WASHINGTON (April 15) – Last year’s John S. McCain National Defense Authorization Act banned government use of certain products from Chinese firms Huawei and ZTE. But these firms are not the only foreign companies that pose a risk to American national security.

In a new policy study, R Street Senior Fellow Paul Rosenzweig and Research Associate Kathryn Waldron discuss how Huawei and ZTE are not isolated threats. Other companies from China and Russia, such as Lenovo and Kaspersky, may also pose threats to American national security, given their countries’ problematic legal structures and history of cyber espionage. 

Until now, the United States has lacked a unified strategy for dealing with supply chain vulnerabilities. Waldron and Rosenzweig argue that the fragmentation of responsibility makes cross-department communication and cooperation all the more imperative. If the U.S. approach to supply chain risk is not transparent, American citizens will be put at risk.

The new Federal Acquisition Security Council, created by the SECURE Technology Act, will need to address a number of issues. It must determine which public and private sector assets to protect from supply chain risk. It must recognize the malicious tactics, techniques and procedures that threat actors are likely to use to accomplish their objectives. It must identify the vulnerabilities that exist in U.S. information systems and employ the most effective defensive measures for thwarting adversaries and recovering from failed mitigation efforts. And it must design metrics to accurately assess supply chain threats and the methods used to address those threats.

The authors conclude that America should not isolate itself in an increasingly interconnected world, but it must aim for “supply chain assurance—the certainty that raw materials and manufactured components that are vital to our national defense and homeland security do not depend too extensively on availability from more risky non-American sources.”