Out of the Dark, Into the Light: Exposing Vulnerabilities in the U.S. Defense Supply Chain

Two years ago, the Bureau of Industry and Security (BIS) put China-based encryption chip maker Hualan Microelectronics on the Entity List for “acquiring and … attempting to acquire US-origin items in support of military modernization for [China’s] People’s Liberation Army.” But as WIRED’s Andy Greenberg writes, Hualan and its subsidiary Initio still supply chips to Western manufacturers of encrypted hard drives that count NASA, NATO, and the U.S. military as customers. The FAA and other government agencies have bought encrypted hard drives with these chips too, per federal procurement records.

It’s alarming that the federal government would purchase products from or containing components of Entity Listed companies. It’s also a symptom of a much larger problem of the federal government not knowing the risks of the technology it relies on. Overall, the situation underscores the need to (1) gain significantly better visibility into critical supply chains and (2) remove weak links, such as the use of dangerous Chinese technologies. 

Greenberg says the situation with Hualan and Initio has “raised fears among security researchers and China-focused national security analysts that they could have a hidden backdoor that would allow China’s government to stealthily decrypt Western agencies’ secrets. And while no such backdoor has been found, security researchers warn that if one did exist, it would be virtually impossible to detect it.”

Matthias Deeg, a security researcher at German cybersecurity firm Syss, says, “In the end, it’s a matter of trust, whether you actually trust this vendor and its components with all your sensitive data… These kinds of microcontrollers are a black box to me and every other researcher trying to understand how this device is working.”

Hualan chips aren’t the only problematic chips – or materials for that matter – in our critical supply chains. In January, former National Security Advisor Robert O’Brien wrote for the Washington Examiner that taxpayer dollars are used for equipment with chips from SMIC and YMTC, both China-based, Entity Listed companies: “Thus, key functions from air traffic management to electric power distribution and to public emergency communications are at risk of disruption because they contain Chinese-manufactured chips.”

So, what do we do about it? In a new piece on the Pentagon’s limited supplier visibility, Air Force Lt. Cols. Nicholas Jordan and Jennifer Mapp warn that “Defense supply chains are under assault and the United States is losing. It is time for the Department of Defense to stop the studies and take immediate and real action to identify ‘kill shots’ at risk for exploitation.”

That sense of urgency should be shared throughout the U.S. government and beyond as Jordan and Mapp state, “Supply chain risk management is not unique to the defense sector and the need for speed, agility and resilience is just as critical to profit margins as it is to national security.”

For a deeper dive, check out:

  • War on the Rocks: “In The Dark: How The Pentagon’s Limited Supplier Visibility Risks U.S. National Security” by Nicholas Jordan and Jennifer Mapp
  • WIRED: “How a Shady Chinese Firm’s Encryption Chips Got Inside the US Navy, NATO, and NASA” by Andy Greenberg
  • Washington Examiner: “NDAA needs to tighten national security restrictions on chips made in China” by Robert O’Brien
  • China Tech Threat: “No Weak Links” in consultation with Nazak Nikakhtar

Check out our Substack account for all our blogs!