
APPLICATIONS OF ARTIFICIAL INTELLIGENCE (AI) FOR PROTECTING SOFTWARE SUPPLY CHAINS (SSCS) IN THE DEFENSE INDUSTRIAL BASE (DIB)

CSIAC-BCO-2023-499

SOAR
STATE-OF-THE-ART REPORT (SOAR)

JANUARY 2024

By Abdul Rahman

DISTRIBUTION STATEMENT A
Approved for public release: distribution unlimited.

Contract Number: FA8075-21-D-0001

Published By: CSIAC


ABOUT CSIAC

The Cybersecurity & Information Systems Information Analysis Center (CSIAC) is a U.S. Department of Defense (DoD) IAC sponsored by the Defense Technical Information Center (DTIC). CSIAC is operated by SURVICE Engineering Company under contract FA8075-21-D-0001 and is one of the three next-generation IACs transforming the DoD IAC program: CSIAC, Defense Systems Information Analysis Center (DSIAC), and Homeland Defense & Security Information Analysis Center (HDIAC).

CSIAC serves as the U.S. national clearinghouse for worldwide scientific and technical information in four technical focus areas: cybersecurity; knowledge management and information sharing; modeling and simulation; and software data and analysis. As such, CSIAC collects, analyzes, synthesizes, and disseminates related technical information and data for each of these focus areas. These efforts facilitate a collaboration between scientists and engineers in the cybersecurity and information systems community while promoting improved productivity by fully leveraging this same community’s respective knowledge base. CSIAC also uses information obtained to generate scientific and technical products, including databases, technology assessments, training materials, and various technical reports.

State-of-the-art reports (SOARs)—one of CSIAC’s information products—provide in-depth analysis of current technologies, evaluate and synthesize the latest technical information available, and provide a comprehensive assessment of technologies related to CSIAC’s technical focus areas. Specific topic areas are established from collaboration with the greater cybersecurity and information systems community and vetted with DTIC to ensure the value-added contributions to Warfighter needs.

CSIAC’s mailing address:

CSIAC
4695 Millennium Drive
Belcamp, MD 21017-1505
Telephone: (443) 360-4600


REPORT DOCUMENTATION PAGE
Form Approved
OMB No. 0704-0188

The public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing the burden, to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704-0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number.

PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS.

1. REPORT DATE: January 2024
2. REPORT TYPE: State-of-the-Art Report
3. DATES COVERED:
4. TITLE AND SUBTITLE: Applications of Artificial Intelligence (AI) for Protecting Software Supply Chains (SSCs) in the Defense Industrial Base (DIB)
5a. CONTRACT NUMBER: FA8075-21-D-0001
5b. GRANT NUMBER:
5c. PROGRAM ELEMENT NUMBER:
6. AUTHOR(S): Abdul Rahman
5d. PROJECT NUMBER:
5e. TASK NUMBER:
5f. WORK UNIT NUMBER:
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Cybersecurity & Information Systems Information Analysis Center (CSIAC), SURVICE Engineering Company, 4695 Millennium Drive, Belcamp, MD 21017-1505
8. PERFORMING ORGANIZATION REPORT NUMBER: CSIAC-BCO-2023-499
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): Defense Technical Information Center (DTIC), 8725 John J. Kingman Road, Fort Belvoir, VA 22060
10. SPONSOR/MONITOR’S ACRONYM(S): DTIC
11. SPONSOR/MONITOR’S REPORT NUMBER(S):
12. DISTRIBUTION/AVAILABILITY STATEMENT: DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited.
13. SUPPLEMENTARY NOTES:

14. ABSTRACT: The application of artificial intelligence (AI) to software supply chains (SSCs) within the defense industrial base (DIB) holds promise to improve cybersecurity posture, ensure stricter compliance with National Institute of Standards and Technology (NIST) controls, and increase user confidence in software built in part upon modules and libraries from outside repositories. AI can provide analysts with suggested frequencies for (re)scanning, supplement threat assessments of infrastructure, automate threat intelligence processing, and expedite cybersecurity risk management. Moreover, the security of SSCs in the DIB can benefit from similar uses of AI as a recommendation engine for communicating the probability of compromise. For U.S. Department of Defense cybersecurity analysts, AI-driven automation can provide insight into how closely software capabilities deployed on military and government networks adhere to NIST compliance standards. The ability to reflect the most up-to-date set of vulnerabilities within a system security plan could significantly improve upon the existing practice of relying on manual internal scanning. AI can enable human-in-the-loop workflows to optimize the integration of processed threat intelligence and better identify vulnerabilities per software and/or operating system. This report presents and discusses how AI can protect SSCs purpose-built for the DIB ecosystem.

15. SUBJECT TERMS: cybersecurity, cyberattack, software supply chain (SSC), code repositories, software vulnerabilities, cybersecurity framework, software bill of materials, artificial intelligence, machine learning, automation, penetration monitoring, defense industrial base, contractor software, software build security, third-party vendor security

16. SECURITY CLASSIFICATION OF: U (a. REPORT: UNCLASSIFIED; b. ABSTRACT: UNCLASSIFIED; c. THIS PAGE: UNCLASSIFIED)
17. LIMITATION OF ABSTRACT: UU
18. NUMBER OF PAGES: 48
19a. NAME OF RESPONSIBLE PERSON: Vincent “Ted” Welsh
19b. TELEPHONE NUMBER (include area code): 443-360-4600

ON THE COVER: (Source: Shutterstock & freepik)

Standard Form 298 (Rev. 8/98)
Prescribed by ANSI Std. Z39.18


THE AUTHOR

ABDUL RAHMAN, PH.D.

Dr. Abdul Rahman is a subject matter expert in the design and implementation of cloud analytics and architectures that support situational awareness tools for cyber network operations for commercial and government customers. He has over 25 years of information technology experience, including software development, network engineering, systems design, systems architecture, security, and network management. He has published widely on topics in physics, mathematics, and information technology. Dr. Rahman holds Doctor of Philosophy degrees in mathematics and physics.


ABSTRACT

The application of artificial intelligence (AI) to software supply chains (SSCs) within the defense industrial base (DIB) holds promise to improve cybersecurity posture, ensure stricter compliance with National Institute of Standards and Technology (NIST) controls, and increase user confidence in software built in part upon modules and libraries from outside repositories. AI can provide analysts with suggested frequencies for (re)scanning, supplement threat assessments of infrastructure, automate threat intelligence processing, and expedite cybersecurity risk management. Moreover, the security of SSCs in the DIB can benefit from similar uses of AI as a recommendation engine for communicating the probability of compromise. For U.S. Department of Defense cybersecurity analysts, AI-driven automation can provide insight into how closely software capabilities deployed on military and government networks adhere to NIST compliance standards. The ability to reflect the most up-to-date set of vulnerabilities within a system security plan could significantly improve upon the existing practice of relying on manual internal scanning. AI can enable human-in-the-loop workflows to optimize the integration of processed threat intelligence and better identify vulnerabilities per software and/or operating system. This report presents and discusses how AI can protect SSCs purpose-built for the DIB ecosystem.


ACKNOWLEDGMENTS

The author would like to thank the staff of the Cybersecurity & Information Systems Information Analysis Center and SURVICE Engineering Company for their guidance and review of this report.


EXECUTIVE SUMMARY

Managing the intricate and diverse supply chain within the U.S. government involves a heavy reliance on an extensive and varied network of suppliers and vendors for software components. This dependence introduces a range of challenges in ensuring the security of these software components. To address these software supply chain (SSC) security challenges effectively, a combination of technical solutions, robust security practices, collaboration among stakeholders, and adherence to industry standards is essential. Prioritizing SSC security is critical for organizations to mitigate risks and safeguard against potential vulnerabilities and attacks. Unfortunately, federal entities often lack complete visibility into their SSCs, including information about the origin, integrity, and security of both packet and precursor components. This lack of visibility makes it challenging to identify and mitigate risks and vulnerabilities. Furthermore, reliance on third-party vendors introduces additional risks related to the security practices and integrity of provided software components.

To secure SSCs, it is crucial to implement preventive strategies against attacks. This can be achieved by establishing a security baseline and engaging in robust and continuous behavioral monitoring practices. The most sophisticated of these behavior-based methods involves the utilization of artificial intelligence (AI) models to forecast, infer, predict, correlate, and pinpoint likely weaknesses, potential attack vectors, and avenues of approach within SSC-embedded software. AI-powered systems can continuously monitor SSCs in real time, identifying suspicious activities and flagging actions that would otherwise allow for unauthorized access.

AI models are particularly well suited for the automation of routine SSC security audits and assessments that are intended to detect potential vulnerabilities, risks, and security control gaps. Such a proactive, real-time approach enables organizations to address potential exploits and vulnerabilities promptly and, if a penetration does occur, to receive immediate alerts to facilitate swift responses to security incidents, minimizing damage. Moreover, the integration of AI with security coding workflows can streamline the autocompletion and updating of required compliance practices, thereby enhancing overall code quality, defect reduction, and efficiency.


CONTENTS

ABOUT CSIAC ... iv
THE AUTHOR ... vi
ABSTRACT ... vii
ACKNOWLEDGMENTS ... viii
EXECUTIVE SUMMARY ... ix

SECTION 1 INTRODUCTION ... 1-1
1.1 Defining SSC Attacks ... 1-1
1.2 SSCs and the Defense Industrial Base ... 1-3
1.3 Securing SSC ... 1-4
1.4 Report Overview ... 1-4

SECTION 2 DATA MANAGEMENT STRATEGIES ... 2-1
2.1 Open-Source Packages ... 2-1
2.2 Attack Surface Management and Threat Modeling ... 2-2
2.3 Application Code Security ... 2-5
2.4 NIST Cybersecurity Framework ... 2-5

SECTION 3 FEATURE DEVELOPMENT ... 3-1
3.1 Secure Software Updates: Development, Security, and Operations (DevSecOps); Artificial Intelligence for Internet Technology Operations (AIOps); and Machine Learning Operations (MLOps) ... 3-1
3.2 Push Protection ... 3-2
3.3 Other SSC Frameworks ... 3-2
3.3.1 General Frameworks ... 3-3
3.3.2 SBOM and Pipeline Bill of Materials (PBOM) ... 3-3
3.3.3 Supply Chain Levels for Software Artifacts (SLSA) ... 3-4

SECTION 4 APPLICATIONS OF AI ... 4-1
4.1 AI Models With Blockchain Integration With SSC Frameworks ... 4-1
4.2 Software Vulnerability Analysis and Detection Using AI ... 4-3
4.3 AI-Enhanced Coding Reliability ... 4-4

CONCLUSIONS ... 5-1
REFERENCES ... 6-1

FIGURES

Figure 1-1 An Enterprise’s Visibility, Understanding, and Control of Its SSC Decrease With Each Layer of the Broader Development Community’s Involvement ... 1-2
Figure 1-2 Cybersecurity Risks Throughout the Supply Chain ... 1-5
Figure 2-1 An SSC With Focus on a Single Link; Systemwide Security Depends on Upstream/Downstream Transparency, Link Validity, and Logical Separation Between Components and Links ... 2-1
Figure 2-2 Data Flow Diagram of an Example Attack Surface ... 2-3
Figure 2-3 The Six Main Pillars of a Successful Cybersecurity Program, as Reflected in the NIST CSF Version 2.0 (Draft) ... 2-6
Figure 3-1 Build Platform Workflow for Provenance, as Attestation of Created Artifacts in Support of SSC Security ... 3-4
Figure 3-2 SLSA Approach to SSC Threats and Mitigations ... 3-5
Figure 4-1 Notional Architecture of Blockchain Integrated With AI (FL) and Framework; Frameworks Provide Artifact Level Alignment for Distributed AI (FL) to Be Trained Over All Locations ... 4-2

TABLES

Table 2-1 NIST Guidance for Organizational Supply Chain Risk Management Under the “Identify” Function of the NIST CSF Version 1.1 ... 2-7

SECTION 1

INTRODUCTION

Once used by the U.S. military in only its most high-tech systems, software is now omnipresent across the defense establishment. As the Defense Innovation Board noted in 2019, software drives “almost everything” that the U.S. Department of Defense (DoD) “operates and uses,” from discrete weapons systems to the overarching networks that provide command, control, and communications capabilities for commanders [1]. While protecting DoD systems from traditional cyber-based attacks will remain an enduring challenge, threats to the security of the software supply chains (SSCs) that develop and produce critical products have recently risen in prominence as a preferred threat vector for penetrating and compromising information systems. By one estimate, the number of SSC attacks against commercial and public entities in the United States increased by more than 700% between 2019 and 2023 [2]. SSC attacks have become such an acute threat that the real-time tracking of SSC incidents has become a niche subsection of the cybersecurity solutions market [3].

1.1 DEFINING SSC ATTACKS

As its name suggests, an SSC refers both to the process of developing code-based packages across multiple parties and the outcome of chained-development activities into usable software products. SSCs encompass software modules, libraries, registries, and components, as well as all the hardware, operating systems, and cloud services that may be used during the coding and development process. As one leading software developer, Red Hat, has pointed out, an SSC is most properly considered to include even the people who write the code [4]. Current software development practices are relatively open, especially when compared with traditional coding methods, which remained in use well into the early 2000s. Instead of single entities developing software—entirely in house and by writing all code from scratch—current practices intentionally draw upon broad software communities. Developers leverage code sourced from external (but interconnected) libraries and modules that may serve different purposes for an application (e.g., encryption, authentication, and networking) [4].

Although this type of community development delivers key efficiencies to software production, it also presents bad actors with a wide range of potential threat vectors. Admitting dependencies through SSC development can introduce exploitable software code that is vulnerable to numerous, and cascading, vulnerabilities into the post-built product code baseline (see Figure 1-1). An SSC attack might seek to exploit open-source or shared tools, or to illicitly access a single developer’s proprietary build infrastructures [5]. Whatever the vector, an SSC attack consists of at least two elements: (1) a malign actor compromising at least one supplier within an SSC and (2) that vulnerability then being used to harm other supplier(s) or the final product/customer. While it is possible that an SSC can be penetrated in part due to the actions of an insider, leading defense intelligence authorities like the U.S. National Counterintelligence and Security Center see cyber-based (or software-enabled) SSC attacks as the more common and, thus, greater threat at present [5].

Figure 1-1. An Enterprise’s Visibility, Understanding, and Control of Its SSC Decrease With Each Layer of the Broader Development Community’s Involvement (Source: Boyens et al. [6]).
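As an added illustration that is not part of the report, the two elements of the definition above and the layered visibility of Figure 1-1 can be made concrete on a constructed dependency graph: given one compromised supplier, the code lists every downstream artifact that inherits the compromise (element 2) and reports how many layers below the enterprise's own product that supplier sits. All artifact names are hypothetical.

```python
from collections import deque

# Constructed example SSC (hypothetical names, not from the report).
# Each key is an artifact; its value lists the artifacts it depends on,
# so edges run from consumer to dependency (downstream -> upstream).
SSC_GRAPH = {
    "dib_mission_app": ["vendor_sdk", "crypto_lib", "auth_lib"],
    "vendor_sdk": ["net_lib", "json_lib"],
    "crypto_lib": ["bignum_lib"],
    "auth_lib": ["json_lib", "crypto_lib"],
    "net_lib": ["json_lib"],
    "json_lib": [],
    "bignum_lib": [],
    "other_contractor_app": ["net_lib"],
}


def dependency_depths(graph, root):
    """Breadth-first depth of every artifact below `root`.
    Depth 1 = a directly acquired supplier; depth 2+ = transitive
    dependencies, where (per Figure 1-1) visibility and control fall off."""
    depths = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in depths:
                depths[dep] = depths[node] + 1
                queue.append(dep)
    return depths


def downstream_impact(graph, compromised):
    """Element (2) of an SSC attack: every artifact that transitively
    depends on the compromised supplier and therefore inherits the compromise."""
    reverse = {}
    for consumer, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, []).append(consumer)
    harmed = set()
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for consumer in reverse.get(node, []):
            if consumer not in harmed:
                harmed.add(consumer)
                queue.append(consumer)
    return harmed


def assess(graph, product, compromised):
    """Defender's view: is `product` harmed, and how far down the chain
    does the compromised supplier sit (None if it is not a dependency)?"""
    depths = dependency_depths(graph, product)
    harmed = downstream_impact(graph, compromised)
    return {
        "product_affected": product in harmed,
        "depth_of_compromise": depths.get(compromised),
        "direct_supplier": depths.get(compromised) == 1,
        "all_harmed": sorted(harmed),
    }


if __name__ == "__main__":
    print(assess(SSC_GRAPH, "dib_mission_app", "json_lib"))
```

A compromise of the depth-2 `json_lib` reaches the product through two different direct suppliers and also harms an unrelated contractor's application, which is the cascading effect the figure describes.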

The documented ability to exploit vulnerabilities in an SSC has existed since at least the 1980s, when the “Ken Thompson hack” or “trusting trust attack” demonstrated the ability to compromise source code while leaving behind almost no trace of alteration [7]. Since then, the massive expansion of software production and the ubiquitous use of connected information systems across all sectors of the economy have made SSC exploits a prime vector for malign actors. For example, SSC attacks often target popular package managers (e.g., node package manager [npm] for JavaScript node.js) and their user communities. These communities have experienced incredible growth over the past decade—the number of public repositories hosted in the GitHub platform grew from 46,000 in early 2009 to more than 200 million by 2022 [5]. Accordingly, adversarial nation-states, terrorists, and other transnational criminal organizations recognize that SSC attacks can cause widespread and cascading harmful effects, all while requiring relatively few resources to execute [8].

A number of headline penetrations in recent years have raised the profile of SSC attacks for malign actors. In 2017, the “NotPetya” SSC cyberattack—the most damaging such attack then to date—infected a line of accounting and tax reporting software used by the Ukrainian government before spreading to several large multinational firms. The malware that Russian-sponsored hackers inserted disrupted email systems at a major food manufacturer and disabled multiple logistics systems for an international shipping company. In doing so, NotPetya even crippled one pharmaceutical firm’s ability to supply vaccines to the U.S. Centers for Disease Control and Prevention [9]. By 2020, the “SolarWinds” cyberattack, which originated from the Russian Foreign Intelligence Service, similarly penetrated a wide array of networked systems, primarily within the U.S. federal government. After being injected with backdoor code, a routine software update package for a technology administration suite was widely downloaded; worse, the compromise went undetected for nearly 12 months [10].

1.2 SSCS AND THE DEFENSE INDUSTRIAL BASE

The DoD acquires software products and systems, professional services, and the supporting hardware and computing power needed for operation much in the same way it obtains crates of 5.56-mm rifle ammunition—mostly purchasing them from private firms and other public or nonprofit suppliers. Generally known as the Defense Industrial Base (DIB), this collection of organizations, facilities, and resources provides the DoD with hundreds of billions of dollars of products and services each year and represents the nation’s enduring industrial and economic might [11]. The broad magnitude and scope of the DoD’s acquisition activities means that more than 1 million workers and around 60,000 firms can be considered part of the DIB [11]. While many of these firms do not directly shape or influence the development of software products that enter militarily-relevant SSCs, every single entity (even those that only produce hardware, like 5.56-mm cartridges) uses software platforms that are vulnerable to penetration.

The DIB’s immense scope and wide reach into suppliers and subcontractors make the defense of its SSCs an immense task. Two longstanding vulnerabilities further complicate this challenge:

1. The production of microelectronics, once co
