16 July 2017

Leveraging Blockchain Technology to Protect the National Security Industrial Base


ABSTRACT: Cyber-enabled economic warfare is not limited to the use of digital networks for surveillance, theft, and sabotage. An emerging national security challenge related to the globalization of manufacturing supply chains is the phenomenon of attacks in which substandard, counterfeit, or maliciously-modified electronic components are introduced into the hardware on which the national security industrial base (the “NSIB”) operates.[1] The focus of this work is not on physical countermeasures against infected electronics, but on harnessing blockchain technology to defeat the adversarial networks responsible for the attacks. The complexity of global economic institutions and processes produces an ocean of transactional data in which supply chain attackers can hide. Through blockchain technology, the structure of this data can be transformed to enable new kinds of forensics that can defeat these attacks at scale. This memo is a short-form discussion of the potential to transform legacy acquisitions systems via blockchain technology, along with an outline of pilot activities to initiate this transformation. The limitations of blockchain technology are also presented to ensure that expectations are properly aligned. A longer article that provides more depth and context for the issues raised herein will be published later.

Supply Chain Attacks as a Mode of Cyber-Enabled Economic Warfare

The increasing globalization of manufacturing supply chains will continue to drive broad-based, productivity-led economic growth around the world well into the 21st century.[2] But it also poses national security challenges of existential urgency as the technologically-complex electronic hardware that comprises our national security industrial base (NSIB) is increasingly produced or assembled in countries with documented histories of large-scale, technologically-sophisticated economic espionage against the United States.[3] The complexity and scale of the manufacturing supply chains that produce this hardware gives our adversaries new options for economic warfare that directly threaten the physical security of a United States that is increasingly dependent on imported hardware of verifiably dangerous provenance.[4]

Economic warfare entails the use of non-kinetic actions against an adversary’s vital economic targets to weaken it economically and thereby reduce its political and military power.[5] It implies an intense, coercive disturbance of the target’s economy. Cyber-enabled economic warfare (CEEW) refers to a hostile strategy involving attack(s) against a nation using cyber technology with the intent to weaken its economy and thereby reduce its political and military power.[6] The focus of the present work is on what we consider to be CEEW waged at a strategic level – that is, attacking the entire NSIB of a nation-state by rendering the hardware on which it operates fundamentally unreliable. There are multiple levels of severity in such attacks. Among the more benign is the substitution of counterfeit components for legitimate ones;[7] ordinary economic incentives are sufficient to encourage unscrupulous suppliers to do this without any direction from a sovereign power. More pernicious are components that are modified with malicious functionality, often carefully obfuscated.[8] In such cases, strategic intent can be read more clearly, although there are at present no reliable data with which to assess the relative dominance of profit-driven counterfeiting versus strategically-motivated infiltration.

The cost of inaction is great. While we laud the recent focus on supply chain security problems of the defense industrial base (DIB),[9] we endorse a broader notion of the range of U.S. interests threatened by this phenomenon. Infected components are also potentially entering our national civil infrastructure en masse, because civil enterprises share the same supply chain risks. In a conflict scenario, the collapse of the domestic economy would not only degrade national morale but disrupt the primary source of material support for U.S. forces.

The scope of potential penetration is difficult to bound with precision, but figures published by the Semiconductor Industry Association in 2013 estimate that “as many as 15 percent of all spare and replacement parts purchased by the Pentagon are counterfeit.”[10] At the hardware level, there are existing efforts to create better countermeasures against counterfeit components which have opaque chains of custody.[11] While these hardware-level solutions deal with bad components, there is a paucity of enterprise-level defenses to deal with bad actors in the supply chain. A 2017 Defense Science Board report describes the kind of gaps in our acquisitions system in which they so easily hide:

In typically long DoD acquisition processes, approximately 70 percent of electronics in a weapons system are obsolete or no longer in production prior to system fielding. The Department’s mechanisms for tracking inventory obsolescence and vulnerabilities in microelectronic parts are inadequate. Microelectronics components are likely to become obsolete repeatedly during the weapons system lifecycle. Efforts to track component obsolescence lack oversight at a Department-wide level. Reporting of counterfeit and “suspect-counterfeit” microelectronics is mandatory for some, but not all prime contracts and subcontracts. Such reporting requirements are inconsistent and no DoD system at present collects event information on cyber-physical attacks of electronic components as its primary function. To address these concerns, a shared vulnerability database and a parts application database of installed hardware could promulgate corrective actions across weapons systems.[12]

Apart from the economic damage done to victims of intellectual property theft in the case of counterfeits and recycled parts,[13] there is the wide-scale infection of our national infrastructure and defense arsenal with substandard parts.[14] The most serious scenarios would entail an adversary that can remotely turn our systems against us during times of conflict.[15] However, even if the malign effects of supply chain infiltration fall short of the most extreme possibilities, the uncertainty alone in defense planning imposes a cost in its own right.

The Blockchain

Before proceeding, we will define some commonly used terms in blockchain research and practice. The blockchain is a database whose security is assured by the mechanics of distributed consensus. When used generically, the blockchain refers to the general design concept on which such databases are built. The blockchain can also refer specifically to the data structure within a particular protocol. Usually, the generic or specific use of the term will be clear within its context.

The essence of how the blockchain works can be understood through an example. The first widely-adopted implementation of the blockchain is Bitcoin,[16] for which the database is simply a timestamped ledger of payments.[17] In the Bitcoin protocol, Alice transmits a payment to Bob by broadcasting her transaction to a distributed network of Bitcoin miners who race each other to check the validity of Alice’s request. Specifically, the miners are checking that Alice does indeed have the requisite balance of bitcoin in her account by validating that she did not already spend her bitcoin elsewhere before attempting to pay Bob. The race between miners is transparently structured: The winner is the first to solve a mathematical problem that by its design requires a high volume of brute computational work.[18] The winning miner is compensated for his work with a fixed award of bitcoin added to his account.

Alice’s transaction is validated by the miners along with a batch of other transactions submitted during a common interval of time; these transactions comprise a block. The blocks are “chained” together in the sense that every block contains a digest of the contents of the previous block.[19] This chaining of information in the state of one block with the state in the next block is central to the security model of the blockchain. If Alice seeks to attempt to cheat the network by modifying the state of a past block (e.g., by erasing a payment she made to Bob, or forging a payment from Bob made to her), she would need to solve a new puzzle[20] not only for that block, but every subsequent block because by design, the solution of the puzzle corresponding to any given block depends on the state of that block; her modification of the state of any past block would ripple through the states of all subsequent blocks and correspondingly create a new sequence of hard puzzles for her to solve.[21] It becomes rapidly more difficult over time for Alice to successfully modify any past transaction because the likelihood of her solving the necessary sequence of puzzles spawned by her dishonest transaction and shoehorning it into the blockchain decreases exponentially in the number of blocks subsequent to the one containing her dishonest transaction.[22] While the foregoing discussion focuses on the particulars of the Bitcoin protocol, the design principles described illustrate in a general manner the relationships between the data structure, security model, and consensus mechanism that typify most blockchain-based protocols presently in existence.
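The chaining argument above can be checked directly. The following is an added illustration, not code from the memo or from Bitcoin: a toy proof-of-work chain in which the block layout, the difficulty value, and the sample payments are all constructed assumptions. It shows that an edit to a past block is caught at that block, and that re-solving only that block's puzzle moves the failure to the next block rather than removing it.

```python
import hashlib

DIFFICULTY = 3          # leading hex zeros a block hash must have (toy value)
GENESIS = "0" * 64      # digest the first block points back to

def block_hash(prev, txs, nonce):
    return hashlib.sha256(f"{prev}|{'|'.join(txs)}|{nonce}".encode()).hexdigest()

def mine(prev, txs):
    """Brute-force a nonce until the hash meets the difficulty target."""
    nonce = 0
    while not block_hash(prev, txs, nonce).startswith("0" * DIFFICULTY):
        nonce += 1
    return {"prev": prev, "txs": list(txs), "nonce": nonce,
            "hash": block_hash(prev, txs, nonce)}

def build_chain(batches):
    chain, prev = [], GENESIS
    for txs in batches:
        chain.append(mine(prev, txs))
        prev = chain[-1]["hash"]
    return chain

def first_invalid(chain):
    """Index of the first block that fails validation, or None if all pass."""
    prev = GENESIS
    for i, b in enumerate(chain):
        digest = block_hash(b["prev"], b["txs"], b["nonce"])
        if (b["prev"] != prev or digest != b["hash"]
                or not digest.startswith("0" * DIFFICULTY)):
            return i
        prev = b["hash"]
    return None

def tamper_and_remine(chain, index, new_txs):
    """Alice rewrites one block and solves only that block's puzzle."""
    forged = [dict(b) for b in chain]
    forged[index] = mine(forged[index]["prev"], new_txs)
    return forged

def demo():
    # Constructed sample batches; block 1 holds Alice's payment to Bob.
    chain = build_chain([["carol->alice:5"], ["alice->bob:5"],
                         ["bob->dave:2"], ["dave->erin:1"]])
    edited = [dict(b) for b in chain]
    edited[1]["txs"] = []                      # erase the payment, redo no work
    forged = tamper_and_remine(chain, 1, [])   # erase it and re-mine block 1 only
    return first_invalid(chain), first_invalid(edited), first_invalid(forged)

if __name__ == "__main__":
    print(demo())
```

Each further block Alice re-mines pushes the first invalid index forward by one, which is the sequence of puzzles the paragraph describes.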

The “altcoin” development community seized upon the generality of the blockchain concept quickly. The open-source release of Bitcoin in 2009 was followed in 2015 with the release of Ethereum, which enabled the blockchain-based virtualization of Turing-complete machines, encompassing a general class of computational processes, of which a payments ledger like Bitcoin is only a special case.[23] The commonly-adopted term that describes this class is “smart contracts” – which describe a new model of constructing business contracts in which the definition, fulfillment, and validation of contingencies occur as the execution of code on a blockchain rather than as duties of a trusted third party. The prospect of projecting complex business processes onto code, and eliminating expensive middlemen, has already catalyzed over $1 billion in venture investments in blockchain technologies as of 2016.[24] This transformative potential of the blockchain may also revolutionize how we approach supply chain security for the NSIB.

Bringing the Blockchain Solution to the NSIB Supply Problem

The essence of the blockchain solution to supply chain security is the unification of all the transactional activities that constitute a supply chain into a single dataspace so that the transactional fog in which adversaries presently hide can be minimized. At present, adversaries can easily hide because the volume, heterogeneity, and sparseness of records associated with supply chain events makes timely investigations impracticably difficult. By projecting supply chain events onto a common dataspace, auditors and investigators will have a homogeneous, detailed, and real-time graph not only of suspicious transactions and relationships, but also a large baseline corpus of “normal” relationships and transactions as well. With such graphs, the full power of anomaly detection methods from machine learning (ML) and artificial intelligence (AI) can be brought to bear on the scale of the problem. This may speed the time-to-detection of infiltrations, and even deter some attempts outright, as the probability of non-detection perceived by would-be attackers is diminished.

As a general example, we consider a contract awarded to a prime contractor for the production of a complex electronic system for the NSIB. The prime contractor will have subcontractors, and subcontractors to subcontractors. Upon approval to start work, the prime and subcontractors will be assigned accounts on a common blockchain through which payments will be effected. Every value-adding activity by the prime or by a sub will be required to be annotated as events on the blockchain – such events could be the fabrication, testing, or delivery of a component. Payment will only be rendered from a prime to a subcontractor, or a subcontractor to another subcontractor, when the value-adding activity is annotated in a timely and accurate manner on the blockchain (this has the effect not only of ensuring accurate recordkeeping, but also encouraging timely payment to subcontractors). In this manner, the transactional provenance for even a single component can be fully mapped out via the payment chains of the tens or hundreds of subcontractors involved in its manufacture. As transactional graphs are constructed for all components that comprise a device, and all devices that comprise systems, a uniform transactional database is constructed for the entire NSIB, resolvable to any level of precision required for an auditor or investigator.

The simplest problem of excluding known bad actors is almost immediately solved with a blockchain-based dynamical graph of transactions. As an example from a services-based supply chain problem, the Special Investigator General of the Afghanistan Reconstruction (SIGAR) found in its audit of the construction of the Parwan Province justice center that a known bomb-making cell had infiltrated the supply chain of contractors and had actually gained two days of access to the construction site.[25] Such explicitly blacklisted entities, even if only tenuously connected with a performer in an active contract, would be flagged in real time with a blockchain-based contracting system. The simplest cases aside, more sophisticated adversaries are likely to use front organizations to mix and tumble their transactions or to generate other kinds of transactional noise to obfuscate their activities. The blockchain also offers a more oblique technological path to defeating this kind of adversary through ML and AI methods. The adversary is now faced with an immeasurably risky problem of (a) faking his behavioral data such that (b) its deviations from the normal baseline of behavior fall within an error bound that may (c) be modulated by auditors and investigators in ways beyond his ability to know. In the long run, we hypothesize that the probability of successfully faking one’s behavioral data to evade detection will generally decrease as the data itself will become inherently more difficult to hide in. The difficulty is driven by the additive value of data – over time, there can only be a monotonic increase in (a) the number of validated cases of fraud or infiltration to be added to the collection of ground truth instances and (b) the absolute size of the dataset on which ML- or AI-based detection can learn. Asymptotically, there will be more instances of normal and anomalous behavior with which to improve the precision and latency of detection.
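The contract example and the blacklist check described above can be sketched as a payment graph. This is an added illustration, not a system the memo specifies: the `ContractLedger` class, the company names, and the component names are hypothetical, and the shared blockchain is modeled as plain in-memory records. Payment is refused unless the payee has annotated a value-adding event, and a blacklisted entity is reported with the payment path that ties it back to the prime.

```python
from collections import deque

class ContractLedger:
    """Toy stand-in for the shared dataspace of one contract (hypothetical)."""

    def __init__(self, prime, blacklist):
        self.prime = prime
        self.blacklist = set(blacklist)
        self.events = {}      # (performer, component) -> annotated activity
        self.payments = []    # (payer, payee, component), in submission order

    def annotate(self, performer, component, activity):
        # A value-adding event: fabrication, testing, delivery, ...
        self.events[(performer, component)] = activity

    def pay(self, payer, payee, component):
        # Payment is rendered only against an annotated event by the payee.
        if (payee, component) not in self.events:
            raise PermissionError(f"no annotated event by {payee} for {component}")
        self.payments.append((payer, payee, component))

    def payment_paths(self):
        """Breadth-first walk of payer -> payee edges, starting at the prime."""
        edges = {}
        for payer, payee, _ in self.payments:
            edges.setdefault(payer, []).append(payee)
        paths, queue = {self.prime: [self.prime]}, deque([self.prime])
        while queue:
            node = queue.popleft()
            for nxt in edges.get(node, []):
                if nxt not in paths:
                    paths[nxt] = paths[node] + [nxt]
                    queue.append(nxt)
        return paths

    def flagged(self):
        """Blacklisted entities reachable from the prime, with the linking path."""
        return {e: p for e, p in self.payment_paths().items()
                if e in self.blacklist}

def build_sample():
    # Constructed sample: three tiers of subcontractors under one prime.
    ledger = ContractLedger("PrimeCo", blacklist={"ShellTrading"})
    ledger.annotate("BoardFab", "controller-board", "delivered")
    ledger.pay("PrimeCo", "BoardFab", "controller-board")
    ledger.annotate("ChipBroker", "fpga", "tested")
    ledger.pay("BoardFab", "ChipBroker", "fpga")
    ledger.annotate("ShellTrading", "fpga-lot", "delivered")
    ledger.pay("ChipBroker", "ShellTrading", "fpga-lot")
    return ledger

if __name__ == "__main__":
    print(build_sample().flagged())
```

The same path data is what an auditor would walk to map the provenance of a single component, and it is only as complete as the events the performers actually annotate.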

There are significant limitations to a blockchain-based approach to supply chain security, and we do not propose it as a fully comprehensive solution by itself. The fundamental problems not addressed directly by the blockchain are twofold. First, the blockchain solution is optimized toward finding bad transactions rather than bad actors. Second, the blockchain only provides an economical and secure dataspace for measurements; for the analysis on such a dataspace to be useful, there must still be a critical density and volume of high-quality measurements of events in the supply chain. While the blockchain will provide an economical, secure, and uniform dataspace to record such events, the forensics enabled by the blockchain are ideally suited to identifying malice in enterprise-level behavioral patterns and relationships. However, an individual bad actor within an enterprise will likely have a variety of ways to evade detection if he has knowledge of gaps in the security procedures in and around his organization, such as the range of realspace events not annotated on the blockchain. Therefore, a blockchain solution will not entirely substitute for sound personnel vetting procedures and personnel activity monitoring. In addition, for even enterprise-level analytics to be effective, the physical spaces and electronic processes which constitute supply chains must be instrumented with a density and distribution of sensors commensurate to the subtlety of the phenomena sought. The development and deployment of such sensors at scale is a nontrivial problem in its own right. We anticipate that any broadly-effective solution to the supply chain security problem will require a combination of approaches of which the blockchain will be one of many parts.

Policy Recommendations

While the NSIB policymaking community wrestles with the potentially existential threats embedded in supply chains, the private sector is already embracing the blockchain for its own supply chain security problems.[26] We are in full accord with the policy recommendations of the April 2017 Defense Science Board report; however, implementation of them at scale in a cost-effective manner will require the unique capabilities of the blockchain.

Small-scale experiments can be done, particularly in technology-savvy communities – e.g., cybersecurity specialists and cryptographers. We can develop a novel set of requirements for prime contractors who are able and willing to accept the blockchain-based payment system. To support this, we will need to train a contracting officer and contracting officer technical representatives to define and validate contractual contingencies on such a system. At a more fundamental level, we need to update the privacy requirements for contractor information – existing Defense Federal Acquisitions Regulations (DFAR) requirements impose standards for protecting contractor information,[27] and the pseudonymous[28] quality of behavioral data embedded on a blockchain raises a host of technical risks[29] that will likely have to be managed at the policy level as well as at the technical level.

Legislative and regulatory action should be taken in partnership with industry. There is a common understanding of the urgency of supply chain security, but the globalization of electronics production will continue to be a necessary phenomenon to sustain the global semiconductor industry’s ability to create consumer value, drive economic growth, and innovate into the 21st century.[30] The unique equities of industry and those of the national security community can be harmonized with a combination of technologies and incentives. We may envision a secure acquisitions model in which good faith participation in any new model of supply chain transactional record-keeping can be rewarded with safe harbor indemnifications; but the transparency introduced by the blockchain may also justify a new and higher duty of care to their ultimate end-users in the NSIB.

Conclusion

Our dependence on foreign supply chains is a reality that policymakers will have to contend with in an increasingly open global economy. The blockchain solution will not by itself provide a complete solution, but it will raise the cost and risk of supply chain attacks. Broadly, blockchain-based solutions are just one of a broad range of tools needed to secure the supply chains for the NSIB, providing tools for enterprise-level forensics to detect malicious activity. A full transformation of NSIB acquisitions processes to accommodate the blockchain may require long-term, whole-of-government and whole-of-industry efforts, but can be experimentally implemented in the short run on small scales. In such experiments, we can begin to develop the data required to address broader questions of the return-on-investment (ROI) of blockchain approaches versus approaches based on traditional forensics and analysis. The development of metrics and measurements for such ROI assessments is an objective in its own right in any such experimentation, as the adoption of blockchain technology can be expected to be improvisational and iterative.

Securing the NSIB supply chain is a systems engineering challenge of unprecedented dimensions. Essentially, the problem at hand is to police a corpus of commercial activity which, if only counting the Department of Defense, would comprise the 20th largest economy in the world.[31] While the blockchain, as a new technology, entails extraordinary risks, it also bears extraordinary promise as a tool uniquely suited to such problems of singular scale and complexity.
