Cyber Defense Review

Safeguarding The United States Military’s Cyber Supply Chain

By 2LT Hugh Harsono | September 07, 2016

The International Cyber Supply Chain

Presently, the United States (US) military utilizes an international cyber supply chain, whereby it outsources the manufacturing of military resources and supplies so that it can maintain revenues and market share. One of the USMCSC’s partners is China, which has found equal footing alongside the US, Russia, and Great Britain as a world power due to economic prowess. Since China enjoys a status of neither an ally nor enemy of the US, it can engage with the American military as a manufacturing supplier. However, now that China has emerged as one of the foremost US geopolitical competitors, the American military must strike a balance between working within China’s global economy and safeguarding  US interests against China’s aggressive economic and militaristic actions. It is becoming crucial for the US military to make informed decisions on the use of Chinese-assembled telephone headsets, laptops, smart phones, and accompanying software, knowing that China may use these products and processes as a means of infiltrating the US military and/or its personnel. How did China become part of the development of so much of US military technology, and what can the US do about safeguarding itself against possible use for ill-gotten gain?

China as a Cyber Supply Chain Power

Cyber supply chains encompass sourcing, vendor management, product quality, fulfillment, and scarcity. China, as a cyber supply chain partner, provides the US military primarily with hardware and software, where China’s businesses play a role in the manufacturing and assembling of both these products. This is especially concerning due to the close ties between the China’s military and civilian industries. In fact, these ties are so close that changes in military spending nearly mirror economic growth, as seen in Figure 1.

Fig 1. China’s military spending vs. economic growth (Graph by National Bureau of Statistics of China. “Annual Data: 1996-2014.” NBSC. May 05, 2015. http://www.stats.gov.cn/english/Statisticaldata/AnnualData/ (accessed March 16, 2016).

 

With civilian economic growth leading to corresponding fluctuations in military spending, China’s government is encouraged to do well economically in order to grow militarily. These close ties can be seen in the correlation between military spending and gross domestic product in the last decade, as illustrated in Figure 2:

Fig 2. China’s military budget vs. GDP (Pike, John. “China’s Military Spending.” Global Security. March 15, 2013. http://www.globalsecurity.org/military/world/china/budget-table.htm (accessed March 15, 2016).

The close ties between the China’s civilian and military industries are certainly alarming to the US, especially when dealing with the production of military hardware and software. However, there are other issues that can arise due to the USMCSC being outsourced to China, including the issue of technology transfer, and the vulnerability of the cyber supply chain as a whole. This paper will cover a brief economic history of how China came to be in the position it holds today, while also exploring cyber supply chains and how they work. This paper will also investigate inherent cyber supply chain weaknesses, and point out potential solutions to specifically further safeguard the US military cyber supply chain.

China as an Emergent Economic Power

China’s ability to manufacture on a large scale has been the primary source of economic development and its resultant economic power. This power has many nations outsourcing their manufacturing processes to China. The rise in China’s manufacturing saw its jumpstart in China’s post-reform/ dual trade regime (1980s-1990s), with two distinct stages of economic reform from leaders Zhao Ziyang (1980s) and Deng Xiaoping (early1990s).[1] These two stages allow for a brief understanding of why and how the Chinese government and private industry are so interconnected and powerful.

During the 1980s, Zhao Ziyang implemented a dual track economic system[2], integrating older planned economic systems with newer market economic systems without disrupting the old, with the eventual goal of a market-leaning economy.[3] The “new” track was export-oriented, with large amounts of foreign investments brought into the country. Zhao Ziyang incentivized foreign companies to invest in China’s infrastructure with Special Economic Zones[4], along with a myriad of other incentives for foreign companies, including duty-free imports for export processing purposes, tax benefits, and limited Chinese governmental administrative interference.[5] Additionally, this foreign investment also allowed China to start laying the groundwork to reform its state-owned enterprises (SOEs) through privatization. All in all, these reformation policies helped Zhao Ziyang focus on growing China’s developing industrial capacity, while still utilizing its proven agricultural output.[6]

During the early1990s, Deng Xiaoping further pushed the Chinese desire for strengthened manufacturing, but through the reunification of Zhao Ziyang’s dual track economic system. With a recentralization of both resources and revenue, China began to focus increasingly on expanding the private sector. The state-sector began to downsize, and privatization began to take hold in China, as a result of the large amounts of foreign investment that were incentivized to come in to the country just a few years prior. China also began to privatize many SOEs during this period. However, what is crucial about this time is that China’s government insisted on holding onto the larger SOEs, especially those involved in defense, communications, and hi-tech enterprises[7], while smaller SOEs were allowed to become limited liability companies.[8] This retention of larger SOEs resulted in the significant crossover between China’s civilian and military sectors.[9] With this resulting privatization, combined with the government holding onto the larger SOE’s, China’s economic power would see significant growth in the years to come.

Key Cyber Supply Chain Vulnerabilities

One of the greatest vulnerabilities affecting cyber supply chains is cybercrime, where information is stolen, be it content, passwords, usernames, and/or account information. A ten-month IBM report found that “cybercrime is increasing both in lost information as well as recovery costs, with the average consolidated cost for a data breach increasing 23% since 2013”.[10] This is just one of many reports showing the presence of a cyber supply chain will almost always come with cyber thieves. As the US military battlefield increasingly shifts into the cyber realm, they must identify its vulnerabilities, not only in its forward-facing hardware and software systems, but also in the USMCSC, where procurement and distribution takes place on an international level. Within this realm, cyber thieves look for information on technology transfer. With China being a primary USMCSC partner, it is possible that China will engage in cyber theft to collect information about the American military and its systems. The USMCSC faces serious vulnerabilities in its process as well as the threat of technology transfer, alongside its vulnerabilities in hardware and software.

Cyber Supply Chain Process

The cyber supply chain process is a major vulnerable area that has not attracted much attention. Defense contractors, who typically supply the majority of products in the cyber supply chain, including, but not limited to military hardware and software, often do not have adequate security measures that match those implemented by Department of Defense (DoD) mandates. These contractors often present a softer target than actual military organizations, providing a proxy for attackers to steal intelligence from American military sources.[11]

There have been multiple cases of the US military being compromised through the cyber supply chain with China-based attacks on American defense contractors. One of the most prominent cases involved the China’s hacking of defense contractors BAE Systems and Lockheed Martin, where Chinese sources downloaded top-secret data for the US military’s F-35 Joint Strike Fighter,[12] alongside information for nuclear submarines, missile tracking systems, and space-based lasers.[13] These hacks, among many others, showcases the USMCSC’s liabilities, as China has been documented with already utilizing these stolen secrets and implementing them into their own military technologies. China’s Chengdu J-20, a prototype stealth fighter aircraft, contains copies of technologies stolen through the exploitation of the USMCSC, from wing span design to avionics, and even to flight control mechanisms.[14] These hacks on prominent defense contractors’ systems proves the vulnerability in the supply chain process itself; where a myriad of contractors and loose security guidelines provide China with the ability to direct attacks against America’s cyber supply chain.

Technology Transfer

Technology transfer between the China’s civilian sector and the military has long been a considerable concern for the American military, as the supply chain becomes increasingly outsourced and out of American control.[15] One prime example is through the direct transfer of hardware components defense contractors produce for the US military using Chinese facilities. Many American aerospace ventures with dedicated US military contracts have their facilities located next to, or even in Chinese military aerospace factories. One example is the Chengdu Aircraft Industry Group, a subsidiary of the Chinese government-owned Aviation Industry Corporation of China (AVIC)[16], which helps manufacture the CFM56 engine for General Electric. Copies of this exact engine are used by China’s military in their Chengdu J-10 fighter aircraft,[17] which is also manufactured by AVIC. Additionally, Chengdu produces parts for American defense contractors such as Boeing and Northrop Grumman,[18] while producing aircraft for China’s military use, including stealth fighters, unmanned aerial vehicles, and other aerospace technologies.[19] While this is just one example, there have been multiple other cases of technology transfer between American military production in China and its military.[20]

China’s military is benefiting from technology transfer in the technical know-how and support capabilities gained in this decade. Technology transfer has been a known problem for USMCSC in China, with the US government increasingly issuing sanctions and restrictions on American companies outsourcing manufacturing to China. These specific cases occur not only inadvertently, but also due to direct US involvement, particularly with China’s civilian industry. Defense contractor Rockwell announced in 1996 that it would help to “design, develop, and build commercial GPS navigation receiver systems”[21] with Chinese partners. While concerning, this partnership would not necessarily raise alarms. However, this was followed by the American Federal Aviation Administration’s 1996 announcement to assist the Civil Aviation Administration of China in air traffic control technologies[22]. These two incidents combined, while benefiting the China civilian economic industry, would also allow enhanced development of their military airpower, something that China had previously lacked.[23] A second, more direct example of American technology crossing over to China with effects on the USMCSC is highlighted in the F-35 radar system with both Northrop Grumman and Honeywell International utilizing governmental waivers to source and use Chinese materials and manufacturing.[24] The ability of companies to still conduct business in China despite a US government ban on doing defense-related business is especially troubling because these materials are in critical military systems. Additionally, while these radar technologies may benefit China on the civilian side, they are prone to also make an appearance with their military technology. This transference of technical know-how, while well-intended to benefit the China’s civilian industry, can harm US military interests, especially with such an obvious crossover between civilian and military applications.

Hardware

Hardware is an often over-looked point of cybersecurity, but a critical focus of the US military. Consisting of microchips and intermediate products whose origin and manufacture are easily obscured, the hardware challenges are more dangerous and difficult to defend against. With the global marketplace incubating increasing competition with hundreds of companies producing thousands of new chip designs yearly, the threat of hardware vulnerability is ever-present. Companies such as Huawei Technologies and ZTE Corporation,[25] both of which supply equipment destined for US military applications, also have close ties to China’s military. The US has already banned Huawei and ZTE from bidding on telephone contracts, while Australia has outright banned Huawei from supplying the nation’s national broadcast network.[26] However, China’s technologies from these companies, among many others, still exist in the USMCSC, with Congressional investigations only recommending not using these companies as part of the cyber supply chain, rather than outright legislating their participation in the USMCSC.[27] Trojans and other hidden backdoors could be easily added or hidden in these microchips and hardware,[28] creating a path for China to infiltrate US military systems. The threat of cyber infiltration is very high in the USMCSC, and is a concern that must generate legislative action to facilitate discussions on a workable defense.

Additionally, the issue of counterfeit hardware is one that is present, even in the USMCSC. One specific case involved China’s manufacturing of counterfeit electronic components found on US aircraft to include the L-3 Communications C-27J, Lockheed Martin C-130J, and Boeing P-8A.[29] These parts were provided by L-3, who purchased them from a California distributor, who in turned bought the parts from a Florida firm, who sourced these parts from an affiliate of Shenzhen-based Hong Dark Electronic Trade.[30] While the parts have since been removed from the infected aircraft, the report issued by the Senate Armed Services Committee did point out that contractors knew “little about the ultimate source of the electronic parts they purchase[d]”, something that is especially obvious given the many layers of contractors and distributors involved in the military’s cyber supply chain.[31] The issue of counterfeit hardware has further implications, particularly because warfighting systems are so dependent on certain hardware components. For example, a Senate Armed Services Committee’s investigation into counterfeit hardware inside the USMCSC identified many flaws in current mission-critical hardware, including the U.S. Army’s Terminal High Altitude Area Defense anti-ballistic missile system, the Navy’s Integrated Submarine Imaging System, and the Air Force’s C-130J aircraft, among other systems.[32] These pieces of hardware represent significant portions of the US military defense system, and should they fail due to counterfeit hardware, could result in American casualties. Counterfeit hardware inserted into the US military’s cyber supply chain from China has deep implications that affect US military posture.

Software

The issue of software vulnerability in military applications is something that is well-known and documented. However, the issue of vulnerability arising from the cyber supply chain is relatively new. China’s reputation as a manufacturing powerhouse has led to international firms subcontracting software development and operations to China. These firms represent major government contractors that help develop software systems for the DoD to use exclusively, including but not limited to Accenture, BearingPoint, and Texas Instruments.[33]

Some problems with military software, especially software developed by private companies, include backdoors, remote code execution, insecure protocols, SQL injections, and insecure authentication, among others.[34] There have been documented incidents in which some of these attacks have occurred due to actions that could be from China’s involvement in the cyber supply chain, some of which are documented below:

 

Date System Vulnerability
2010 Department of Defense websites Chinese hackers utilized SQL injections to take down military websites.[35]
2011 Adobe Reader/Microsoft Internet Explorer Zero-day vulnerabilities allowed access to military aerospace and drone information.[36]
2013 Supervisory Control and Data Acquisition (SCADA) Systems Remotely executed code triggered buffer overloads, which crashed DoD software.[37]
2014 File-upload systems File-upload system vulnerabilities allowed Chinese access to servers with classified information about TRANSCOM movements.[38]
2015 Office of Personnel Management databases Zero-day vulnerabilities allowed access to information about DoD personnel.[39]

 

The 2010 DoD SQL injection hack showcased their Internet vulnerabilities.[40] Troop movements and unit openings are frequently transmitted over the publicly-available Internet, and this specific instance showcased China’s ability to potentially obtain actionable intelligence to outmaneuver US forces. The 2011 Adobe Reader/Microsoft Internet explorer vulnerability highlighted the issue of a software existing in all levels of a bureaucracy.[41] With this zero-day vulnerability exploited in just several machines, the same hack was utilized at all levels of the USMCSC, from senior military leaders to civilian contractors using identical software. The 2013 SCADA hack was critical for the USMCSC,[42] as SCADA systems frequently help monitor power usage levels, satellite operations, and other critical tasks that directly affect the cyber supply chain. Additionally, the 2014 file-upload system attack allowed China’s military to see U.S. Transportation Command (USTRANSCOM) movements, further giving China intelligence insight into US military transportation of hardware systems.[43] Lastly, the 2015 OPM hack allowed China access to thousands of military members’ personal information, which then could be used in phishing attacks to infiltrate secure American cyber networks.[44]

With businesses increasingly outsourcing software and coding development to China, its government will be able to obtain more and more source code for both military and civilian applications. This is especially troubling given the type of damage that can be caused by attacks resulting from a zero-day vulnerability. These software flaws, among others, have already resulted in hacks against the US military originating from China’s People’s Liberation Army (PLA).[45] If gone unchecked, these attacks can influence US warfighting capabilities; from being able to cripple military IT infrastructure, to exploiting backdoors, and to remotely controlling  drones. The US currently restricts China’s influence on the USMCSC, with a prohibition on doing defense work in China.[46] At the same time, there is little legislation to support this prohibition, with the US government only creating recommendations and suggested guidelines for companies to follow.[47] Instead, the US government must wield its legislative powers to secure the USMCSC, with these actions forcing companies to directly report foreign involvement in the military end-product, regardless of subcontractor/contractor/offshore corporation entanglements. The US must devote more attention to directly combating China’s involvement in the cyber supply chain, as opposed to only making recommendations about products from the USMCSC used by the military.

Proactive Measures

Attacks on the USMCSC will require a hybrid of policies, technical solutions, and strategies in order to properly combat threats. Assurance policies, cyber supply chain refinement, and cyber supply chain resiliency are just three measures that can be taken to improve defense of the cyber supply chain. With assurance policies enforcing stringent testing standards, cyber supply chain refinement limiting the base of suppliers, and cyber supply chain resiliency allowing for potential attacks, the cyber supply chain could be stronger and less vulnerable than it is today.

Assurance Policies

Assurance policies, along with governmental entities to enforce them, should be considered in order to properly defend the USMCSC. Both hardware and software assurance would protect the integrity and security of devices against potential threats inserted at the cyber supply chain level.

The US military must properly vet both its hardware and software before it even reaches warfighter hands. Contractors must adhere to assurance policies requiring consistent auditing and testing. This would prevent hardware backdoors from ever coming close to reaching sensitive information, and would allow for re-arranging of source code in software to further test for zero-day vulnerabilities. Furthermore, counterfeit hardware and software could be identified earlier in the cyber supply chain, preventing it from reaching military systems. This could be done with additional American inspections on hardware pre-installation for the military application, and/or hash-algorithms to authenticate original software. However, this is not to say that assurance policies would not apply to military systems once in-use. Rather, critical technology in military defense systems should be audited and patched regularly to protect against vulnerabilities. Security testing on imported hardware and software should also be conducted at a military level. Furthermore, these policies should call for red team exercises to perform network penetration testing to guard against potential vulnerabilities, especially for hardware and software recently provided by the cyber supply chain.

Likewise, the US government must be able to enforce these assurance policies, and corrective actions must be required by law. Defense contractors improperly conducting assurance tasks such as auditing and testing should be subjected to legal and punitive action. This would include not only the payment of a fine, but also potentially the withdrawing of bidding rights on proposals for certain time periods, or even cancelling all contracts associated with said company. These assurance policies could even draw influence and/or directly align themselves with the Consumer Protection Agency levying fines to manufacturers for not abiding by safety protocols. While not an easy process to implement, these actions will act as a necessary precaution to ensure the defense of the cyber supply chain is taken seriously by all stakeholders

Legal Enforcement

The legal enforcement of USMCSC practices, particularly those concerned with assurance policies and closing loopholes, is something that must be implemented. Current mandates and regulations are easily skirted through legitimate actions such as company mergers, buy-outs, and rebranding. The US government must take a firm hand in legal enforcement of policies preventing China’s infiltration of the USMCSC.

Currently, the Defense Logistics Agency (DLA) has prohibited products containing components sourced from China through their Qualified Products List (QPL) program.[48] The US also has a direct prohibition on acquisition of military munitions items from China’s military companies.[49] However, these mandates are rife with ambiguity and always subject to waivers. China’s military groups create shell companies to participate in American subcontracting actions of the USMCSC, as demonstrated in the sourcing of components for the F-35 fighter.[50] Additionally, punitive and judicial actions against violations of these policies are only brought to light through Congressional investigations, DoD audits, or formal complaints, with these processes being extremely lengthy and ineffective, with companies legally closing subsidiaries or transferring blame to subcontractors in the meantime.

The US must establish a governmental entity with the ability to rapidly enforce laws pertaining the USMCSC, to ensure that companies cannot utilize the lengthy nature of bureaucracy to skirt punishment. It is imperative for USMCSC to have supporting legislative and judicial bodies, to enforce a “three strikes” policy, forcing contractors and subcontractors to think twice about substituting counterfeit parts or using unauthorized contractors. This policy, or something similar, would also require companies to better vet their subsidiary products and business partners. Additionally, this entity must recognize the close ties between China’s civilian and military companies, and have the capability to warn and ban companies from bidding on governmental contracts if they refuse to provide a secondary supplier for USMCSC products. This would help eliminate much of the current ambiguity surrounding US governmental regulations for defense material trade with China.[51] This governmental entity would completely change the USMCSC supply process, and would positively reduce the risk of doing business with China’s companies.

Legal enforcement of assurance policies, as well as the closing of certain loopholes, must be enacted to ensure that contractors are held to the highest standards. The creation of a government entity with the power to enforce these regulations would enormously help secure the USMCSC.

Cyber Supply Chain Refinement

The USMCSC can also be refined to ensure the best defense against cyberattacks. This includes creating a certain resiliency in the USMCSC, to “anticipate, operate in, recover from, and evolve to better adapt to advanced cyber threats”.[52] The refinement of the USMCSC would be difficult, but is a feasible initiative to undertake because the identification of USMCSC vulnerabilities should not halt cyber supply chain activities.

One proposal to refine the USMCSC through supply chain resiliency would be to invest in hardware and software that monitor themselves for attacks. While costly,[53] it would allow a quick response to threats such as zero-day vulnerabilities. Although costing the American government funds up-front, this would essentially be paying a premium to protect the military’s most critical systems. Another proposal to better allow for supply chain resiliency would be to have item-specific continuity plans, particularly those critical for military infrastructure. Continuity plans would provide a direct framework for either substitution or corrective action in case a threat was identified in specific products. This is in contrast to ad-hoc replacements of a vulnerable product, which could cause more harm than good in the long run, especially if the replacement products were not properly vetted. Lastly, the USMCSC can be changed for the better through the introduction of a ratings and accreditation system of private government contractors. These rating tiers would encompass a company’s supply chain analysis, and provide a level of accreditation for the US government during the bid process. The government would have the potential to encourage these private company ratings in the USMCSC by only purchasing certain hardware/software from certified vendors with high ratings, forcing other subcontractors to comply or lose business.

By refining the cyber supply chain through the use of proactive resiliency efforts, the US government could create an environment where it would be possible for the USMCSC to continue operating despite offensive cyber actions. This is especially important given the US reliance on contractors, particularly when these contractors are responsible for many of the critical systems and infrastructure that support the American warfighter on the ground.

To Trade or Not To Trade?

The question now remains: does the US continue trading with their Chinese counterparts? What about contractors, subcontractors, and producers of intermediate parts? The answer to this question may or may not be abundantly clear, but the fact remains that the US must continue trading with China because of a myriad of mutual economic entanglements, but not necessarily because it is forced to. The US military has benefited from China’s emergence as a world power with cheaper supplies, faster development of technological products, and increased opportunities for innovation are just some of these benefits,[54] among other shared interests that benefit both countries. However, the US must seek a balance between being a primary trading partner with an economic dependence on China, and providing adequate cyber supply chain security against military threats. With sensitive technologies such as the F-35 Joint Strike Fighter and commonly-used products such as Adobe PDF and Internet Explorer used by the US military, the full origination of these products is worrisome. While banning Chinese-affiliated companies may seem like an obvious solution, this answer would not only be economically disruptive, but also lazy. This short-term solution would harm the US economy in the long-run, firstly with the military suffering higher costs incurred by having to source its goods elsewhere, some of which are military specific, and guided by necessarily inflexible build instructions. This would go against all inclination of the military procurement system, which only seeks to provide the most up-to-standard equipment at the least expensive price. Additionally, the US would face a torrent of international backlash by restricting free-trade participation based on national affiliation alone, particularly if the trade restriction was implemented based solely on “national security grounds”.

The US should continue to trade with China because of national interest. The proposed solution of assurance policies is one that is primarily government and contractor-oriented, something that would affect internal governmental and private systems. Cyber supply chain refinement would not cause economic harm, but instead stimulate growth between China and the US. This refinement encourages competition by insisting companies operate to the highest standards, with companies providing sub-par technology forced out of the market. Lastly, cyber supply chain resiliency would allow for the US to be considerably safer in its technology procurement, allowing multiple avenues of approach to retain mission-critical hardware, software, and products. Though tenuous, the cyber supply chain process through China should be considered a benefit for all, and with the necessary safeguards put into place, can serve as a viable trading partner in the cyber supply chain, rather than the serious detriment some claim it to be.

References

[1] Barry Naughton, The Chinese Economy: Transitions and Growth. Cambridge, MA: MIT Press, 2007.

[2] Naughton, 92.

[3] Naughton, 91.

[4] Naughton, 407.

[5] Naughton, 407.

[6] David Roland-Holst, “China’s Agriculture.” Lecture, Economy of China from University of California, Berkeley, Berkeley, February 14, 2013.

[7] Dong Zhang and Owen Freestone, “China’s Unfinished State-Owned Enterprise Reforms.” Economic Roundup1, no. 2 (2013): 77-99.

[8] Roland-Holst, David. “State Owned Enterprises.” Lecture, Economy of China from University of California, Berkeley, Berkeley, March 19, 2013.

[9] Federation of American Scientists. “Part 2: US Perspectives on Technology Transfer to China.” In US Commercial Technology Transfers to the People’s Republic of China. Washington DC: Federation of American Scientists, 1994. 43-101.

[10] IBM X-Force Research. “Cost of 2015 Data Breach Study.” IBM. May 08, 2015. http://www.ibm.com/security/data-breach (accessed April 01, 2016).

[11] Sood.

[12] Sydney J. Freedburg Jr., “Top Official Admits F-35 Stealth Fighter Secrets Stolen.” Breaking Defense. June 20, 2013. http://breakingdefense.com/2013/06/top-official-admits-f-35-stealth-fighter-secrets-stolen/ (accessed March 05, 2016).

[13] Franz-Stefan Gady, “New Snowden Documents Reveal Chinese Behind F-35 Hack.” The Diplomat. January 17, 2015. Accessed February 27, 2016. http://thediplomat.com/2015/01/new-snowden-documents-reveal-chinese-behind-f-35-hack/ (accessed February 27, 2016)

[14] Brendan McGarry, “Lawmaker: Chinese J-31, J-20 ‘Mirror’ American F-35, F-22.” Defense Tech. 2015. http://www.defensetech.org/2015/09/29/lawmaker-chinese-j-31-j-20-mirror-american-f-35-f-22/ (accessed May 19, 2016).

[15] Greg Autry, “Stupid Trade Gets Dangerous: TPP Threatens US Military Supply Chain.” The Huffington Post. May 11, 2015.  http://www.huffingtonpost.com/greg-autry/stupid-trade-gets-dangerous-tpp_b_7245966.html (accessed March 15, 2016)

[16] Global Security, “Chengdu Aircraft Military Corporation.” Military. November 07, 2011. http://www.globalsecurity.org/military/world/china/cac.htm (accessed March 20, 2016).

[17] Softwar, “Pentagon Confirms J-10 Roots.” Fighters, Bombers and Recon. May 23, 2008. https://www.strategypage.com/militaryforums/6-52571.aspx#startofcomments (accessed May 20, 2016)

[18] Global Security.

[19] Global Security.

[20] Mike Collins, “How China Is Stealing Our Secrets.” Manufacturing.net. January 18, 2012. http://www.manufacturing.net/article/2012/01/how-china-stealing-our-secrets (accessed March 20, 2016).

[21] Federation of American Scientists, 60.

[22] Federation of American Scientists, 60.

[23] Federation of American Scientists, 62.

[24] InvestorIntel, The Real “House of Cards”: The Dangers of Dependency on China. Technology. January 06, 2014. http://investorintel.com/technology-metals-intel/real-house-cards-dangers-dependency-china-rare-earth-elements/ (accessed May 20, 2016).

[25] Sean Adl-Tabatabai, “Undetectable Hardware Trojans May Infect Military Systems.” Your News Wire. March 08, 2015. http://yournewswire.com/undetectable-hardware-trojans-may-infect-military-systems/ (accessed April 02, 2016)

[26] GovTechReview Staff, “Governments Weigh Huawei, ZTE Bans after Scathing Security Report.” Technology Decisions: Security. October 15, 2012. http://www.technologydecisions.com.au/content/gov-tech-review/article/governments-weigh-huawei-zte-bans-after-scathing-security-report–73429057#axzz49ey3A0yz (accessed May 16, 2016).

[27] GovTechReview Staff.

[28] Adl-Tabatabai.

[29] Malcolm Moore, “US Weapons ‘full of Fake Chinese Parts'” The Telegraph. November 08, 2011. http://www.telegraph.co.uk/news/worldnews/northamerica/usa/8876656/US-weapons-full-of-fake-Chinese-parts.html (accessed February 19, 2016).

[30] Greg Waldron, “China-made Counterfeit Parts Found in US Military Aircraft: Senate.” Flightglobal.com. May 22, 2012. https://www.flightglobal.com/news/articles/china-made-counterfeit-parts-found-in-us-military-aircraft-senate-372155/ (accessed February 01, 2016)

[31] Waldron.

[32] Vincent J. Napoleon and Nia D. Newton, “DoD Final Rule for the Detection and Avoidance of Counterfeit Electronic Parts Impacts Contractors’ Operations.” Nixon Peabody, June 25, 2014. Government Contracts Alert.

[33] Edward G. Hinkelman, “International Outsourcing.” The World Trade Press Guide, January 1, 2008.

[34] Aditya K. Sood and Richard Enbody. “U.S. Military Defense Systems: The Anatomy of Cyber Espionage by Chinese Hackers.” Georgetown Journal of International Affairs, December 15, 2014.

[35] Dark Reading Editor. “U.S. Army Website Hacked.” InformationWeek. January 12, 2010. http://www.darkreading.com/risk/us-army-website-hacked-/d/d-id/1132749 (accessed April 01, 2016).

[36] Robert Johnson, “New Evidence Suggests China’s Hacking Into US Drones Using Adobe Reader And Internet Explorer.” Business Insider. December 22, 2011. http://www.businessinsider.com/chinas-hacking-into-us-drones-using-adobe-reader-and-internet-explorer-2011-12 (accessed February 17 2016).

[37] ICS-CERT., “AGG SCADA Viewer OPC Buffer Overflow Vulnerability.” Advisory (ICSA-11-018-01). December 31, 2013. https://ics-cert.us-cert.gov/advisories/ICSA-11-018-01 (accessed April 08 2016)

[38] Jack Gillum, “Senate: China Hacked Military Contractor Networks (Update).” Phys.org – Technology. September 09, 2014. http://phys.org/news/2014-09-senate-china-hacked-military-contractor.html (accessed February 05 2016).

[39] Ellen Nakashima, “Chinese Breach Data of 4 Million Federal Workers.” Washington Post. June 04, 2015. https://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html?tid=hpModule_04941f10-8a79-11e2-98d9-3012c1cd8d1e (accessed February 13 2016).

[40] Dark Reading Editor.

[41] Johnson.

[42] ICS-CERT.

[43] Gillum.

[44] Nakashima.

[45] Bill Gertz, “Security Firm Warns Of New Chinese Cyber Attacks.” The Washington Free Beacon. February 04, 2016. http://freebeacon.com/national-security/security-firm-warns-of-new-chinese-cyber-attacks/ (accessed February 09, 2016).

[46] InvestorIntel.

[47] InvestorIntel.

[48] Steve E. Masiello, Gale R. Monohan, and Tyler Thomas. DLA’s Apparent Prohibition against the Use of Chinese Components on QPL Parts. Insights. May 10, 2016. http://governmentcontracts.dentons.com/en/insights/alerts/2016/may/9/dlas-apparent-prohibition-against-use-of-chinese-components (accessed May 27, 2016).

[49] U.S. Government. 48 CFR 252.225-7007 – Prohibition on Acquisition of United States Munitions List Items from Communist Chinese Military Companies. LII / Legal Information Institute. November 30, 2015. https://www.law.cornell.edu/cfr/text/48/252.225-7007 (accessed May 27, 2016).

[50] John Reed, China Caught the U.S. in Manufacturing, High-Tech Weapons Might Be Next. Around the Globe. June 29, 2012. http://www.defensetech.org/2012/06/29/china-caught-the-u-s-in-education-and-manufacturing-high-tech-weapons-are-next/ (accessed May 28, 2016).

[51] Steve Masiello, et al.

[52] David Inserra and Steven P. Bucci, “Cyber Supply Chain Security: A Crucial Step Toward U.S. Security, Prosperity, and Freedom in Cyberspace.” The Heritage Foundation. March 01, 2014. http://www.heritage.org/research/reports/2014/03/cyber-supply-chain-security-a-crucial-step-toward-us-security-prosperity-and-freedom-in-cyberspace (accessed February 18, 2016).

[53] Inserra.

[54] Moore.