Fake parts: A Pentagon supply chain problem hiding in plain sight

WASHINGTON — For about half the summer, 18 newly completed F-35 fighter jets sat outside Air Force Plant 4, a Lockheed Martin-operated facility in Fort Worth, Texas.

Instead of flying to military bases around the world, the F-35s were parked while U.S. Defense Department officials tried to untangle the supply chain mess that had stuck them there.

In August, the Pentagon had halted delivery of the aircraft after Honeywell, the maker of a key engine component in the F-35, told Lockheed it had new concerns about the provenance of one part. Specifically, the subcontractor had learned a magnet in the component had been made for years using raw materials sourced in China — a violation of federal procurement rules.

The Defense Department ultimately decided the Chinese alloy didn’t endanger or compromise the F-35, and it granted a waiver in early October for deliveries to resume.

But the high-profile incident spotlighted a quandary for Pentagon leaders, one the department has struggled to address and was warned about for more than a decade: how to keep counterfeit parts and other unauthorized material from sneaking into the department’s sprawling supply chain.

It’s a problem Pentagon officials worry could lead, in a best-case scenario, to poorer equipment performance — or in a worst-case scenario, to the accidental death of troops.

Amid China’s rise as a military rival to the United States and its status as the origin of much counterfeiting in the world, officials and experts say it’s a growing concern.

“Obviously [there are] lives at stake,” said Bryan Clark, a defense analyst at the Hudson Institute who has studied the Pentagon’s supply chain for computer chips.

The Defense Department’s far-reaching network of suppliers makes trying to catch counterfeit, shoddy or otherwise unacceptable parts a daunting task. Pentagon leaders say they are developing new tests to find counterfeit parts, putting a renewed emphasis on reporting when problematic components are found, and encouraging the military and industry to compare notes more often about counterfeit parts they discover.

“The good news is there are tools coming out using artificial intelligence and open source, that we can dive in and maybe find some of these things,” Bill LaPlante, undersecretary of defense for acquisition and sustainment, said in a September news conference after the F-35 deliveries stopped. “But I think it’s going to be a constant issue for us … understanding our supply chain.”

‘Constant vigilance’

The trouble with counterfeit parts isn’t only the theft of intellectual property, Halimah Najieb-Locke, deputy assistant secretary of defense for industrial base resilience, told Defense News in September. More importantly, they might not work, or could be shoddy or unreliable.

In the case of the June 2020 death of Air Force pilot 1st Lt. David Schmitz, the lack of transparency may have proved deadly. Schmitz died after his parachute didn’t deploy from his malfunctioning ejection seat, which the Air Force Research Laboratory said may have had up to 10 counterfeit and faulty transistors and semiconductor chips.

While the lab said the parts were “suspect,” it noted more analysis would be required to determine if they were truly counterfeit.

Schmitz’s widow, Valerie, has filed a federal civil lawsuit against three defense contractors, seeking to learn through the discovery process whether the components were proved to be fake. The Air Force has declined to comment on this case.

In the midst of a worldwide semiconductor shortage, some Pentagon officials are worried about a potential influx of counterfeit chips — both through vendors seeking to profit from suppliers in a tight spot and through an adversary who’s created a cloned part that’s home to a cyber backdoor.

“There is more incentive than ever to profit off of counterfeit components just by advertising that you have them available within the supply chain when no one else does,” said Nick Martin, director of the Pentagon’s in-house semiconductor supplier, the Defense Microelectronics Activity.

In 2018, Bloomberg Businessweek reported the Chinese government got a stealth doorway into servers made by the Oregon-based company Elemental Technologies in the form of a tiny microchip.

According to the report, the servers — with chips inserted at factories run by manufacturing subcontractors in China — could be found in Defense Department data centers, CIA drone operations and the onboard networks of Navy ships.

Now, with it often taking as long as two years to obtain some components from approved sources, electronics manufacturers find themselves facing fewer options. The most common counterfeits are not malicious, Martin said, and might simply have had their serial numbers altered to disguise that they’re not suited for military purposes.

“Our DoD weapons systems are long in the tooth in terms of time in the field, and we need to make sure that there’s specific reliability requirements for the components that we put into them,” Martin said. “Counterfeits or even cloned components will compromise the reliability” of equipment.

Counterfeit chips can pass for the genuine article for a while, but they can wear out faster, Clark said. If a chip isn’t coated or hardened correctly, uses substandard materials, or is connected with cheap wires, he explained, then it’s not living up to the standard the military expects — and could potentially endanger service members

“When we talk about these [military] standards, a lot of it is designed to perform the way it’s supposed to, even if it’s kept in service beyond when it was supposed to,” Clark said. “In a commercial product, Apple’s never going to stand behind your iPhone for 10 years; whereas in DoD, that F-16 [fighter jet] is supposed to run for decades.”

The scale of the Defense Department’s supply chain makes keeping an eye on what goes into it a daunting task. Najieb-Locke estimated the department has 200,000 significant suppliers in the defense-industrial base, and scores more subcontractors.

“It’s hard to give a truly firm number … given the fact that we only have visibility so far down the chain,” Najieb-Locke said. “Lockheed can contract with whoever they want to contract [with] for their widget that goes into” what they supply as a prime manufacturer.

Indeed, the F-35′s problem this summer shone new light on the Pentagon’s complex supply chain and how opaque it can be to the department.

The F-35 relies on more than 1,700 suppliers at all levels providing roughly 300,000 parts. The Air Force’s network is even broader; the service said it depends on about 12,000 direct suppliers. But further down the supply chain, the network expands to about 1 million companies.

“One of the lessons of COVID is we [have not] understood supply chains as well as we thought we did,” Andrew Hunter, the service’s acquisition chief, told reporters at a conference in September. “Both COVID impacts and inflation [are] causing people to go back and say: ‘Hey, there’s more complexity in the supply chain than we may have fully appreciated.’ ”

This isn’t the first time the F-35 has had this kind of issue, Hunter said. During the Obama administration, an F-35 part initially manufactured in Scotland was outsourced to China — without the knowledge of Lockheed or the manufacturer of the component that used the part.

“These supply chains are not static,” Hunter said. “It’s a challenge, and it’s a constantly moving target. So it does require constant vigilance to make sure that our supply chains are resilient, they are secure, and that we know where stuff is coming from and whether they’re compliant.”

An information-sharing push

This summer, the Pentagon adopted a new policy aimed at fixing gaps in reporting suspected counterfeit parts to an unclassified government-industry clearinghouse — an issue the Government Accountability Office identified in 2016.

The 24-page policy would mandate all DoD component chiefs ensure counterfeit and “nonconforming” items are reported within 60 days of being found to a decades-old but little-known program now called the Government-Industry Data Exchange Program, or GIDEP.

Long-standing regulations mandate the Defense Department’s suppliers test and inspect their wares before they’re handed off to the government. Under the new policy, when those suppliers and DoD components find a suspected counterfeit part, that should yield a report to GIDEP.

The policy taps the undersecretary of defense for research and engineering, currently Heidi Shyu, to oversee GIDEP and chair two panels established around it that will have representatives of the military departments, the Defense Logistics Agency and other DoD entities.

The new policy will also bring the Pentagon in line with a 2019 federal acquisition regulation requiring GIDEP reporting and monitoring mandates be written into certain contracts.

“The GAO recommendation [that prompted the policy] was intended to make sure there was a level playing field,” said GIDEP Program Manager Jim Stein. “Industry would share what it knew across industry and government, and the government would share what it knew across government and industry. One benefit of this for industry is the government will start reporting what it should.”

Following a congressional probe, GIDEP participation surged in 2011 but later fell off significantly, GAO found. The watchdog agency said the Army, Air Force and Missile Defense Agency weren’t making any reports, blaming the lack of a central point person and varying approaches to reporting across the department.

According to Stein, the Defense Department has seen counterfeits increase in number and sophistication over the last two decades, with batches of counterfeits increasingly hidden in authentic parts, making them harder to find. But the DoD has also seen vendors grow more vigilant about testing and vetting.

“An example would be if you bought a reel of capacitors,” he said. “Some cases … are that the first 100 on the reel are authentic, and then they start inserting the counterfeits farther back. It makes testing difficult, but then conferences of experts are held, and then that information becomes more widely known.”

Meanwhile, the Defense Department is exploring is a zero-trust policy that would assume no microelectronics are safe and all must be validated. This could mean only allowing microelectronics into the supply chain if testing shows there are no exploits built into them and that they meets all the requirements.

“I don’t need to have its entire back history if I can test it in situ and say, ‘go’ or ‘no-go,’ ” Clark said.

Indeed, Najieb-Locke confirmed the Defense Department doesn’t require complete visibility throughout the supply chain. As long as a screw works, she said, it doesn’t matter who made it or whether the contractor bought it at a local hardware store.

But in some cases involving crucial systems, she noted, the Pentagon might track suppliers down to the 15th tier or so. In others, such as basic maintenance contracts, the department might only track suppliers to the second tier.

The Pentagon has qualification systems and other safeguards in place to catch these phony parts before they slip into its supply stream, Najieb-Locke said. Suppliers are also supposed to send a test batch first so the defense organization can verify the parts before accepting ownership.

But the Pentagon also has tests to catch counterfeit parts and checks components during maintenance, she said.

The department is exploring a less-invasive technique that analyzes the emissions from a part when it is pulsed with an electromagnetic signal. Martin said electronic fingerprint-detection equipment is promising because it costs less than $1 million and works in a few minutes or less. But the artificial intelligence needed to perform the comparative analysis still must mature before it can, for example, detect intentionally inserted flaws.

Congress in 2018 ordered the DoD to create a pilot program to evaluate machine-vision technologies to determine the authenticity and security of microelectronics parts and weapon systems. The Defense Microelectronics Activity, which led the pilot program, is due to soon release a public report on its findings.

“For the machine-learning stuff right now, there’s still a considerable amount of work that needs to be done,” Martin said, but it’s “showing a lot of promise.”

The role of contractors

Hunter said the Air Force is watching some defense contractors build new relationships with companies that specialize in supply chain management to improve their visibility.

But at times, the government’s longing for supply chain visibility can conflict with suppliers’ desires to keep their trade secrets.

“How do we get more transparency into second, third, fourth and fifth layer[s] of suppliers?” said Edward Smith, director of F-35 domestic engagement at Lockheed. “Some of that becomes proprietary information for our suppliers, so they don’t have to share that with us because it is proprietary on how they produce their product and get the economic value.”

Beyond the second and third layer of the supply chain, Smith said, the process relies on trust that subcontractors are going to follow the acquisition rules.

“We have to say … we expect you to maintain your supply chain inside of your own IP [intellectual property], and we’re going to respect your IP since you’re a partner on this — and expect [compliance],” Smith said.

Who takes responsibility between industry and the Pentagon for counterfeit parts at the third tier of the supply chain and below is already part of a high-level tug of war, according to Chris O’Donnell, a senior Pentagon acquisition official.

“We’ve heard from the primes that: ‘Hey, you’re not paying us to do that. Do you expect us to do that? Well then, pay us to do that,’ ” O’Donnell said. “And our answer is: ‘No, we sort of, kind of expected you to do that. If it’s your design, and you’re producing it, and you’re responsible for sustainment, that you’re watching out for your supply chain.’ And the answer is, not so much.”

The question snowballs into whether the Pentagon or industry would be responsible for ensuring zero-trust standards are met. Whether the department should even go to a zero-trust approach remains unresolved.

“It’s a big debate,” O’Donnell said. “What we’re saying is we can make these chips anywhere in the world, and because we designed it with zero trust in mind, we’re good to go. I still haven’t pushed the ‘I believe’ button on that.”

Chris Stone, the vice president for supply chain for enterprise operations at Lockheed, said the F-35 incident underscores the need for the company and others to see better into its supply chain.

“We’re moving to a point that in areas we know have more critical risk exposure, how do we get better insights,” Stone said.

And across the defense-industrial base, firms are trying to figure out how to find potential problems.

“Unfortunately, we often get caught flat-footed,” Stone said. “There’s all this data out there. Well, it’s not just about getting all the data; we need to get smart about what the data tells us about risk and how we get humans in the loop.”

Najieb-Locke sees continuous improvement in communication with industry as the best option for catching counterfeit parts before they make their way into the DoD’s ecosystem, more so than tightening up its own processes.

“It’s not really a process of what can we tighten up, as much as … working with industry and our suppliers to make sure we are aware of who is out there counterfeiting their products,” Najieb-Locke said. “And making our acquisition corps aware that, here is a new list of counterfeit products and this is what the counterfeit looks like. So it’s an education regime more than a process. Because if it slips through that check, that means it passed technical viability.”