Five Developments in ICT Supply Chain Security in June
June was another busy month for information communication technology (ICT) supply chain security—a previously rather unsexy topic that now ties with infrastructure as one of Washington D.C.’s hottest issue areas.*
*Okay, that might be a stretch.
Anyway, here are the trends you should be aware of for the month of June.
===
1. Silicon Valley bets big on the Sonoran Desert
The American Southwest is known for a few things: Sin City, stunning desert landscapes, and, currently, a searing drought. Now, it’s hoping it can be one of the country’s major semiconductor manufacturing hubs and help bolster the flagging U.S. chip supply against future shortages and crises.
In June 2021, Taiwan Semiconductor Manufacturing Company (TSMC) broke ground on a $12 billion project to build a new chip-making facility in Arizona—joining the likes of Intel, which has long had a significant presence in the region and recently committed to two more factories nearby. Phoenix is investing substantial taxpayer dollars in the push as well.
Why the eye-boggling amounts of cash? While America is still the undisputed leader when it comes to designing chips and investing in research and development (R&D), its market share of manufacturing capacity for those chips has dramatically declined in recent years (from 37 percent in 1990 to 12 percent in 2020). There are concerns that innovation will follow manufacturing, and undercut U.S. security and competitiveness. (But also, concerns that pushing for a manufacturing ramp-up globally will lead to a market glut.)
For more: The Nikkei has had some excellent coverage on global semiconductor woes. If you’re looking for a thought piece with obvious parallels, check out The Atlantic’s “Why America Doesn’t Really Make Solar Panels Anymore.”
2. The Reign of EO 14017
June 4 marked 100 days since President Joe Biden signed Executive Order (EO) 14017 “America’s Supply Chains.” His administration delivered a 250-page report breaking down the United States’ most critical supply chain security challenges in four key areas. (No worries if you’re slammed, here’s an abridged version, which is slightly more accessible because it’s not, you know, 250 pages.)
What’s most interesting to us is the tricky line the administration is attempting to walk on alliances. They’re working to: 1) bolster U.S. collaboration with allies—particularly in Europe; 2) promote “buy American”; and 3) signal that Pacific Rim allies like Taiwan, South Korea and Japan are good partners for collaboration but also pose risks because of their proximity to China.
We get it: there are multiple, overlapping and sometimes competing priorities. But a little more explicit coherence would help business, allied governments and other parts of the U.S. government figure out how to get on the same page.
For more: See our timeline on Presidential Orders on Supply Chain Security. And here are Biden administration officials in their own words on the report and its conclusions.
3. “Build Back Better” goes global
President Biden hit supply chain security hard on his jam-packed weeklong trip to Europe last month. Here are the highlights:
First stop, the G7, where leadership promised to work together on supply chain security and resiliency—particularly in semiconductors and critical minerals. They also announced “Build Back Better World”: a partnership to invest in the infrastructure needs of lower-income countries, and a pretty clear counter to China’s Belt and Road Initiative. Details are sparse, but “mobilizing private-sector capital in (…) digital technology” is one of its four focus areas. We’re skeptical and watching.
Then to the U.S.-EU summit, where United States and European Union leaders announced the creation of a new Trade and Technology Council (TTC) to promote collaboration and dialogue between the two parties—who have clashed on tech and cyber security issues. The specifics are still in the works, but ICT security and general supply chain security are key priorities.
Finally, President Biden and President Vladimir Putin met for their first in-person meeting since Biden assumed the presidency. Biden told Putin that the 16 sectors the United States designates as “critical infrastructure” are off the table for a cyberattack—following a wave of Russian-origin cyber campaigns against the United States that have targeted many. different. sectors. Note that Biden is going after the effect (cyber damage to a critical function) rather than the technique (cyber capabilities at large). And note that, well, we’re not off to a good start.
For more: Here’s a good overview by Politico on the TTC. And here’s a good one by the National Interest on some of the biggest areas of disagreements between the European Union and the United States.
4. Supply chain risk management gets spicy
Words like “regulations,” “compliance” and “standards” immediately make eyes glaze over. Enter… salsa.
SLSA (indeed pronounced “salsa”) is Google’s brand new end-to-end framework for software supply chain security: Supply chain Levels for Software Artifacts. (Really, this should have been SCLSA, but we understand that doesn’t roll off the tongue.) It’s been introduced to the public in an early form, and Google says its goal is to create an enforceable, consensus-based, incrementally adopted new standard that can actually be used to certify the security of products.
What does any of that mean? While the Biden administration is doing a lot of work to try to generate security improvements in networks, software and supply chains through executive order, many of those efforts don’t directly impact industry—they’re focused on federal networks, and they are mostly based on compliance. Google is complementing this effort by working with industry to proactively raise the level of security and quality of their products and others.
For more: Check out Google’s detailed overview of SLSA here (yes, there are diagrams for the visual learners out there). And here’s a short explainer on how government and industry efforts support each other.
5. Restr(ICT)ing our Relationship with Chinese Technology
In August 2020, then-President Donald Trump horrified Gen-Z when he threatened to ban U.S.-based users from TikTok via executive order. (Was the motive national security or was it this crazy story?) The messaging app WeChat was also on the administration’s chopping block.
Responses to the bans were mixed. Plenty of people agreed that both applications were a potential threat to U.S. data security, but just as many (and not a mutually exclusive group) feared that it was more about Trump’s anti-China animus.
Well, Biden just undid both of those executive orders with his own executive order entitled “Protecting Americans’ Sensitive Data From Foreign Adversaries.” Rejoice—for now, at least, we’re free to watch the Washington Post TikTok Guy to our hearts’ content.
But neither TikTok nor WeChat is off the hook: Biden seems to disagree with Trump’s methods while generally agreeing that Chinese-owned technologies constitute a security risk. So while the new EO promises “rigorous, evidence-based analysis” to better understand the threat and plan a response, we just might come full circle in four months and find either or both apps officially re-banned.
For more: Lawfare, with an excellent up-to-date backgrounder on the TikTok / WeChat ban controversies.
What to watch:
+ The Huawei saga continues at the Federal Communications Commission (FCC).
+ The Senate’s countering China bill—the United States Innovation and Competition Act of 2021 (USICA, pronounced “you-see-ka” and yes, we think “Endless Frontier” was a lot catchier too)—passed in the Senate in early June. No one is yet quite sure what’s going to happen in the House, but China’s certainly paying attention.
Worth the read: Bernie, on his concerns over Washington’s developing China consensus.
Image credit: Funtap