By: Jill Aitoro, Defense News
WASHINGTON — It’s often said that the U.S. Department of Defense is the biggest buyer in the world. But the DoD also has among the most expansive networks of consumers of parts and supplies.
And the Defense Logistics Agency is charged with managing the bulk of those — from raw materials to spare parts; to fuel and sustenance; to the reutilization of military equipment and infrastructure; to the storage and tracking of inventories and suppliers.
With that in mind, securing the supply chain can seem like a game of whack-a-mole involving cyberthreats, counterfeit goods and a shrinking industrial base.
In the words of the DLA director, Lt. Gen. Darrell Williams, the supply chain “simply cannot afford to not be protected.”
Defense News spoke to Williams during a panel discussion and a one-on-one interview at the annual meeting of the Association of the United States Army in October.
How does supply chain security fit into the mission of the Defense Logistics Agency?
I just want to start the whole conversation by saying our motto at DLA is “war fighter first.” And so this whole discussion is all about how do we take care of our war fighters. And with that in mind, and understanding what a big problem security is, not just for the DLA but for the entire Department of Defense, we do in fact take it very, very seriously.
That’s the mindset that we have when we start talking about this issue on supply chain security. It obviously has several different levels for us. It’s our relationship with the over
12,000 suppliers that DLA deals with. It’s obviously all of our customers — foremost among them being the war fighter. But we also have other customers that we work with, like the whole of government. And so anytime you see hurricane and disaster relief operations that are happening that involve the Federal Emergency Management Agency, or FEMA, there’s a DLA component to that.
And so from our standpoint, the business of supply chain security is every bit as important as the actual support that we provide.
Talk about vetting suppliers. How do you ensure suppliers are who they say they are and don’t pose a risk?
It’s definitely a daily challenge, there’s no doubt about that. But we do have a very, very strong vetting process. I will say that nefarious actors are constantly challenging our ability to do that. As they change their tactics, we have to stay ahead of those. One of the tactics that was being used a few years ago was an issue of them trying to provide nonconforming parts. We had to find out who exactly those vendors were, stop that within the supply chain, and then find new vendors who could provide the types of products that our troops deserve and need.
And now they have moved on to yet another tactic, what we call “CAGE siphoning,” where they attempt to steal the identity of a legitimate actor [using the Commercial and Government Entity code] and have the funds transferred to their accounts. And so this is the challenge that we do face within the supply system. We’re doing everything we can in combination with the services that we interface with — with Cyber Command, and with others — to stay ahead of these kinds of issues. But no question about it, it is a persistent problem.
How far down in the supply chain is the biggest risk?
I mentioned that we deal with about 12,000 different suppliers. A vast majority of those suppliers are small businesses. A vast majority of those are second- and third-tier suppliers. And so often times it’s not the prime — the large businesses that we do business with. It is those feeder companies that are much, much more difficult to certify, and that is where the challenges come in.
How do we get both the subs and the small business primes that don’t have the resources of some of the larger businesses cyber compliant? Because this is coming, and they’re going to be essentially forced to do so in fiscal 2020. What happens when we have a small business supplier who does not meet National Institute of Standards and Technology standards, but becomes a sole-source supplier for a major weapon system?
I’ve talked with a lot of the larger businesses, and they feel pretty good about the suppliers that are in their down trace. They’re working with them on a daily basis, they’re getting them there. Many of them have already made it a qualifier to do business with them and, in effect, do business with DLA. But it’s the list of independent [suppliers] who don’t fully understand the requirement or don’t have the resources to get there and still remain very, very critical to DLA support to the war fighter.
Are Chinese investments in U.S. companies a threat?
You know, we focus a lot on China, and we focus a lot on some other countries, but what I would tell you is that technology has become so sophisticated that often times it’s difficult to decipher where the business is that you’re dealing with. You think you’re dealing with a company in the United States, but as you pull the string on it, by routing through three or four different areas, we [discover] they’re actually operating from somewhere else.
The other issue is, oftentimes, it has nothing to do with that country itself. It may be a nefarious actor operating from that country. And so it’s becoming increasingly difficult to isolate who the vendors are that you’re actually working with. That is one of our persistent problems.
How has new technology transformed how you manage logistics for the military?
New technology is part and parcel of what DLA does. We’re always looking for better ways to do business, to bring value to the Department of Defense and then more importantly, as I talked about earlier, to improve our performance so that we get what’s needed to the war fighter even faster. DLA operates nine different supply chains, and we provide almost all of the subsistence or food that our war fighters need, and we provide almost all of the bulk petroleum that they need. All of that involves some element of technology.
The DLA invested in [computer-programmed robotic process automation] more for our internal processes. We have three “bot teams,” each one of them capable of — after we have identified what we want them to do — putting in place and then monitoring about 25 different bots within the DLA processes.
We’ve found them extraordinarily helpful. It has the ability to increase production. We’ve used them primarily in inventory, in inventory reconciliation, reconciliation against our financial systems.
Another area where we’re experimenting with the bots is going from the person having to be sitting there the entire time to now having several of them that are able to operate on a 24-hour basis unassisted, with monitoring. We do also think it does have some applications to security. It can do much more, along with the artificial intelligence, of helping to monitor our network, and identifying patterns, for example, of nefarious actors that would then bring them to our attention and allow us to take further action in a way that perhaps, from a human standpoint, we would not be able to do so.
Is technology a necessity for managing the inventory?
DLA operates a network of about 24 distribution centers on a global basis, and the technology that we are using to run that global network of warehouses that feeds into and supports all of our military services is quite old, 25 or 30 years old.
And so one example is a new warehouse management system that we want to put in place that is going to improve our accuracy, it’s going to improve our accountability, it’s going to improve our support to the war fighter. That’s an example of a piece of technology that we will roll out over the next two to five years that will enhance that.
We would like to use an off-the-shelf capability, and we’re going to try to not customize that as much as we possibly can, but it does have to meet all of the cybersecurity standards that are required.
We’re also starting to use artificial intelligence primarily in the area of demand planning, making [that process] a bit more accurate. And the impact of that is it will eventually allow us to reduce the cost of our services to the military services and to the war fighter. Why? Because it’s going to allow us to reduce the amount of inventory that we have to hold on the shelves.
All of that are the types of things that DLA is using from a technology standpoint to improve our support.
It sounds a lot like lessons learned from Amazon.
Amazon certainly is one of the standards, and when you talk about Amazon, you’re really talking about a capability that others in the industry provide as well. But to your point, yes, we certainly look at that as one of the standards by which we benchmark how well DLA is doing business.
I’ve actually personally visited an Amazon fulfillment center to try to take some of the industry best practices and bring them back to the Defense Logistics Agency. But that’s one of many different capabilities that we benchmark ourselves against industry to make sure that we are keeping pace with the best things that are happening in academia, happening in the industry, to allow us to deliver the best possible support at the lowest possible price to our war fighters on the front line.
Cybersecurity is a priority in logistics and the supply chain. How is DLA approaching cyberthreats?
Cybersecurity is way up on our list of priorities and something we’re taking a hard look at. One of the things that we have done in DLA in just this past year is stand up an enterprise risk-management framework. And then subordinate to that, we’ve stood up a supply chain security component of that, and then within supply chain security we’re looking very, very closely at cybersecurity.
A couple of things we’ve done specifically is appoint a chief risk officer. One of their primary responsibilities is to look at the impact of cyber on our entire supply chain. Another thing we’ve done dating back to the last three or four years is we’ve looked at the number of logistics applications that are required to operate the Defense Logistics Agency. And we have dramatically reduced that number of applications.
The DLA reduced the number of vulnerabilities on the network.
Absolutely. We’ve also tried to take all of our business and placed it behind the defense firewall where it’s even more protected; and now we’re trying to move it in accordance with the rest of the Department of Defense into the cloud, where it can be even more protected.
I don’t think a day goes by that we don’t get 200-300 phishing attacks on the network, so training our people not to respond to those things that come across is a constant training challenge for us, but there’s also, we found, so much more practical things to do that don’t have a lot to do necessarily with technology.
We’re not completely there yet, but this will be a major effort for us this year to not just talk about this in pockets, to identify all of our critical areas of vulnerability, and to monitor those areas on a daily basis and see what impact they’re having on the supply chain. We want this to be systemic and not episodic.