WASHINGTON: If Chinese and Russian spies have been doing their jobs well, they might well have been able to compromise some of America’s most important satellites, including the missile launch detection birds known as SBIRS.

A report out today from the Pentagon’s Inspector General says that Air Force Space Command’s failure to safeguard its supply chain means that “an adversary has opportunity to infiltrate the Air Force Space Command supply chain and sabotage, maliciously introduce an unwanted function, or otherwise compromise the design or integrity of the critical hardware, software, and firmware.”

Of course, as Todd Harrison of the Center for Strategic and International Studies notes:

“This is really an audit report on whether AFSPC complied with the DoD supply chain risk management policy, and clearly there were issues.  It is important to note that just because proper policy and procedures were not followed does not necessarily mean that the system was actually compromised.”

But Harrison says that doesn’t let Space Command off the hook:

“That being said, we rely on these satellites to detect missile launches and queue our missile defense systems. SBIRS is among the most important military space systems we have, and the idea that these satellites are at higher risk of being compromised—or may have already been compromised—is disconcerting.  This is yet another black eye for the Air Force’s management of space acquisitions, and it will likely increase calls to transfer responsibility for programs like this to a new, independent service.”

Here’s what the IG found:

“Air Force Space Command did not take the steps and establish the controls and oversight necessary to:

  • conduct a thorough criticality analysis and identify all critical components and associated suppliers to manage risks to the system throughout its lifecycle;
  • submit complete and accurate requests to conduct threat assessments of critical component suppliers;
  • require the purchase of all application-specific integrated circuits from trusted suppliers using trusted processes that are accredited; or
  • ensure the use of rigorous test and evaluation capabilities, including developmental, acceptance, and operational testing.

“In addition, our limited review of three other Air Force Space Command critical systems revealed concerns similar to those found with the Space Based Infrared System supply chain risk management.”

Congress is unlikely to be pleased and some will certainly use this finding to press harder with their colleagues to make a Space Force and Space Command a reality sooner rather than later.

“The current system is wasting billions of dollars and failing to deliver capability to the warfighter,” Reps. Mike Rogers and Jim Cooper, the top two lawmakers on the House Armed Services strategic forces subcommittee, said in a statement in August last year. “Our adversaries have already reorganized their space programs and are reaping the benefits. Those who continue to oppose reform need to explain to the warfighter, the American people, and their elected representatives how the status quo is acceptable.”

The vice commander of Air Force Space Command’s Space and Missile Systems Center (SMC) agreed with the IG’s recommendations on how to fix the problems found in the audit.

Here’s what SMC said it will do. Bear in mind this means they probably haven’t done it yet:

  • “conduct a criticality analysis to accurately identify and compile a parts list for all critical components;
  • “produce a critical components list that includes the break down for all logic-bearing devices to the component level and provide them with a request for information that includes all key information necessary to conduct threat assessments of critical item suppliers;
  • “use the supplier threat assessment reports to determine the risk posture and identify potential mitigations for application specific integrated circuits not procured from a trusted supplier using trusted processes that are accredited; and
  • “incorporate modernized requirements and verification processes to ensure the security of the program and perform verification and validation of these requirements using program protection surveys, independent third party assessors, and developmental and operational tests.”