At first glance, S&L Aerospace Metals LLC appears to be just another defense subcontractor, making parts for U.S. fighter jets and missiles in Flushing, New York. Sounds all-American enough.

Yet the company is actually owned by Jerry Wang, a member of multiple United Front Work Department entities, which play a critical role in Chinese influence and espionage operations.

Under Mr. Wang, S&L collected roughly $60 million in U.S. contracts. The case has triggered a major uproar in Congress, where the China Select Committee sent a formal oversight letter to the Department of Defense.

S&L’s case is frustrating because it should never have happened. In 2019, Congress directed the Pentagon to institute expansive vetting of defense contractors and subcontractors for foreign ownership, control, and influence (FOCI). Unfortunately, the Biden administration failed to implement this legal requirement fully.

In April, the Defense Counterintelligence and Security Agency (DSCA) finally announced that it will issue the new regulation to institute the expanded FOCI vetting—in 12 to 18 months. Congress should push the Defense Department to accelerate its implementation of FOCI vetting and consider further expansions of the vetting requirement.

>>> Some Priorities for the Next NDAA

But S&L is just the tip of the iceberg.

Chinese entities have infiltrated the U.S. defense supply chain, controlling a wide range of essential inputs from magnets to drone parts. Data analysis company Govini estimates that nearly one in 10 “Tier 1” subcontractors to defense-industry prime contractors are Chinese firms. The real numbers may be even higher, as the DoD has historically struggled to fully understand its sprawling supply chain.

Beijing’s presence in the defense supply chain poses three risks.

First, Chinese contractors and subcontractors can illicitly acquire U.S. defense-industrial secrets to strengthen the People’s Liberation Army. Second, Beijing can cripple U.S. defense supply chains by restricting contractors’ export of bottleneck inputs. Third, Chinese contractors and subcontractors can secretly place unauthorized components in defense hardware for surveillance and sabotage purposes.

Chinese suppliers enmeshed in the defense supply chain could—and in fact have—illegally obtained U.S. defense technology. Chinese national Su Bin owned Lode-Tech, a small Air Force contractor. According to the Air Force Office of Special Investigation, between 2008 and 2014, Mr. Su “managed to make close business contacts within the global defense industry community, and used those contacts to gain insight into protected technology and eventually unfettered entry into company files.”

Mr. Su used his acquired insight to help PLA hackers steal more than 630,000 files from Boeing related to the C-17 cargo aircraft. Mr. Su’s case demonstrates how even small defense subcontractors can leverage their access to the defense industrial base to obtain critical information.

In addition to espionage concerns, Chinese suppliers can withhold exports of critical inputs to paralyze the defense supply chain. Take the burgeoning U.S. drone industry, which is critical for the Pentagon’s “Hellscape” plan to deploy tens of thousands of drones to deter China. Unfortunately, U.S. drone manufacturers rely heavily on Chinese components. Last year, Beijing leveraged this vulnerability by imposing export restrictions on parts to U.S. defense drone contractor Skydio, forcing the company to ration batteries to one per drone.

Chinese suppliers can also sabotage U.S. defense hardware by secretly installing unauthorized components. In 2015, U.S. investigators found that Chinese factories produced motherboards containing tiny chips that facilitated Chinese cyberattacks. The motherboards ended up in servers made by Elemental, a U.S. company that provided servers to the DoD, CIA, NASA, DHS, and both houses of Congress.

Beijing could also use compromised hardware to directly attack warfighters. In a brilliant supply-chain attack against Hezbollah, an Israeli company secretly inserted explosive devices into pagers that exploded in the pockets of members of the terrorist organization. It would be naïve to ignore the potential of a similar Chinese day-zero attack on U.S. warfighters.

Despite these risks, it’s difficult to identify, much less completely eliminate, Chinese suppliers in the defense supply chain. In 2022, the Pentagon had to temporarily suspend the shipment of F-35 jets after Chinese-origin metals were found in its engines.

>>> The 3 Big Lies Xi Will Try To Sell Trump About Taiwan

Congress understood the gravity of the problem, which is why, in Section 847 of the 2020 National Defense Authorization Act, legislators required the Defense Department to implement FOCI vetting for contracts or subcontracts worth more than $5 million. The provision drastically expanded the scope of FOCI vetting, which was previously only required for suppliers working on classified contracts.

In May 2024, the Pentagon issued an internal instruction initiating the establishment of the policies and procedures required by the provision. As of today, the final rule implementing the memorandum has yet to be issued. Congress should push the Pentagon to ensure that this five-year-old legal requirement is implemented as soon as possible.

There’s still more to do, though.

Section 847 exempts contractors and subcontractors providing commercial products and services, unless senior Pentagon officials determine that FOCI vetting is warranted. It’s reasonable that such routine consumer goods as pencils be exempt from FOCI vetting. However, the Defense Department increasingly relies on “commercial products and services” suppliers to deliver cutting-edge capabilities like drones. The commercial carve-out should not be used to exempt these suppliers from FOCI vetting.

Congress can also pass additional legislation to further strengthen FOCI vetting. Section 847 relies on voluntary reporting by contractors and subcontractors. The Pentagon can benefit from additional authority to investigate contractors and subcontractors for FOCI concerns.

Compromised Chinese suppliers have no role in the defense supply chain. It’s time for the Defense Department and Congress to act.