDC | DDC was recently acquired by TransDigm, whose monopolistic business practices raise business ethics and financial concerns | 0 | 1 | 2 | 3 | 2 | 3 | 3.58 |
| Xcerra | Xcerra received an acquisition offer of $580 million from Unic Capital Management Co. Ltd, a PRC-affiliated investment firm | 3 | 2 | 2 | 2 | 1 | 3 | 3.58 |
| Silicon Motion | Malicious code can be uploaded to Silicon Motion chips and infect additional devices that connect via USB | 3 | 3 | 1 | 2 | 2 | 3 | 3.50 |
| Acronis | Russian Government-owned power company is a customer of Acronis | 3 | 1 | 3 | 3 | 1 | 1 | 3.42 |
| Acronis | Acronis has a history of cyber security vulnerabilities and has been targeted by hackers | 0 | 1 | 1 | 3 | 3 | 3 | 3.42 |
| Microchip | A Chinese company allegedly copied the microcode embedded in a Microchip microcontroller | 3 | 2 | 1 | 2 | 2 | 3 | 3.42 |
| Micron | Micron and its innovations have become a target of Chinese influence, acquisition, and IP theft | 3 | 3 | 2 | 2 | 1 | 2 | 3.25 |
| Harris Corporation | A Harris Corporation contractor pled guilty to violating the Espionage Act after retaining classified Defense Department files | 0 | 1 | 2 | 2 | 2 | 3 | 3.17 |
| Intersil | Counterfeit Intersil chips have been discovered in similar Air Force programs | 0 | 1 | 2 | 2 | 2 | 3 | 3.17 |
| IDT | Chinese and Pakistani investors attempted to acquire IDT at a 65% premium over the share price average in April 2016 | 3 | 1 | 2 | 2 | 1 | 2 | 3.08 |


Risk Findings, Cont.

Weight (10 pts, left to right): Involvement of Risky Foreign Entity 1.00; Number of Risk Lenses 1.00; Likelihood 2.00; Difficulty of Mitigation 2.50; Difficulty to Detect 1.00; Severity of Impact 2.50

| Supplier | Risk | Involvement of Risky Foreign Entity | Number of Risk Lenses | Likelihood | Difficulty of Mitigation | Difficulty to Detect | Severity of Impact | Risk Score |
|---|---|---|---|---|---|---|---|---|
| Microsemi | ProASIC3 chips could have backdoors that permit remote access to logic-bearing devices | 0 | 1 | 1 | 2 | 3 | 3 | 3.00 |
| Halo | X-ES’s supplier, Halo Electronics, makes products that are prone to counterfeit substitution in the marketplace | 1 | 1 | 2 | 2 | 2 | 2 | 2.92 |
| NXP | NXP products are often substituted with counterfeit replicas in the marketplace | 1 | 1 | 2 | 2 | 2 | 2 | 2.92 |
| Pentair | Pentair subsidiaries have a history of illegal sales to Iran and violations of the Foreign Corrupt Practices Act | 2 | 3 | 1 | 2 | 2 | 2 | 2.92 |
| Cobham | Cobham faces an insider-trading probe from the U.K. Financial Conduct Authority (FCA) | 0 | 2 | 3 | 2 | 2 | 1 | 2.75 |
| Marvell | Marvell has a history of questionable business ethics, including patent claims and disruptive audit probes | 1 | 1 | 2 | 3 | 1 | 1 | 2.75 |
| Microchip | Atmel was the previous target of Chinese government-sponsored weaponized M&A | 2 | 2 | 2 | 1 | 2 | 2 | 2.75 |
| Exar | Reliance on Asian manufacturers for both component supplies and customer revenue creates risk of foreign influence | 2 | 1 | 2 | 2 | 2 | 1 | 2.67 |
| Intel | Intel microprocessors are vulnerable to malicious manipulation undetectable by standard means of testing | 1 | 1 | 2 | 1 | 3 | 2 | 2.67 |
| Pericom | Pericom’s integrated circuit chips are frequent targets for foreign acquisition and have been targeted by the PRC in the past | 3 | 2 | 1 | 1 | 2 | 2 | 2.58 |
| SMIC | The Chinese Government is the largest stakeholder in Semiconductor Manufacturing International Corporation | 3 | 1 | 1 | 2 | 2 | 1 | 2.50 |
| STMicroelectronics | Multiple state-sponsored entities own significant shares of STMicroelectronics | 2 | 2 | 1 | 3 | 0 | 1 | 2.50 |
| Texas Instruments | Texas Instruments employees advertise their association with the Target Program on social media | 3 | 1 | 1 | 1 | 1 | 2 | 2.33 |
| Fairchild Semiconductor | Fairchild has been engaged in a long-running legal dispute which sheds light on questionable business ethics practices | 0 | 2 | 2 | 2 | 1 | 1 | 2.25 |
| Intersil | Intersil faced a lawsuit regarding its merger with Renesas which highlights its questionable business ethics | 0 | 2 | 2 | 2 | 1 | 1 | 2.25 |
| ON Semiconductor | ON Semiconductor focuses production in areas that are known to be susceptible to counterfeit operations | 1 | 2 | 1 | 1 | 2 | 2 | 2.25 |
| Exar | MaxLinear’s recent purchase of Exar could jeopardize Exar’s continued production and design of supplied parts | 0 | 1 | 2 | 1 | 1 | 2 | 2.17 |
| Harris Corporation | The SEC caught the chief executive of a Harris subsidiary bribing Chinese Government officials in violation of the FCPA | 3 | 2 | 1 | 1 | 2 | 1 | 2.17 |
| Silicon Labs | Silicon Labs is overly reliant on 3 small customers, but its attempt to diversify into the IoT market could increase the risk | 0 | 1 | 1 | 2 | 3 | 1 | 2.17 |
| Curtiss-Wright | Curtiss-Wright’s sales to Russian entities raise concerns of foreign influence through reverse engineering | 1 | 1 | 1 | 2 | 1 | 1 | 2.00 |
| Halo | Halo Electronics is susceptible to foreign influence through its concentrated reliance on Chinese manufacturing | 2 | 1 | 1 | 1 | 1 | 1 | 1.75 |
| MobileIron | MobileIron faces financial challenges due to accumulated debt and market competition | 0 | 1 | 2 | 1 | 1 | 1 | 1.75 |
| Pericom | Pericom Semiconductor is susceptible to foreign influence through its concentrated reliance on Chinese manufacturing | 3 | 1 | 1 | 1 | 0 | 1 | 1.75 |
| GlobalFoundries | GlobalFoundries acquired IBM’s poorly-performing chip-manufacturing unit, placing it at financial risk | 0 | 1 | 1 | 1 | 2 | 1 | 1.58 |
| Microchip | Microchip’s withdrawal of a severance package for employees indicates problematic and unethical business practices | 0 | 1 | 1 | 1 | 2 | 1 | 1.58 |
| Linear Tech | Linear Technology has been sued by shareholders over alleged improper backdating of stock options | 0 | 2 | 1 | 1 | 1 | 1 | 1.50 |
| Curtiss-Wright | Overcharging government clients and gender discrimination undercut Curtiss-Wright’s business ethics | 0 | 1 | 1 | 1 | 1 | 1 | 1.42 |
| NXP | NXP is threatened by financial issues of high debt relative to the industry average | 0 | 1 | 1 | 1 | 1 | 1 | 1.42 |
| Micron | Micron, which supplies DRAM chips to multiple F-22 components, experienced DRAM production delays affecting its global supplies | 0 | 1 | 1 | 1 | 0 | 1 | 1.25 |
| Cypress Semiconductor | Most Cypress Semiconductor parts listed in the parts list are no longer in production | 0 | 1 | 1 | 0 | 2 | 1 | 1.17 |


Acronis: Foreign Influence

Supplier: Acronis. Country: Singapore. Risk Lenses: Foreign Influence.

Background

Acronis provided a backup & recovery advanced server to the Joint Stock Company Moscow Integrated Power Company, a subsidiary of Gazprom, the state-owned enterprise that contributes a significant portion of Russia’s GDP.

The Russian government is a direct Acronis customer and has significant connections beyond the Gazprom relationship described above. Gazprom is a customer rather than a supplier, but the relationship is further evidence of the integration of Acronis with Russian interests.

Threat to Program

Proprietary technology contained in the software sold to Russian government clients presents a risk of reverse engineering and vulnerability identification within similar Acronis devices.

Business relationships with adversarial foreign governments could create dual loyalties and leave Acronis vulnerable to coercion in the future.

Mitigations

- Replace Acronis with qualified alternative service providers such as Carbonite, Datto, and Symantec.
- Determine whether Acronis supports any other aspects or subsystems of the Target Program, or any associated programs, to establish the degree of criticality and potential vulnerability and the degree to which an escalation could spread.
- Consider informing counterparts in the USN who also use Acronis services.
- Determine how Acronis compartmentalizes and protects government customer data, where it is housed, and who has access.


Acronis Management Connections to Russian Government Entities

[Figure: relationship diagram of Acronis management connections to Russian government entities.]


AFMC SCRM Successes

- Approved AFMC Roadmap and Implementation Plan and Process
- Numerous programs completed assessments within AF/AFMC
  - Enabled risk avoidance/mitigation
  - AF programs see the value of AFMC/SCRM
- Fighter / Bomber (FB) Directorate
  - FB PEO working to perform assessments across the portfolio; FB prioritizing top 6-9 programs for FY19/20 assessments
  - Program estimates considered to be an economic win, 0.1% of program costs
- Two CFIUS cases sent forward; M&A stopped by POTUS
- Two additional assessments kicked off this CY (Vehicles, Synthetic Biology)
- AFMC and AF Working Groups
- Language to SAF/AQ for 63-101, coordinated with Space Cmd
- Influenced DoD DASD (SCI) SCRM definition for DoDI 4140.01 & coordinated on AFPD 23-1 SCRM definition


AFMC SCRM Way Ahead

- SAF & AFMC/A4 evaluate SCRM policies to ensure they are integrated and aligned
- Continue to build Senior Leadership support (Centers, Program Offices, Command, & HAF/SAF/OSD): awareness and importance
- HQ AFMC/A4R establishing a central contract vehicle to provide AFMC support and SCRM assessments, and to build organic capability
- Continue to perform assessments and fine-tune processes and tools
- Continue to work detailed processes and develop relationships & collaboration (OSI, AFCEA, PCTTF, etc.)
- Standardize SCRM processes and tools across AFMC
- Evaluate and update CDRLs/DIDs for contracts

AFMC Leadership To Drive SCRM Evolution Across Command


SCRM Summary

The resurgence of Great Power Competition has introduced an asymmetric domain of warfare through the weaponization of the commercial industrial base.

Major Readiness Factor: supply chain risks need to be addressed. We are at war every day.

Communication up, down and across the supply chain and functional areas is critical to battling this major readiness risk.

Supply Chain Risks are Real. SCRM is everyone’s responsibility.