Michael Clauser
Head of Data Policy & Trust
[email protected]
In Washington and other capitals around the world, the term “supply chain security” has become a politely coded way of talking about China. It’s true: China animates almost every topic in supply chain security. Prior year trends, such as tariff and export controls, were motivated as much by Chinese intellectual property theft as by American frustration with its dependence on Chinese supply chains.
Looking forward to 2020, watch for a new focus on supply chain security for software—especially open source software—as much as hardware. Also look out for Europeans to wake-up and take action on supply chain security, while at the same time the Chinese develop their own rules targeting Western “unreliable entities” in the supply chain for Chinese finished goods. Finally, watch for supply chain shifts away from a wealthier and increasingly isolated China toward smaller South and South East Asian countries, like Vietnam, whose success in attracting foreign direct investment may invite the wrath of the US Trade Representative.
Software is the New Hardware
When people think supply chain, they usually think hardware, manufacturing, and goods. Yet there is a robust global software supply chain as well. Much of the software that makes cyberspace work is non-proprietary, open source software. This is poorly understood by policy-makers due to the opacity of software inputs to consumer technology. IT, unlike grocery store food, does not come with a list of ingredients, but such a list is known as a software bill of materials (SBOM).
The Heartbleed cybersecurity attack in 2014 targeted OpenSSL, a widely used bit of open source. Companies could not determine whether, where, and which patched or unpatched version of OpenSSL was hiding in their enterprise tech stack. The concept of the SBOM developed in Heartbleed’s aftermath.
Reactions to the SBOM concept are mixed. Its attractiveness is that it ameliorates concerns over “dude, what’s in my tech?”—even as it excludes propriety code. An SBOM requirement accomplishes this without, “having to look at the passport of every single programmer who touched the code,” as a senior US Commerce Department official put it. As a result, sophisticated Chinese consumer IT product vendors with global product offerings are fully bought in.
Early top-down efforts to mandate SBOM adoption by technology vendors for technology products procured by the US Government were dashed by tech industry lobbyists. Today, SBOM has found a foothold at the National Telecommunications and Information Administration (NTIA), an agency of the US Department of Commerce. SBOM proponents have shifted their strategy from writing adoption mandates into the US Federal Acquisition Regulations to engaging industry verticals with big spend who are exposed to cybersecurity risk, such as the health IT, medical technology, and the financial services sector.
As a result, this year will see CIOs and CISOs at major regulated companies increasingly move to require the inclusion of a SBOM in their major enterprise purchases. All without a single government regulation forcing the action. The idea will also likely infect thinking in Europe or Japan where US tech lobbyists with concerns over SBOM compliance costs and time to market delays are less persuasive.
Europe Discovers New World…of Supply Chain Security
The year 2019 saw the stirring of major EU member states exploring options for domestic supply chain security rules as well as pan-European schemes focused on Xi’s China—instead of Snowden’s United States. While EU-wide supply chain rules were halted by smaller European states with troubled economies and investments by China, the prospect for rules in individual member states is alive, especially Germany, France, and the UK (to the extent the latter remains an EU member state). Germany, specifically, has published rules about the supply chain and cybersecurity standards required for “foreign” (Chinese) companies to access its telecommunications market. Thus, 2020 will see more rules, standards, and regulations emerging from European capitals as they realise the reality of supply chain security threats.
Leaks in the Great Wall
Regardless of how the US-China tariff war ends—if it ends—Western procurement specialists are anxious enough about the creeping costs and political exposure from off-shore manufacturing in China that they have begun seeking options beyond China to source their supply chain. But it’s not just tariffs causing alarm. As China grows wealthier, wages rise and citizens demand better air quality through environmental regulations, which raise the costs of energy inputs in the supply chain.
At the same time, growing Chinese domestic companies—including state owned enterprises—seek protections and competitive advantages. The result is that the Chinese government is less accommodating to foreign investment and prerogatives. Assistant US Attorney General Jon Demers observed that Western companies tire of China’s policy of “rob, replicate, and replace” and are deciding not to manufacture in China. The best example from 2018 was when Fujian Jinhua Integrated Circuit Corporation (FJICC) stole the IP from Micron, the largest US maker of memory chips, to make DRAM memory. Once acquired, FJICC successfully sued Micron in Chinese courts alleging IP theft in order to ban Micron from the Chinese market.
Thus, calculations based on political risk, creeping labour and energy costs, and unmitigated IP theft may lead some companies to source elsewhere in South and Southeast Asia, or even Africa. This year will see US and Western companies increasingly flee China for these other hot, emerging economies.
Vietnamisation
One of these hot, emerging economies is Vietnam—a popular destination for shifting supply chains. This is in no small part due to both supply chain flight out of China, as well as Vietnam’s inclusion in the Trans-Pacific Partnership trade pact. As a result, Vietnam’s urban landscape is transforming. But its streak of success has drawn the ire of the Trump Administration, which has threatened the same “Section 301 Investigations” against Vietnam that they launched against China, precipitating the trade war. US trade aggression will only grow against Vietnam in 2020 and Vietnam will potentially develop a raft of diplomatic concessions to minimise tension.
China: Unreliable Entities
Fresh thinking about offshoring is especially popular with companies that have not already invested billions of dollars in China. The catch is that many Western companies’ source in China not only for the lax labour and environmental standards, but as a political prerequisite to access the larger and increasingly upwardly mobile market of newly middle-class Chinese. Western CEOs are stuck. On one hand, their global marketing chiefs are attracted to the increasingly lucrative Chinese market. While on the other, their corporate compliance and government affairs chiefs warn of the enormous pressures from the US government as multi-million-dollar customers like Huawei and ZTE wind up on export control lists that legally prevent US companies from fulfilling orders. If these Western companies shift their supply chain out of China or refuse to do business with Chinese entities—draining jobs, IP, and revenue—the Chinese Government may not allow companies to access the Chinese domestic market. The mechanism for this is a new blacklist of “Unreliable Entities,” or, Western companies who obey US export control rules and banking sanctions, even to the detriment of their Chinese customers. The list of unreliable entities is not so straight forward and may consist of Western companies facing Chinese domestic competitors with the ear of the Chinese government.
Thus, watch for China to tackle its own “supply chain security” problems in 2020 by targeting US and Western suppliers who have outlived their usefulness to China’s industrial policy objectives.
