Supply Chain Huddle | No. 1

February 28, 2023 | 7 min read


The supply chain news on our radar this month: defective parts, a costly ransomware attack, and a win for the F-35 engine

The BlueVoyant Government Solutions team is constantly reading (and listening to) the latest news and insights on supply chain risk management in the U.S. Department of Defense (DoD) and broader Defense Industrial Base (DIB). Every month, we invite you to take a peek at some of the headlines that got us talking around the watercooler the most, and how we’re approaching our work in the DoD as a result.

Applied Materials’ Sales Shortfall Linked to Cyberattack at MKS
by Ian King for Bloomberg, 16 February 2023

  • What happened: A supply chain cyber attack targeting an Applied Materials supplier cost the semiconductor technology company $250M in damages and delivery disruptions. The supplier in question, MKS Instruments Inc., was unable to process orders, ship products, and provide customer service in its vacuum and photonics divisions as a result of the breach.

  • Why it matters: It’s no secret that semiconductor chips are a precious commodity for U.S. national security and economic interests. Ransomware attacks also remain a constant and common cyber threat for companies supporting critical American supply chains. While we hate a headline like this, it feels like we’ve been here before, and we should probably have the tools and processes to prevent something like this from happening again.

  • Our take: We do, in fact, have the tools to get ahead of this type of ransomware attack – or, at the very least, mitigate it before it turns into a larger supply chain issue. Getting ahead of cybersecurity risk requires complete digital and physical supply chain transparency, persistent monitoring of emerging vulnerabilities, and immediate coordination to remediate threats with your impacted third-party suppliers.

  • What happened: Boeing has launched a lawsuit against Raytheon following allegations that Raytheon subsidiaries supplied faulty parts to F/A-18 and F-15 fighter jets. The incident in question began in 2018 at Boeing’s St. Louis County facility, causing Boeing to incur tens of millions of dollars in mitigation costs and delaying the F/A-18 release by three months in 2019.

  • Why it matters: Large companies suing each other isn’t exactly breaking news. The problem is, we’re still talking about a three-month delay that occurred four years ago. Even a seemingly momentary supply chain disruption can have a long-term impact. This is a perfect example of the ways in which these issues can drag out for years.

  • Our take: Boeing and Raytheon aside, imagine how a smaller company in your supply chain might fare under a similar financial or legal battle. (Spoiler alert: probably not well.) All the more reason to take another look at the lowest tiers of your supply chain, identify criticality amongst those suppliers, engage in continuous business and cyber risk monitoring, and be prepared with alternative supplier options. You know, just in case.

Fix coming for F-35 engine problem that froze fighters’ deliveries
by Stephen Losey for Defense News, 10 February 2023

  • What happened: After facing engine troubles that halted deliveries of the F-35 Joint Strike Fighter for two months, it seems as though a solution may be available as soon as the end of February.

  • Why it matters: While any delivery delay is not ideal, we also think it’s important to acknowledge and commend the DoD for working with their prime contractors and suppliers to remediate an issue as quickly as possible. In this instance, the U.S. Air Force and Pratt & Whitney worked together to identify and isolate a specific engine vibration issue, as well as conduct the necessary due diligence to release a suitable and safe solution within months.

  • Our take: For every unexpected supply chain disruption, we could only hope that the response is just as swift. Even more importantly, both parties have already taken proactive steps to require additional testing practices and prevent similar disruptions from happening again. That’s the energy we like when it comes to efficacy, transparency, and continuous improvement in supply chain risk management.

Interview with Frank Finelli, Managing Director - Defense and Aerospace at The Carlyle Group
Episode #21 of Building The Base Podcast, 8 February 2023

  • What was discussed: The big topic of discussion in this episode was China, and the ways in which they may be out-investing and out-innovating the United States. New research indicates that China’s defense innovation cycles may be five times faster than what we are seeing in the U.S. military, but Frank warns that we can’t skip over critical foreign risk assessments in our desire to move just as quickly.

  • Why it matters: A comprehensive analysis of foreign ownership, influence and control (FOCI) requires diving into the details beneath the surface – who they are, who advises them, who they do business with, where they’re doing business, why they’re doing business there, and all of the business and cyber risks that might pose.

  • Our take: Cue the ‘yeah, isn’t that obvious and covering the basics?’ comments, and they’re not wrong. But unfortunately, FOCI is an area where we see a lot of DoD programs typically left wanting for more. Getting ahead of foreign influence threats and protecting mission-critical government investments is something we are fully on board with — and already engaged in at every stage of the acquisition lifecycle.

Pentagon Didn't Check Risks Before Authorizing Cloud Services, IG Finds
by Edward Graham for Defense One, 22 February 2023

  • What happened: The Pentagon’s Office of Inspector General (IG) recently conducted an audit to determine whether five DoD cloud systems using three different commercial cloud service offerings (CSOs) were in compliance with federal and DoD security requirements. Well, the results are in, and it’s not looking great. According to the IG, the five agency component authorizing officials (AOs) didn’t follow requirements for assessing CSO risk when granting access, as well as reassessing risk for authorizations and continuous monitoring activities.

  • Why it matters: This wouldn’t be alarming, except for the fact that the role of AOs is to grant system-level authorization to operate (ATO) in accordance with requirements that aim to reduce cybersecurity risk. When the DoD has gone all in on commercial CSOs, insufficient review processes leave the agency exposed and vulnerable to cyber threats.

  • Our take: Not all hope is lost. The IG report recommended that the respective AOs reevaluate the ATOs for the five cloud systems in order to determine the most salient cybersecurity requirements. Understanding that a strong cyber internal defense starts with external third-party systems is truly validating to our own work in the DoD. But seriously… @DoD, call us?

Want to tune into our next huddle instead? Every month, the BlueVoyant Government Solutions team huddles up live to discuss the latest supply chain risk events impacting the U.S. Department of Defense and Defense Industrial Base. Subscribe here to get on the list and receive the next huddle recording as soon as it drops.
