China’s Tentacles Difficult To Untangle from Supply Chain
As government and businesses looked into how disruptions created chaos in economies during the pandemic, real concerns surfaced around the critical goods and services needed to keep the country functioning.
“We've all had a wonderful opportunity during the pandemic to sit at home and watch, all of the things that we're looking at, from semiconductors to software malware, to meat packing, peanut butter, firmware to formula; all of these particular threats are threatening our supply chains,” said Jeanette McMillian, assistant director for the Supply Chain and Cyber Directorate, National Counterintelligence and Security Center.
Looking into a specific production process of an electronic device, which may be a cellphone or a complex component in a weapon system, Lt. Gen. Thomas Horlander, USA (Ret.), strategic business development manager for Defense and National Security, Intel, offered an example: “We design software, we design hardware, that's the first step; then you go into the manufacturing phase where you're going to actually take some raw materials, some rare earth elements, and turn those into a microchip.” He went on to explain how different components are added through final assembly and packaging.
“What I just described to you is, it is incredibly complex, and there is not a single actor in that [technology] ecosystem that does it all from cradle to grave, not a single, not a single company, nobody does that from cradle to grave, therein lies an inherent risk in our supply chain because this is a supply chain that is global,” Horlander told the audience at AFCEA’s Intelligence and National Security Summit on Thursday. The panel analyzed the nation’s exposure to China’s interference when acquiring final products and services produced in stages around the world, many going through China.
“The reality is this is really critical right now because our adversaries have stated in their public documents that they're going to take advantage of their points of leverage [in our supply chains] to impact and inflict pain,” said Halimah Najieb-Locke, deputy assistant secretary of defense, Industrial Base Resilience.
China’s influence in global supply chains is compounded by the opacity behind ownership in many of its companies. Some have close links to the Chinese Communist Party despite looking like private entities.
Untangling those connections may be next to impossible, but advanced tools help.
Using data collected from open sources, like which entities share ownership or close trade links, a picture of potential exposure to rival actors can be better understood. That job was taken on by businesses that help mitigate risks.
“Any arbitrary list of suppliers that you're concerned about, and its products of interest, can be fused together in a way that allows understanding,” said Peter Swartz, co-founder and chief science officer, Altana AI.
This helps close the gaps in information, Swartz added.
While tools like these are far from infallible, especially when real actors hide behind structures with several layers, they also add one more layer of safety to a company’s efforts to comply with law and procedure.
Not every single production chain can be brought under the control of the U.S. and allies, so choices have to be made, and semiconductors are one area that has stayed at the center of this discussion.
“What the CHIPS Act does is allows for domestic investment to expand that capacity,” Najieb-Locke said. The CHIPS and Science Act was enacted in August to award federal aid for the construction of microprocessor manufacturing facilities in the United States.
For software, risks are equally diverse, as code may be written by networks of companies and developers as intricate as the goods that go into an electronic product.
“Our requirements for critical software are under Executive Order 14028 for cybersecurity initiatives, making sure that those things that are going into those critical mission systems, those critical things within the government that we've been able to identify, if it's going to be a software node, it's got to meet those critical software standards,” Najieb-Locke said.
And software production chains pose an added difficulty in making sure they are safe. “We understand that even some proprietary software has a lot of open-source software components,” Najieb-Locke explained, suggesting that the process of securing critical supply chains is only just starting and its final impact is yet to be understood in full.