Welcome to August recess and thoroughly unreasonable humidity. The only competition with China we’re interested in watching this week airs on NBC and is best viewed from a couch accompanied by snacks and A/C.
Without further ado:
1. Waiting for the semiconductor shortage to end
The CEO of Taiwan Semiconductor Manufacturing Company (TSMC)—the world’s premier manufacturer of semiconductor chips—was optimistic in a July 15 earnings call, saying he expected the dearth of chips available to car manufacturers “to be greatly reduced” beginning this quarter. He credited TSMC’s 30 percent ramp-up in the production of some types of semiconductors as partly responsible.
Outside of the auto industry, stakeholders and experts are less optimistic. In early June, the manufacturer Flex, based in Singapore and supplier to companies like Hewlett Packard, warned that the overall chip scarcity may last into late 2022.
With so many conflicting predictions, when will we know for sure? Some experts suggest a key point will come in the beginning of the fourth quarter, when demand for chips traditionally drops. This could provide some breathing room for a strapped supply. But if demand continues as it is now, there are fears that the heavy deficit could last well into 2023—an estimate that paces with a recent warning from the CEO of Intel. Note that recent efforts to expand domestic chipmaking in the West—such as the CHIPS for America Act or Intel’s proposed factory in Europe—are longer-term strategies that will take years to settle into the global supply chain ecosystem.
2. Kaseya’s rise to ransomware fame
Plenty of people visited Miami over the 4th of July for some fun in the sun. But that same weekend, the company Kaseya—with its U.S. headquarters in the Magic City—hosted the latest in a string of high-profile ransomware incidents this year. The perpetrators were the all-too familiar group REvil (we know, it’s a lazy villain name), who first demanded a payment of $70 million, and then generously discounted it to $50 million. Thanks, cyber criminals!
Kaseya has said that less than 0.1 percent of its customers were directly affected, which is not technically wrong. However, Kaseya’s Virtual System Administration (VSA) software is relied upon by a number of managed service providers (MSPs), who in turn are relied upon by many small-to-medium sized companies to run their IT. It sounds complicated but it’s not: Kaseya’s customers have customers, and in this case, the customer’s customers were also hit. More realistic estimates say roughly 1500 companies were affected by the incident.
There’s been a debate online over whether the Kaseya incident is “actually” a supply chain attack. This excellent analysis by RiskBased Security breaks down which cyber-related incidents should and should not be characterized as a supply chain compromise. But to the broader point: the Kaseya hack reminds us that global networks are solidly interconnected, frequently opaque and always complex—and so are their compromises.
For more: check out Policy Director Tatyana Bolton and Fellow Kathryn Waldron’s take on the hack and what it says about the need for cyber metrics in The Hill. And here’s a new piece from Brookings that dives into the idea of banning ransomware payments.
3. The Export Edition: what does China need from the West?
Amid all the discussion of reshoring and fears of dependency on Chinese-made technologies and products, it’s easy to overlook just how much China relies on the West. And, spoiler alert, it’s not a fan of said vulnerabilities.
Chief among those weaknesses is China’s ability to produce advanced semiconductors or microchips, which lags several years behind that of the United States. The United States has already exploited that shortcoming—particularly during the Trump administration, which cut off chip sales to Chinese champion Huawei.
China is working hard to close that gap. But the process is far from straightforward, given the complexity and cost of designing and manufacturing chips; the chokehold that the West has on the incredibly sophisticated tools it takes to make cutting-edge chips; and the seemingly settled nature of the semiconductor market.
The long and short of this is that we will continue to see some serious bickering between China and the West, and within the West, over who gets to invest in—and own—the companies that make semiconductor chips and manufacturing equipment.
For more: Policy Director Tatyana Bolton recently spoke at the Internet Governance Forum on how to foster interoperability, strengthen our supply chains and close our own gaps. And here’s a piece from our friends at the Foundation for Defense of Democracies making the case that the United States needs to act now to maintain its advanced chipmaking dominance.
4. So long subtweets: United States and allies hand out attribution
For months, the Biden administration has been promising a punchy response to the massive breach of Microsoft Exchange servers discovered back in February. Now, it’s finally arrived. Kind of.
On July 19, the United States formally attributed the hack to actors affiliated with the Chinese government—and it brought a number of U.S. allies along in the process. While the Biden administration pointed the finger directly at China’s Ministry of State Security and issued some indictments, they stopped short of imposing sanctions against the People’s Republic of China.
Some have questioned why. After all, the United States has leveled a number of financial sanctions against the Russians for its malicious cyber activities. But in a press briefing, the White House pushed back at any accusation that it was too cautious in its efforts to retaliate against China, possibly out of fear that it might catalyze a tit-for-tat economic fight. And others have made the point that the Biden administration is just getting started on its China strategy, and this is the first step in a measured, strategic response.
5. July on the Hill
Along with tracking Team USA at the Olympics, we’re also following supply-chain security on the Hill—but don’t worry, our priorities are in the right order. Here are some of those developments:
- A Senate Commerce hearing titled “Implementing Supply Chain Resiliency” exemplified why government efforts to improve supply chain security frequently fall short: smart speakers were jam-packed onto one panel (erm, manel); good ideas were raised and then allowed to die; the subject area was so broad as to be not only unfocused but un-focusable; and people shoehorned in pet issues (drones! climate change! unemployment benefits that incentivize people to be lazy!).
- The Senate passed a bill on July 22 resourcing the newly minted office of the National Cyber Director.
- The House passed two bills that map to the Senate’s United States Innovation and Competition Act (USICA) bill (sort of) and a half dozen other shockingly bipartisan cybersecurity and supply chain security bills to beef up the organizational structures, authorities and resources available to government entities.
What to watch:
- As always, the infrastructure bill. Will it pass? Won’t it? Who knows!
- This event, by Foreign Policy for America, exploring the interplay between U.S. racism and foreign policy—especially in the context of competition with China.
Worth the read: The Slotkin/Gallagher-led “Defense Critical Supply Chain Task Force” issued its final report.
We wish you a restful August break to enjoy the sun and cheer on Team USA—both the human and android varieties.
Image credit: TaweeW.asurut
- “optimistic”: https://www.supplychaindive.com/news/tsmc-semiconductor-capacity-manufacturing-automotive-chip/603525/
- “late 2022”: https://techmonitor.ai/technology/will-global-chip-shortage-continue-into-2023-flex-tsmc
- “experts suggest”: https://techmonitor.ai/technology/will-global-chip-shortage-continue-into-2023-flex-tsmc
- “chips traditionally drops”: https://www.semiconductorintelligence.com/semiconductor-boom-in-2021/
- “fears”: https://techmonitor.ai/technology/will-global-chip-shortage-continue-into-2023-flex-tsmc
- “paces with a recent warning”: https://edition.cnn.com/2021/07/23/investing/premarket-stocks-trading/index.html
- “the CHIPS for America Act”: https://www.fierceelectronics.com/electronics/chip-auto-groups-urge-congress-to-get-moving-chips-act
- “Intel’s proposed factory in Europe”: https://www.ft.com/content/d365bfe0-98c4-49b5-8e82-dc4386623ace
- “Foreign Affairs”: https://www.foreignaffairs.com/articles/2021-07-06/missing-chips
- “Nikkei’s article”: https://asia.nikkei.com/Business/Tech/Semiconductors/Chip-decoupling-risks-costly-failure-TSMC-founder-warns-APEC
- “all-too familiar”: https://fortune.com/2021/07/07/what-is-revil-ransomware-attack-kaseya/
- “generously discounted”: https://www.cnbc.com/2021/07/05/revil-hackers-behind-massive-ransomware-outbreak-drop-demand-to-50m.html
- “than 0.1 percent of its customers”: https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/
- “excellent analysis”: https://www.riskbasedsecurity.com/2021/07/14/is-the-kaseya-hack-actually-a-supply-chain-attack/
- “The Hill.”: https://thehill.com/opinion/cybersecurity/562771-kaseya-hack-proves-we-need-better-cyber-metrics?rl=1
- “Brookings”: https://www.brookings.edu/techstream/should-ransomware-payments-be-banned/
- “not a fan”: https://www.globaltimes.cn/page/202107/1227877.shtml
- “which lags several years behind”: https://rhg.com/research/china-chips/
- “working hard to close that gap”: https://www.protocol.com/china/chinese-companies-make-own-semiconductors#toggle-gdpr
- “far from straightforward”: https://www.brookings.edu/techstream/lagging-but-motivated-the-state-of-chinas-semiconductor-industry/
- “incredibly sophisticated tools”: https://www.brookings.edu/techstream/the-chip-making-machine-at-the-center-of-chinese-dual-use-concerns/
- “seemingly settled”: https://www.brookings.edu/techstream/lagging-but-motivated-the-state-of-chinas-semiconductor-industry/
- “within the West”: https://www.theguardian.com/business/2021/jul/05/chinese-owned-firm-acquires-uks-largest-semiconductor-manufacturer
- “Internet Governance Forum”: https://www.rstreet.org/2021/07/26/event-facilitating-interoperability-bridging-the-gaps-in-supply-chain-security/?utm_medium=email&utm_campaign=CYBER%203%20Things%20in%2030%20Seconds%20Crypto%20Wars%20and%20Olympic%20Gold&utm_content=CYBER%203%20Things%20in%2030%20Seconds%20Crypto%20Wars%20and%20Olympic%20Gold+CID_f25e1fc095aad9668ffbfe4d5ff72ea5&utm_source=Email%20marketing%20software&utm_term=Watch
- “here’s”: https://www.fdd.org/analysis/2021/07/20/stopping-china-from-controlling-semiconductor-industry/
- “has been promising”: https://www.bloomberg.com/news/articles/2021-03-12/biden-and-indo-pacific-leaders-discussed-hacks-chips-shortage
- “formally”: https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/
- “attributed the hack”: https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/
- “it brought a number of U.S. allies along”: https://carnegieendowment.org/2021/07/22/what-makes-this-attribution-of-chinese-hacking-different-pub-85023
- “Some have questioned why.”: https://www.cnn.com/2021/07/19/politics/china-biden-ransomware/index.html
- “leveled a number”: https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/
- “pushed back at any accusation”: https://www.nytimes.com/2021/07/19/us/politics/microsoft-hacking-china-biden.html
- “have made the point”: https://breakingdefense.com/2021/07/us-playing-long-game-to-pressure-china-on-cyber-ops-experts/
- “follow up”: https://www.rstreet.org/2021/07/20/after-naming-china-as-the-culprit-behind-the-microsoft-exchange-hack-the-u-s-must-now-take-action/
- “Global Times”: https://www.globaltimes.cn/page/202107/1229070.shtml
- “Senate Commerce hearing”: https://www.commerce.senate.gov/2021/7/implementing-supply-chain-resiliency
- “manel”: https://www.rstreet.org/2020/12/15/making-space-in-cybersecurity/
- “incentivize people to be lazy”: https://money.yahoo.com/turns-getting-600-week-doesn-204213207.html
- “passed a bill on July 22”: https://news.bloomberglaw.com/privacy-and-data-security/senate-passes-bill-to-give-detailees-to-national-cyber-director
- “sort of”: https://www.nytimes.com/2021/06/28/us/politics/house-science-research-bills.html
- “a half dozen other”: https://www.meritalk.com/articles/house-ec-approves-cyber-supply-chain-bills/
- “the infrastructure bill”: https://www.cnbc.com/2021/08/02/infrastructure-senate-to-vote-on-bipartisan-bill.html
- “This event”: https://www.facebook.com/FP4America/videos/4613589795319868/
- “its final report”: https://gallagher.house.gov/media/press-releases/gallagher-slotkin-release-final-report-defense-critical-supply-chain
- “android varieties”: https://twitter.com/NBCOlympics/status/1419989491171930114?s=20