Bruno: “This is is just shocking in terms of the scale and ubiquity of this threat.”
WASHINGTON — A supplier of software used in machine tools at United Launch Alliance’s rocket factory turned out to be partially owned by Chinese interests, ULA’s CEO Tory Bruno said on a virtual fireside chat aired Sept. 15 during the Air Force Association’s Air Space Cyber Conference.
Bruno revealed the incident in a pre-recorded video in response to a question from Lt. Gen. David Thompson, vice commander of the U.S. Space Force.
Thompson noted that China has been known to steal U.S. intellectual property and exfiltrate sensitive data from systems “to catch up and move forward quickly” in the development of advanced technology. China is “working their way into our supply chains. What are you all doing about that?” Thompson asked Bruno.
Bruno said the Chinese-owned vendor identified in ULA’s supply chain was a provider of software for tools used to manufacture the company’s next-generation rocket Vulcan Centaur. Because the issue was detected quickly, no sensitive information was extracted by that supplier, Bruno said.
The Pentagon has shown growing concern about the problem and continues to impose cybersecurity requirements on contractors. “But I have to tell you this is just shocking in terms of the scale and ubiquity of this threat and this effort on the part of China to not only gain access to intellectual property through traditional means — hacking or espionage — but through infiltration of the supply chain,” Bruno said.
He did not specify who this vendor was or when exactly the attempted breach took place. “We had a wake up call I would say just a few months ago, maybe a year ago,” Bruno said. “We’re developing our new rocket and we’ve got tooling in our factory and we’ve got a supplier that provides software that drives the tooling.”
These are all domestic sources, he said, “and we discovered almost by accident that the key elements in that software chain of a key company have been purchased by a company owned in China.”
Bruno said he shared the information with the FBI and other authorities but noted that the government’s resources to deal with this problem are stressed so ULA has taken actions on its own o prevent any future breaches.
Like all defense contractors, ULA has to ask all its suppliers to certify their ownership and identify their shareholders. Those that are “not up to snuff” have to make the necessary changes, said Bruno. “If you can’t fix it, we’re going to replace you. If we can’t replace you we’re going to have to figure out how to break up the work in a little bitty pieces so you don’t know what you’re working on, and you’re not getting access to our intellectual property.”
ULA hired a private investigator “to tunnel through all of my supply chain, through all the shell companies and indirect ownership and all the methods that China uses to infiltrate these companies without being detected,” said Bruno. “I have to do that literally every quarter. This is a really dynamic environment.”
Bruno told Thompson the U.S. government could do more to help contractors on this issue. “Put a framework in place that helps us find these guys, have potentially legislation that makes it a lot harder for China to either acquire U.S. companies, invest in U.S. supply chains.”
A study published last month by the data analytics firm Govini said the vast majority of the Defense Department’s top tier vendors are American companies. However, foreign companies make up an average of 70% of suppliers in the lower tiers.
From 2010 to 2019, the number of Chinese suppliers in DoD’s supplier base in a sample Govini assessed increased by 420%, to 655, across numerous critical industries, the report said. “The prevalence of China-based companies across the Department’s supplier base will make it difficult to identify with certainty all of the cases where they are a single source provider of a key technology or material.”