America can take more actions to cut technology supply chain risks
American concern over supply chain security was born of the Cold War, when our adversaries were ideological and the means of conflict were overt and kinetic. The threat today has shifted into the cyber domain, where the means of conflict are covert and nonkinetic in nature. When an unrecognized system flaw is inevitably exploited to disable a portion of our electric grid or disrupt command and control communications during a crisis, the reality of nonkinetic supply chain dependence and risks will be brought to light, with potentially disastrous consequences for society.
American policy approaches the issue of supply chain assurance in an inconsistent manner. In some cases, we react with an extreme response that effectively blacklists companies like Huawei and Kaspersky. At the same time, we ignore other businesses like Lenovo and Saudi Telecom Company that could just as easily compromise the integrity of both the hardware and software in American systems. The latest actions against Huawei, however justified, need to be advanced in a broader context. The United States must develop goals for supply chain security, including descriptions of plans on how to achieve those goals and metrics to assess outcomes.
The United States needs to conduct a holistic assessment of what public and private sector assets we should protect from supply chain risks, the threat actors who pose the greatest supply chain risks, the malicious techniques and procedures that threat actors are likely to use, the specific vulnerabilities of American information systems and devices, the most effective and efficient defense measures and mitigation strategies for thwarting adversaries and recovering from failed mitigation efforts, and the metrics that public and private sector entities should use to accurately assess supply chain threats and the effectiveness of risk mitigation and recovery efforts necessary to properly address them.
To that end, I recommend the following to put the United States on a path toward true supply chain assurance. The National Security Council should prioritize the issue of supply chain assurance and support the work of the Federal Acquisition Security Council to make sure that it is achieving its objectives. The Federal Communications Commission should conduct a series of public hearings through next year regarding supply chain threats to the telecommunications infrastructure of the United States and its foreign partners, how best to mitigate those threats, and how best to recover from malicious activity directed against such infrastructure.
The president should request that the United States China Economic and Security Review Commission evaluate the supply chain risks posed by all Chinese controlled manufacturers beyond just Huawei. Finally, leaders in Congress should immediately designate one committee in each chamber to conduct federal oversight of supply chain risk management, conduct hearings with input from experts in the public and private sectors, and propose legislation to address identified gaps in the law. The designated committees should be instructed to complete their work by fall 2021.
Thematically, the federal government and other supply chain consumers should consider supply chain risks in a more nuanced framework. To date, the American threat definition has been limited to only two countries, Russia and China, and companies that appear to be wholly controlled by or connected to a foreign government. A more realistic threat assessment would recognize risks that arise from other countries, including putative allies like Israel, and also supply chain providers whose connections to foreign governments are more indirect, such as in the case of Lenovo.
American strategy for supply chain security has been ad hoc, reactive, uneven, and episodic. It focuses on risks from only a few companies in a few countries. But supply chain risks are broader than a few bad actors. The risks are endemic and need a wider approach. These modest steps would not completely solve the problem of supply chain assurance, nor would they completely mitigate the inherent risks of any engagement in the global information technology supply chain. But they would be strong first steps toward a much more comprehensive strategy for supply chain assurance. Huawei is a problem, to be sure, but the problem is bigger than a single company. The United States needs a broader solution.