Five Developments in ICT Supply Chain Security in July
Without further ado:
1. Waiting for the semiconductor shortage to end
The CEO of Taiwan Semiconductor Manufacturing Company (TSMC)—the world’s premier manufacturer of semiconductor chips—was optimistic in a July 15 earnings call, saying he expected the dearth of chips available to car manufacturers “to be greatly reduced” beginning this quarter. He credited TSMC’s 30 percent ramp-up in the production of some types of semiconductors as partly responsible.
Outside of the auto industry, stakeholders and experts are less optimistic. In early June, the manufacturer Flex, based in Singapore and a supplier to companies like Hewlett Packard, warned that the overall chip scarcity may last into late 2022.
With so many conflicting predictions, when will we know for sure? Some experts suggest a key point will come at the beginning of the fourth quarter, when demand for chips traditionally drops. This could provide some breathing room for a strapped supply. But if demand continues at its current pace, there are fears that the heavy deficit could last well into 2023, an estimate that tracks with a recent warning from the CEO of Intel. Note that recent efforts to expand domestic chipmaking in the West, such as the CHIPS for America Act or Intel's proposed factory in Europe, are longer-term strategies that will take years to settle into the global supply chain ecosystem.
For more: check out Foreign Affairs on how to protect the semiconductor supply chain and Nikkei’s article on the effects of decoupling with chip supply.
2. Kaseya's rise to ransomware fame
Plenty of people visited Miami over the 4th of July for some fun in the sun. But that same weekend, the company Kaseya—with its U.S. headquarters in the Magic City—hosted the latest in a string of high-profile ransomware incidents this year. The perpetrators were the all-too familiar group REvil (we know, it’s a lazy villain name), who first demanded a payment of $70 million, and then generously discounted it to $50 million. Thanks, cyber criminals!
Kaseya has said that less than 0.1 percent of its customers were directly affected, which is not technically wrong. However, Kaseya's Virtual System Administrator (VSA) software is relied upon by a number of managed service providers (MSPs), who in turn are relied upon by many small- to medium-sized companies to run their IT. It sounds complicated but it's not: Kaseya's customers have customers, and in this case, the customers' customers were also hit. More realistic estimates say roughly 1,500 companies were affected by the incident.
There’s been a debate online over whether the Kaseya incident is “actually” a supply chain attack. This excellent analysis by RiskBased Security breaks down which cyber-related incidents should and should not be characterized as a supply chain compromise. But to the broader point: the Kaseya hack reminds us that global networks are solidly interconnected, frequently opaque and always complex—and so are their compromises.
For more: check out Policy Director Tatyana Bolton and Fellow Kathryn Waldron’s take on the hack and what it says about the need for cyber metrics in The Hill. And here’s a new piece from Brookings that dives into the idea of banning ransomware payments.
3. The Export Edition: what does China need from the West?
Amid all the discussion of reshoring and fears of dependency on Chinese-made technologies and products, it’s easy to overlook just how much China relies on the West. And, spoiler alert, it’s not a fan of said vulnerabilities.
Chief among those weaknesses is China’s ability to produce advanced semiconductors or microchips, which lags several years behind that of the United States. The United States has already exploited that shortcoming—particularly during the Trump administration, which cut off chip sales to Chinese champion Huawei.
China is working hard to close that gap. But the process is far from straightforward, given the complexity and cost of designing and manufacturing chips; the chokehold that the West has on the incredibly sophisticated tools it takes to make cutting-edge chips; and the seemingly settled nature of the semiconductor market.
The long and short of this is that we will continue to see some serious bickering between China and the West, and within the West, over who gets to invest in—and own—the companies that make semiconductor chips and manufacturing equipment.
For more: Policy Director Tatyana Bolton recently spoke at the Internet Governance Forum on how to foster interoperability, strengthen our supply chains and close our own gaps. And here’s a piece from our friends at the Foundation for Defense of Democracies making the case that the United States needs to act now to maintain its advanced chipmaking dominance.
4. So long subtweets: United States and allies hand out attribution
For months, the Biden administration has been promising a punchy response to the massive breach of Microsoft Exchange servers publicly disclosed back in early March. Now, it's finally arrived. Kind of.
On July 19, the United States formally attributed the hack to actors affiliated with the Chinese government—and it brought a number of U.S. allies along in the process. While the Biden administration pointed the finger directly at China’s Ministry of State Security and issued some indictments, they stopped short of imposing sanctions against the People’s Republic of China.
Some have questioned why. After all, the United States has leveled a number of financial sanctions against Russia for its malicious cyber activities. But in a press briefing, the White House pushed back against any suggestion that it was too cautious in its efforts to retaliate against China, possibly out of fear that it might catalyze a tit-for-tat economic fight. Others have made the point that the Biden administration is just getting started on its China strategy, and this is the first step in a measured, strategic response.
For more: check out our press release on how we should follow up with tangible actions. And here’s a fairly bitter op-ed in the Global Times accusing the United States of framing China.
5. July on the Hill
Along with tracking Team USA at the Olympics, we’re also following supply-chain security on the Hill—but don’t worry, our priorities are in the right order. Here are some of those developments:
- A Senate Commerce hearing titled “Implementing Supply Chain Resiliency” exemplified why government efforts to improve supply chain security frequently fall short: smart speakers were jam-packed onto one panel (erm, manel); good ideas were raised and then allowed to die; the subject area was so broad as to be not only unfocused but un-focusable; and people shoehorned in pet issues (drones! climate change! unemployment benefits that incentivize people to be lazy!).
- The Senate passed a bill on July 22 resourcing the newly minted office of the National Cyber Director.
- The House passed two bills that map to the Senate’s United States Innovation and Competition Act (USICA) bill (sort of) and a half dozen other shockingly bipartisan cybersecurity and supply chain security bills to beef up the organizational structures, authorities and resources available to government entities.
What to watch:
- As always, the infrastructure bill. Will it pass? Won’t it? Who knows!
- This event, by Foreign Policy for America, exploring the interplay between U.S. racism and foreign policy—especially in the context of competition with China.
Worth the read: The Slotkin/Gallagher-led “Defense Critical Supply Chain Task Force” issued its final report.
We wish you a restful August break to enjoy the sun and cheer on Team USA—both the human and android varieties.
Image credit: TaweeW.asurut