Causes of Vulnerabilities and Key Threats to Defense Supply Chains

Published June 6, 2025
By Col. David Levene, USAF

Supply Chains are Complex and Globally Integrated

The procurement of materiel to support national defense requirements involves massively complex commercial, government, and international supply chains. The interconnected nature of these supply chains, the loss of domestic manufacturing and materials processing, and the opaque nature of many lower-tier suppliers have left acquisition programs vulnerable to intentional attacks, disruptions, manipulation, and degradation by adversaries for economic or military advantage. Program managers must understand and consider the underlying causes that lead to vulnerable supply chains and methods by which adversaries can deliberately disrupt them to properly account for risks and contingencies while ensuring safe, secure, and effective defense capabilities are delivered to the joint force.

Layered Supply Chains Induce Risk and Vulnerabilities

Manufacturing processes for advanced technologies require multi-tiered supplier networks. These networks form layered webs of providers specializing in their respective sectors or niche areas, which are then fed into integrated production chains, and this “network of interconnected companies…must come together at the right time and place to deliver a timely product.”[1] The final assembly of many consumer and defense products is essentially an integration of parts and sub-systems purchased from several tiers of suppliers. The delicate nature of trade and strong incentives to reduce costs mean that production chains are often very fragile to even minor disruptions in trade.
Additionally, integrators and prime contractors may not have complete visibility into the activity and reliability of sub-tier suppliers, and they may not even know the full spectrum of sub-tier suppliers in their supply chains, making production vulnerable to risks that may be difficult to measure and assess.

Concerns About Defense Supply Chains

While the U.S. defense industrial base and program management ecosystem have significantly benefited from the increased efficiency and lower costs associated with global supply chains, vulnerabilities and shortcomings inherent to outsourced or opaque suppliers have piled up. Jordan and Mapp assessed that “it took a global pandemic for the Department of Defense to take notice of the fragility of its supply chains and the full impact of China’s global economic expansion.”[2]

There are several key types of supply chain threats and underlying causal factors that program managers should consider. Exiger, a company focused on risk management and compliance, lists four common risk areas surrounding defense supply chain weaknesses, each of which can lead to intentional degradation: focusing on cost instead of national security, cyberattacks, counterfeiting, and over-reliance on offshoring.[3] Additionally, poor understanding of supplier networks, purchase restrictions and export controls, and planning for peacetime instead of conflict also contribute to risks.

Causes of Supply Chain Vulnerabilities

There are multiple reasons that program managers and senior decision-makers leave supply chains vulnerable to disruption. Decisions on sourcing and low-tier supplier selection are often made for reasonable programmatic reasons that leave residual supply risk in the system’s procurement ecosystem.
In most cases, this residual risk is difficult to quantify or accept because permissive supply chain access and free movement of goods have been the norm for so long that spending extra money or time planning for a seemingly unlikely contingency might seem unreasonable—or program managers may just have no training or experience in this area. Traditional, peacetime efforts to optimize supply chains and account for natural ebbs and flows in supply chain efficiency are insufficient in the face of determined adversaries who intentionally wish to disrupt production.

A broad assessment of the defense acquisition landscape reveals three key causes of supply chain risks that can allow adversaries to affect programs deliberately:

Prioritizing cost instead of security.
Overreliance on offshoring.
Planning for peacetime instead of conflict.[4]

The following sections provide a short explanation and analysis of these factors, followed by an analysis of how malicious actors intentionally affect supply chains.

Prioritizing Cost Instead of Security

Simply put, redundancy and security are expensive. Having lived in a permissive environment and being incentivized to cut costs, program managers recognize that “supply chain resilience and risk management often are viewed as additional cost drivers with little or no return on investment.”[5] The Assistant Secretary of Defense for Sustainment’s 2023 Supply Chain Risk Management Framework report listed several cultural factors that affect supply chain risk.
These include:

Supply chain risk management “is considered overhead and eats at a company’s profit,” reducing financial incentives to incorporate rigorous planning.[6]
Since all contractor activity is charged through cost accounting, risk mitigation is assessed as added cost to a program.[7]
The supply chain culture of contractors is typically associated with prime contractors, not necessarily sub-tier suppliers.[8]

The obvious danger from prioritizing cost over security is that if the security threat renders the capability investment ineffective or unable to be produced, the cost is wasted anyway. In different terms, contractors or program managers ignore supply chain security risks at their peril. While reduced redundancy, resiliency, and security may lower program costs and speed production in permissive geopolitical environments, they pose existential threats to production when risks become real.

The Risk Management Framework described above includes an initiative focused on Acquisition Security, called Line of Effort 2, which focuses on “shaping supply chain risk management and resilience,” and another, Line of Effort 3, focused on Supply Chain Sustainment.[9] These initiatives seek to “require supply chain illumination, transparency, and risk management from final product to the raw materials” and “synchronize the information, intelligence, and vulnerability analysis” for supply chain risk mitigation.[10] None of these objectives can be accomplished without cost. Still, they are essential to securing supply chains and reducing vulnerabilities, so budget planning and resource allocation must be adjusted to support these goals. Programs should consider that preparing for supply chain-related threats is not wasted funding but an insurance policy to maintain capabilities in contested environments.

Overreliance on Offshoring

In peacetime, when the liberal, global trade system and the rules-based international order operate effectively, the economic principle of comparative advantage, coupled with cheap transportation and communication, allows a fully integrated transnational web of supply chain relationships to exist. The U.S. “is broadly dependent on foreign sources for many raw materials, manufactured goods, and services.”[11] This drives down costs, spreads production to where it can be accomplished most efficiently, and extends the benefits of trade. Naturally, companies and project managers have optimized their supply chains to lower costs and maximize profit and efficiency.

However, in times of conflict, heightened tensions, or aggressive competition, this can pose dire problems for supply chains. Willy C. Shih, writing for Harvard Business Review, noted that “firms have taken advantage of reliable, low-cost transportation and a benign trading environment to leverage low-cost labor in Asia to deliver a plethora of products to distant markets.”[12] These “cross-border dependencies,” highlighted by major disruptions during the COVID-19 pandemic,[13] shed light on the dangers of outsourcing parts of the production chain or the manufacturing of components beyond the borders of the U.S. Parts shortages, deliberate delays or withholding of shipments, export restrictions, and competing priorities for foreign manufacturers can all pose major dilemmas for acquisition programs. As Shih described, manufacturers “have approached their suppliers transactionally, focusing mainly on price,”[14] but perhaps different variables should sometimes be prioritized. Additionally, foreign access to supply networks presents opportunities for sabotage or physical tampering that are less likely in domestically sourced products.
Programs that need flexibility, resilience, surge capacity, or stockpiles need a more “strategic approach” to supplier relationships,[15] preferably one that balances the price and partnership benefits of outsourcing with the need for national security resiliency and a strong domestic economy.

Planning for Peacetime Instead of Conflict

The era of Great Power Competition and the decline of domestic manufacturing in the United States have created a gray area of competition between peacetime and conflict. Adversaries seek to exploit the competition environment to affect U.S. power in asymmetric ways. Despite this, defense policy is still catching up to the threat. Department of Defense (DoD) Instruction 4140.01, DoD Supply Chain Materiel Management Policy, details that the responsibilities of the DoD include:

Managing the supply chains during peacetime and war, and balancing risk with cost.
Managing supply chains to “provide best-value materiel and services” for U.S. forces.
Identifying, monitoring, and assessing supply chain security and possible disruptions from all sources to manage risk.
Guarding against counterfeits.[16]

The instruction specifies that programs must “maintain flexibility to respond to contingencies while minimizing” the costs to the Department but emphasizes minimizing life cycle costs in sourcing materials.[17] This instruction does not address supply chains as a warfighting domain beyond vague mentions of risk, disruptions, and counterfeits, which do not highlight the criticality of securing and reinforcing supply networks.
The Assistant Secretary of Defense for Sustainment published a Supply Chain Risk Management Framework report that declared the United States’ adversaries are “using our global supply chains as a non-standard tool to engage in competition below the level of armed conflict.”[18] This framework proposed definitions for supply chain resilience[19] that mesh with the Resilient Supply Chain focus in the 2023 National Defense Industrial Policy, which sets the goals of adaptability, responsiveness, and scalability.[20] In addition to a multitude of domestic and peacetime-related supply chain challenges, the strategy focuses on “increasing stockpiles of strategic and critical systems,” managing cybersecurity costs and capabilities within the defense industry, and promoting supply chain visibility to “mitigate risks and manage disruptions proactively, aggressively, and systematically.”[21] Programs must account for risks and disruptions due to intentional targeting that have traditionally not been significant considerations in peacetime.

Key Supply Chain Attack Methods

Each of these key causes of supply chain vulnerabilities contributes to weaknesses in defense production that can allow an adversary to manipulate or disrupt a supply chain intentionally. These activities can prevent the ability of the defense industrial base to mobilize quickly to support national priorities. Beyond these causal factors, however, it is also important for program managers and leaders to understand the most prevalent methods by which adversaries can deny or disrupt supply chains to create an advantage. While there are numerous approaches that can lead to deliberate effects on supply chains, this paper focuses on two disruptive approaches that defense programs are likely to encounter or that can cause the most serious disruptions.
Key attack modalities include:

Cyberattacks
Supply chain interdiction, manipulation, and counterfeiting

Cyberattacks

There are many types of cyberattacks that target a wide variety of civil, military, and dual-use systems and infrastructure. In some cases, adversaries can target cyber systems and infrastructure that enable and relate to supply chains, seeking to gain intelligence, disrupt operations, or gain a military advantage. Seongkyoon Jeong, writing in Supply Chain Management Review, classified three types of cyberattacks that affect global supply chains.[22] First, “fake” supply chains use social engineering to impersonate stakeholders, manipulate victims to compromise security, and coerce the disclosure of sensitive information.[23] The second type of cyberattack targets “resources managed by third-party suppliers rather than directly attacking the company itself.”[24] Jeong describes these resources as sensitive data, information technology systems, and digital access points, which can lead to “compromised operations and reputational damage for the supplier’s customers” as well as data breaches.[25] Finally, the third type of cyberattack that affects supply chains “involves hackers leveraging a supplier’s access to a company’s systems.”[26] This utilizes a supplier’s network to access and take advantage of a target company’s information through software or hardware systems.[27]

Mitigating these types of attacks takes personnel training and proactively establishing a security-focused supply chain culture that leverages cybersecurity across vendors and supply chain participants. In the highly networked global supply chain world, this can be exceedingly difficult.

Supply Chain Interdiction, Manipulation, and Counterfeiting

An adversary seeking to impact the performance of a defense system negatively could use access to a supply chain to cause a variety of effects on the products and the resulting defense capabilities.
This can occur through interdiction or manipulation of the supply chain, or the introduction of lesser-quality counterfeits.

In the first case, malign actors can interdict supply chains to stop or severely slow the flow of goods to enable defense production. This can occur overtly, through nation-state-level legal or economic actions, or more quietly, by applying administrative, bureaucratic, or other corporate process delays to shipments and production. A country that a product passes through could directly deny shipment to the U.S. or could use questionable or valid safety, security, legal, or commercial reasons to prohibit shipments from proceeding in a timely manner. In the second case, adversaries can develop plausible deniability or opaque processes that slow or drastically delay supply chains without openly indicating an intent to cause harm. This interdiction could occur across an entire product line, individual orders, or even individual recipients or sources.

In contrast to outright interdiction of goods, adversaries can also disrupt supply chains through malicious manipulation of products and counterfeiting. This includes physical and electronic manipulation, destruction, or alterations that can destroy, modify, delete, or add to product capabilities. For example, in late 2024, the terrorist group Hezbollah in Lebanon suffered separate simultaneous mass explosions of pagers and walkie-talkies that were issued to its members across the region.[28] These devices, which had been purchased from seemingly legitimate suppliers, had allegedly been manipulated by the Israelis, in some cases over a decade prior.[29] As one Israeli source told BBC News: “Hezbollah had unwittingly bought over 16,000 walkie-talkies at ‘a good price’ from a fake company 10 years ago.”[30]

These types of attacks, which can be insidious and quite difficult to detect, compound the challenges decision-makers face in preparing for supply chain attacks. For example, DuHadway et al.
asserted that “storing excess inventory to protect against a disruption would alleviate the impact of a supply chain disruption in the case of a natural disaster, but would exacerbate the negative impact of a disruption if the cause were due to fraudulent product quality from a supplier.”[31] If the stockpiled products are counterfeit, defective, or otherwise adulterated, this nullifies the benefit of the stockpile, wastes resources, and adds new layers to the supply problem, proving that there is no single type of risk or one-size-fits-all solution to supply chain challenges.

Mitigation strategies for these types of attacks are varied. Processes like the Committee on Foreign Investment in the United States (CFIUS) can review foreign purchases of supply chain nodes to ensure that domestic companies do not pose manipulation threats to producers and partners. Robust, intelligence-driven reviews of suppliers, broad reporting of detected counterfeits and supply chain disruptions and manipulations, combined with detailed quality checks on products, can also alleviate some risk. However, the most surefire risk mitigation strategy is using vetted, trusted domestic producers or reliable sources from allies and partners for as much of the production supply as possible. The downside, of course, is that this adds costs and complexity to production, and not all supplies can be produced domestically.

Overview of Mitigation Strategies and Policies

In summarizing the risk reduction and mitigation strategies discussed in the sections above, several vital policy and program management considerations should be emphasized to reduce key vulnerabilities to broad areas of the defense supply chain network in the United States:

Improve program office and vendor training on supply chain risks.
Emphasize and resource robust cybersecurity training and protections for supply chain systems at all tiers for critical defense products and technologies.
Work with Congress to fully resource stockpiles, backup suppliers, and other risk reduction options to always ensure the reliable flow of supplies.
Use contract structure and terms to incentivize suppliers and prime contractors to focus on supply chain security.
Share intelligence on adversary threats and capabilities against supply chains with program managers to account for risks properly.
Leverage partners and allies and combine production and supply chain capabilities to keep as much of the supply chain in “friendly” control as possible.
Implement stringent quality control measures to ensure that supplies are legitimate and not manipulated.
Enforce reporting of counterfeit and manipulated supplies in a shared database with sanctions against suppliers that cannot control their inventories.

These policies and recommendations represent possible national-level and program-level mitigation strategies to reinforce best practices and identify and minimize the threats and risks due to defense program activities.

Conclusion

Varied supply chains that take advantage of globally sourced goods can create significant cost-saving and program timeline advantages but can also open program supply chains up to deliberate interference, interdiction, or intentional geopolitical obstacles that can seriously hamper defense production. Additionally, advanced threats such as cyberattacks and covert manipulation can make even domestic supply chains susceptible to adversary interference or degradation. Program managers and defense leaders must be mindful of these threats, as well as the common program decisions that leave supply chains vulnerable in the first place, so that they can mitigate the risks that supply chain attacks can pose to national security and ensure resilient, effective, and secure defense capability production.

Colonel David L.
Levene has 20 years of experience in fighter aircraft operations, developmental test and evaluation, basic science research, technology development, and program management. He has over 1,300 flight hours as a Weapon Systems Officer in the F-15E and more than 25 other aircraft types, including over 230 combat hours. He has led test and acquisition organizations, was a fellow at Argonne National Laboratory, and most recently served as a Senior Advisor to the Secretary of the Air Force before attending the Eisenhower School at National Defense University. He holds a bachelor’s degree in mechanical engineering from Washington University in St. Louis and master’s degrees in Aeronautical Engineering from the Air Force Institute of Technology and Flight Test Engineering from U.S. Air Force Test Pilot School.

[1] Nicholas Jordan and Jennifer Mapp, “In the Dark: How the Pentagon’s Limited Supplier Visibility Risks U.S. National Security,” War on the Rocks, June 14, 2023.
[2] Jordan and Mapp, “In the Dark.”
[3] “Supply Chain Visibility: A Top Priority for the Defense Industrial Base,” Exiger, accessed November 16, 2024.
[4] “Supply Chain Visibility: A Top Priority for the Defense Industrial Base.”
[5] Steven V. Karl, “The Race to Resilience—Your Role in Securing Defense Supply Chains in a New Era of Great Power Competition,” February 2023.
[6] Office of the Assistant Secretary of Defense for Sustainment, “Supply Chain Risk Management Framework Project Report Phase 1,” February 2023, A-1.
[7] Office of the Assistant Secretary of Defense for Sustainment, A-1.
[8] Office of the Assistant Secretary of Defense for Sustainment, A-1.
[9] Office of the Assistant Secretary of Defense for Sustainment, 14-15.
[10] Office of the Assistant Secretary of Defense for Sustainment, 14-15.
[11] Karl, “The Race to Resilience.”
[12] Willy C. Shih, “Are the Risks of Global Supply Chains Starting to Outweigh the Rewards?” Harvard Business Review, March 21, 2022.
[13] Shih.
[14] Shih.
[15] Shih.
[16] Office of the Under Secretary of Defense for Acquisition and Sustainment, “DoD Instruction 4140.01: DoD Supply Chain Materiel Management Policy,” March 6, 2019, 3.
[17] Office of the Under Secretary of Defense for Acquisition and Sustainment, 9.
[18] Office of the Assistant Secretary of Defense for Sustainment, “Supply Chain Risk Management Framework Project Report Phase 1,” February 2023, iv.
[19] The proposed definition of Supply Chain Resilience was: “Resistance to disruptions and ability to recover quickly greatly limiting the effect of the disruption on the delivery of a good or service.” However, the report used the following definitions as a common baseline: Supply Chain Resilience—the capability of supply chains to respond quickly, so as to ensure continuity of operations after a disruption, and to quickly adapt to change; Supply Chain Risk Management—the process of proactively identifying supply chain vulnerabilities, threats, and potential disruptions and implementing mitigation strategies to ensure the security, integrity, and uninterrupted flow of materials, products, and services as risks are found, or disruptions occur; Supply Chain Security—the application of policies, procedures, processes, and technologies to ensure the security, integrity, and uninterrupted flow of products while moving through the supply chain. Source: Office of the Assistant Secretary of Defense for Sustainment, “Supply Chain Risk Management Framework Project Report Phase 1,” 11-12.
[20] Department of Defense, “National Defense Industrial Strategy,” 2023, 14.
[21] Department of Defense, 16-17.
[22] Seongkyoon Jeong, “The 3 Types of Cyberattacks Affecting Global Supply Chains,” New SCMR, October 7, 2024.
[23] Jeong.
[24] Jeong.
[25] Jeong.
[26] Jeong.
[27] Jeong.
[28] Raffi Berg, “Ex-Israeli Agents Reveal How Hezbollah Pager Attacks Were Carried Out,” BBC News, December 23, 2024.
[29] Berg.
[30] Berg.
[31] Scott DuHadway, Steven Carnovale, and Benjamin Hazen, “Understanding Risk Management for Intentional Supply Chain Disruptions: Risk Detection, Risk Mitigation, and Risk Recovery,” Annals of Operations Research (2017): 1-20.