The Dangers of Bypassing Supply Chains

ISLAMABAD:

Defense acquisitions and supply chain management typically require meticulous planning due to the complex relationships among suppliers, manufacturers, and regulators. The U.S. Department of State constantly monitors such acquisitions, international tenders, and government procurements to control the spread of ballistic missile, space, and nuclear technologies. In fact, any local or international tender issued by governments can provide valuable information on their Technology Readiness Levels (TRLs) and Capability Maturity Levels for key technologies.

When the U.S. imposed sanctions on Chinese suppliers this month for supplying rocket engine testing equipment to Pakistan, it was likely because the Chinese companies were subcontracting to the U.S. company for components (through a complicated, obfuscated chain) or perhaps because of leaked bid/RFP documents. It’s also worth noting that using free online Chinese-to-English translation services can be flagged by the U.S. government if the translated document involves national security.

A similar supply chain lens can be applied to the mysterious case of pager explosions in Lebanon. The Taiwanese pager in question (the Apollo 924) is a relatively simple telecommunications device that can only receive short messages, with no ability to reply or communicate verbally. Each pager is identified by a 7-10 digit CAP (Channel Access Protocol) code that can be easily cloned. These pagers can be assigned up to six CAP codes, allowing them to receive six different transmission streams simultaneously. They can operate on a single AAA battery for up to three months, and could be useful in war zones where traditional telecommunications and internet services can be disrupted. This allows both civilians and soldiers to use them to receive important transmissions in the 130 MHz to 180 MHz frequency range.

However, the initial choice of pager model that appeared in the Lebanese tender was disastrous. One-way pagers such as the Apollo 924 are virtually useless, offering no encryption for VHF/UHF transmissions. Apollo also produces a two-way alphanumeric pager, the AL-125TR, which includes Advanced Encryption Standard (AES), a strong cryptographic protocol that could take years to crack. Even without the pager explosion incident, rogue elements or foreign spies could easily intercept or send transmissions (pretending to be from the government) to unsecured Apollo 924 pagers.

What’s more, the Lebanese government failed to investigate the supply chain for its 5,000 newly acquired pagers. Apollo has multiple distributors around the world, and it’s crucial to determine whether you’re dealing with a distributor or a manufacturer. In Australia, for example, Apollo pagers are primarily distributed by WiPath Communications. In 2021, Apollo Group (Kim Apollo and Gold Apollo Co. Ltd) signed an IP licensing agreement with BAC Consulting Ltd, a little-known company based in Budapest, Hungary, to manufacture and distribute the pagers in Europe and the MENA region. This means that these custom-designed devices were not subject to Apollo’s quality testing or verification.

Founded in 2019, BAC Consulting specializes in sustainability but has no previous experience in manufacturing or design. The company, led by CEO Dr. Cristiane Bársony-Arcidiacono, has a small team of nine with employees in countries including Mauritania, Tunisia, Denmark, Hungary and Spain. Despite BAC’s lack of employees in the Middle East, Apollo confirmed that all royalties for its licensing agreement with BAC Consulting were channeled out of the region. This raises suspicions that BAC may have outsourced production to Israeli state-owned companies, given Israel’s technological advantage in the MENA region.

The situation underscores the consequences of failing to work closely with suppliers on defense purchases and ignoring best purchasing practices, which allowed Lebanon to miss several red flags for months. They unknowingly used pagers containing 3g of explosives embedded in a chip that detonated upon receiving a specific code word.

To avoid such oversights, Lebanon could have taken a leaf out of the U.S. defense procurement playbook. During the Cold War, the U.S. government used a single-source procurement model, working closely with companies like Boeing, Lockheed Martin, Northrop Grumman, and General Dynamics. The government invested in these partners’ R&D efforts and actively participated in their internal project management.

Fast forward to 2024, and the U.S. now has a comprehensive supplier registration and verification system. Suppliers must first register with the System for Award Management (SAM) and comply with DD Form 2345 and DFARS clause 252.204-7012, which govern contracts involving military-critical technical data. Once the design process begins, suppliers must navigate the DoD Trusted Supplier Program and comply with ITAR regulations. Contractors are also required to meet rigorous Cybersecurity Maturity Model Certification (CMMC) and TEMPEST standards, the latter of which protects equipment from electromagnetic eavesdropping. Suppliers must provide a detailed supply chain map identifying subcontractors and component suppliers. DoD conducts a risk assessment of its supply chain, while the Defense Contract Management Agency (DCMA) conducts regular audits and inspections to ensure compliance.

In short, these practices evolved for a reason, and it took even the US decades to perfect them. Lebanon’s hasty procurement practices were a mistake. Even without the pager explosion, the country exposed its weaknesses, technical capabilities, and internal communication processes because of irregular and irresponsible procurement practices.

THE WRITER IS A CAMBRIDGE GRADUATE AND WORKS AS A STRATEGIC CONSULTANT