Pentagon cyber rules threaten to choke America’s defence supply chain

Washington has a long history of defeating its enemies through industrial might. From the Liberty ships of the Second World War to the semiconductor race with China, America’s power has rested not merely on its armed forces but on the astonishing breadth of its private sector.

However, a new regulatory offensive in cyberspace threatens to do something no foreign adversary has yet managed: thin the very supply chain on which the Pentagon depends.

The United States Department of Defense has finally rolled out its long-delayed Cybersecurity Maturity Model Certification (CMMC), a framework designed to protect sensitive military data held by contractors. Its purpose is straightforward. Modern weapons are not merely hardware; they are information. Technical drawings, maintenance systems, software patches and logistics databases are all vulnerable to espionage. Protecting what Washington calls “controlled unclassified information” is now deemed a national security imperative, but, as so often in government, the intent and the effect are diverging sharply.

The rules, which began implementation late last year, require companies working on federal defence contracts to complete cybersecurity assessments, followed by stricter audited compliance at higher certification levels. Months-long waits for audits and uncertainty over exactly what data must be protected have left contractors bewildered. The result is not reassurance but hesitation — particularly among smaller firms.

This matters more than Washington’s regulators appear to appreciate. Nearly 88 per cent of aerospace companies are small businesses. They manufacture wiring harnesses, machined components, sensors, valves and specialist electronics — the unglamorous parts without which no fighter jet ever leaves the runway.

Now many are wondering whether the Pentagon is worth the trouble.

Compliance can cost hundreds of thousands of dollars per company, a crippling sum for firms that often operate on slender margins and also serve commercial aviation markets. Industry representatives warn that the cumulative regulatory burden is pushing some suppliers to consider abandoning defence work altogether. One executive cited uncertainty about whether even half his suppliers would meet the new standards.

The paradox is stark. The Trump administration is pressing defence contractors to increase production and diversify the supply base, yet the cybersecurity regime risks shrinking it.

This is not simply a matter of bureaucracy. The Western world has spent the past three years rediscovering the importance of industrial capacity. The war in Ukraine revealed that wars are won as much by factories as by battalions. Ammunition stocks ran thin, production lines stalled, and governments across NATO scrambled to rebuild manufacturing ecosystems they had allowed to atrophy.

America’s defence system depends on a layered industrial network — primes such as Lockheed Martin and Boeing at the top, but beneath them thousands of small subcontractors, many of them family-owned machine shops. Some produce components for only one weapons programme. If even a handful withdraw, entire production chains can halt.

Indeed, lawyers advising defence contractors warn the certification could inadvertently reduce competition in the lower tiers of the supply chain. In other words, security measures designed to strengthen resilience may produce fragility.

The international implications are equally awkward. Many suppliers operate across borders and must already comply with European privacy regimes. Differing data-handling rules now place them in an impossible legal triangle: American military standards on one side, EU data law on another, and domestic regulations at home. One Canadian executive estimated he would need roughly half a million Canadian dollars simply to meet both U.S. and European requirements.

From a British or European perspective, the episode should look familiar. Brussels has often been accused of regulating first and calculating later, producing rules that large corporations can navigate but smaller firms cannot. Washington now risks replicating precisely that mistake.

There is, of course, a real threat. Defence contractors have long been prime targets for cyber-espionage. State actors understand that the weakest link is not the Pentagon itself but a subcontractor’s email server in an industrial park. A stolen maintenance manual or component specification can be as valuable as a captured missile.

Yet security policy must balance risk against capacity. If protection measures drive out suppliers, they may paradoxically increase strategic vulnerability. A smaller, more concentrated industrial base is easier for adversaries to disrupt — whether by cyber-attack, sabotage, or economic coercion.

One small aerospace manufacturer, weighing the cost of certification against its limited military work, has openly questioned whether continuing defence contracts makes commercial sense. It is a decision likely to be repeated across the sector.

For decades American strategy assumed the private sector would always be there — deep, flexible and innovative. That assumption is no longer safe. Industrial ecosystems are delicate. Once specialist firms leave defence markets, they rarely return; expertise disperses, staff retrain, and production lines retool for civilian customers.

The United States faces a genuine dilemma. Cybersecurity failures could leak advanced weapons technology to adversaries. But regulatory excess could leave the Pentagon with secure networks and empty factories.

Wars in the twenty-first century will be fought across code as well as continents. Yet even in the digital age, tanks still need gears and aircraft still need wiring. Washington’s challenge is to secure the data without losing the makers.

Because a perfectly protected supply chain that no longer exists offers little protection at all.

Main Image: By Touch Of Light – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=172649655

Defence Ambition
Defencematters.eu Correspondents