America’s ongoing trade war with China has underscored the contentious business practices the Asian power has instituted over the years. Many of these have resulted from the United States’ over-reliance on external manufacturing, particularly for the technology sector. This over reliance has exposed the nation’s supply chain to vulnerabilities that have jeopardized the corporate and government sectors and that threaten economic prosperity and national security. To address this growing repertoire of technology supply chain-related threats, the US government and the American private sector need to forge a more strategic and collaborative partnership. This will ensure that American technology supply chains are comprehensively secured going forward and could also position the United States as a leader in the push for global technology supply chain security.
A July 2018 US
intelligence report found that supply chain attacks — attacks
which target software and hardware manufacturers and distributors, rather than
users —
are on the rise. To no surprise, these attacks have especially impacted the
American technology sector. An analysis of seven major US-based
technology companies — HP, IBM, Dell, Cisco, Unisys, Microsoft and Intel — found that over half of the products the
companies and their suppliers used came from China. Microsoft’s reliance on
these products was particularly staggering, with the company sourcing 73% of
its products from China between 2012 and 2017.
Although a globalized supply chain is not in itself a bad concept (these supply
chains, for example, enable consumers to enjoy cheaper prices when buying
electronics), the consequences of vulnerabilities in the supply chain for the
private sector are significant. Such extensive supply chain vulnerabilities
open these tech giants up to major financial losses, often in the form of
intellectual property (IP) theft. China is the world’s primary IP infringer and
Chinese theft of American IP costs between $225 to $600 billion annually
through avenues such as espionage, forced
technology transfers and mandatory joint ventures for companies trying to
operate in China. This was most recently demonstrated in a Bloomberg
Businessweek report which found that a group
specializing in hardware attacks within China’s infamous People’s Liberation
Army (PLA) had implanted microchips into the motherboards of servers produced
by Taiwanese-American information technology company SuperMicro. These
compromised servers were then operationalized by major American technology
companies such as Apple and Amazon, enabling the PLA to spy on their internal
networks and steal valuable intellectual property. Both Apple and Amazon have rejected the claims in this report
as false, but many contend that the hack was one of the most deleterious
breaches of supply chain security in the American technology sector to date.
The growth of such attacks is particularly concerning considering that most American corporations seem unprepared to respond to and defend against them. Two-thirds of respondents in a survey commissioned by computer security firm CrowdStrike said their organizations had experienced a supply-chain attack in the past year, and 90% of these attacks resulted in financial losses. Despite this, only one-third of respondents said they vetted their suppliers and even fewer organizations expressed confidence in being able to effectively mitigate and defend against a supply chain attack or breach.
Supply chain vulnerabilities have also had a significant impact on US national security. Recent supply chain vulnerabilities that have targeted the US government have done so with the intention of jeopardizing the nation’s security. Many of the compromised SuperMicro servers were used by the Central Intelligence Agency, the Department of Defense and even US Navy warships, demonstrating a significant breach of key intelligence agencies and their networks by Chinese agents. Similarly, Chinese telecom firms such as ZTE and Huawei have come under heavy fire for using their products to spy on US government employees and contractors on behalf of the Chinese government. This is a relatively common practice, one that is employed even by the United States. However, many were shocked to learn about the extent of ZTE and Huawei’s spying operations in the United States. In response, Congress recently enacteda ban that prohibits US government officials and contractors from using either company’s technologies. These companies have faced similar bans in countries such asIndia, Australia and the UnitedKingdom over national security concerns. In the US, however, this ban doesn’t prevent the companies from engaging with US infrastructure outside of the government sector and it will only come into effect gradually over the next two years.
As the United States invests heavily in developing 5G wireless networks that increasingly promote the use of interconnected devices, and in instituting many of the federal government’s IT modernization initiatives, the security of the technology supply chain is a serious concern. The consequences of the country’s over-reliance on external manufacturing are visible here too, as Chinese businesses are consistently able to underbid US companies on subcontracting opportunities, therefore positioning themselves as cost-effective partners, despite the national security risks posed.
The vulnerability of technology supply chains is an issue of economic and national security that will continue to grow in the US. The government has taken some strides toward addressing this issue. In early November 2018 the US Department of Justice (DOJ) establishedthe China Initiative which aims to combat the Chinese government’s national security threats, including supply chain related threats. However, in order for the American supply chain to be comprehensively secured against actors such as China as well as the growing range of supply chain vulnerabilities, there needs to be greater and more strategic collaboration between the public and private sectors. If such partnerships can effectively be formed, scaled and operated, this could position the United States as a leading figure in the push for global supply chain security. This is an important role the United States should seek to play, especially as China and other foreign adversaries ramp up their supply chain attacks on the United States and its allies.
—
Submitted by, Spandana Singh, the Cyber Security Fellow for the Young Professionals in Foreign Policy. She is currently serving as a Millennial Public Policy Fellow at New America’s Open Technology Institute where she works on issues of privacy, surveillance, cybersecurity and countering violent extremism. Spandana is a graduate of the University of California, Berkeley and has previously worked at organizations such as the East West Institute, Twitter, the World Bank Group and UNICEF.
