China syndrome: Federal IT, communications technology supply chain vulnerable to Chinese sabotage, espionage

Published 26 April 2018

A new report examines vulnerabilities in the U.S. government information and communications technology (ICT) supply chains posed by China. The report issues a warning about the extent to which China has penetrated the technology supply chain, and calls on the U.S. government and industry to develop a comprehensive strategy for securing their technology and products from foreign sabotage and espionage.

The U.S.-China Economic and Security Review Commission released a report entitled Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology, prepared for the Commission by Interos Solutions, Inc. The report examines vulnerabilities in the U.S. government information and communications technology (ICT) supply chains posed by China, and makes recommendations for supply chain risk management.

“China did not emerge as a key node on the global ICT supply chain by chance,” the report says. “The Chinese government considers the ICT sector a ‘strategic sector’ in which it has invested significant state capital and influence on behalf of state-owned ICT enterprises.”

Derek Johnson writes on FCW that:

At the same time, Beijing has moved to prevent other countries from using similar strategies to crack the Chinese market, accelerating indigenous production of IT and communications parts and requiring outside businesses to turn over their source code, store data on Chinese servers, and allow the government to conduct security audits on their products before gaining access to the Chinese market.

Furthermore, the report argues that the U.S. government lacks an overall strategy to anticipate future developments in supply chains, identify potential threats, and mitigate them. The overall push for IT modernization means the government will increasingly rely on a web of complex supply chain operations that eventually originate with commercial suppliers in China. Laws like the Federal IT Acquisition Management Act and the Modernizing Government Technology Act put pressure on agencies to modernize through commercial-off-the-shelf products that are more likely to originate from China.

Key findings:

Effective supply chain risk management is the ability to anticipate future developments in supply chains, identify potential threats to supply chains, develop threat profiles, and mitigate or address future threats to the supply chain. Federal government laws and policies do not currently address supply chain risk management comprehensively.

The Chinese government’s policies prioritize domestic production, extract intellectual property and technology from multinational companies in exchange for market access, use Chinese companies to further state goals, and target U.S. federal networks and the networks of federal contractors. These policies have heightened risks to the U.S. ICT supply chain, and to U.S. national and economic security.

Cyberattacks on supply chains will become easier—and more prevalent—as developing technologies such as fifth generation (5G) mobile network technology and the Internet of Things (IoT) exponentially increase avenues for attack.

ICT products have increasingly complex, globalized, and dynamic supply chains, many of which include commercial suppliers that source from China at multiple points within a single supply chain. For example, an average of 51 percent of shipments to seven leading federal ICT providers originate in China (see Exhibit 1).

It is unlikely that political or economic shifts will push global ICT manufacturers to dramatically reduce their operations in China or their partnerships with Chinese firms. A national strategy is needed for supply chain risk management of U.S. ICT, and it must include supporting policies so that U.S. security posture is forward-leaning, rather than reactive and based on incident response.

To minimize risks, the federal government should: centralize the leadership of federal ICT supply chain risk management efforts, link federal funding to supply chain risk management, promote supply chain transparency, and craft forward-looking policies.

— Read more in Tara Beeny et al., Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology (Interos Solutions, April 2018)