DOD considers vendor incentives to bolster supply chain security

The Defense Department wants its tech to be delivered uncompromised. But there are several obstacles to supply chain security, including lack of data from vendors on possible vulnerabilities.

For Defense Security Service Counterintelligence Director William Stephens, "uncompromised" means capabilities sent to operating forces without "critical information and or technology being wittingly or unwittingly lost, stolen, denied, degraded or inappropriately given away or sold." Or at the very least being able to account for how something took place, he said at an April 24 Center for Strategic and International Studies event on supply chain security.

DSS oversees cleared industry partners working on classified projects with the Defense Department. Stephens wants to capture potentially adverse information from those vendors as early as possible, even if that means paying companies incentives to get it right.

The agency has a lot on its plate. DSS gets about 50,000 reports annually, seriously looking into about 8,000 for counterintelligence interest. For the last two years, Stephens said reports have been overwhelmingly a mix of cyber and human activity: 16% were cyber only, 30% were human only, 54% had indicators of both. That means only focusing only on the cyber or intelligence connection "is a dangerous thing," he said.

"Industry does a good job" of reporting activity he said -- 15% of facilities report information of counterintelligence interest and a quarter making some sort report. But it's still not enough: DSS needs about three times as many facilities reporting for the data to be statistically significant, hence the need to incentivize contractors to report.

"The challenge is that we're going to have to incentivize if we're actually going to truly get to the depth and breadth of the challenge," he said. "If the incentives are correct, they'll deliver."