US' IT supply chain vulnerable to Chinese, Russian threats
© Getty Images

Security and resilience of information technology (IT) supply chains have been essential problems for the United States from the inception of the industry. Up to the 1980s, there were two distinct industrial bases for microelectronics: defense vs. civilian.

Defense electronics need to survive (or at least be able to recover) from nuclear war effects like electromagnetic pulses (EMP). Civilian systems, on the other hand, are either not concerned or only partially protected. Both sectors benefited from extensive research and development (R&D) support by the U.S. government.

ADVERTISEMENT

From the 1980s onward, civilian R&D in semiconductors took off and ultimately exceeded government-funded R&D. The civilian IT sector benefited from efforts by the George W. Bush administration to open markets and ensure fair trade and protection of intellectual property by competitors in Japan and the East Asian newly industrialized economies (NIEs), many of which historically employed subsidies and weak intellectual property (IP) laws to gain market share against U.S. firms. Government support of IT has been and continues to be part and parcel of the success of both civilian and military industries.

 

When the cold war ended with the collapse of the USSR and nuclear war became a remote possibility, the Department of Defense (DoD) under Secretary William Perry moved to adopt for military applications civilian electronics that had, in the meantime, leapfrogged defense electronics by decades (Perry Memo: 1994). This resulted in the merger of two industrial bases with few exceptions.

Today, over 95 percent of all electronics components and IT systems are civilian. The supply chain for civilian IT is a global enterprise that is now dominated by suppliers in East Asia with many operations in the People’s Republic of China (PRC). Whereas East Asia’s participation in the IT supply chain was mostly commodity, low-end activities up until the 1990s, today, firms in Japan, Taiwan, South Korea, etc. have developed capabilities that are in many areas, world class.

Many manufacturing facilities have, in turn, been transferred to the PRC, which now assembles most of the world’s consumer and commercial electronics devices and produce parts like flash memory in state-of-the-art facilities. In terms of industrial capacity for IT, the PRC dominates the world in volume.

Participation or domination of the IT supply chain by nominal allies like Japan, Taiwan, South Korea, Singapore, etc. is one matter. The PRC’s participation, on the other hand, raises major concerns, as they are not an ally now or in the foreseeable future. It is a regime that institutionalizes the leading role of the communist party presiding over a non-market economy with aspirations to displace the U.S. as the leading economic power.

PRC entities (both state and private) routinely engage in theft of IP,  industrial / economic espionage and unfair trade practices. China is a peer competitor that has repeatedly made clear its rejection of the rules-based international order, even as it takes full advantage of the rules when they are in in its favor. Both the administration and Congress now recognize China as both an economic and military threat — a Soviet Union on steroids.

Existing laws, regulations and rules to protect the U.S. government IT supply chain, like the Federal Information Technology Acquisition Reform Act (FITARA) and implementation guidance M-15-14; the Cyber Supply Chain Risk Management (C-SCRM) program outlined in Supply Chain Risk Management Practices for Federal Information Systems and Organization and the NIST (SP) 800-161 are regimes architected to protect the IT supply chain with the assumption of a global suppliers network without the complications of national rivalry.

DoD and other agencies' special protections extend only to a very small portion of the overall IT supply chain. The validity of these assumptions behind the U.S. IT supply chain protection regime are questionable with the rise of Russia and PRC and potential for conflict, including nuclear attacks on the U.S. homeland. Likewise, conventional high-intensity conflicts will severely stress the IT supply chain worldwide under the existing regime.

Conflict in East Asia that did not involving an actual outbreak of armed clashes or attacks on U.S. allies can still disrupt the global IT supply chain and the U.S. government IT supply chain in particular by embargos, sanctions, rationing, or other disruptions unilaterally imposed by belligerents or by U.S. allies that elect to be neutral.

Disruptions of IT supply chains from East Asia will have substantial impacts not only on the U.S. civilian economy, but also on the ability of the U.S. to rapidly field new military capabilities and to ramp up war production. These eventualities and scenarios need to be considered and contingency plans put in place. In order to do so, existing laws and regulations need to be updated to reflect the politico-strategic environment as it is today and not as imagined by the liberal economic order of the late 20th Century.

Danny Lam, Ph.D., is a research associate and on the faculty of engineering at University of Waterloo, Canada. David Jimenez is president and CEO of Wright Williams & Kelly, Inc., the largest privately-held operational cost management software and consulting services company.


The views expressed by contributors are their own and not the views of The Hill.