‘Just Say No’ Is Not a Strategy for Supply Chain Security

David Forscey, Herb Lin
Wednesday, March 25, 2020, 10:55 AM

Globalization has left Western end-users at least partially dependent on capabilities and services provided by foreign vendors that may not be entirely trustworthy.

Published by The Lawfare Institute in Cooperation With Brookings

Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.


On Feb. 12, White House National Security Adviser Robert O’Brien announced that the U.S. government has “evidence that Huawei has the capability secretly to access sensitive and personal information in systems it maintains and sells around the world.” This is the latest attempt by the Trump administration to support the argument that allied governments—and the businesses they oversee—should purge their telecommunications networks of Huawei equipment. The position reflects the preferred approach in the United States: issue outright bans against select companies (including Huawei) that meet an as-yet-undefined threshold of risk to national security.


Globalized information and communications technology (ICT) supply chains mean that nations generally do not produce ICT systems at scale solely from indigenous sources. It is well known that many “Western” companies are heavily dependent on components originating in non-Western nations. One supply chain risk therefore arises from the possibility that a component—its hardware, firmware or software—is compromised before it is integrated into the final product or service delivered to an end-user customer, at a point where the integrator and the customer have little visibility into it.


This is not to say that components produced indigenously or by partners and allies are necessarily safe—only that the provenance and security of components produced in untrusted foreign nations is more questionable. Regardless, globalization has left Western end-users at least partially dependent on capabilities and services provided by foreign vendors that may not be entirely trustworthy—either because of substandard security engineering or practical obligations to unfriendly governments.


“Just Say No” Is Not a Strategy


The debate over 5G and Chinese vendors illustrates the need for a more sophisticated approach than the United States has employed to date. Washington’s approach—to disparage untrusted Chinese vendors or ban them outright from the U.S. market—has yielded mixed results. Inside the United States, authorities have met with more success, owing to their greater control over efforts to decouple federal technology from foreign suppliers and to pursue rip-and-replace in small, rural networks. When it comes to allied partners, however, the American mission to keep companies like Huawei out of emerging 5G infrastructure boils down to “just say no.” Yet the U.S. does not offer realistic alternative vendors that account for present realities.


This is not a strategy for success.


Outcomes in partner nations such as the United Kingdom and Germany underscore the approach’s primary shortcoming: conflating strategy with tactics. Friendly governments and the businesses they oversee have no desire to be dependent on untrustworthy suppliers, and their decisions should not be taken as a fundamental break with U.S. strategic interests. But for businesses, market realities are an important factor in risk management decisions. European companies have responsibilities to serve their customers and investors based on conditions today, and fiduciary duties of all private-sector for-profit companies compel them to favor (if not necessarily choose) the lowest cost vendors for comparable products and services.


In the case of 5G telecommunications networks, European operators long ago installed Huawei products throughout their now-legacy 3G and 4G networks. Crucially, because these operators plan to deploy 5G capabilities on top of their legacy networks—early “non-standalone” 5G anchors new 5G radios to the existing 4G core and radio sites, and mixing vendors at that anchor point is rarely supported in practice—sticking with Huawei comes with enormous cost advantages. Opting out of Huawei entirely would mean ripping out and replacing Huawei components in existing 4G networks as well. The overall costs are unmanageable for European operators, many of which are much smaller than the four (soon to be three) American giants (Verizon, AT&T, Sprint and T-Mobile). British Telecom has estimated that the U.K. decision to place limits on the acquisition of Huawei equipment would cost it half a billion pounds, including the need to replace some Huawei 4G components already in its infrastructure and to turn to more expensive alternatives for 5G products. The Trump administration’s admonishments cannot override the ground truth: European 5G operators will not incur massive costs to eliminate only one source of risk.


Toward a More Strategic Approach


The current American approach is shortsighted. A myopic focus on the China problem and 5G will not solve the broader challenges at play; the national security imperatives of cybersecurity, and the vulnerabilities generated by international supply chains, will persist regardless of how the debate over Huawei and 5G plays out. A proactive U.S. strategy must look beyond the immediate issues to consider risks in critical technology sectors more broadly and to formulate partnerships that ensure the U.S. and partner nations have meaningful alternatives to untrusted vendors.


What would be the key characteristics of such a strategy? First and foremost, it should be designed around the clear goal of making it easy for any operator of critical infrastructure—whether in the United States or an allied partner—to reject a bid from an untrusted supplier. The objective is to foster a collaborative relationship between governments and industry to reduce national security liabilities created by excessive dependence on untrusted suppliers.


Tying the strategy narrowly to national security risks is important for several reasons. Most important, it addresses a real and substantial national security concern for the United States and partner nations. Politically, a focus on national security maximizes chances for success during a time of rising bipartisan concerns about market dominance by companies like Huawei. Internationally, a genuinely risk-based plan would involve collaborative efforts with industries in allied nations, offering a clear rebuttal to claims that the United States is simply pursuing anti-competitive behavior by another name.


Second, this strategy must be proactive. China’s near-dominant position in certain parts of the 5G hardware market illustrates how a supply chain dependency can emerge as a systemic risk only gradually, without any acute moment that focuses the attention of business and government leadership. A strategy to mitigate systemic ICT risks must identify possible critical technology dependencies years in advance, providing adequate time for government leaders to communicate their concerns to industry, to implement a multistakeholder process to identify indigenous or allied capability gaps, and to take appropriate actions to reduce risk. Early planning and execution will be especially important in areas where there is a first-mover advantage, such as future wireless communications technologies.


Third, a strategy must be collaborative. A national strategy must marry U.S. government authorities, capabilities and support with the technical know-how and execution prowess of industry. Most important, the partnership must encompass and embrace governments and industries in partner nations. Government is arguably in the best position to assess national security risks, but assessing those risks demands a clear understanding of technological trends that are determined primarily by private-sector investment and academic research. Developing a sustainable source of alternatives to untrusted components or services will likely require significant effort from the private sector. Yet in some cases the market alone will not solve the problem—as the 5G context has shown. For that reason, government investment may be essential in some cases.


These three characteristics suggest that a 21st century version of industrial policy focused on national security may be an appropriate response to an increasingly untenable situation. If successful, such a policy would give those wanting to say no to untrusted suppliers a viable alternative.


Possible Lines of Effort


With these strategic principles outlined, what would it mean in practice? Several models may be worth consideration for their potential to diversify the market for critical ICT components.


Sematech 2.0


During the 1980s, Japanese semiconductor manufacturers rapidly expanded market share, spooking competitors in the United States and alarming U.S. officials who understood the critical role of computer processors in exercising national power. In response, U.S. chipmakers teamed up with the Defense Advanced Research Projects Agency (DARPA) to establish a cross-industry consortium named Sematech. Armed with roughly $100 million a year in federal funding channeled through DARPA, matched by the member companies, Sematech plowed resources into intensive research and development efforts, allowing U.S. industry to leapfrog its Japanese competitors. Sematech’s success inspired a copycat program at the Department of Energy to drive down the cost of solar energy generation. Leveraging the Huawei imbroglio as a wake-up call, the Trump administration could similarly convene U.S. manufacturers to reestablish a lead in those sectors of networking equipment where they have fallen behind.


More NSTACs


The critical infrastructure space is littered with organizations that try to identify and communicate cybersecurity risks, but many of these bodies are focused on the areas that leaders already recognize as high priority—for example, telecommunications, banking, energy and the “Section 9” entities designated under Executive Order 13636 as critical infrastructure whose compromise could have catastrophic consequences. But systemic risks can arise from narrow supply chain vulnerabilities that reside in sectors the government overlooks. New governance structures are needed to institutionalize a more sustained, high-level, risk-based dialogue in sectors that we might write off today as tangential to national security but that, given time and innovation, may become central to controlling systemic risk.


Closing the Cost Gap


For various reasons, including Chinese government subsidies, Huawei competes effectively on cost and service. For some European operators making risk-based business decisions, cost considerations can be dispositive. Attorney General William Barr recently floated the notion of the U.S. government taking a stake in Nokia or Ericsson—5G manufacturers that the U.S. government deems less risky than Huawei. A less dramatic approach would be to offset some of the cost difference between Huawei products and those sold in Europe by Nokia or Ericsson. Underwriting the cost differential to encourage purchases from non-U.S.-based companies would be more resilient to the criticism that the United States was simply borrowing the interventionist practices it regularly attacks. (Putting money behind one’s words offers a credibility not conveyed by the sincerest of speeches or tweets.) This model would not technically be proactive, nor would it expand vendor diversity, but it offers another potential way to make it easier to “just say no.”


Conclusion


Our views on a modern, security-centric industrial policy to avoid systemic risks posed by ICT dependencies are shaped by what we hope is an unassailable premise—the national security needs of Western nations are not well served by the lack of serious Western competitors to Chinese companies in critical areas such as telecommunications.


Subsequent analysis may indicate that one of these models, an altogether different one, or some combination of models is a feasible and reasonable policy option. Such analysis should not begin with the ideological stance that government intervention in the market is inherently wrong or inappropriate. Indeed, it is just this stance that has brought the United States—once the telecommunications envy of the world—to the point where it must plead with skeptical allies to refrain from buying Chinese telecommunications equipment.


Once policymakers choose an appropriate model, a question of implementation will remain. For example, it is likely that the Cyberspace Solarium Commission will address some of the issues described in this note by recommending the use of existing authorities under the Defense Production Act. In the long run, a strategic response to the challenges described in this post will likely require both new authorizing legislation and ongoing appropriations to address them at a meaningful scale.


The free market alone cannot address national security risks, especially considering that foreign domination even in relatively small product categories, to say nothing of large industries, can generate systemic risks. We believe that the United States should be unafraid of promoting economic competition using the entire array of possible policy tools at its disposal—even if it involves using a dirty term like “industrial policy.”


David Forscey is Managing Director for Aspen Digital’s cyber & technology programming at the Aspen Institute. Previously he worked in the Resource Center for State Cybersecurity at the National Governors Association and as National Security Fellow at Third Way. He graduated from Georgetown University Law Center in 2015 and earned his undergraduate degree from the University of Virginia in 2011.
Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.
