Leveraging a crowd sourcing methodology to enhance supply chain integrity

Supply chain integrity (SCI) is emerging as one of the top security issues facing critical systems. The government's reliance on commercial off-the-shelf (COTS) products is apparent, as is the threat of critical systems being designed and manufactured overseas. To date, few tools or capabilities exist to prevent or even detect these classes of attacks. Programs, such as DARPA Trust, exist to identify solutions; however, alternative strategies must be explored. It is extremely challenging to establish the trustworthiness of a supply chain for a product or system in today's globalized climate, especially given the complexity and variability of the hardware and software, and the diverse geographical areas where they are made. Counterfeit items, from individual chips to entire systems, have been found both in commercial and government sectors. Supply chain attacks can be inserted at any point during the product or system life cycle and can have detrimental effects to mission success. We hypothesize that wisdom of crowds techniques may be applicable to the analysis of supply chain integrity. Current supply chain security efforts are hindered by a lack of detailed information on a product's entire supply chain. End-users have virtually no access to supply chain information, and even major manufacturers may have difficulty getting access to their suppliers' sub-suppliers. Component testing and even reverse engineering can be used to mitigate risks, but these approaches are imperfect, time consuming, and expensive. This paper will discuss the development of a semi-automated supply chain integrity risk analysis framework to assist the supply chain security analysts in assessing the level of risk associated with a component of a mission critical system. This capability can provide the system designer a more rigorous and efficient approach to assess the security of the components in the design. By fusing all of these tools into a centralized framework, we hypothesis that we can create a capability that will enable analysts to more effectively interrogate the data and extract trending as well as critical information.