Exploring Subcontract Descriptions
After diving into subcontracts and learning more about how contracts were funded, it is clear that well-funded subcontracts are important. The contractor that makes significant investments in subcontractors clearly sees them as critical assets in completing their contract with the US government. However, not all subcontracts are well funded, but many of those are essential. For example, a subcontract that specifically provided washers would not be expensive relative to subcontracts that provide rocket fuselages, but the former is critical to the end product. Therefore, a second approach is needed to identify critical subcontractors. By utilizing the descriptions of the subcontracts and what is known about hypersonic missiles, descriptions that contain specific keywords should be considered more important than others.
A simple wordcloud can be used to visualize the types of keywords seen in the descriptions of subcontracts. In Figure 7, the most common keywords are seen in larger text. This indicates more descriptions containing this keyword. From this visualization, some keywords begin to stick out as they relate to the production of hypersonic missiles.
In Figure 7, keywords including batteries, detonators, launchers, fuses, and transmitters (among others) stand out. These are words that describe supplies critical to hypersonic missile production. By finding the subcontracts that provide these products, cybersecurity protection efforts can target these companies.
By filtering subcontracts down to only those that contain keywords associated with the production of hypersonic missile technologies, it becomes clearer which subcontractors are a higher priority. However, after further analysis, there are two types of subcontractors. First, some subcontractors provide a single product, such as batteries or explosives. Second, some contractors provide more than one product. Depending on the US government's priorities, an argument could be made either way for prioritizing one type of subcontractor versus another. A simple visualization of the subcontracts is seen in the following figure.
Considering the results shown in Figure 8, there are arguments for prioritizing cybersecurity efforts for each type of subcontractor. First, subcontractors that provide a single service to the main contractor could be considered a single point of failure. If they are the only subcontractor that provides a critical piece to the production of hypersonic missiles, then they should be considered more vulnerable to a cybersecurity threat. In contrast, a company that provides multiple different parts to the production of hypersonics could also be considered vulnerable as it would be a significant disruption to the supply chain.
By filtering down the subcontracts to those only containing one keyword, a similar network visualization shows a different set of subcontractors, each with the associated keyword highlighted above the subcontract. Figure 9 gives a good sense of the types of subcontracts and the subcontractors associated with them.
In Figure 9, the network shows the set of subcontractors that produce only a single item according to their subcontract's description. This network gives us the first view into which subcontracts could be considered more important than others, and by proxy, which subcontractors would be a cybersecurity risk. Everything behaves similarly to the previous networks; however, the blue triangles representing the subcontracts show the keywords found in their respective descriptions. This helps the viewer get a sense of each subcontractor and what they supply. All of these subcontractors stand out as they only supply one type of product to Raytheon, so one might suppose that all of them should be prioritized highly. However, there are many subcontractors in this network, so it would be helpful to continue to filter them down. An important observation that can be made in Figure 9 is that some of these subcontractors are unique in what they produce. For example, Southern Gear & Machine seems to be the only subcontractor that produces gears. This is considered a single point of failure. Perhaps by filtering down to those that produce distinct products, a clearer view of the most critical subcontractors can be seen. Discuss findings in the network. Theorize that some of the subcontracts are far more important, and using this network, we can see which subcontracts provide which. This allows Raytheon to single out their subcontractors they believe are more important when it comes to a single product.
Before transitioning to the final, filtered down network, a second network in Figure 10 shows all of the subcontractors producing more then one product. Subcontractors in this network are important because they produce so many products for Raytheon, so losing them to a cybersecurity attack could slow down production significantly.
Figure 10 shows the network of subcontractors that produce more than one product that is critical to the supply chain. A cybersecurity attack on one of these companies would certain slow production down as multiple types of parts essential to producing hypersonic missiles would stop being supplied temporarily. However, from this visualization, it is not clear that any of these companies are single points of failure, and while they are important to completing the contract, they may not be as crucial as some of the companies mentioned previously. However, similar to the point made earlier, these subcontractors may produce a unique product across all subcontractors, so creating a visualization that shows a filtered version of subcontractors would be illuminating.
Finally, Figure 11 shows a network of subcontractors that, according to their description, produce a unique product across all subcontractors. From this network, it is clear that 13 subcontractors, shown in red squares, stand out.
Figure 11 is a culmination of all of the previous ideas shown in Figures 7-10. These 13 subcontractors shown in Figure 11 are considered single points of failure as they produce a unique product according to the description of their subcontract. As previously hypothesized, Southern Gear & Machine was indeed the only company to produce gears and thus should be considered a single point of failure. However, there are many more. Emoteq produces shafts, API produces washers, and L3 produces encoders. Additionally, the subcontractors that produce multiple products are included if one of those products is unique across all subcontractors. For example, Alliant TechSystems is the only producer of fuselages and detonators, while Aerojet Rocketdyne seems to be the only producer of pyrotechnics and rockets. However, the most important observation to be made happens while exploring this network. Out of the 13 subcontractors, 2 subcontractors stand out. AllComp Inc has different sets of subcontracts for two different and unique products. One set of subcontracts is for fasteners, and separately, one is for missiles and antennas. Next, Pacific Scientific Energetic Material Company has two sets of subcontracts, one set for explosives and separately, one for nuts. These two subcontractors should be considered the most important and most vulnerable to a cybersecurity incident.