
Confluence of thinking on Chinese outsourcing and supply chain risks from DSB and USCC


Rather than selling US securities, consider China restricting microchip supplies to the west at a critical juncture (which would hit Taiwan, the current global producer of electronic componentry). This is no more implausible than Russia restricting energy flows to the Ukraine which despite the repercussions remains a viable distress option. (Think of combining securities with chips.)

Consider a foreign nation-state or its proxy embedding malicious code somewhere in a software developer's global outsourcing tier. (If bugs get in, certainly purpose-crafted malicious code can get in.) The state actor can be camouflaged by the nationality and location of its proxy.

Think of the implications of the Defense Department "inadvertently outsourcing the manufacturing of key weapons and military equipment to factories in China."

These are but three implications of the confluence of thinking from the Defense Science Board (DSB) and the U.S.-China Economic and Security Review Commission (USCC). With its transient task forces drawn from a wide range of industry and commerce, the DSB is as contemplative and low-key as the bipartisan congressional USCC can be public and hawkish.

U.S.-China Economic and Security Review Commission (USCC)

As I consider the DoD to be a harbinger of threats to private industry, I find the concerns of DSB and USCC to have industry-wide significance in both the US and the EU. All the better that this fifth USCC report has shed its historic "harsh rhetoric" in favor of "more objective and supported cooperative efforts" that secured the "unanimous support" of its twelve Democratic and Republican commissioners. Its output defined realistic risks and offered useful responses, starting with industrial consolidation that amounts to a new autarky on the part of the Chinese:

China's consolidation of its state-owned enterprises (SOEs) is guided by a new policy announced in December 2006. The State-Owned Assets Supervision and Administration Commission (SASAC) and China's State Council identified seven strategic industries in which the state must maintain "absolute control through state-owned enterprises," and five heavyweight industries in which the state will remain heavily involved. The strategic industries are armaments, power generation and distribution, oil and petrochemicals, telecommunications, coal, civil aviation, and shipping. The heavyweights are machinery; automobiles; information technology; construction; and iron, steel, and non-ferrous metals. It is estimated that forty to fifty of SASAC's 155 central SOEs fall in the strategic category and account for 75 percent of SASAC's total assets...

The Commission is disappointed that Beijing's efforts to move in the direction of a market economy appear to be slackening. In particular, the government's decision to retain state ownership or control of a large block of the economy is disappointing. In accord with its 11th Five-Year Plan, China has designated a dozen industries, including telecommunications, civil aviation, and information technology, as "heavyweight" or "pillar" industries over which it intends for government to retain control. In addition, 155 of China's largest corporations remain state-owned, including nearly all the nation's largest banks. Much of the economy remains under the Chinese government's strict control. Beijing's provision of subsidies to its pillar industries may damage competitors in other countries - including the United States where companies do not receive such subsidies...

It is precisely these "pillar" and "heavyweight" industries that China will protect to the point of excluding foreign firms. I offered this guidance in an October 2007 advisory but its theme could have been plucked from far earlier work:

China has repeatedly used standards and administrative edicts to hold competitors at bay until Chinese products were in the market, often at established levels that minimized success of any foreign competitor. One that comes to mind is the 'technical issues' barring Blackberries for well over a year until Chinese products were in the market. China has a not so thinly veiled plan to harvest foreign tech, producing indigenous standards which bar foreign standards BUT let Chinese standards compliant products work overseas, i.e., the PRC wants to completely invert all royalty payments while achieving the price volume curves of a global product... I am not the only one to have [observed] that this standards practice is a strategic weapon.

In private - as in group dinner conversations - senior Chinese individuals have specifically stated that US/EU automotive OEMs will be driven out by use of standards, tariffs and administrative rulings. [Personal email advisory]

The USCC is specific with regards to Chinese predation on US Intellectual Property (IP):

[China] enlists engineers and scientists to obtain valuable information from foreign sources "by whatever means possible - including theft."

Additionally, industrial espionage provides Chinese companies an added source of new technology without the necessity of investing time or money to perform research. Chinese espionage in the United States, which now comprises the single greatest threat to U.S. technology, is straining the U.S. counterintelligence establishment.

China still is not enforcing its own laws against intellectual property theft.

Of the USCC Commission's 42 recommendations to Congress, ten were seen to be "of particular significance." Of those ten, numbers 2, 3 and 7 are specific to supply chain and IP risk and affect all industrial segments, commercial and defense:

  • Determining the country of origin of U.S. weapon systems components: The Commission recommends that Congress require the Department of Defense to prepare a complete list of the country of origin of each component in every U.S. weapon system to the bottom tier.
  • Ensuring adequate support for U.S. export control enforcement and counterintelligence efforts: In order to slow or stop the outflow of protected U.S. technologies and manufacturing expertise to China, the Commission recommends that Congress assess the adequacy of and, if needed, provide additional funding for U.S. export control enforcement and counterintelligence efforts, specifically those tasked with detecting and preventing illicit technology transfers to China and Chinese state-sponsored industrial espionage operations.
  • Assessing potential Chinese military applications of R&D conducted in China by U.S. companies: The Commission recommends that Congress direct the U.S. Department of Defense to evaluate, and, in its Annual Report to Congress on the Military Power of the People's Republic of China, to report on, potential Chinese military applications of R&D conducted in China by U.S. companies.

The specifics are laid out in the Commission's comprehensive recommendations:

The Impact of Trade with China on the U.S. Defense Industrial Base
8. The Commission recommends that Congress require the Department of Defense to prepare a complete list of the country of origin of each component in every U.S. weapon system to the bottom tier...

China's Military Modernization
12. In order to slow or stop the outflow of protected U.S. technologies and manufacturing expertise to China, the Commission recommends that Congress assess the adequacy of and, if needed, provide additional funding for U.S. export control enforcement and counterintelligence efforts, specifically those tasked with detecting and preventing illicit technology transfers to China and Chinese state-sponsored industrial espionage operations...

China's Science and Technology Activities and Accomplishments
20. The Commission recommends that Congress direct the U.S. Department of Commerce to report periodically on the general R&D expenditures of U.S. companies in China, based on protected business proprietary data the Department currently collects.
21. The Commission recommends that Congress direct the U.S. Department of Defense to evaluate, and, in its Annual Report to Congress on the Military Power of the People's Republic of China, to report on, potential Chinese military applications of R&D conducted in China by U.S. companies...

Defense Science Board (DSB)

It would appear that the USCC's 2007 report has been informed by the DSB's work in the 2005-2007 period, notably in the areas of firmware/microelectronics and software outsourcing and tiered manufacturing (encompassing both the buy side and the make side).

By 2005 DSB noted that the US defense side was disturbed by offshoring or "alienation" of critical supply chains, notably for microelectronics:

Pressure on U.S. IC suppliers for high return on invested capital has compelled them to outsource capital intensive manufacturing operations. Thus, the past decade has seen an accelerating trend toward vertical disaggregation in the semiconductor business. Companies whose manufacturing operations once encompassed the full range of integrated circuit activities from product definition to design and process development, to mask-making and chip fabrication, to assembly and final test and customer support, even materials and production equipment, are contracting out nearly all these essential activities...

One unintended result of this otherwise sound industry change is the relocation of critical microelectronics manufacturing capabilities from the United States to countries with lower cost capital and operating environments. Trustworthiness and supply assurance for components used in critical military and infrastructure applications are casualties of this migration. Further, while not the focus of this study per se, the U.S. national technological leadership may be increasingly challenged by these changing industry dynamics; this poses long term national economic security concerns.

[For] DOD's strategy of information superiority to remain viable, the Department requires:

    • Trusted and assured supplies of integrated circuit (IC) components.
    • A continued stream of exponential improvements in the processing capacity of microchips and new approaches to extracting military value from information.

Trustworthiness of custom and commercial systems that support military operations - and the advances in microchip technology underlying our information superiority - however has been jeopardized. Trustworthiness includes confidence that classified or mission critical information contained in chip designs is not compromised, reliability is not degraded or unintended design elements inserted in chips as a result of design or fabrication in conditions open to adversary agents. Trust cannot be added to integrated circuits after fabrication; electrical testing and reverse engineering cannot be relied upon to detect undesired alterations in military integrated circuits. [Emphasis in original]

The opportunities for adversarial intervention are great:

Finding: Because of the U.S. military dependence on advanced technologies whose fabrication is progressively more offshore, opportunities for adversaries to clandestinely manipulate technology used in U.S. critical microelectronics applications are enormous and increasing. In general, sophisticated, clandestine services develop opportunities to gain close access to a target technology throughout its lifetime, not just at inception.

If real and potential adversaries' ability to subvert U.S. microelectronics components is not reversed or technically mitigated, our adversaries will gain enormous asymmetric advantages that could possibly put U.S. force projection at risk. In the end, the U.S. strategy must be one of risk management, not risk avoidance. Even if risk avoidance were possible, it would be prohibitively costly.

By 2007 DSB observed that the US defense side had focused on microelectronics' mating factor, software design, in its concern over "alienation" of critical supply chains, but with a difference. Software and firmware are not parallel "because the microchip fabrication business requires increasingly large capital formation - a considerable barrier to entry by a lesser nation-state. Software development and production, by contrast, has a low investment threshold. It requires only talented people, who increasingly are found outside the United States." (ICG has had a sustained interest in the supply chain risks and diversion of embedded software within weapons systems. See my 2005 "Israel as serial violator, temporarily the chicken killed to scare the monkeys."):

The task force on microchip supply identified two areas of risk in the off-shoring of fabrication facilities - that the U.S. could be denied access to the supply of chips and that there could be malicious modifications in these chips. Because software is so easily reproduced, the former risk is small. The latter risk of "malware," however, is serious. It is this risk that is discussed at length in this report.

Software that the Defense Department acquires has been loosely categorized as:

  • Commodity products - referred to as "commercial-off-the-shelf" (COTS) software;
  • General software developed by or for the U.S. Government - referred to as "Government-off-the-shelf" (GOTS) software; and
  • Custom software - generally created for unique defense applications.

The U.S. Government is obviously attracted by the first, COTS. It is produced for and sold in a highly competitive marketplace, and its development costs are amortized across a large base of consumers. Its functionality continually expands in response to competitive market demands. It is [a] bargain, but it is also most likely to be produced offshore, and so presents the greater threat of malicious modification.

There are two distinct kinds of vulnerabilities in software. The first is the common "bug," an unintentional defect or weakness in the code that opens the door for opportunistic exploitation. [DoD] shares these defects with all users. However, certain users are "high value targets" such as the financial sector and the Department of Defense. These high-value targets attract the "high-end" attackers. Moreover, the DoD also may be presumed to attract the most skilled and best financed attackers - a nation-state adversary or its proxy. These high-end attackers will not be content to exploit opportunistic vulnerabilities which might be fixed and therefore unavailable at a critical juncture. Furthermore, they may seek to implant vulnerability for later exploitation.

DSB reports are recommended reading because, as noted above, DoD assets are the 'canary in the coal mine' for the larger set of commercial assets in the US and abroad. (Even when the subject topic seems far afield, the underlying technology discussions have surprising relevance.) Where DoD threats are now, the commercial sector will soon follow. The latest USCC report shows that defense and commercial risks have now substantially intersected.

The full 2007 USCC report is to be released next week. In preparation, I suggest:

ICG's Intellectual Property (IP) Protection Abstracts, September 2006 to June 2007
ICG's Intellectual Property (IP) Protection Abstracts, April 2004 to July 2006

 

U.S. - CHINA COMMISSION CITES SOME PROGRESS YET SOME TROUBLING TRENDS FOR U.S. ECONOMIC AND NATIONAL SECURITY INTERESTS
Press Release
USCC
November 15, 2007

USCC 2007 Report segments, available online 17 November:
2007 Report to Congress Intro
2007 Report to Congress Executive Summary
The Commission's Recommendations

Panel: China's Spying Poses Threat to U.S. Tech Secrets
By David Cho and Ariana Eunjung Cha
Washington Post
November 15, 2007; 11:57 AM

Chinese Spying No. 1 Threat To U.S. Manufacturing
By Foster Klug, Associated Press Writer
Manufacturing.Net - November 15, 2007

National Security and the PC
Posted by Paul Murphy @ 12:18 am
ZDNet
November 14, 2007

Are Foreigners Ruining DOD Software?
Posted by Catherine MacRae Hockmuth
Ares/Aviation Week
10/30/2007 4:02 PM

Building Trustworthy Circuits
Posted by Catherine MacRae Hockmuth
Ares/Aviation Week
10/29/2007 12:48 PM

Report of the Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD Software
Defense Science Board (DSB)
September 2007

Statement of Senator Carl Levin before the U.S.-China Economic and Security Review Commission Hearing on The U.S. China Relationship
Contact: Press Office
Phone: 202.228.3685
February 1, 2007

Satellite surprise highlights U.S.-China gap: official
Reuters
February 1, 2007; 3:12 PM

Russia Bargains for Bigger Stake in West's Energy
By STEVEN R. WEISMAN
New York Times
June 12, 2006

Gas Halt May Produce Big Ripples in European Policy
By MARK LANDLER
New York Times
January 4, 2006

Defense Science Board Task Force On HIGH PERFORMANCE MICROCHIP SUPPLY
Defense Science Board (DSB)
Office of the Under Secretary of Defense For Acquisition, Technology, and Logistics
February 2005

Gordon Housworth


