Dangers of overlooking supply chains

ISLAMABAD:

Defense acquisitions and supply chain management typically demand meticulous planning due to the complex relationships between suppliers, manufacturers, and regulators. The US State Department continuously monitors such acquisitions, international tenders, and procurements to control the proliferation of ballistic missile, space, and nuclear technologies. In fact, any local or international tender floated by governments can offer valuable insights into their technology readiness levels (TRL) and capability maturity levels regarding critical technologies.

When the US imposed sanctions this month on Chinese suppliers for providing rocket motor testing equipment to Pakistan, it was likely due to Chinese companies subcontracting to a US company for components (through a complex, obfuscated chain) or possibly due to leaked RFPs/bid documents . It’s also noteworthy that the use of free online Chinese-to-English translator services could be flagged by the US government if the translated document pertains to national security.

A similar supply chain lens can be applied to the mysterious case of exploding pagers in Lebanon. The Taiwanese pager in question (Apollo 924) is a relatively simple telecom device that can only receive short messages, with no provision for replying or voice communications. Each pager is identified by its 7-10 digit CAPcode (Channel Access Protocol code), which can be easily cloned. These pagers allow for assigning up to six CAPcodes, enabling them to receive six different broadcast streams simultaneously. Capable of running on a single AAA battery for up to three months, they could be useful in war zones where traditional telecom and internet services may be disrupted. Thus, both civilians and soldiers can use them to receive important broadcasts in the frequency range of 130MHz to 180MHz.

However, the initial choice of pager model floated in the Lebanese tender was disastrous. One-way pagers like the Apollo 924 are practically useless, offering no encryption for VHF/UHF broadcasts. Apollo also manufactures a two-way alphanumeric pager, the AL-125TR, which incorporates Advanced Encryption Standard (AES), a strong cryptographic protocol that could take years to crack. Even without the pager explosion incident, rogue elements or foreign spies could have easily intercepted or sent broadcasts (pretending to be the government) to the insecure Apollo 924 pagers.

Moreover, the Lebanese government failed to scrutinize the supply chain for its 5,000 newly sourced pagers. Apollo has numerous distributors worldwide, and it’s crucial to determine whether you’re dealing with a distributor or a manufacturer. For example, in Australia, Apollo pagers are distributed primarily by WiPath Communications. In 2021, the Apollo Group (Kim Apollo and Gold Apollo Co. Ltd) signed an IP license deal with BAC Consulting Ltd, an obscure company in Budapest, Hungary, to manufacture and distribute pagers in Europe and MENA. This means that these custom-designed units were not subject to Apollo’s quality assurance or verification tests.

Founded in 2019, BAC Consulting specializes in sustainable development but has no prior manufacturing or design experience. The company, led by CEO Dr Cristiana Bársony-Arcidiacono, has a small nine-member team with staff in countries such as Mauritania, Tunisia, Denmark, Hungary, and Spain. Despite BAC having no staff in the Middle East, Apollo confirmed that all royalties for its license deal with BAC Consulting were being remitted from the region. This raises suspicions that BAC may have outsourced manufacturing to Israeli state-owned companies, given Israel’s technological edge in the MENA region.

This situation underscores the consequences of neglecting thorough collaboration with suppliers in defense acquisitions and ignoring best procurement practices, which allowed Lebanon to miss several red flags for months. Unknowingly, they used pagers that contained 3g of explosives embedded in the chip, which detonated when a particular codeword was received.

To avoid such oversights, Lebanon could have taken a cue from the US playbook on defense procurement. During the Cold War, the US government followed a single-source procurement model, closely collaborating with companies like Boeing, Lockheed Martin, Northrop Grumman, and General Dynamics. The government invested in these partners’ R&D and was actively involved in their internal project management.

Fast forward to 2024, and the US now has a comprehensive system for supplier registration and verification. Vendors must first register with the System for Award Management (SAM) and follow DD Form 2345 and DFARS Clause 252.204-7012, which govern agreements involving military-critical technical data. Once the design process begins, vendors must navigate the DoD’s Trusted Supplier Program and comply with ITAR regulations. Contractors are also required to meet strict Cybersecurity Maturity Model Certification (CMMC) and TEMPEST standards, the latter of which protects equipment against electromagnetic eavesdropping. Suppliers must provide a detailed supply chain map, identifying subcontractors and component suppliers. The DoD conducts a risk assessment of their supply chain, while the Defense Contract Management Agency (DCMA) performs regular audits and inspections to ensure compliance.

In short, these practices have evolved for a reason and took decades for even the US to perfect. Lebanon’s hasty procurement practices were a mistake. Even without the pager explosion, the country exposed its vulnerabilities, technical capabilities, and internal communication processes due to irregular and irresponsible procurement practices.

THE WRITER IS A CAMBRIDGE GRADUATE AND IS WORKING AS A STRATEGY CONSULTANT