Executive Summary

High-performance electronics are key to the U.S. Air Force’s (USAF’s) ability to deliver lethal effects at the time and location of their choosing. Additionally, these electronic systems must be able to withstand not only the rigors of the battlefield but be able to perform the needed mission while under cyber and electronic warfare (EW) attack. This requires a high degree of assurance that they are both physically reliable and resistant to adversary actions throughout their life cycle from design to sustainment.

The reduction of onshore advanced technology and packaging availability has weakened the U.S. electronics industrial base; however, the committee is pleased to see that U.S. government and Department of Defense (DoD)-level programs have been initiated that seek to address these concerns. Independent of these programs, there are actions that the USAF must take to help ensure that the embedded electronics in its weapon systems can be trusted to execute the mission.

In 2016, the Air Force Studies Board convened a workshop titled Optimizing the Air Force Acquisition Strategy of Secure and Reliable Electronic Components; a summary of that workshop is provided in Appendix B. Air Force leaders subsequently requested a follow-on consensus study to provide recommendations to the USAF acquisition community. The National Academies of Sciences, Engineering, and Medicine assembled an ad hoc committee of leading experts to investigate the issues, and this report is a result of the deliberations of the Committee on a Strategy for Acquiring Secure and Reliable Electronic Components for Air Force Weapon Systems.

THE CASE FOR AN ENTERPRISE APPROACH FOR PROTECTION OF ELECTRONICS WITHIN THE AIR FORCE

Our near-peer adversaries want to win the battle before a shot is fired. One of the best ways to achieve this mission is to take advantage of the growing global supply chain and highly interconnected networks. These channels allow them freedom to operate across the weapon system life cycle—from design to sustainment—from exfiltrating critical design information that is processed on Internet-connected networks to enabling access and control of mission-critical electronics. A disconnected patchwork of assurance efforts throughout the U.S. government that are intended to reduce the threats to the supply chain in fact make the adversary’s job easier. This, combined with an inconsistent approach to protection of program information at all stages of the life cycle, imposes unquantified risks to the assured operational capability of USAF platforms. Investigative organizations such as the Air Force Office of Special Investigations (AFOSI) lack sufficient numbers of technically qualified staff dedicated to monitoring supply chain risk. Moreover, the lack of risk and threat assessment experts embedded within the USAF program offices was a major deficiency identified in the earlier workshop and subsequently reinforced by this study. In spite of the extensive efforts to identify a “smoking gun” or confirmation that malicious or compromised hardware had degraded mission performance of USAF weapon systems, this report will not provide that level of certainty on the realization of this threat. However, in spite of the absence of a “smoking gun,” this report cannot provide any level of assurance of the absence of a “loaded gun.” In the words of one committee member, it is not a matter of if hardware within a critical weapon system can be compromised but when such a compromise will occur and what impact it will have to USAF lethality.

There is a critical need in the USAF for an integrated solution or a system-level approach to ensuring trust in mission-critical electronics. The current approach within the USAF program offices focuses on a risk-based management approach dictated by a collection of policies such as DoDI 5200.44, DoDI 5000.02, and DoDI 4140.67. Unfortunately, the implementation of these policies is inconsistent across the USAF, and additional efforts are needed to better define and institutionalize “how” to perform supply chain risk management (SCRM) along with metrics to assess the efficacy of current policies. Past reports have focused significant attention on the risks associated with the loss of a U.S.-based manufacturing capability (e.g., trusted foundry), and there are numerous efforts across the government to improve onshore manufacturing capabilities for both new and legacy components. As a result, now is the ideal time for the USAF to leverage these U.S. government-led efforts and focus its efforts on creating a culture within the acquisition (ACQ) community that embraces a holistic approach to protection of program information that extends beyond ensuring that the electronic components are procured

from a trusted supply chain. As one expert shared with the committee during his briefing, why would the adversary expend the considerable resources to insert a malicious feature into hardware with the hope that it could remain undetected and eventually be exploited when it is easier and less costly to compromise the supply chain through other mechanisms such as flooding the market with counterfeit parts or insider threat exploitation? Efforts are needed to increase the capacity and capability of the workforce across the acquisition life cycle in specialized areas such as secure integrated circuit design, cyberphysical security, and reverse engineering and anti-tamper for firmware and hardware but also in contracting and operational security to ensure that program information is protected at all stages. Additional focus directed at addressing the security risks in obsolete components through modernization efforts ideally can be aligned with the goal of creating new capability as well as enhancing security and reliability of the platform. The goal of modernization efforts should be to create a resource burden on the adversary such that it costs the adversary significantly more resources (people, funding, or time) to target USAF electronics systems. Based on the committee’s review of the processes and policies available from leading industry experts and other federal entities, this report offers actionable recommendations to the USAF to ensure the security and reliability and, ultimately, the lethality of its weapon systems.

This report first describes USAF capabilities requiring secure and reliable microelectronic components and stresses the criticality of electronic components to achieving the USAF mission. Next, the report provides a brief overview on threats facing the microelectronic supply chain and summarizes the current SCRM policies. Subsequent sections of the report delve more deeply into near- and long-term threats, and the classified version of this report provides illustrative examples of potential scenarios regarding the consequences and impact of compromised electronic components. The final sections of this report expand the discussion of the earlier description of SCRM, provide two examples of best practices, and highlight the implementation challenges facing the USAF program offices. Finally, the report concludes with a summary of organizational and policy recommendations for the USAF acquisition community.

Lead Supply Chain Risk Management from the Top

Delegating supply chain risk management (SCRM) to the program offices results in costly duplication of effort, nonuniform implementation of policy and practices, and presents yet another threat vector. The threat to USAF microelectronic components spans the entire life cycle of USAF weapon systems. Understanding both security and reliability of the system starts at the earliest stages of research and design and impacts every acquisition decision from system development to sustainment of the platform. An effective SCRM program requires a

robust information protection strategy that spans all stages of the weapon system to ensure the protection of program information relating to critical technologies and capabilities.

Recommendation: The USAF must authorize, implement, and monitor at the highest level of the organization for supply chain risk management (SCRM) to be effective.

Recommendation: The USAF should establish a central office—the Program Protection Office—that has the responsibility and authority to implement a holistic approach to protecting program information across the acquisition enterprise that includes an integrated supply chain threat assessment and risk management program—from research and development (Air Force Research Laboratory, AFRL), through acquisition (Office of the Assistant Secretary of the Air Force for Acquisition, Technology, and Logistics, SAF/AQ), to sustainment (Air Force Materiel Command, AFMC). The Air Force Office of Special Investigations (AFOSI) Program Protection Office is a critical component of this new office.

Recommendation: The USAF Program Protection Office must have unfettered access to program office vulnerability information and risk mitigation plans; must be able to direct the use of red teams to proactively probe and identify risks; must establish enforceable rules for protecting program information at all stages of the program; must have the authority to hold program managers accountable for implementation of threat mitigation actions; and must be resourced to develop gold standard risk supply chain assessment tools that are incorporated into the program protection plans.

Capitalize on U.S. Government-Level Modernization Efforts

The whole-of-government is working to improve onshore electronics capabilities through programs such as the Microelectronics Innovation for National Security and Economic Competitiveness (MINSEC). If successful, these efforts may mitigate the risks associated with access to critical components and pace of technology development. The USAF can implement the underlying programs in MINSEC to improve provenance controls, protect Critical Program Information (CPI) from nontrusted suppliers, and improve security of components in sustainment programs.

Recommendation: The USAF should be an early adopter for U.S. government-level programs that are focused on improving capability concurrently with increasing security and reliability in weapon systems.

Recommendation: The USAF should work closely with the Microelectronics Innovation for National Security and Economic Competitiveness (MINSEC) program to help to inform decisions on creating, evolving, and maintaining a Department of Defense-specific, trusted, and verified electronic components library repository. Subsequently, once obsolete or compromised components are identified, this effort will inform modernization requirements to reduce the threat landscape and increase resilience into the future.

Develop USAF-Level Sustainment Process

The USAF can leverage commercial best practices to improve the security posture in the design and manufacturing stages of leading-edge electronic components for new weapon systems; however, sustainment time frames for USAF weapon systems are unique and, therefore, must be the focus of the USAF.

Recommendation: Because many of the legacy platforms employ similar electronic components and share an already fragile supply chain, the USAF should develop an enterprise-wide vulnerability assessment and risk management capability to better share information across the program offices in a timely fashion.

Recommendation: The USAF should implement a platform-by-platform review of critical electronic components and work with the Joint Federated Assurance Center (JFAC) or similar Department of Defense organization to ensure a secure and trusted supply of critical components for all sustainment programs.

Employ System-Level Operational Security

One of the easiest and most cost-effective ways to aid the adversary and weaken USAF mission effectiveness is to allow insight into U.S. capabilities and operations. Poor operational security (OPSEC) practices put critical USAF electronics information at risk. These include undesirable practices such as making readily available unprotected program protection plans (PPPs), allowing electronics to be designed on Internet-connected computers, and the open publication of critical weapon system parts lists and processes. Many of these practices are intended to support contracting “best practices” such as full and open competition. However, this behavior enables the adversary to steal or exfiltrate CPI from unsecured information technology (IT) systems with little to no effort. Poor OPSEC is especially damaging because once the information is obtained, it then allows the adversary to expend as much time as needed to identify exploitable vulnerabilities—often before the weapon system has even been fielded. Protecting program information must be a priority at all stages of the acquisition life cycle. This level of security

awareness must extend beyond acquisition of new weapon systems and be used to inform acquisition approaches for legacy platforms in sustainment.

Recommendation: The USAF must enforce existing operational security (OPSEC) policies across the entire weapon system life cycle—from initial design to sustainment of existing systems—and as new threats emerge, promulgate new policies throughout the enterprise to protect USAF weapon systems.

Recommendation: The USAF should adopt secure design environments and methodologies by ensuring that mission-critical design activities are performed only in secure design environments, with licensed and vetted design tools and intellectual property libraries. All components should incorporate “assured-by-design” strategies.

Recommendation: Early in the design process, the USAF should proactively assess what electronic components will require a trusted fabrication and packaging capability and then develop acquisition and sustainment strategies to support those requirements. The acquisition strategy should also consider technology obsolescence as a risk to the program and incorporate options for technology modernization.

Expand Supply Chain Monitoring

The AFOSI has the responsibility to monitor and investigate threats to the microelectronics supply chain. The AFOSI Program Protection Office does not have sufficient resources (funding or manpower) to move toward a proactive stance to protect USAF systems. Staffing limitations hinder AFOSI’s ability to identify threats to supply chains in time to have operational relevance. Additional training and subject matter expertise for SCRM are needed within the USAF program and sustainment offices that support the technical complexities of the weapon system.

Recommendation: The USAF should increase funding and staffing of the Air Force Office of Special Investigations (AFOSI), and related investigative efforts, to move from a reactive to a proactive threat assessment and risk management posture.

Recommendation: The USAF should ensure that sustainment personnel have access to the same supply chain risk management training and threat intelligence as the acquisition community.

Implement Program Information Protection Program (SystemSecure)

The USAF does not have a culture of proactive security assurance that emphasizes protecting program information at all stages of the acquisition life cycle such as the U.S. Navy’s Submarine Safety Program (SUBSAFE)¹ and the newly created Cybersecurity Safety Program (CYBERSAFE).²

Recommendation: Analogous to the U.S. Navy’s Submarine Safety Program (SUBSAFE) and the newly created Cybersecurity Safety Program (CYBERSAFE), the USAF should establish a “SystemSecure” program. SystemSecure should focus on increasing awareness across the USAF on the need for aggressive protection of program information, including proactive supply chain monitoring and remediation whenever risks are identified.

___________________

¹ The U.S. Navy’s Submarine Safety Program (SUBSAFE), the quality assurance program established in the wake of the 1963 USS Thresher disaster, was designed to maintain the safety of its submarine fleet—specifically, to provide maximum reasonable assurance that submarine hulls will stay watertight and that they can recover from unanticipated flooding.

² In 2015, the Navy established CYBERSAFE, which aims to ensure survivability and resiliency of critical warfighting information technology and system components and processes.