The Fatal Flaw - Part 7: The Invisible War: Modern Supply Chain Vulnerabilities

The War That’s Already Being Fought

When military planners discuss future conflict, they typically imagine scenarios that begin with a dramatic event—a missile launch, an invasion, a blockade. But a different kind of war has been underway for decades, fought not on battlefields but in fiber optic cables, patent offices, and shipping containers.

This is the war for control of supply chains.

Adversaries have recognized what the Last Supper made possible: an American defense industrial base with concentrated vulnerabilities, limited visibility, and critical dependencies on foreign sources. They are exploiting these vulnerabilities through means that fall below the threshold of conventional military response—cyber intrusions, intellectual property theft, strategic investment, and supply chain manipulation.

The invisible war doesn’t destroy weapons systems directly. It degrades the ability to build them, repair them, and replace them. When kinetic conflict begins, the invisible war will have already determined much of the outcome.

The Cyber Threat to the DIB

The Defense Industrial Base (DIB) and Defense Critical Infrastructure (DCI) face relentless cyber attack. The interconnected nature of modern defense production—vendor networks, business systems, distribution centers, IT infrastructure—creates an attack surface of staggering complexity.

The scale of the threat:

• Millions of intrusion attempts target DoD networks annually
• Successful breaches occur regularly, often remaining undetected for months
• Sophisticated attackers have penetrated prime contractors and major subcontractors
• Smaller sub-tier suppliers, with limited cybersecurity resources, provide easier targets

The consequences of breach:

Intellectual Property Theft

Adversaries have stolen designs for advanced weapons systems, manufacturing processes, and operational capabilities. This theft isn’t just economic damage—it provides detailed knowledge of how American systems work, enabling the development of countermeasures and copies.

Known examples include compromise of data related to:

• F-35 Joint Strike Fighter systems
• Submarine propulsion technology
• Missile defense components
• Advanced radar systems

The IP theft creates an asymmetric advantage: adversaries gain the benefits of billions of dollars in American R&D investment without bearing the cost.

Malicious Insertion

Even more concerning than theft is the potential for malicious insertion—the introduction of defects or hostile functionality into components that will be integrated into weapons systems.

A compromised microprocessor could:

• Fail on command during combat operations
• Transmit data to adversary collection systems
• Provide backdoor access to classified networks
• Degrade system performance in ways designed to appear as normal malfunction

The globalized supply chain for microelectronics makes malicious insertion practical. A component manufactured overseas, passing through multiple intermediaries before reaching an American weapons system, has numerous opportunities for compromise.

Operational Mapping

Successful cyber intrusions map the structure of defense production—who supplies what to whom, where vulnerabilities exist, what production bottlenecks could be targeted. This intelligence enables precise targeting of supply chain attacks in any future conflict.

The Rare Earth Chokepoint

Perhaps no vulnerability illustrates the supply chain crisis more starkly than rare earth elements (REEs).

Rare earths are essential to modern weapons systems:

• Precision-guided munitions require neodymium for motor magnets
• Fighter aircraft depend on samarium-cobalt magnets
• Night vision systems use lanthanum
• Radar and electronic warfare systems require various REEs

Despite the name, rare earths aren’t particularly rare—they exist in many locations globally. What’s rare is the processing capability to refine them into usable form.

The current situation:

• China controls approximately 85% of global rare earth refining capacity
• The U.S. has essentially no domestic refining capability
• Alternative sources (Australia, Canada) have limited refining and depend on Chinese processing
• Building new refining capacity takes 5-10 years

China has already demonstrated willingness to weaponize rare earth supply. In 2010, after a diplomatic dispute with Japan, China halted rare earth exports, causing prices to spike 10-fold and demonstrating the leverage that supply control provides.

In a conflict scenario: China could cut off rare earth supply to the United States and its allies. Existing stockpiles (limited) would be exhausted within months. Weapons production requiring REE components would halt. The U.S. couldn’t manufacture the missiles, aircraft, and precision munitions that modern warfare requires.

This isn’t a hypothetical vulnerability—it’s a known, documented, strategic reality that has no near-term solution.

The Semiconductor Dependency

The semiconductor supply chain presents an even more acute vulnerability. Modern weapons systems are essentially computers with military applications—they require advanced microprocessors that the United States increasingly cannot produce domestically.

The geography of semiconductor production:

• Taiwan produces approximately 90% of the world’s most advanced semiconductors
• Taiwan Semiconductor Manufacturing Company (TSMC) is the critical node for chips under 7 nanometers
• Taiwan is located 100 miles from mainland China, within easy strike range of Chinese missiles
• Alternative production (Samsung in South Korea, emerging fabs in the U.S.) is years away from matching TSMC capability

The conflict calculus: A Chinese military operation against Taiwan—whether invasion, blockade, or targeted strikes—would immediately cut off the most advanced semiconductor production in the world. Even if Taiwan’s fabs weren’t destroyed, conflict conditions would halt production.

American weapons programs depending on Taiwanese chips would lose their supply source. Existing inventories would run out. Systems requiring semiconductor replacements or new production would become unavailable.

The irony is pointed: the weapons systems America would need to defend Taiwan depend on components produced in Taiwan. A conflict over Taiwan could disable the very forces meant to prevent it.

The Neon Gas Example

The 2022 Ukraine conflict provided an unexpected illustration of hidden supply chain vulnerabilities.

Ukraine produces an estimated 90% of the world’s semiconductor-grade neon gas—a critical input for chip manufacturing. When Russia invaded, Ukrainian neon production facilities were damaged or went offline.

This was a dependency almost no one in the semiconductor industry had considered. Neon is a byproduct of steel production; Ukraine’s large steel industry happened to be the world’s dominant neon source. The concentration wasn’t the result of anyone’s plan—it emerged from economic optimization over decades.

The Ukraine neon shock contributed to the global semiconductor shortage that disrupted industries from automotive to defense. A single hidden dependency, in a country no one associated with chips, affected production worldwide.

The lesson: Supply chain vulnerabilities exist at every tier. Materials, chemicals, and components that seem commodity-like may actually flow through chokepoints that aren’t visible until they fail.

The Software Supply Chain Risk

Hardware isn’t the only attack surface. Modern weapons systems depend on millions of lines of software code, which itself depends on libraries, components, and tools from a complex network of sources.

Software Supply Chain Risk (SSCR) refers to threats that originate upstream in this network:

• Malicious code inserted into widely-used libraries
• Compromised developer tools that inject vulnerabilities
• Third-party components with hidden functionality
• Update mechanisms that can be hijacked

The SolarWinds attack of 2020 demonstrated the pattern: attackers compromised a widely-used network monitoring tool, inserting malicious code that was distributed to thousands of customers—including government agencies and defense contractors—via routine updates.

Defense systems face the same risk. Software used in weapons platforms, command and control systems, and logistics management depends on components from numerous sources. Any of these sources could be compromised, and the resulting malicious functionality would be distributed with legitimate updates.

The challenge is scale: modern software systems incorporate thousands of components from hundreds of sources. Auditing all of them is effectively impossible. Managing the risk requires accepting that some vulnerabilities will exist and focusing on detection and response.

The Compound Vulnerability

Each of these vulnerabilities—cyber attack, rare earth dependency, semiconductor concentration, software risk—would be serious in isolation. In combination, they create a compound vulnerability that multiplies danger.

Consider a scenario:

1. Cyber preparation: Adversary intrusions have mapped the defense supply chain and identified critical nodes
2. Pre-conflict disruption: Targeted cyber attacks disable key sub-tier suppliers weeks before kinetic conflict begins
3. Supply cutoff: Rare earth and semiconductor supply from Asia halts due to conflict conditions
4. Malicious activation: Compromised components in deployed systems begin failing or degrading
5. Stockpile exhaustion: Existing inventories run out with no ability to replace

In this scenario, kinetic military operations become almost secondary. The industrial capacity to sustain warfare has been disabled through means that never required a missile to be fired at a factory.

This is the essence of supply chain warfare: achieving military effects through economic and technological means that avoid the thresholds of conventional conflict. The invisible war is already determining outcomes for conflicts that haven’t yet begun.

The Visibility Imperative

Addressing these vulnerabilities requires, first, visibility: knowing what dependencies exist, where they are concentrated, and how they could be disrupted.

Currently, this visibility doesn’t exist at scale. The DoD relies on over 200,000 suppliers but has “little visibility” into the origins of manufacturing. Prime contractors often don’t know their own supply chains below Tier 2.

Required visibility includes:

• Supplier mapping: Complete identification of all suppliers at all tiers for critical programs
• Geographic analysis: Understanding where production occurs and under what jurisdictions
• Single-point identification: Flagging components or materials with concentrated sourcing
• Risk scoring: Quantifying vulnerability for prioritization of mitigation efforts
• Real-time monitoring: Tracking supply chain conditions for early warning of disruption

Achieving this visibility requires contractual mandates (requiring suppliers to disclose their supply chains), technology investment (systems to aggregate and analyze supply chain data), and organizational authority (someone responsible for end-to-end supply chain security).

Current efforts are fragmented, uncoordinated, and limited in scope. The organizational will to impose these requirements—and the resources to implement them—remain inadequate to the threat.

The Diplomatic Dimension

Supply chain security isn’t purely a technical or industrial problem—it has critical diplomatic dimensions.

Many essential suppliers are located in allied or partner nations. Securing these supply chains requires coordination with foreign governments, which may have different priorities, constraints, and perspectives.

For suppliers in non-allied nations, the calculus is more complex. Reducing dependency on adversarial sources may require accepting higher costs, longer timelines, and reduced capabilities during transition. Political will for these tradeoffs is inconsistent.

Even within alliances, supply chain security can create tensions. If the U.S. demands that allies reduce their dependencies on certain nations, those allies may resent the imposition or question why America makes the same demands of them that it hasn’t met itself.

DIB protection activities in foreign countries could be perceived as U.S. government intrusion into sovereign areas. Coordination with host governments and conformance with existing treaties is essential—but adds complexity and potential points of failure.

The Race Against Time

The vulnerabilities described in this post are known. They have been documented in government reports, analyzed by think tanks, and discussed in classified briefings. The question is not awareness—it is action.

Addressing these vulnerabilities requires:

• Years to build new facilities
• Years to train workers
• Years to qualify alternative suppliers
• Years to develop domestic sources for critical materials
• Years to implement robust cybersecurity across the supply chain

The timeline for potential peer conflict may not provide those years. Every year of delay in addressing vulnerabilities is a year adversaries use to exploit them further.

The invisible war is being fought now. The question is whether the United States will mobilize to fight it—or continue treating supply chain security as a secondary concern until the visible war begins and the outcome has already been determined.