Cybersecurity & Tech

What the Biden Administration Gets Right and Wrong on ICT in the New Supply Chain Executive Order

Robert Morgus, John Costello
Thursday, March 18, 2021, 10:41 AM

On Feb. 24, President Biden signed an executive order titled “America’s Supply Chains,” outlining a process for the United States to identify and mitigate the risks and challenges it faces in a series of critical supply chains, including that of information and communications technology (ICT).

President Biden takes notes during a meeting in the White House Situation Room. (White House Photo by Adam Schultz)

Published by The Lawfare Institute
in Cooperation With
Brookings

On Feb. 24, President Biden signed an executive order titled “America’s Supply Chains,” outlining a process for the United States to identify and mitigate the risks and challenges it faces in a series of critical supply chains, including that of information and communications technology (ICT). The Cyberspace Solarium Commission, on which we are staff, was asked by Congress in late 2020 to undergo a similar process and propose a strategy and recommendations to secure America’s ICT supply chains. While the Biden administration’s order is a step in the right direction and largely conforms to the approach proposed by the commission, it misses discussions of several key issues raised in the commission’s white paper on the topic. The order differs primarily in scope: While the commission focused explicitly on information and communications technology, the Biden order outlines four different supply chains of interest, including ICT but also batteries, rare earth elements and critical materials, and pharmaceuticals.

Despite the differences in scope, the similarities between the commission’s proposed approach and the Biden order are striking. The commission’s white paper highlights the disjointed approach the U.S. government has taken to addressing ICT supply chain challenges, with inefficient efforts spread across myriad departments and agencies and inconsistent collaborations with the private sector. This order signals that the Biden administration intends to coalesce around a unified strategy. However, the order repeats a critical mistake made by past administrations: It does not clearly delineate a lead department or agency for supply chain efforts around ICT and semiconductors. The order gives both the Department of Homeland Security and the Department of Commerce split responsibility over ICT, among numerous other sectors. The Department of Commerce not only should serve as the lead agency for ICT and semiconductors but also, moving forward, should be the center of any strategy to ensure security and integrity of ICT supply chains—as it holds the authorities to both shape exports and mitigate risk in the domestic market.

The Commerce Department’s lead on ICT supply chain efforts is complemented by its existing authorities under Executive Order 13873, titled “Securing the Information and Communications Technology and Services Supply Chain,” and the subsequent rule. Executive Order 13873 gives the secretary of commerce wide latitude in prohibiting equipment or services if they pose an undue or unacceptable risk to the national security of the United States. This rule, similar to the process under the Committee for Foreign Investment in the United States (CFIUS), also empowers the secretary to enter into negotiated “national security agreements” with companies, allowing their products or services into the U.S. market under certain conditions. These requirements generally include additional security measures to mitigate particular risks identified in the course of review. The Biden administration has demonstrated that it will enforce the interim final rule for Executive Order 13873 from the Trump administration.

When Executive Order 13873 was issued on May 15, 2019, it joined a panoply of ongoing, interrelated supply chain and economic security efforts within the U.S. government, including the Federal Acquisition Security Council, the CFIUS and the (currently suspended) executive order on the U.S. bulk-power system. Yet the Biden administration’s new supply chain executive order does not mention any sort of coordination mechanism whereby these efforts can be deconflicted. Nor does it establish common risk frameworks or converge on a set of mitigation options for common risks the programs identify in their reviews. The Biden executive order directs the national security adviser and national economic adviser to coordinate on supply chain efforts, but it fails to mention or prescribe a precise mechanism for doing so. The White House should consider adopting a model similar to the Obama-era Presidential Policy Directive 41—which instituted the Cyber Response Group to share information and coordinate efforts among federal departments and agencies in cybersecurity—to bring coherence and synergy among its various supply chain efforts. This will be critical if the new administration intends to both implement and coordinate a truly unified strategy in the coming months and years.

One area where the Biden order is particularly strong, however, is in the clearer process and set of criteria it lays out for understanding the nature of the supply chain challenge facing the United States in some of its critical technologies. The order includes reviewing areas where “exclusive or dominant supply of critical goods and materials and other essential goods and materials by or through nations that are, or are likely to become, unfriendly or unstable” and “the location of key manufacturing and production assets,” with an eye toward assessing any risk posed by the “assets’ physical location.” These fact-finding missions are crucial in defining the current state of U.S. supply chains, and the executive order is right to highlight not only the importance of understanding critical materials and intermediate goods but also the manufacturing capabilities and the ability of the U.S. manufacturing base to modernize to meet future needs.

The order is light on details for how to improve things beyond fact finding. This is understandable, as the administration will want to gather facts before charting a course. However, as the commission’s white paper highlights, there are several actions that the administration can take now, in parallel with the assessments called for in the executive order. For example, the private sector will play an important role in securing supply chains, and in some cases, the intelligence community could furnish key players in the private sector with much needed information about ongoing adversary operations to help the private sector mitigate certain supply chain risks. As such, the commission’s white paper proposed the designation of a National Supply Chain Intelligence Center to integrate supply chain intelligence efforts across the federal government with those of private partners and to serve as the central, shared knowledge resource for threats to supply chain activities or supply chain integrity. As a part of this process, the Biden administration should conduct a review of existing intelligence authorities for departments and agencies and assess whether to grant Title 50 intelligence authorities to any departments and agencies currently lacking them, including the Department of Commerce.

Second, the Biden administration should start devising a plan to pay for the much-needed reinvigoration of American high-tech manufacturing, particularly in semiconductor fabrication. Semiconductor fabrication plants can cost up to $20 billion to build. The magnitude of the financial and personnel investment needed to make the United States, its allies and private-sector partners competitive in global high-tech manufacturing is staggering. The investment required to reinvigorate cutting-edge manufacturing at scale will likely cost upward of $100 billion and may outstrip what Congress will be willing to spend in taxpayer dollars to subsidize private industry. The Biden administration must therefore consider ways to unlock latent private capital and point it toward strategic investment areas in the United States and with partners. The commission’s white paper proposed the creation of a National Security Investment Corporation, or some such entity, to serve as a clearinghouse, connecting interested institutional investors to strategically important investment opportunities and providing government backing through loan guarantees and other tools. The Biden administration must also consider the creation of foreign trade zones and tax incentives to drive down costs for American producers of critical technologies.

Finally, in the immediate term, the Biden administration must consider ways to ensure the global competitiveness of American and partner companies in the face of anti-competitive behavior from Chinese state-owned and state-backed enterprises. The U.S. government must assess whether American development and trade institutions—including the U.S. Agency for International Development, the U.S. Trade and Development Agency, the Export-Import Bank of the United States, and the U.S. International Development Finance Corporation—possess the needed authorities and capabilities to support U.S. and—crucially—partner companies in global markets.


Robert Morgus is a senior director for the Cyberspace Solarium Commission. At the commission, Morgus has led the development of the ecosystem pillar of the commission’s final report as well as the “Pandemic White Paper,” the “Supply Chain White Paper,” and the “Transition Book for the Incoming Biden Administration.” Previously, he helped build New America’s Cybersecurity Initiative, where he headed the organization’s international cyber policy work.
John Costello is an adjunct senior fellow at the Center for a New American Security and an adjunct professor at the University of Maryland School of Public Policy. Previously, he served as senior director and lead, Task Force Two for the Cyberspace Solarium Commission and as deputy assistant secretary of commerce for intelligence and security.

Subscribe to Lawfare