The vulnerability of the defence supply chain is a threat to National Security. On 28 January 2020, despite continued opposition from the United States and also from within his own cabinet, most noticeably the Defence Secretary Ben Wallace (Conservative MP for Wyre and Preston North), the Prime Minister Boris Johnson confirmed that Huawei would be allowed to help build the UK’s 5G network. Commentators’ views on the threat that employing the Chinese telecom company’s equipment poses to the integrity of the nation’s future 5G network are mixed; however, most cautiously support a restricted role, whereby Huawei technology is excluded from sensitive areas of the network, for example the core, and used instead in peripheral components, such as mobile phone masts and antennae.
Complexity of the Supply Chain
The key issue in this debate is the complexity of the supply chain and the lack of vendor diversity that will support the UK’s 5G network. As James Sullivan, Head of Cyber Research at RUSI points out, there is no such thing as completely ‘trustworthy’ equipment or vendors in any context. Moreover, it impossible to eradicate all risk in complex technology-dependent activities. To counter this, Sullivan contends that a realistic risk tolerance, informed by the degree of confidence in the security of components and infrastructure, must be set.
Supply Chain Vulnerabilities
The problems of supply chain vulnerability exposed in the development the UK’s 5G network are experienced every day in the acquisition of military capability in the UK. In this instance, it is the capability managers within the Royal Navy, Army and Royal Air Force, supported by the MOD’s delivery agents (Defence Equipment and Support, Information Systems and Services, and the Submarine Delivery Agency) who must identify what the realistic risk tolerance is for their programme. The difficulty with this is understanding what specifically must be done to achieve confidence in the supply chain and then actually going ahead and doing it.
At the macro level, the challenge can be summarised as: how do you precisely and cost-effectively identify, assess and eliminate supply chain vulnerabilities within the supplier networks that support Defence capability programmes? Further examination suggests that supply chain vulnerabilities can be broken down into the following areas of risk:
– Mergers and Acquisitions. Companies within the supply chain deliberately targeted for merger or acquisition to increase state-owned foreign influence.
– Intellectual Property Theft. Stealing ideas, trade secrets or proprietary technologies, often through industrial espionage, cyber-breaches or the exploitation of outsourcing.
– Non-Value Added Suppliers. Suppliers providing components to systems without any additional value-added manufacturing, leading to increased cost without increasing capability.
Risks within the Defence Supply Chain
There is growing evidence of all these risk areas within the defence sector. In 2016, The Economist reported that China is aggressively using a policy of mergers and acquisitions to become a superpower in the semiconductor industry. More recently, Mark Esper, US Defence Secretary, warned that the same country was perpetrating the “greatest intellectual property theft in human history”. Finally, analysis from an independent review of one the MOD’s largest acquisition programmes in 2017 identified that as many as 4.7% of parts supplied could be subject to a non-value added financial mark up. The extrapolation of that data suggested a potential overpayment during the acquisition phase of £155 million.
Unfortunately, as with most complex issues, the devil is in the detail. With supply chains for some capabilities extending down at least a dozen tiers and involving thousands of companies across the globe, understanding that complexity is eye-wateringly difficult, not to mention time-consuming, labour intensive and expensive. Nonetheless, without that understanding, a credible level of risk tolerance cannot be set.
Conclusion
From an MOD perspective, it is tempting simply to hand the problem off to its prime contractors and original equipment manufacturers. However, as most contracts do not require the management of vendors further down than tier two or three, that is simply unrealistic. Instead a combined MOD/Industry approach is needed. Technology does exist, primarily through a combination of AI and machine learning, to meet the challenge. As ever, it will come down to finance and, more specifically, prioritisation of spend. Supply chain management has traditionally been seen as a low priority within defence acquisition programmes and is often the first port of call when savings are needed. That must change. Ignoring threats to the defence supply chain today will lead to much more serious threats to national security tomorrow.
