Clausewitz defined war as a duel on an extensive scale, an act of violence intended to compel the opponent to submission. Violence, the use of physical force, was the means to achieve the terminal objective. War, according to Clausewitz, was nothing but the application of military force, and all other activities, including those related to the maintenance of the military, were subservient to it. [1] Jomini, a contemporary of Clausewitz, proposed an alternate theory of war, which stated that the art of war consisted of five principal parts – strategy, grand tactics, logistics, tactics of different arms, and art of the engineer. [2] The relevance and importance attached to logistics has slowly grown ever since the word was used by Jomini in the context of the military.
A review of military literature from over the last two centuries would make it apparent that two principal Clausewitzian ideas have dominated almost all militaries. First, that the primary function of the soldier is to use the tools of war in combat, and not to fashion them or provide them; and second, that the material forces have not yet diminished the classic and decisive role of courage, leadership, and the arts of command. [3]
The recent pager attack in Lebanon, in some manner, has significantly challenged the above stated ideas. The act of maintenance of the forces, previously deemed subservient, has been converted into a primary tool of war and has produced violence of an unprecedented nature and scale. The pager attack has been classified in media as a supply chain attack; but since it doesn’t have a historical parallel, it is essential to dwell on its definition before proceeding further.
The supply chain is a set of firms that move material forward, or a set of organisations linked by upstream or downstream movement of materials or/ and services, information and finances; all between a source and a customer. Management of these firms, which are linked to form a supply chain, is defined as supply chain management, a concept which took shape in eighties and has seen increasing prominence since the mid-nineties. Globalisation, focus of the industry on developing core competencies, aspiration to achieve specialisation, initiatives to enhance supply chain collaboration, growth of electronic data interfaces, and ready to use enterprise applications have fuelled the growth of supply chains to achieve competitive advantage. All of this has enhanced global inter-dependencies, which often provide a source of turbulence in the supply chain. A supply chain attack essentially involves the discrete exploitation of a weak link in the set of firms that form a supply chain, with the purpose of achieving one’s own objectives with respect to the end users of the supply chain’s products.
The objectives of supply chain attacks in the past have been the stealing of information, causing a disruption in operations of the target company, stealing money, or causing damage to an organisation’s reputation. Such attacks were caused by injecting malicious code in open-source software or even commercial software, import of foreign products with malicious code, by compromising of hardware or firmware at the manufacturing stage, and by third party vendors or suppliers who are part of the supply chain and have access to networks or products.
A recent and one of the classic supply chain attacks is that of Solar Winds, a company providing SaaS solutions for IT Infrastructure, supply management, and network administration. The company offered a product called Orion for IT performance management, which was used worldwide. Orion, on account of its role, had access to performance logs and customer data, making it an extremely lucrative target. Malicious actors made a supply chain attack by targeting third-party resources to insert malicious code into the Orion framework, and created a backdoor to access system files and hide their tracks by blending into Orion activity. The attack is estimated to have infected more than 18,000 systems worldwide, causing irreparable damage worth billions of dollars to both government and corporate organisations. [4]
The deadly attack that caused thousands of pagers to explode in Lebanon also fits into the category of supply chain attack, but is distinctly different in scale and intended effect on the target. It is the first supply chain attack which has had a violent dimension, causing loss of human life and property. The intervention in supply chain here was not limited to software code and circuit boards, but also included the insertion of explosives and a detonation mechanism, both of which remained safe in transit and use. The product’s design features were also carefully chosen by the attacker, like ruggedness, being waterproof, and a long battery life with an heavy over-sized battery that could facilitate the insertion of lethal explosives. The two-step message decryption process ensured that the user was in close proximity of the product when it was triggered.
The attacker obviously exploited a weak link in the commercial electronics supply chains or impersonated one. Thus, apart from the damage and destruction it has caused, the attack has also exposed the vulnerability of commercial supply chains to physical interference, primarily on account of their complexities and inter-dependencies.
More importantly, the detection of such interference with products as they move downstream to the end users is not easy. It has also brought to fore the potential of ordinary electronic devices to cause physical damage to a targeted community.
The attack on Hezbollah marks a significant shift in the trends of supply chain attacks, as it has substantially enhanced the value of risk associated with the common user electronics supply chain. From the industry perspective, the method of establishing trust between supply chain partners is now an even bigger problem, especially when such partners are in foreign countries. Supply chains would also view dependence on oversees manufactures as a grave risk, which may lead to alteration in the existing supply chain designs. Also, the attack would prompt original equipment manufacturers (OEM) to build in additional inspections which will lead to penalties in terms of cost and time. The governments would in all probability consider imposing additional customs checks to safeguard themselves from such attacks, adding to supply chain delays. There would also be a requirement for enhancing the physical security of common electronics goods as they move within the supply chain to prevent interference in transit.
What does the supply attacks mean for the military? Are they also vulnerable? The obvious answer is that the military also needs to protect itself from such supply chain attacks. The extended military supply chains are highly complex and their dependencies are fairly large on account of the use of critical and scarce technologies. Both the indigenous and imported goods that reach the military users are manufactured by OEMs who have dependencies on hundreds of suppliers, and in case of bigger platforms, it may go up to thousands of vendors and third party suppliers. In most cases, the OEMs don’t even share with the buyer details of backend participants in their supply chain for purely commercial reasons. It is only a corollary to all of the above arguments that in the near future, supply chain intelligence will become of increasing importance, not only for the corporates who were already practicing it in some form, but also for the military.
The pager attack should be seen as a note of caution by all military supply chains, and should lead to institution of stricter final acceptance inspection standards for all inbound deliveries. Also, it calls for a systemic review of procurement manuals and acquisition procedures with a view to make them safe from effects of a supply chain attacks. While that may take time, future requests for proposal should be modified to include provisions that help in ensuring traceability of components provided by third party vendors, and also include a process to establish credentials of such vendors.
The pager attack has revealed the potential of causing targeted violence on a large scale by exploiting supply chain vulnerabilities. The attack will bring a paradigm shift in supply chain management, both for the military and corporates. Achieving competitive advantage will now become subject to supply chain security. More importantly, complete atmanirbharta will become increasingly important, not only for India but for all nations.
Bibliography
[1] C. v. Clausewitz, On War, New Delhi: Natraj Publishers, 2013.
[2] B. D. Jomini, Art of War, New Delhi: Kaveri Books, 2012.
[3] C. R. Shrader, United States Army Logistics 1175-1992, Honolulu, Hawaii: University Press of Pacific.
[4] Baivab Kumar Jena, “SolarWinds Attack And All The Details You Need To Know About It,” 13 Aug 2024. [Online]. Available: https://www.simplilearn.com/tutorials/cryptography-tutorial/all-about-solarwinds-attack. [Accessed 3 Oct 2024].
