
ICG Risk Blog - [ Intellectual Property Theft Public ]

Israel was planting malicious chips in US assets before China


Reporting on the FBI investigation of Chinese counterfeit, some possibly malicious, electronics has made no mention that Israel had embedded malicious chips in nothing less than the White House phone system by 2000. Outside of members of the intelligence community and attentive technical readers of the period, this will come as a surprise, possibly coupled with the erroneous assumption of anti-Israeli bias, to many readers.

Nothing in open source then or since has convinced me that the US telecommunications network is either secure or immune to further interruption or breach. Whereas SCADA control networks, primarily for power grid generation, transmission and distribution applications (genco, transco, disco), and recently fiber optic networks have been identified as vulnerable to attack, little has been made publicly of telco vulnerability until the China Cisco counterfeits. The vulnerability of the US/EU telco network to a variety of state and nonstate actors is so great that it should be ranked adjacent to the vulnerabilities of our SCADA networks, for all applications, and fiber optic networks. See:

Telco supply chain analysis has again been reduced to function at lowest cost with the assumption of low risk. All tier providers from whatever state actor need to be examined and risk assessed in the design, fabrication, installation and maintenance phases. See Foreign vulnerability inherent in US globalization of its commercial and defense supply chains, 5/6/2008.

Israel as independent actor, often counter to US interests, not unlike China

From Palmerston, interests, and forms of governance, 5/22/2004:

Israel pursues an independent diplomatic policy at odds with US interests. Israel is a modest cooperative partner in the US war against terrorism. Just as the Russians, the Pakistanis, the Chinese and others did in the post 11 September period, Israel immediately offered the US data that painted their parochial adversaries as the architect or participant of the air liner assault so that we might attack them. Each country offers or withholds information so as to advance its national interests, and attempts to influence where it cannot command. Israel is no exception and I think that it applies Palmerston better than the US.

Israel ran Jonathan Pollard, a US Navy civilian analyst, as a spy to enormous and ongoing harm to the US. Israel not only used that information to US disservice but further went on to sell or broker that information to the Russians and the Chinese, perhaps others. The impact on the US is still being felt to this day and none of the attempts of his apologist spouse, Esther, will wipe that away. The effects of Pollard's espionage are so great that Director CIA threatened to resign if Clinton pardoned Pollard. (If a US national has strong loyalties, be it religious, tribal, cultural or geographic, that work to the detriment of US interests, then I am also at odds with them.)

Israel is not a devoted friend of the US and it has nothing to do with religion or its democratic governance. (We forget that France was the principal post-partition mentor of Israel before the US.) It is a nation state acting in its best interests, some of which correspond to our own...

Yes, there are tactical interests between the US and Israel. Examples being the identification of certain Palestinian assets to the Israelis... I was in some briefings by Israeli officers in which they used a metaphor that I think circulates within the IDF, as others have heard it, that Israel is like the man atop a burning building that can neither put out the fire nor get down off the building. All actions are conducted within that narrow range of options.

Commentary follows on related Israeli collection efforts and how those events receded from the public consciousness. The note on sources for a series on the interaction of AIPAC, American Jews, the State of Israel and the Christian Right also applies here.

Recognition of intel collection events obscured by fog facts

Larry Beinhart, author of American Hero [snippets here] filmed as Wag the Dog, describes "fog facts" as an overlooked class of information that becomes increasingly obscure with the passage of time. (This analyst would add lack of simple search tool access by scrolling off of the original source, lack of mirroring or mirroring at sites that have an otherwise offensive character, original foreign or foreign language sources, or pre-2004 topical information before the advent of the web that is still less well captured than post-2004 data.):

Fog facts are things that have been reported, somewhere, sometime, but have disappeared into the mist - like the pre-9/11 hints that there were hijackers in our midst. The fog facts can still be found by enterprising reporters, but with time and news space increasingly crunched - and media priorities shifting to the trivial - they usually remain obscure, at least to the general public.

Diplomatic "dead air," from both the embarrassed target and successful collector, combined with dissuasion of national reporting creates fog facts in record time. In the case of Israel, two events have persisted in the public consciousness, out of the fog bank: the Jonathan Pollard and USS Liberty affairs. Almost all other Israeli intel collection efforts against the US have receded into fog facts as if they never existed.

Espionage at the pinnacle of impunity

Consider Bush43 standing before the State Duma (lower house) or the Federation Council (upper house) of the Russian Federation or the PRC's National People's Congress (NPC) or Central Committee of the CCP and making the equivalent declaration:

I have been fortunate to see the character of Israel up close. I have touched the Western Wall, seen the sun reflected in the Sea of Galilee, I have prayed at Yad Vashem. And earlier today, I visited Masada, an inspiring monument to courage and sacrifice. At this historic site, Israeli soldiers swear an oath: "Masada shall never fall again." Citizens of Israel: Masada shall never fall again, and America will be at your side.

Given the level of espionage directed against the US by the State of Israel, the comparison is pointedly appropriate.

 

Israel's espionage efforts against the US, despite Israeli diplomatic statements to the contrary, are long standing, and all too effective. From Who's on the National Security Threat List and why?, 4/27/2004:

The 2000 Annual Report to Congress on Foreign Economic Collection and Industrial Espionage uncloaked to identify six greatest offenders as China, Japan, Israel, France, Korea, Taiwan, and India. I surmise the temporary Russian absence was due to the disruption from the breakup of the former Soviet Union. Taiwan was greatly exercised by being publicly placed among 13 nations designated as a threat to US national security, "including Russia, China, North Korea"... Who doesn't get publicized on the list are our closest allies such as the UK, (then West) Germany, the Netherlands, Belgium, and Canada.

Commercial enterprises and individuals account for the bulk of international industrial espionage activity, roughly three times the percentage due to foreign government-sponsored efforts.  Even developing countries pose a threat as their intel agencies profited from training provided by the USSR, DDR (East Germany), Czechoslovakia, Bulgaria, and even the US and so have created a "reservoir of professionally trained intelligence mercenaries."

Israel's espionage efforts are rivaled by their technology diversion efforts. From the 2005 Israel as serial violator, temporarily the chicken killed to scare the monkeys:

It is appropriate to class Israel as a serial violator in terms of its diversion of US weapons technology and weapons systems embedding US technology to states such as the PRC. Israel regards such sales as essential both to bolster its own defense industry and to secure greater independence from US strictures on its diplomatic action. Israel is also a purchaser of US weapon systems as well as a creator of weapons systems of interest to the US, thus it becomes a multi-edged proposition in purchases, technology, diplomacy, and US domestic politics.

 

Despite its violations Israel has succeeded in deflecting the bulk of US displeasure, thus it was interesting to see the US move to "sideline" Israel from "participating in developing the Joint Strike Fighter because of violations of agreements about arms sales to China."

Whatever one's opinion is of the State of Israel, the state is certainly unique in its ability to target US assets while retaining a more than cooperative relationship with the US.

Security risks in telco supply chains

This analyst would have the same concerns of employing a Chinese telco to build and/or maintain sensitive telecommunications systems, or provide service via their systems, as I would an Israeli firm as we have already had three significant, verified breaches courtesy of Tel Aviv, most notably the breach (also here) of the White House phone system by Telrad during the Clinton administration. I would have equal interest in the master purchase agreement between Sprint and ZTE, and the presence of Huawei or Telrad in telco installations.

PTT (Post, Telegraph and Telephone) applications should be on a national security-level footing regardless of who builds, and the pen testing and on-going monitoring should be done externally. Yes, this approach requires more money, assets and training but that is part and parcel of a national security footing. Witness the recent penetration of the Greek cell phone system (details here) and the recording of calls by senior government officials. Due to both architecture and insufficient patching, the perpetrators were able to penetrate and monitor even as they shielded their efforts.

 

Possible targets must examine their entire supply chain well into the lower tiers, the ostensibly more innocuous the better. Witness the Israeli firm, Amdocs Ltd, which did, and may still do, the bulk of directory assistance calls and call records and billings in the US. It was said that it was virtually impossible to make a landline call without generating an Amdocs record. NSA long felt that while Israel may not have been intercepting the contents of the calls, it did have a perfect "traffic analysis" of who called whom when and for how long. Combine that with external events and you have amazing abilities.

 

Israel penetrates the White House communications network

 

Said to have been operational in 1998 during intense Israeli speculation about US intentions of the ongoing peace process:

The tip-off about these operations [appears] to have come from the CIA... A local phone manager had become suspicious in late 1996 or early 1997 about activities by a subcontractor working on phone-billing software and hardware designs for the CIA. The subcontractor was employed by an Israeli-based company and cleared for such work. But suspicious behavior raised red flags. After a fairly quick review, the CIA handed the problem to the FBI for follow-up...

 

"It's a huge security nightmare,"... "The implications are severe,"... "We're not even sure we know the extent of it...All I can tell you is that we think we know how it was done... That alone is serious enough, but it's the unknown that has such deep consequences."

 

Sources in Israel say intelligence agents infiltrated Telrad, a company that had been subcontracted by Nortel, America's [then] largest telecommunications conglomerate, to help develop a communications system for the White House.

 

Company managers were said to have been unaware that virtually undetectable chips installed during manufacture made it possible for outside agents to tap into the flow of data from the White House.

 

Information being sent from the president to his senior staff in the National Security Council and outside government departments could be copied into a secret Israeli computer in Washington, the sources said. It was transferred to Tel Aviv two or three times a week.

 

One opportunity for Israeli agents to mount the operation arose when Nortel, Telrad and another firm won a 33m contract to replace communications equipment for the Israeli air force. Members of the air force were allowed access to manufacturing areas as a result...

 

As for how this may have been done technologically, the FBI believes it has uncovered a means using telephone-company equipment at remote sites to track calls placed to or received from high-ranking government officials, possibly including the president himself, according to Insight's top-level sources. One of the methods suspected is use of a private company that provides record-keeping software and support services for major telephone utilities in the United States.

 

A local telephone-company director of security, Roger Kochman, tells Insight, "I don't know anything about it, which would be highly unusual. I am not familiar with anything in that area."

 

U.S. officials believe that an Israeli penetration of that telephone utility in the Washington area was coordinated with a penetration of agents using another telephone support-services company to target select telephone lines. Suspected penetration includes lines and systems at the White House and NSC, where it is believed that about four specific phones were monitored -- either directly or through remote sites that may involve numbers dialed from the complex.

 

"[The FBI] uncovered what appears to be a sophisticated means to listen in on conversations from remote telephone sites with capabilities of providing real-time audio feeds directly to Tel Aviv," says a U.S. official familiar with the FBI investigation. Details of how this could have been pulled off are highly guarded. However, a high-level U.S. intelligence source [said] "The access had to be done in such a way as to evade our countermeasures .... That's what's most disconcerting."

Supply chain breach of the US telecommunications network

 

As part of, or in concert with, the Telrad penetration, the FBI was investigating Bell Atlantic and Amdocs Ltd., a "Chesterfield, Mo., telecommunications billing company [that] helped Bell Atlantic install new telephone lines in the White House in 1997":

Amdocs provides billing and customer services to telecommunications companies around the world, including Bell Atlantic, BellSouth, Sprint and Vodafone. The Israeli-owned company has grown at an incredible rate since opening an American base in 1997, tripling its U.S. revenues to more than $600 million in 1999. Amdocs software handles 50 percent of all local calls in the United States and 90 percent of all local calls in Germany...

 

Amdocs, once a small Israeli software company, is the world's leader in the $20 billion telecommunications billing software industry, with expected revenues this year of $1.1 billion, said Debra Katz, an analyst with Gerard, Klaur and Mattison in New York. The company employs 5,600 people worldwide and is run by "an amazingly high caliber of people."...

In what was a stupendous opportunity for traffic analysis, the US offered significant parts of its telephone logs (date, time, duration, to, from, likely more) to Israeli assets:

In 1997, the White House had a new, state-of-the-art phone system installed by Bell Atlantic. The system installed was not the secure, military-installed system for classified conversations but rather a commercially secure phone system. The classified phone lines presumably remain secure and are not involved in the alleged breach, sources said...

 

[A] senior-level employee of Amdocs had a separate T1 data phone line installed from his base outside of St. Louis that was connected directly to Israel. [Investigation centered on] whether the owner of the T1 line had a "real time" capacity to intercept phone calls from both the White House and other government offices around Washington, and sustained the line for some time... An interceptor could allegedly place the location in the White House or other buildings where phone calls originated. Sources familiar with the investigation say FBI agents on the case sought an arrest warrant for the St. Louis employee but Justice Department officials quashed it...

A US cryptographer and security specialist asked the same question that first came to mind when the breach was discovered:

Why should we be freely giving to Israeli corporations information (call records, CALEA information) that requires court orders to obtain in this country?  Such information is obviously sensitive, and the well-motivated efforts to strengthen and protect our national infrastructure should reasonably include mandating that such information not be routinely handled by any foreign entities...

The balance tipped further in Israel's favor by its ownership of the major Lawful Interception (LI) products producer, Comverse Infosys. As US domestic calls transit telco routers, "Custom computers and software, made by companies like Comverse, are tied into that network to intercept, record and store the wiretapped calls, and at the same time transmit them to investigators":

The [Lawful Interception (LI)] manufacturers have continuing access to the computers so they can service them and keep them free of glitches.  This process was authorized by the 1994 Communications Assistance for Law Enforcement Act, or CALEA... [W]hile CALEA made wiretapping easier, it has led to a system that is seriously vulnerable to compromise, and may have undermined the whole wiretapping system...

 

[Comverse] insists the equipment it installs is secure. But the  complaint about this system is that the wiretap computer programs made by Comverse have, in effect, a back door through which wiretaps themselves can  be intercepted by unauthorized parties.

 

Adding to the suspicions is the fact that in Israel, Comverse works closely with the Israeli government, and under special programs, gets  reimbursed for up to 50 percent of its research and development costs by  the Israeli Ministry of Industry and Trade. But investigators within the DEA, INS and FBI have all told Fox News that to pursue or even suggest  Israeli spying through Comverse is considered career suicide.

Significant elements of the US/EU telecommunications network are neither secure nor immune to further interruption or breach from a variety of state and nonstate actors. To focus on only one state, possibly erroneously, only does us harm.

 

President Bush Addresses Members of the Knesset

The Knesset

Jerusalem

Office of the Press Secretary

For Immediate Release

May 15, 2008

 

USS Liberty Summary of Events

USS Liberty Memorial

 

I busted Pollard

By RON OLIVE

Jerusalem Post

Nov 20, 2006 20:18, Updated Nov 20, 2006 20:41

 

telnetd root Backdoor in Vodafone's Ericsson Systems?

Sascha Welter

Betabug

1 March 2006

 

Phone Tapping Scandal in Greece

Sascha Welter

Betabug

02 February 2006

 

Why Jonathan Pollard is Still in Prison?

By EDWIN BLACK

Forward

JUNE 28, 2002

See the section: 'THE CRIME'

 

Allies and espionage

Jane's Intelligence Digest

15 March 2002

Original

Mirror via Nucnews

 

AN ENIGMA: VAST ISRAELI SPY NETWORK DISMANTLED IN THE US

ARTICLE 3 OF 7

By Sylvain Cypel

LE MONDE

05 March 2002

Translated by Malcolm Garris

Original

Mirror

 

The Israeli Spy Flap Will Fade Away, But At What Cost?

By Douglas J. Brown

GOPUSA

February 7, 2002

 

Israeli News Reports On The Fox Series Of Israel Spying On US
IsraelNationalNews.com
12-28-2001

Mirror

 

U.S. phone eavesdropping software open to spying --Fox News

From: Declan McCullagh

Politech

Date: Fri, 14 Dec 2001 14:51:51 -0500

A Fox series of 4 items, of which this is part 3, is mirrored at Cryptome

 

FBI Probes Espionage at Clinton White House - suspected telecommunications espionage

by J. Michael Waller,  Paul M. Rodriguez

Insight on the News

May 29, 2000

Mirror

 

POSSIBLE PENETRATION OF WHITE HOUSE EMAIL BY ISRAELI AGENTS

Weekly  Intelligence Notes
Association of Former Intelligence Officers (AFIO)
26 May 2000

 

Israeli spies tapped Clinton e-mail

by Uzi Mahnaimi

Sunday Times (UK)

May 21, 2000

Original scrolled off

Mirror

 

TECH ASSESSMENT OF ISRAELI SPY ALLEGATIONS

Weekly  Intelligence Notes

Association of Former Intelligence Officers (AFIO)

19 May 2000

 

ISRAEL ESPIONAGE PROBE

Weekly  Intelligence Notes

Association of Former Intelligence Officers (AFIO)
12 May 2000

 

President, Senior Officials Briefed on Possible 'Penetration' of White House Phones

By Carl Cameron

FOXNews

6:57 p.m. ET (2257 GMT) May 5, 2000

Original scrolled off

Mirror

 

The ABC's of Spying

By ROBERT M. GATES

New York Times

March 14, 1999

 

Why Pollard Should Never Be Released (The Traitor)

Seymour Hersh

The New Yorker

January 18, 1999

Mirror

Gordon Housworth




FBI Cisco counterfeit investigation is live fire demonstration of failed supply chain oversight


The recent bureau investigation outlined in FBI Criminal Investigation: Cisco Routers of counterfeit Cisco routers, switches, interface converters (GBIC), and WAN interface cards (WIC) is a long overdue spotlight on the failure to properly manage and assess critical supply chains. Two themes stand out:

  1. Validation of insufficient supply chain analysis at tier: From a supply chain analysis standpoint, the problem is worse than the FBI notes. If the tier 0 is the OEM or top level consumer as it is in the manufacturing sector, then the malicious entry is coming in at tier 4, not tier 3, as the "GSA IT Vendor" is the tier 1. The 'tier 3' to the tier 1 is thus a tier 4 to the OEM/top tier consumer and thus well below superficial oversight limits. Alternately, federal purchasing guidelines were so loose that malicious equipment could be effectively sanitized at tier 2 as noted in the eBay and federal credit card procurement paths. As noted in Foreign vulnerability inherent in US globalization of its commercial and defense supply chains, the lack of effective means and metrics had led to complacency and ignorance.
  2. Probable PLA participation at overt/covert subsidiary: From a motivation standpoint, this analyst believes that the question of "For profit or state sponsored?" is not an 'or' but an 'and,' i.e., both motives are cooperating within the People's Liberation Army (PLA) and have been for well over a decade.

Extensive supply chain 'undersight'

 

While there are many things of interest in FBI Criminal Investigation: Cisco Routers, these caught my eye.

 

Foil #10, "Sub-Contracting Process":

  • Material is coming in via a drop ship GSA vendor to a tier 3 sub, i.e., well below the tier 2 boundary and largely sanitized from the nominal tier 3.
  • The problem is worse than the FBI notes: if tier 0 is the OEM or top level consumer, as it is in the manufacturing sector, then the entry is coming in at tier 4, not tier 3, as the "GSA IT Vendor" is the tier 1, and thus well below superficial oversight limits.

Foils #13-14, "Directly from PRC" and "Through Foreign Country":

  • Material is sanitized through US and nominal friendly states which confer validation in the absence of investigation.

Foils #15-16, "eBay" and "Government Credit Card":

  • Material apparently bypasses all tracking as a discrete federal group uses their fed credit card or PayPal account to buy from eBay or non-GSA vendor.

Foils #22-23, "U.S. Navy Project":

  • Lockheed Martin is the tier 1, thus the material is again coming in at tier 4 from PRC, whereupon the tier 4 ships direct to the Navy.

Foil #48, "Intelligence Gap"

The scope of criminal activity by insurgent and terrorist groups is vastly underestimated by lay readers; it is as if operational money appears as Minerva from the head of Jupiter, if it is thought about at all. Terrorist organizations build criminal funding arms that have the real possibility of dwarfing the military mission, and in some cases, as I believe is happening in Northern Ireland, they become nearly pure criminal groups with a veneer of rhetoric. None are immune:

[The Red Brigades'] daily life was ruled by economics. Members of the organization spent most of their time raising money to carry out their violent attacks, to buy weapons, to rent new safe houses… The Red Brigades [often] sailed to Lebanon to pick up arms from the PLO. The weapons were then brought to Sardinia where other European groups, such as the IRA and ETA, came to collect their share of the cargo. For this service the Red Brigades received a fee. [To give an idea of the] money required by an armed organization to function, in the 1970s, the Red Brigades had a turnover of $8 to 10 million, equivalent to about $100 million today. This figure was equivalent to the turnover of a medium size Italian company. Generating such vast flow of money required constant attention and absorbed the bulk of the time of the full time members of the organization…

Napoleoni goes on to describe that 2003 market "has merged with the international illegal and criminal economy and together they have a turnover of $1.5 trillion dollars" allocated as:

  • $500 billions are capital flights, money which move from country to country undetected, unreported and illegally;
  • $500 billions is what is commonly known as the Gross Criminal Product, money generated primarily by criminal organizations;
  • $500 billions is the New Economy of Terror, money produced by terror organizations of which 1/3 is represented by legal businesses (which include charitable donations) and the rest comes from criminal activities, primarily drug trade and smugglings.

The bulk of the $1.5 trillion flows into Western economies, it gets recycled in the US and in Europe. It is a vital infusion of cash into these economies.

Tradition of simultaneously 'manning the trenches and the cash register'

As previously noted, "The CCP (Chinese Communist Party) can only maintain its "mandate from heaven" to govern by providing rising economic growth, nor can it maintain the PLA (People's Liberation Army) solely on the "imperial wheat" of government subsidy," thus the PLA was instructed to become largely self-sufficient.

From working notes in 2004:

Official position: People's Liberation Army (PLA) relinquished all commercial investments other than "logistics" in 1999.  Highly visible, high-profile investments handed over.

 

Reality: PLA influence over the economy remains deep and widespread.  The 1999 deadline merely commenced the start of protracted negotiations on who gets what and how Beijing will compensate the military for the revenue lost by handing over its companies. [Includes current value of airlines, pharmaceutical firms, manufacturing and chemical plants, as well as their future revenue stream.]

 

PLA units used the divestiture to shift money-losing firms to local governments even as they kept the best for themselves, blocked audits that would reveal theft and corruption, moved assets into umbrella companies to hide ownership, and allowed departing military officers, their wives or relatives to take over "divested" firms.

 

By 2000 PLA still owned some 10,000 companies selling everything from toilet paper to telecommunications services [Per military analysts, diplomats and China watchers] vastly undervalued at $9.7 billion USD.

 

PLA has a long tradition of simultaneously manning the trenches and the cash register. [Army actions against the Japanese and the Nationalists before and after WW II relied on farming, factory work and other extracurricular activities to support guerrilla operations. Mao Tse-tung cited Ming and Qing dynasty precedents as justification.]

 

China lacks the financial resources to support the PLA solely on the "imperial wheat" of central government funding.

 

PLA's modernization efforts are posting even more aggressive financial demands, yet the Communist Party (CP) needs the PLA as the ultimate defender of its privileged position. Backlash over US-led NATO bombing of the Chinese Embassy in Belgrade [8 May 2000] reduced "pressure to close up shop" of extra-commercial activities.

 

Before 1978, the PLA's business focus was largely limited to production for its own use.  Deng's exhortation to the people to "get rich for the good of China" found fertile ground in the military.  The PLA used its tax-exempt status, warehouses, vehicles and border control to its advantage.  Resulting abuse of power undermined Communist Party credibility, embarrassed CP leadership, while private sector interests undermined military loyalty and left many soldiers with divided loyalties.  PLA greed during the 1997 Asian economic crisis pulled forward the timeline for military divestiture.  PLA was engaging in massive oil smuggling (almost bankrupting China's two state-run oil monopolies) using its border control, ships, warehouses, trucks, private gas pumps and storage tanks to operate the smuggling operation and arbitrage the price difference between dropping world oil prices and China's higher protected prices.  The CP was enraged, recognized the PLA as a corrupting force, and feared that the PLA could endanger CP legitimacy.

 

July 30, 1998: Military officials in Beijing and analysts abroad believe it will be many years before there is more than "incremental" change in People's Liberation Army ownership of private businesses, the Wall Street Journal reports. Several PLA officials say that lucrative companies, many related to the acquisition and development of weapons systems and related technology, owned by the powerful Headquarters of the General Staff will be exempt from the new rules by the central government. Companies such as the five-star Palace Hotel in Beijing and China Poly Group, a weapons dealer and real estate firm, will keep their military ties.  The PLA is considered the world's biggest business empire. The WSJ cites the recent sale of a PLA-owned restaurant to a private entrepreneur. The new owner pays the PLA a $1,200 monthly fee to "rent" the restaurant's name. "The military stands behind everything we do," says an employee.

PROVENANCE: My notes are unclear on provenance. At the time, I was reading Mulvenon and Yang's The People’s Army in the Information Age, notably Jencks' "COSTIND IS DEAD, LONG LIVE COSTIND! RESTRUCTURING CHINA'S DEFENSE SCIENTIFIC, TECHNICAL, AND INDUSTRIAL SECTOR"; Scobell's CHINESE ARMY BUILDING IN THE ERA OF JIANG ZEMIN; Mulvenon's Soldiers of Fortune; Mulvenon and Yang's The People's Liberation Army as Organization, Reference Volume v1.0, notably Finkelstein's THE GENERAL STAFF DEPARTMENT OF THE CHINESE PEOPLE'S LIBERATION ARMY: ORGANIZATION, ROLES, & MISSIONS; Magnier's Chinese Military Still Embedded in the Economy; and French's China Moves Toward Another West: Central Asia. Apologies to any that were omitted.

F.B.I. Says the Military Had Bogus Computer Gear
By JOHN MARKOFF
New York Times
May 9, 2008

US, Canadian agencies seize counterfeit Cisco gear

Grant Gross

IDG

02.29.2008

 

FBI Criminal Investigation: Cisco Routers

Section Chief Raul Roldan

Supervisory Special Agent Inez Miyamoto

Intelligence Analyst Tini Leon

January 11, 2008

 

Managing the Risks of Counterfeiting in the Information Technology Industry

KPMG International

Electronics, Software & Services

2005

 

China Moves Toward Another West: Central Asia

By HOWARD W. FRENCH

New York Times

March 28, 2004

 

The New Economy of Terror
By Loretta Napoleoni, author of Modern Jihad: tracing the Dollars behind the Terror Networks
Sign of the Times (UK)

1 December 2003

 

The People's Liberation Army as Organization

Reference Volume v1.0

Ed: James C. Mulvenon, Andrew N. D. Yang

RAND

ISBN/EAN: 0-8330-3303-4

2002 

4. THE GENERAL STAFF DEPARTMENT OF THE CHINESE PEOPLE'S

LIBERATION ARMY: ORGANIZATION, ROLES, & MISSIONS, By David Finklestein

 

Soldiers of Fortune

by James C. Mulvenon

M.E. Sharpe

ISBN-10: 0765605805

November 2000

 

CHINESE ARMY BUILDING IN THE ERA OF JIANG ZEMIN

Andrew Scobell

Strategic Studies Institute, U.S. Army War College

ISBN 1-58487-030-3

August 2000

 

Chinese Military Still Embedded in the Economy

Mark Magnier

Los Angeles Times

January 9, 2000

 

The People’s Army in the Information Age

Ed: James Mulvenson and Richard H, Yang

RAND

CF-145-CAPP/AF

ISBN/EAN: 0-8330-2716-6

1999

5. “COSTIND IS DEAD, LONG LIVE COSTIND! RESTRUCTURING CHINA’S DEFENSE SCIENTIFIC, TECHNICAL, AND INDUSTRIAL SECTOR” by Harlan W. Jencks

 

Gordon Housworth




Foreign vulnerability inherent in US globalization of its commercial and defense supply chains


The US and, to a lesser degree, Europe have lost control of their defense and commercial industrial supply chains. Exporting capability rather than capacity, the US has increasingly retained only a top tier or integrator role while exporting its tier 2-tier n base. Worse, the US cannot realistically define discrete and net risk as the chains are too opaque for identification and there is decreasing ability to direct sourcing to less risky tiers.

The loss has not come without warning, especially in the seminal analyses of the mid-1980s to early 90s (much of which is cited here) and near-disaster supply chain bottlenecks that nearly sidelined front line equipment during Desert Storm (1990-91).

Having surveyed four decades of research on globalization impacts, we can state that there are virtually no metrics in open source. There are drivers and characteristics but there are no actionable metrics of sufficient robustness to pass the test of falsifiability. At a macro level we are secure that we and some others have the compass right, but actionable information about a specific chain condition and the greatest risk at a given component at a given tier in the chain is fuzzy at best. Given our supply chain analytic experience, we can see the tracks of bland assumptions made without an understanding of how supply networks actually work. Defense and commercial sides of the house share the same problem: insufficient granularity of analysis, and if they do get there they find that they do not have accurate and timely data. At this point the commercial side generally gives up. The defense side can't, so it spends much time in Rommel's Wolkenkuckucksheim (Cloud-Cuckoo-Land after Aristophanes). Stripped of politeness, almost everyone is guessing, although they shroud it in tech speak which pacifies the unknowing.

 

The US manufacturing loss is staggering in its sweep as it includes:

  • Technology (Research Testing Development and Evaluation - RTD&E)
  • Industrial base (tier base capability, knowledge gaining, performance curve and price/volume)
  • Volume (capacity)
  • Availability (conversely product unavailability, product as hostage, withheld or not surged in time of national need)
  • Supply chain (chain complexity masks risky sourcing and possible interdiction)
  • Forensics (undocumented/latent/hostile firmware and/or software additions)
  • Education (learning citadels clustered to engineering and production centers)

Having reviewed analyses of manufacturing globalization for both the defense and commercial sectors, this analyst is of the opinion that the risk to the US has become so great that it should study itself as a reasonable target of economic sanctions (also here), hence the inclusions of citations on that topic. (The Chinese have studied means of countering economic sanctions; can we do no less?)

 

Before globalization there was 'NATO-azation'

 

The issue of dealing with the effects of globalization on US commercial and defense industries has been with us for decades. The 1985 Strategic Materials: Technologies To Reduce U.S. Import Vulnerability, whose advisory panel an Air Force logistics colleague advised me "looks like a 'Who's Who' for the defense department in the 1990's.  Lot of them went on to very senior DoD positions," stated the problem and its complexity well:

Crafting a workable policy [regarding dependence on foreign sources, NATO allies included, for defense material and technology] will be a tricky job.

 

There are three basic policy choices:

  • demand that anything that goes into defense equipment be built in the U.S. from U. S.-sourced components, taking whatever measures are necessary to ensure that all the necessary industries are alive and well in the United States;
  • let the market dictate which industries will be healthy in the United States and look only for the best deals wherever they can be found worldwide; or
  • choose some industries that have to be located in the United States, take appropriate measures to ensure that, and let the rest go with the market.

The first and third require some sort of intervention in the international economy, either supporting the international competitiveness of U.S. companies or protecting, supporting, and subsidizing U.S. companies that cannot otherwise survive. Another approach is to design nothing into U.S. defense systems that cannot be domestically sourced. But this cuts off a great deal of modern technology, a Western strength. In making these choices, the United States will have to decide how dependent we can afford to be, and how much independence we are willing to pay for. If the United States demands self-sufficiency without taking measures to keep U.S. companies alive and competitive, the list of technologies available for defense systems is likely to decrease as time goes on.

 

It will be necessary to decide how to treat dependence on various nations. There are significant differences in being dependent on Canada (already defined as part of the North American industrial base), Britain, our other NATO allies, Mexico, Japan, Korea, etc... Other nations are much less tightly tied to the United States.

 

The high-technology economy is an international one and responds to international market forces. These forces are likely to continue to move industries offshore despite U.S. efforts to will (or legislate) them to stay. In the vast majority of cases, defense business is far too small to provide the necessary clout, particularly when faced with other nations that manipulate their civilian markets to keep their companies healthy. Competition comes from Japan, the smaller Asian nations - Korea, Taiwan, Singapore, etc - and Western Europe...

The US chose the second path by a combination of default and design augmented by partial regulation; private industry sought performance and integration coupled with higher margin and lower costs. Our current globalization impasse is its direct descendant.

By 2000, the challenges facing the US Air Force were typical of an increasingly globalized and consolidated industrial base:

Between 1990 and 1998, a horizontal and vertical integration took place across all segments of the U.S. aerospace industry. [Driven by a dramatic decline in military aircraft procurement budgets as well as overall defense authorizations since the end of the Cold War,] The number of credible U.S. prime contractors for integrating fighters and bombers fell from seven to two; the number of U.S. missile manufacturers from fourteen to four; and the number of space launch vehicle producers from six to two. By the end of the 1990s, the European defense aerospace industry had also begun to experience a dramatic cross-border consolidation and restructuring. This growing consolidation of defense prime integrators and subsystem suppliers has resulted in increased numbers of strategic and product-specific alliances, international teaming and joint ventures, and cross-border mergers and acquisitions (M&As) among defense firms, together with heightened interest in foreign exports and foreign lower-tier suppliers.

From foreign source to dependency to vulnerability

As early as 1987, US Industrial Base Dependence/Vulnerability. Phase 2. Analysis, had defined three elements of foreign sourcing: (1) a foreign source is a source of supply, manufacture, or technology that is located outside the United States or Canada, (2) a foreign dependency refers to a source of supply for which there is no immediate available alternative in the United States or Canada, and (3) foreign vulnerability, related to foreign dependency, refers to a source of supply whose lack of availability jeopardizes national security by precluding the production, or significantly reducing the capability, of a critical weapon system. While the US has yet to suffer a sustained foreign supplier cutoff "either in peacetime or war," the military and economic balance has now shifted against the US, making it increasingly plausible that the PRC or Russian Federation could directly or indirectly influence 'just-in-time' availability:

One potential scenario simply posits disagreement by the foreign supplier with US policy... Problems such as strikes, political unrest, or natural disasters within the supplier's country are all plausible. Cutoffs might also be created by the supplying nation giving priority to ventures more profitable than DOD contracts, or giving priority to the supplier's home country needs over the United States, especially in times of crisis. Countries external to the supplying country could also create cutoffs - by threatening the supplier, by an overt blockade, or by war. One US study done prior to the end of the Cold War, reminded readers that Japan was within easy bombing distance of the Soviet Union, and thus the USSR could easily cut off critical components for US weapon systems... The USSR test fired two sea-launched ballistic missiles into the Sea of Japan at a time coinciding with Mikhail Gorbachev's April 1991 visit to Japan. Some analysts described the test firings as a "muscle flex" and a "political message for Tokyo." The message, however, has ramifications for the United States also - sources of certain critical supplies are vulnerable to hostility, a situation that creates a possible domino effect on US weapon systems.

Given the shift in manufacturing key component categories from Japan to China, were the US to incur the ops tempo of a second Desert Storm or OIF level endeavor not to Chinese favor, the issue of shortages would not be 'if' but rather 'how many and how soon.' (Nothing has to be overt; polite expressions of regret coupled with 'work to rule' responses and the need to service current customers would attenuate/terminate supplies of many critical parts and assemblies needed to sustain the ops tempo.):

Despite the successes of US military weapon systems that used foreign high technology components during the Gulf War, there were moments of uncertainty as to whether the United States would be able to get requested "rush" orders filled for needed components on a timely basis. [On] "nearly thirty occasions, the Bush administration had to call upon foreign governments for help to get delivery of crucial parts for the war effort."... "foreign manufacturers often were reluctant to put the Pentagon's purchase orders ahead of their regular customers' without prompting from their governments, according to officials at embassies here and at the Commerce Department." Of special concern were Japanese suppliers... "The Japanese electronics companies - whose identities have not been publicly disclosed - reportedly said they could not curtail existing commercial contracts, such as orders from VCR, television, and automobile manufacturers, to meet the needs of the US forces in the Gulf." Experts on Japan [also] speculated that Japanese suppliers, in a society geared toward avoiding any military involvement beyond national borders in the post-World War II era, "may have been afraid of domestic political ramifications of favoring military over commercial customers." [An] interview with an unnamed Commerce Department official revealed that the US government "had to 'jump through the hoops' and that the department took the unusual step of asking Japanese government officials at the embassy in Washington for help in prodding Japanese suppliers."

Said of Japan in 1991, the following applies with greater intensity to China. As a calibration, consider a US air and naval intercession on behalf of Taiwan in the Formosa Strait. Leaving aside the likely effort by the Chinese to sink a US carrier battle group, thereby shocking the American populace, one can assume that the entire component supply chain would shut down. Whatever ops tempo the US envisioned would have to come from inventory or alternate supply. Lesser scenarios should have less chain disruption, but a degree of disruption remains high:

The potential for crisis, however, certainly existed and only a common political objective shared by top levels of the US and foreign governments averted more serious problems. The bond between most governments during the war was created by nearly-unanimous outrage over Iraq's aggression; such a bond was both unprecedented and delicate, thus it may be tough to duplicate in the future. Had there not been a common political objective or had the Japanese government, for instance, been more inclined to bow to domestic calls for avoiding contributions to the war effort (and there was considerable pressure within Japan for noninvolvement), it is quite likely the United States would have had to look for other sources to obtain necessary components. Without pre-planning for alternate supply sources, the probability of a favorable resolution would have decreased significantly.

Analogous to mercury accumulation in top tier marine predators, buyers of assemblies, modules and larger finished goods faced with chain opacity will incur rising risk of chain interruption and functional tampering. Without actionable information and the ability to effect chain substitutions, virtually all are now accepting risk by default. See: Confluence of thinking on Chinese outsourcing and supply chain risks from DSB and USCC. From an ICG note:

As we do quite a lot of supply chain analysis, we know why it so often fails, namely the OEM or top tier cannot get the data from their immediate tier who are loath to reveal their chains. Data is shielded, normalized, changed without notification, fictionalized either by surrogate data or simple commercial misrepresentation. Counterfeits add yet another layer on the problem set.

 

From electronic/electrical chain examples we have at hand, many are PRC at tier 2 to tier 5, others are Taiwanese ODMs which means PRC for almost all tiers save design, Japanese chains have PRC, Korean and Singaporean tiers. There are many cases where the OEM or top tier believe that a certain part comes in at tier x in its entirety, but the reality is that a goodly portion comes in PIA down to tier x+3. The PRC presence, either as source or influencer, is overwhelming.

 

Our commercial experience has repeatedly shown that the OEMs don't know what, from where, is in their chains. A common experience is that as the OEM or top tier develops the algorithms of granularity needed to be effective, the data becomes too difficult or costly to obtain. If the OEM demands an identified tier x validate volume and pricing as stated by the purchasing tier (tier x-1), the tier x will validate lest they run afoul of their purchasing tier.

 

As automotive OEMs are phasing out Full Service Suppliers (FSS) by their recognition that they were enduring margin without equivalent value, defense sector firms are enthusing over Performance Based Logistics (PBL) structures which are beginning to blind Defense Logistics Information Service (DLIS) as to what is in a chain and conceivably debase the value of a National Supply Number (NSN). (It should be remembered that DLIS rose from "the World War II era when each of the Military Services operated independently and maintained a separate supply system and procedures for cataloging their items of supply [in which] many items were given a different name by each of the services, making efficient use of available stock impossible.") [As an aside, buying "Power by the Hour" (PBH) has its merits (also here) but it is disconcerting to see how contractors perceive its profitability.] [ICG note]

Inability to divorce supply chain access from mercantile efforts

Writing in 2004:

The PRC is preoccupied with the US given its current dominance in Asian and global affairs, and sees it as the principal "international danger" able to "confront and complicate China's development and rising power and influence in Asian and world affairs." China is mindful that three nations that sought to overturn the prevailing international order of their day, Weimar Germany, Imperial Japan, and the Soviet Union, were punished by an allied coalition of established nations. While I've not seen it in print, I cannot but note that the leader of the winning coalition in each case was the United States, a fact that I cannot imagine has been lost on the Chinese.

China is well into the process of creating a mercantile, rather than fungible, market for raw materials that is expressly grounded on the inability of the US or US allies to interdict it. (China's growing mercantile net is of keen interest to this author, but lest I be accused of China bashing, items of equal weight are a Russian kleptocracy class armed with the energy weapon and the implosion of the US Pre-K through 20+ education structure.) See:

Chinese mercantile highlights of interest to this author are:

  • Strategic plan creates mercantile structure that secures energy stocks, raw materials, and crops.
  • Cannot be interdicted by the US or its allies.
  • Delivers export markets for commercial and military production, redirects regional elites to study in China, and extracts diplomatic obedience.
  • Sends large groups of diplomatic and consular agents that meet counterparts at each level of the target country's bureaucracy.
  • Promotes infrastructure projects using Chinese firms, creating a camouflaged posting for People's Liberation Army (PLA) assets.
  • Veiled PLA works have common pattern: tidewater port presence offering partial or complete opaqueness connected by a strassendorf (street city) style of satellite towns connected by new roads to a processing plant at the primary extraction asset, e.g., coal, oil, minerals, timber, etc.

Taken together with China's regional economic might, the PRC is demonstrably capable of building the regional relationships needed to eject the US and in the process become the dominant mercantile center of an Asian trading block that includes Asia's "most vibrant economic sub-region" (China, Hong Kong, Taiwan, South Korea, and Japan).

While I freely admit this macro level view lacks granularity and has yet to be submitted to the test of falsifiability, I do not believe it can be removed from a discussion of sustained supply chain access.

 

A unitary threat exceeding combined prior Soviet and Japanese threats

Economic power is the foundation of military power. The most important single indicator is GDP. Like defense budgets, however, GDP provides only a limited picture of power. It says little about the composition of the economy, such as whether it is spearheaded by leading sectors or dominated by old and declining ones. Other important variables include human capital and technology. The best readily available measure of human capital is the average year of educational attainment. For technology, the best indicator is per-capita expenditure on research and development.

The US now faces a potential threat of chain disruption from the PRC greater than that presented by combined Soviet espionage efforts directed against the US technology base, military, dual-use and commercial, and Japanese commercial inroads against a wide range of commercial products, notably electrical and electronic systems, that were conceived in the US:

  • In the case of the Soviets, the US did not cede manufacturing and design efforts wholesale to the USSR; the Russians had to employ economic espionage (see also B.R. Inman's Senate statement) to get technology and equipment otherwise embargoed to them.
  • In the case of the Japanese, the US had an exceptionally strong commercial competitor periodically balanced by a pro-US government that recognized its privileged place under a US defense umbrella which allowed it to devote its GNP to commercial pursuits; when it was essential to US interests, Tokyo would intervene on our behalf. See Refining a China forecast. (It was an unwritten rule of the Nixon administration that the Japanese were to be allowed to dominate electronics markets in return for their unwavering support of US diplomatic initiatives.)

I submit that the PRC will continue to strengthen the independence of its own strategic supply chains, a condition that the US/EU have aided by seconding wholesale the manufacture, now design, and in the offing, unique product standards, to the Chinese. A current example of this effort is the gaining of indigenous, as opposed to Taiwanese owned, semiconductor device fabrication capacity from wafer fab through deposition, removal, patterning, and properties modification.

As for the US/EU, the de facto 'sole sourcing' of much of the US and elements of the EU industrial base to China has already rendered its manufacturing base into Chinese hands at multiple tiers, many of which, as noted above, are opaque to the top tier, integrator and ultimate buyer. Similarly, the export of much of its design process for future products to China-based R&D hives has increased the potential for IP predation and the appearance of peer Chinese competitors before the US/EU products reach market.

 

Just as the Soviet Union pointedly pressed Japan over its commercial and military partnership with the US, so will China both direct its domestic suppliers to comply while pressing Taiwan, Japan and Singapore when any of those states significantly work against Chinese interests.

 

We have already seen two examples of that pressure, one in Japan and the other in the US. Japan squelched what it described as a 'national security' IP theft from Denso, which is itself a repeat of the humiliation that Cisco received at the hands of Huawei and the PLA, i.e., suppress litigation or your commercial interests in China suffer. In each case, once matters became public, and in the case of Cisco went litigious, the Chinese were able to apply commercial pressure on Cisco and Toyota-Denso to relent or suffer immediate penalty. See two items: Prediction: the Cisco-Huawei IP debacle repeated itself with Denso, and likely for the same reasons and A tipping point in intellectual property protection?

 

I submit that both the US government and private industry would find it instructive to receive the equivalent of Russia's gas embargo to the Ukraine, who surprised all by continuing to tap their allotment, thereby plunging the EU into shortage. European energy sourcing directions shifted in the moment with reliable sourcing and self-sufficiency rising in relation to cost as prime issues.

 

I further submit that the US needs to adopt the Toyota/Denso model of retaining the capacity to design and manufacture a portion of the annual buy of everything that they purchase. Toyota/Denso is the only significant automotive OEM to retain that capacity which also gives Toyota leverage with its suppliers by its understanding the technological, design, manufacturing, component pricing and supply chain tier structure of what it procures.

 

This process was proposed, at least for the defense sector, in the 1980s but was not acted upon. In the interval, the US, much like the other automotive OEMs, has already surrendered much of its process technology in the form of joint ventures, outsourcings and tier manufacturing, leaving the Chinese only to target mathdata and key design efforts not sourced to the tier base.


Chicken Little's sky may be falling but it does not fall uniformly


If at a macro level it is plausible that the US/EU are subject to systematic supply chain interruption/embargo by the PRC at the commercial and dual-use level, what is the status for defense items given the near misses of Desert Storm? How do we validate (falsifiability) and prioritize investigation in order to identify the most essential chain elements? Even the salient works of the 1980s-early 1990s were imprecise on granular means of analysis. DoD has been providing guidelines "for evaluating, on a case-by-case basis, the need for Government action to preserve industrial capabilities vital to national security" for some time. Witness the 1996 Assessing Defense Industrial Capabilities handbook. The problem was then, and appears to remain, one of data, rigorous trigger thresholds and chain transparency below the DoD vendor.

It is with some interest that DoD appears to believe that its key systems are intact. A three year 2006 National Research Council effort on Critical Technology Accessibility attempted to answer two questions:

  • What products/components/technologies currently being solely procured from foreign suppliers could significantly disrupt U.S. defense capabilities if access to them were denied (through conflict, embargo, treaty, etc.)?
  • What emerging technologies/products that, if the United States chooses not to pursue domestic production, could significantly disrupt U.S. defense war fighting capabilities if access to them were denied?

In which the NRC Committee:

looked for but did not find an existing, exhaustive database of foreign products/components being procured by the Department of Defense (DoD) and decided to not attempt to develop such a database on current foreign sourcing across the vast numbers of DoD systems. Nor did the committee assess, for each foreign component, the impact of denial on operational capability or try to understand the particular mitigation opportunities and consequences. Finally, it did not develop a collective assessment of the technological and industrial trajectories of emerging technologies that promise to be key to our nation's security. The size and scope of such an effort would have exceeded the time and resources available to the committee, and it became clear from the information provided to it and from its deliberations that this was not the right approach.

In the absence of data, the NRC committee:

did listen to government plans and perspectives, discussed the issues with recognized experts, and independently reviewed source material and past literature. In addition, the members of the committee arrived with substantial background, service, and expertise in these matters.

Without intending to be flip, they guessed, or as you prefer, SWAGed. Without data, chain transparency, metrics and algorithmic analyses, how could they do better? We find Fortune Fifty firms in similar predicaments with their supply chains.

Despite these limitations, the NRC Committee was confident that:

Based on the information they received and their own knowledge, committee members were unable to identify any product or technology currently being exclusively procured from a foreign supplier that could significantly disrupt U.S. capabilities or operations should it suddenly become unavailable...

 

If the [US] were to become strategically dependent on a foreign industrial base for items that are critical or for which the regeneration of a U.S. industrial base would take a long time, the risk would be unacceptable. The committee does not see any signs of that at this time, but the possibility should be taken into account when determining what the U.S. industrial base needs to be for defense purposes. The committee identified four areas of future technological and industrial advancement that warrant discussion: (1) information technology (IT) components; (2) IT services, which include many forms of the capability to manipulate, store, and exploit data and information; (3) nanotechnology; and (4) biotechnology. The committee also identified another area of concern, systems integration capabilities.

The 2006 NRC Committee text strongly echoed, and possibly accepted the findings of, a 2004 Study on Impact of Foreign Sourcing of Systems that "contacted a total of 806 prime contractors and first and second tier subcontractors in order to collect and evaluate information" for systems:

shaped by the recent experiences in Operations Enduring Freedom and Iraqi Freedom. Those operations were conducted largely as "come-as-you-are" conflicts with the combat platforms already deployed to our forces; and they consumed significant quantities of precision guided munitions. As a result, this study is focused on those items that were or would be in high demand and/or consumed during similar future operations.

In the absence of rigorous means and metrics coupled with our case work in supply chain analysis, we question the findings of that 2004 effort:

  • Foreign sources provide limited amounts of materiel for the identified programs.
  • Utilization of these foreign sources for these programs does not impact long-term readiness.
  • Utilization of these foreign sources does not impact the economic viability of the national technology and industrial base.
  • In most cases, domestic suppliers are available for the parts, components, and materials provided by the foreign sources.
  • The results of this study are consistent with recent related studies.

This voluntary survey went down to tier two, identifying a total of "73 first, second, and third tier foreign subcontractors" from Austria, Belgium, Finland, France, Germany, Israel, Italy, Japan, Malaysia, New Zealand, Netherlands, Russian Federation, Singapore, Spain, Sweden, Switzerland, Turkey, and the UK. (DoD has been habitually comforted by UK subs, after that NATO and friendlies.) This analyst is pleased that the questionnaire went to tier two, but the report seems to treat 'tier two' (from any country) as the edge of the world after which one needs to look no further.

Also the test characteristics seem vague, looking to the past ("Supply disruption is not likely since the current suppliers have demonstrated reliability in the past..."), rather than to the future. There was also a repeated implication that if the dollar amounts were small that the risk was low as opposed to cessation of component access regardless of cost. ("Collectively, foreign subcontracts represent about four percent of the total contract value and less than ten percent of the value of all subcontracts for these programs.")

 

The report did not reveal or imply any further granular analysis. Based upon our supply chain analysis, this analyst would want more rigorous analysis, and a look at lower tiers and other chain characteristics, before issuing a similar pronouncement.

Returning to the 2006 NRC report, its recognition of the changing nature of the supply base harkens back to the good works of the 1980s:

The impact of component denial is not a static estimate. The risks entailed in depending on a foreign-produced component are embedded in the strategy of supply management and the diversity of the impacted operational system or force. The size and power of the globalized commercial marketplace are such that we must find a way to exploit the marketplace's value for our security. The risks and benefits of this exploitation are at least as much an issue of acquisition and logistics strategy as they are of estimating foreign intent. The viability of the future assured domestic supply of critical components for the DoD is dependent on the health of the U.S. industrial base in these sectors.

Its recommendations to the Under Secretary of Defense for Acquisition, Technology and Logistics (USD(AT&L)) and DIA are interesting, although some are unworkable while others are likely to be ineffective:

  1. [D]evelop a system for monitoring the risks of component unavailability within the procurement and operating elements of DoD... [ICG comment: Having not worked before, and with no better tools and metrics on offer, how will it work now?]
    • A self-certification approach by USD(AT&L) should direct the services and defense agencies to annually prepare a product and supply chain assurance report that identifies important vulnerabilities, potentially significant operational consequences, and recommended mitigation actions... [ICG comment: Self-certification rarely, if ever, works as bureaucracies are loath to mark themselves deficient; even less likely without clear means and metrics.]
    • [A]nalyze these annual reports to identify DoD-wide vulnerabilities that might not be detected by the individual services and agencies and to warn of worrisome trends in the integrity of the supply chain, ensuring it is not compromised by foreign supply sources... [ICG comment: Unlikely to work as the certifications are suspect, and no metrics are proposed.]
    • [ICG comment: There are, however, some useful questions which could lead to metrics:
      • Where there is a lack of war reserves or stockpiles.
      • Where a weapon system is uniquely in the U.S. inventory and therefore cannot tap into worldwide depots.
      • Where developing an alternative source of supply requires significant lead times.
      • Where the DoD has developed sole-source, single-solution capabilities.
      • Where critical technologies have migrated offshore or been developed there in their entirety.]

  2. [D]evelop a system for monitoring U.S. industrial health in strategically important global commercial market sectors that are critical to the availability of components for DoD... [ICG comment: Fine, but how and by what means and metrics?]
  3. [O]rganize a systematic method of assessing the health of military systems integration in and for the DoD as well as that of potential coalition partners and adversaries... [ICG comment: Again, how and by what means and metrics?]

The foreign dependency analysis that this analyst would like to see is a Joint Logistics Commanders' 1986 report, A Study of the Effect of Foreign Dependency, summarized in GAO/NSIAD-90-48, that "reviewed 13 DOD weapon systems and found dependencies [1] on foreign sources in 8 of them with severe problems in 6. According to the study, these dependencies could result in a total cut-off of the production of these items as early as 2 months into a war mobilization effort for a period lasting from 6 to 14 months.":

To obtain information regarding the lower subcontractor/vendor levels, for 12 of the 13 weapon systems reviewed, the project team performed a limited survey of the market structure supporting the systems. That is, for each of the 12 systems, program officials were asked to identify 5 subsystems and components at the next lower production tier meeting certain criteria [2] and this identification continued through the lower production tiers down to the level of basic materials. For the other system, the Sparrow missile, a complete vertical tier analysis was done. [3]

[1] A foreign dependency, as defined in this study, is an immediate, serious logistics support problem that affects the combat capability of the United States because of the unavailability of a foreign sourced item.

[2] Each subsystem or component had to be (1) complex enough so that the program officials were unable to categorically state that it did not contain any foreign manufactured items and (2) critical enough to production, and complex enough to produce, so that its loss would pose serious problems in meeting production schedules.

[3] A vertical tier analysis identifies critical items acquired from foreign sources for an individual weapon system down through the tiers of suppliers and evaluates possible production constraints at each level.

Going forward, RAND's effort to assess industrial impacts identified a typology of "cross-border business relationships and activities" then, and still, prevalent in the defense aerospace industry:

  • Cross-border shipments of finished platforms, systems, or major subsystems
  • Licensed coproduction
  • Foreign Military Sales (FMS) coproduction
  • "Partnership" coproduction
  • Codevelopment

All five were supported primarily by "prime/subcontractor [by far and away the leader], marketing agreement, team, joint venture, and parent/subsidiary" structures while the latter three usually involved "relatively greater level of collaboration among participating firms."

 

RAND also segmented USAF objectives relevant to globalization into three categories (economic-technological, political-military and national security-viability) and identified program characteristics it said showed "the most promise for promoting the potential military-political and economic benefits of globalization." This analyst notes that those same characteristics also made it possible to individually and incrementally transfer the US technology base. Note that the primary driver is the defense firm not the government; all other drivers follow:

  • voluntarily structured and often initiated by defense firms rather than by governments on the basis of internal business calculations of market conditions and best business practices.
  • painstakingly structured to satisfy the existing U.S. arms export and technology security regulatory regime and CFIUS.
  • often focus on promoting existing products or modifications thereof, or on specific product market sectors.
  • frequently focus on subsystems, munitions, or discrete components or areas rather than on large, complex programs for the development of entire weapon system platforms.
  • designed to gain and expand active reciprocal market access through new programs.
  • often motivated by a desire to add to a company's product portfolio a highly competitive product in a market sector dominated by another firm or firms.
  • characterized by mutual perception of balanced and complementary bilateral market access opportunities and technology transfer.
  • most aggressive and innovative among these relationships depend on continued reform of the U.S. export control regime in order to achieve their full potential.

RAND’s defense globalization conclusions from 2001 have only accelerated (while they have exploded exponentially in the commercial sector):

  • Numerous innovative cross-border strategic market sector agreements initiated by U.S. and foreign companies are emerging.
  • U.S. aerospace firms are not significantly increasing their acquisition of wholly owned subsidiaries of foreign defense aerospace firms.
  • Teaming and joint ventures with non-UK and non-Europe-based firms are increasing.
  • U.S. industry collaboration with one country's firm increasingly means collaboration with many countries' firms.
  • Consolidated European and other foreign firms mean potentially more equal partners as well as stronger competitors.
  • European and other foreign firms seek U.S. market access but resent barriers.
  • European and other foreign firms view the acquisition of U.S. firms as the most effective means of penetrating the U.S. market.
  • Non-European foreign firms are forming strategic relationships with European and U.S. firms, potentially enhancing competition but complicating standardization and interoperability objectives.
  • European and other foreign industry consolidation present U.S. government and industry with unprecedented opportunities as well as risks.

Yet all of the above are drivers and characteristics which may yet yield metrics, but do not now offer the analyst an actionable means of identifying trigger thresholds.

 

Where are the metrics?

 

Metrics in open source have been difficult to obtain. An effort was made by King and Cameron in 1974 and updated in 1977. Their work was reprised, and remains online, in Appendix A of Strategic Materials: Technologies To Reduce U.S. Import Vulnerability.

 

A more intriguing effort, Conservation, Integration and Foreign Dependency: Prelude to a New Economic Security Strategy, was done by David Leech, then at TASC, now Northrop Grumman, in 1993. His was the sole search result on "foreign vulnerability index." Leech proposed the use of the Herfindahl-Hirschman Index, normally used in anti-trust litigation, to "measure the worldwide supply concentration of items, both overall for firms and with firm market shares grouped by country of origin." Along with risk factors it is one of the methods noted in INDUSTRIAL BASE: Assessing the Risk of DOD's Foreign Dependence, GAO/NSIAD-94-104.

 

This author found Leech's approach of sufficient interest to post a fair use excerpt of the GeoJournal piece, with footnotes, dealing with its Foreign Vulnerability Index (FVI). I believe it reasonable to say that Leech believes that:

  • The King and Cameron approach, as with many engineering approaches, will not pass the test of falsifiability.
  • Moran's 4/4/50 rule, which states that if four foreign firms or four nations control more than 50 percent of an international market, that market is considered "vulnerable" and should be monitored, might be a Herfindahl threshold value.
  • The essential problem of assessing the potential for 'concerted effort' in the anti-trust realm is analogous to the essential problem of assessing 'concerted effort' by nations and their industries to deny the US access to their products, services or technologies.
  • Vulnerability is a narrow consideration having to do with tightly defined markets for products and services.

It remains to be seen if Leech's approach falls victim to the problem we frequently see in supply chain analysis, namely that the complexity issue is so great that cost effective, perishable data is not available. I fear that may well be the case, hence the value of inserting a Design Basis Threat (DBT) analysis as we must have actionable values in a low data environment and be able to defend them. See:

Still, Leech is the strongest approach to metrics that this author has seen and deserves exploration anew.
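To make the two measures discussed above concrete, the following is an added example, not code or data from Leech, Moran, GAO or this post. It computes the standard Herfindahl-Hirschman Index over firms and over firm shares grouped by country of origin, and applies Moran's 4/4/50 rule as worded above; it is not Leech's FVI itself, and the sample markets, the placeholder country codes and the choice of "US" as home country are constructed assumptions.

```python
from collections import defaultdict

HOME = "US"  # assumption: the buyer's home country


def hhi(shares):
    """Herfindahl-Hirschman Index: sum of squared percent shares (max 10000)."""
    shares = list(shares)
    if abs(sum(shares) - 100.0) > 1e-6:
        raise ValueError("shares must cover the whole market (sum to 100)")
    return sum(s * s for s in shares)


def shares_by_country(market):
    """Collapse firm shares into one share per country of origin."""
    totals = defaultdict(float)
    for _firm, country, share in market:
        totals[country] += share
    return dict(totals)


def top_four(shares):
    """Combined share held by the four largest entries."""
    return sum(sorted(shares, reverse=True)[:4])


def assess(market, home=HOME):
    """Concentration by firm and by country, plus the 4/4/50 flag."""
    by_country = shares_by_country(market)
    foreign_firms = [s for _f, c, s in market if c != home]
    foreign_nations = [s for c, s in by_country.items() if c != home]
    top4_firms = top_four(foreign_firms)
    top4_nations = top_four(foreign_nations)
    return {
        "hhi_firms": hhi(s for _f, _c, s in market),
        "hhi_countries": hhi(by_country.values()),
        "top4_foreign_firms": top4_firms,
        "top4_foreign_nations": top4_nations,
        # Moran: four foreign firms OR four nations above 50 percent.
        "moran_vulnerable": top4_firms > 50.0 or top4_nations > 50.0,
    }


# Constructed market 1: ten equal suppliers, so firm-level concentration is
# low, but six of them sit in one foreign country ("AA" is a placeholder).
CLUSTERED = (
    [(f"Firm {i}", "AA", 10.0) for i in range(1, 7)]
    + [("Firm 7", "BB", 10.0), ("Firm 8", "BB", 10.0)]
    + [("Firm 9", "US", 10.0), ("Firm 10", "US", 10.0)]
)

# Constructed market 2: same firm-level picture, but half the supply is
# domestic and the foreign half is spread over five countries.
SPREAD = (
    [(f"Domestic {i}", "US", 10.0) for i in range(1, 6)]
    + [(f"Foreign {c}", c, 10.0) for c in ("AA", "BB", "CC", "DD", "EE")]
)

if __name__ == "__main__":
    for name, market in (("clustered", CLUSTERED), ("spread", SPREAD)):
        print(name, assess(market))
```

Both constructed markets have the same firm-level HHI, yet only the first trips the 4/4/50 rule, and only through its nation test; that is the information the country-of-origin grouping adds.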

 

Postscript: The Appendices (actually Vol. 2 issued in 1990) of the 1985 Strategic Materials analysis had a specific case study of the strategic value of the carbon fiber market, Case Study: The Advanced Composites Industry.

 

Leaping forward to the present, we see aviation/aerospace, industrial, sporting goods and automotive driving a robust market:

Over the last several decades, the global market for carbon fiber has grown about 12%. Industry experts expect this market to reach $0.9 billion by the year 2010 (around 50 million lbs), with the market for finished carbon fiber reinforced composites parts growing to $9.9 billion. The price of carbon fibers is expected to reach around $5/lb in 2008, a significant reduction in the $150/lb price in 1970 when the market was only around several million lbs.

 

Aerospace markets have led recent demand and are expected to grow at a 19% compounded annual growth rate (CAGR) through 2010. However, industrial applications are taking off, too, with a total combined CAGR of 14% through the end of the decade (this segment currently accounts for around 60% of the current demand). Sporting goods CAGR is estimated at 5% over the same time period, resulting in a total overall projected growth rate of a robust 13%. Wind energy could become the second largest market sector after aerospace by 2010. The following table summarizes some of these applications.

In this thriving environment, the last principal US producer of Acrylonitrile (AN or ACN), the precursor to Polyacrylonitrile (PAN) (See carbon fiber value chain) which is the basis for all aerospace/high end carbon fiber, has passed into foreign hands.

 

Apocryphal stories to the contrary, frogs are smart enough to jump from water whose temperature is elevating; in this skill of self-preservation, frogs are smarter than governments, corporations and self-interested political elites who will stay in the water until it is too late. Once again, low cost has proven not to be low risk.

 

Bibliography Note: While the following list of citations is not exhaustive, I submit that they reasonably constitute a four decade record on globalization and are a good jump point for further investigation.

 

Crafting A Contractor PBL Organization

By John Kotlanger & Ron Giuntini

Performance Based Logistics

29 April, 2008

 

PRC still expanding sub fleet: analysts

THREAT: Many security experts say that China's main objective in upgrading its submarine fleet is the ability to delay or deter US intervention on behalf of Taiwan

NY TIMES NEWS SERVICE, BEIJING

Taipei Times

Tuesday, Feb 26, 2008

 

Strategic Materials

Final Report, Spring 2007 Industry Study

The Industrial College of the Armed Forces, NDU

2007

 

'Power by the Hour': Can Paying Only for Performance Redefine How Products Are Sold and Serviced?

Sang-Hyun Kim, Morris A. Cohen, and Serguei Netessine

Wharton School, University of Pennsylvania

Knowledge@Wharton

February 21, 2007

 

Critical Technology Accessibility

Committee on Critical Technology Accessibility, National Research Council

National Academies Press

2006

Appendix C - Previous Reports on Globalization and the U.S. Military Industrial Base

 

PERP Program - Acrylonitrile

New Report Alert

Nexant

November 2006

 

Letter from China: Is it a 'peaceful rise'? U.S. shouldn't bet on it

Howard W. French

IHT

APRIL 20, 2006

 

Russia and Ukraine Reach Compromise on Natural Gas

By ANDREW E. KRAMER

New York Times

January 5, 2006

 

Measuring National Power

Gregory F. Treverton, Seth G. Jones

Intelligence Policy Center (IPC), RAND National Security Research Division (NSRD)

ISBN: 0-8330-3798-6

2005

 

Measuring vulnerability to U.S. foreign economic sanctions: focused sanctions reduce costs to business.

Askari, Hossein; Forrer, John; Hachem, Tarek; Yang, Jiawen

Business Economics

VOL 40; NUMB 2, pages 41-55

April/1/2005


 

Sanctions Assessment Handbook

Humanitarian Information Centre (HIC)

UN Office for the Coordination of Humanitarian Affairs

2004 last update

 

VALUE CHAIN OF CARBON FIBERS: Issues associated with production, conversion, and supply of PAN carbon fibers into high volume applications.

Presented by: Martin Kokoshka

Grafil Inc.

March 2004

 

Study on Impact of Foreign Sourcing of Systems

Office of the Deputy Under Secretary of Defense for Industrial Policy

January 2004

 

Speed Kills: Supply Chain Lessons from the War in Iraq

by Diane K. Morales and Steve Geary

Harvard Business Review

November 2003


 

Positioning Your Company for Defense Department Work

Helping Remanufacturer's of Service Parts Capture A Highly Profitable New Source of Revenue Through Performance Based Logistics (PBL)

John Kotlanger

November 2, 2003

 

Background Paper of the Millennium Project Task Force on Science, Technology and Innovation

Smita Srinivas et al

United Nations Development Programme (UNDP)

April 18, 2003

 

Going global: U.S. government policy and the defense aerospace industry

Mark A. Lorell, Julia Lowell, Richard M. Moore
RAND MR-1537

ISBN 0-8330-3193-7

2002

 

Certain Issues on China Countering Future Economic Sanctions

By Jiang Luming

The (Chinese) National Defense University

Military Economics Study, November 2001

 

Was America hunting for a new killer submarine?

Global Intelligence Update/Asia Times

April 6, 2001

 

Measuring National Power in the Postindustrial Age

By: Ashley J. Tellis, Janice Bially, Christopher Layne, Melissa McPherson

RAND

MR-1110-A

2000

 

Analyst's Handbook - Measuring National Power in the Postindustrial Age

By: Ashley J. Tellis, Janice Bially, Christopher Layne, Melissa McPherson, Jerry M. Sollinger

RAND

MR-1110/1-A

ISBN/EAN: 0-8330-2803-0

2000

 

Interpreting China's Grand Strategy: Past, Present, and Future

By: Michael D. Swaine, Ashley J. Tellis

RAND

MR-1121

2000

 

How Long Do Economic Sanctions Last? Examining the Sanctioning Process through Duration

Sean M. Bolks, Dina Al-Sowayel

Political Research Quarterly, Vol. 53, No. 2, pp. 241-265

DOI: 10.1177/106591290005300202

2000


 

Task Force on Globalization and Security

Defense Science Board

December 1999

 

The Impact of Economic Sanctions on Health and Well-being

by Richard Garfield

Relief and Rehabilitation Network (RRN)

Overseas Development Institute

RRN Network Paper 31

ISBN: 0-85003-435-3

November 1999

 

Overview and Analysis of the Economic Impact of U.S. Sanctions With Respect to India and Pakistan

James Stamps, Project Leader

U.S. International Trade Commission

Investigation No. 332-406

Publication 3236 September 1999

 

Assessing Defense Industrial Capabilities

DoD Handbook 5000.60-H

Under Secretary of Defense for Acquisition and Technology

April 1996

 

INDUSTRIAL BASE: Assessing the Risk of DOD's Foreign Dependence

Report to the Chairman, Subcommittee on Defense Technology, Acquisition, and Industrial Base, Committee on Armed Services, U.S. Senate

GAO/NSIAD-94-104

April 1994

 

Conservation, Integration and Foreign Dependency: Prelude to a New Economic Security Strategy

David P. Leech

The Analytic Sciences Corporation (TASC)

GeoJournal

Volume 31, Number 2, October, 1993

pp. 193-206


FAIR USE excerpt of its Foreign Vulnerability Index (FVI)

 

US Procurement of Weapon Components from Foreign Sources: Policy Implications

Guy J. Fritchman

Major, US Air Force

USAF Research Associate

Program in Arms Control, Disarmament, and International Security

January 1993 (written during spring 1991)

 

Building Future Security: Strategies for Restructuring the Defense Technology and Industrial Base

Office of Technology Assessment

OTA-ISC-530

NTIS order #PB92-208156

June 1992

 

A CALL TO LIFT ECONOMIC SANCTIONS AGAINST IRAQ

Henry B. Gonzalez, (TX-20)

(House of Representatives - June 24, 1991)

[Page: H4929]

 

Industrial Base: Significance of DOD's Foreign Dependence

Report to the Chairman, Subcommittee on Technology and National Security, Joint Economic Committee, U.S. Congress

House of Representatives

GAO/NSIAD-91-93

January 1991

 

The Globalization of America's Defense Industries: Managing the Threat of Foreign Dependence

Theodore H. Moran

International Security, Vol. 15, No. 1, pp. 57-99

Summer 1990

 

Technology and Competitiveness: The New Policy Frontier

B.R. Inman and Daniel F. Burton, Jr.

Foreign Affairs

Spring 1990

 

Holding the Edge: Maintaining the Defense Technology Base - Vol. II, Appendices

OTA-ISC-432

NTIS order #PB90-253345
January 1990

 

Industrial Strength Defense: A Disquisition on Manufacturing, Surge and War

Martin C. Libicki

National Defense University

ADA228966

1990

 

Arsenal of Democracy in the Face of Change: Economic Policy for Industrial Mobilization in the 1990s

D. J. Bjornstad, ORNL Principal Investigator, et al
OAK RIDGE NATIONAL LABORATORY
ORNL/TM-11271
December 1989

 

Industrial Base: Adequacy of Official Information on the U.S. Defense Industrial Base

Report to the Chairman, Subcommittee on Legislation and National Security, Committee on Government Operations, House of Representatives

GAO/NSIAD-90-48

November 1989

 

Holding the Edge: Maintaining the Defense Technology Base

Office of Technology Assessment

NTIS order #PB89-196604
April 1989

 

US Industrial Base Dependence/Vulnerability. Phase 2. Analysis,

Martin Libicki, Jack Nunn, Bill Taylor

Mobilization Concepts Development Center

National Defense University

ADA189330

NOV 1987

 

US Industrial Base Dependence/Vulnerability. Phase 1. Survey of Literature,

Roderick L. Vawter

Mobilization Concepts Development Center

National Defense University

ADB118637

DEC 1986

 

A Study of the Effect of Foreign Dependency

The Joint Logistics Commanders

Department of Defense

(Contract No. F33600-85-C-0293), March 1986

Item is often cited, but no direct citation appears.

Brief summary of its foreign dependency analysis contained in: Industrial Base: Adequacy of Official Information on the U.S. Defense Industrial Base

 

Strategic Materials: Technologies To Reduce U.S. Import Vulnerability

Office of Technology Assessment, OTA-ITE-248

NTIS order #PB86-115367

May 1985

Appendix A - Review of Previous Lists and Methods of Selection

Strategic Materials: Technologies to Reduce U.S. Import Vulnerability

Appendix E - Case Study: The Advanced Composites Industry

 

Scientific Communication and National Security

Panel on Scientific Communication and National Security, National Academy of Sciences, National Academy of Engineering, Institute of Medicine

National Academies Press

ISBN-10: 0-309-03332-2

1982

 

Appendix H: Statement of Admiral B.R. Inman for the May 11, 1982, Senate Governmental Affairs Subcommittee on Investigations Hearing on Technology Transfer (140-142)

 

Materials Vulnerability of the United States - An Update

Alwyn H. King

Strategic Studies Institute, U.S. Army War College

April 1977

Via NTIS


 

Materials and the New Dimensions of Conflict

Alwyn H. King and John R. Cameron

Strategic Studies Institute, U.S. Army War College

December 1974

Via NTIS


 

Gordon Housworth



Intellectual Property (IP) risks in Brazil and Mexico

Protecting your Intellectual Property in Mexico, Brazil and China was a recent presentation done in response to a request to compare IP risks in key Western Hemisphere states with those in China. As it is difficult to address three such diverse regions in a short presentation, readers are recommended to also look at:

The Brazilian IP risk is new to the list as it contains:

  • Unique Brazilian characteristics
  • Brazil as a mixed threat environment
  • Condition of ungoverned areas, ill-equipped law enforcement agencies and militaries
  • Endemic IP abuse environment
  • Moderate anti-IP intellectual environment
  • Pressure to remain preferred Southern Cone regional automobile supplier
  • Brazil as part of China's mercantile strategy
  • Brazil's attractive IP targets

The Mexican IP risk is summarized from the larger Mexican risk horizon as:

  • Unique Mexican characteristics
  • Mexico as a mixed threat environment
  • Piece part/commercial focus fails to include key Mexican factors
  • Drug cartel counterattacks
  • Cartels' ability to sever Mexico's national critical infrastructures

Based upon interactions with a number of firms operating in both Brazil and Mexico, it is our opinion that IP risk is either misunderstood or ignored, leaving the firms open to exploitation and acceptance of risk by default.

Gordon Housworth



Themes and variations in Chinese and Indian Intellectual Property protection

Protecting your Intellectual Property in China and India was produced in response to GlobalAutoIndustry's request to contrast issues in Chinese and Indian Intellectual Property protection as part of China and India: Decreasing Costs Across Global Operations, a look at factors, advantages and concerns in Low Cost Country Sourcing (LCCS) to these automotive and component manufacturing areas.

Readers can treat China and India as the 'low cost is not low risk' abstract to separate presentations devoted to each country:

Each offers a much deeper dive into the factors affecting IP, facility and personnel protection in these Asian regions. Readers may consult these two article abstract series for further information on topics mentioned in all three presentations:

Citing the Aberdeen Group's 2005 observation that Chief Purchasing Officers "rate Low-Cost Country Sourcing (LCCS) a top priority over the next three years, and companies plan to double their spending with offshore suppliers by 2008," Wayne Forrest aptly noted:

While the LCCS road looks smooth on the surface and the cost benefits are enticing, there are potholes the size of moon craters for companies that do not properly prepare for all the potential hazards along the way.

Examining the nine tips that Forrest gathered from LCCS industry experts, I can state that the IP protection pothole (tip 2) remains unfilled in 2008, and adversely affects the other eight.

A close examination of the three presentations cited here will offer insight as to why. Feel free to contact us to begin to understand how to respond.

Nine tips for low-cost country sourcing
Wayne Forrest
Purchasing.com
9/1/2005

Gordon Housworth



The inflection point in reversed capital flow from China to the US has occurred and will accelerate

On the Brownfield side of manufacturing, automotive manufacturers and similar Tier 0 producers, and on the Greenfield side, Venture Capitalists, have driven their respective tier base and investment stable firms to China based solely on piece part or operating cost, with no particular thought to (1) what happens when the cost advantage dissolves, (2) the effects of that move, which I call destabilization once its full ramifications become felt (also here and here), and (3) the shifting of money from dollars and treasury notes to investment by Chinese entities at a time when their US/EU competitors are facing relatively higher capital costs.

I wager that many firms don't even have the foresight to look past the piece part cost trap much less the other drivers. With so many sitting ducks, Chinese investors will prosper.

Monaghan speaks of a Chinese inflection point that I submit has already arrived, though its structural effects have yet to become measurable:

[B]eneath the excitement of the domestic [Chinese] story emerges the prologue to something perhaps far more important. China and Chinese corporations are no longer simply a destination for capital but a point of origin. A fundamental change has begun. Today, five of the top 10 global companies by market capitalisation are Chinese. We are seeing the first ebb in the tidal flow of capital. China's sphere of influence and responsibility is changing. The fundamentals that created China's success equally pressure China to find new sources of competitive advantage. Chinese capital will flow to those sources as the domestic economy matures. No longer is the local market the sole consideration. China is now actively adjusting focus and capital from internal to international markets. That ebb will become an unstoppable current.

None of the above includes the ultimate destabilizer when the Chinese employ administrative edicts, tariff strictures and noncommutative standards (Chinese products meet the standard but foreign products do not) to force foreign firms out of China in concert with investments into the home territories of those firms. See Confluence of thinking on Chinese outsourcing and supply chain risks from DSB and USCC.

In any case, Monaghan's inflection point of capital flow had already begun, only to be accelerated by weaknesses occasioned by the excesses of the subprime loan fiasco. China and other sovereign state investors will acquire stakes in key US investment banks on the cheap. (Yes, the markets have continued to fall, making some of these investments look less attractive, but were it not for the subprime impact those stakes would not have been available at all, much less at the negotiated prices.) Monaghan makes what I would call a statement of the patently obvious were it not for the many firms that are unaware:

The implications are as significant as they are far reaching. It impacts everything from talent to technology, capital to competition and revenue to risk. It calls into question the very fundamentals of our investment and strategy in China and the role China will play in our global or regional operations. It implies increasing volatility and the need to ensure our organisations are agile and prepared for change...

It is essential for firms to break out Jack Welch's five strategy review questions:

These should be asked frequently and especially at any change in operating or environmental conditions. (They form a key jump point for our strategic planning and technology forecasting efforts.) Most firms are not doing so with respect to China, or if they are, do not like their implications and so push them aside.

China's Inflection Point
Steve Monaghan
GTNews
15 Jan 2008

Citi Writes Down $18 Billion; Merrill Gets Infusion
Edited by Andrew Sorkin
DealBook/New York Times
January 15, 2008, 6:44 am

The Subprime - Trade Deficit Connection
Thomas Palley
posted on January 7th, 2008 at 9:07

Sub-prime Casualties Who Should Have Known Better
Finding Dulcinea
January 6, 2008 3:05 PM

$9.4 Billion Write-Down at Morgan Stanley
By LANDON THOMAS Jr.
New York Times
December 20, 2007

Case Study: Jack Welch’s Creative Revolutionary Transformation of General Electric and the Thermidorean Reaction (1981-2004)
Pier A. Abetti
CREATIVITY AND INNOVATION MANAGEMENT
Volume 15 Number 1 2006, pp 74-84

China Investing in Rust-Belt Companies
Auto-Parts Maker Wanxiang Invests in U.S. Partners As Its Ambitions Expand
By PETER WONACOTT
Wall Street Journal
November 26, 2004

Control Your Destiny or Someone Else Will
James Altfeld's 'Cliffs Notes' version of Jack Stack's A Stake in the Outcome, 2002

The GE Way Fieldbook: Jack Welch's Battle Plan for Corporate Revolution
By Robert Slater
McGraw-Hill Professional
ISBN 0071354816
Published 2000

Gordon Housworth



Who is encircling whom?: China and the US

Economic and military threads are warp and weft of the same cloth, yet too many continue to believe the fallacy that nations that trade together do not war with one another. The reality is that they trade so long as their national cost-benefit analysis tells them to continue doing so. Tipping points exist. The key is to recognize their emergence and be prepared to prosecute them. Short of that, business must address the uncertainties as their governments jostle for advantage.

It is no secret that the US and China have a multi-faceted relationship, one part of which is China's rise, the US, and lesser EU, effort to shape, even control, that rise, and China's countermeasures. At the moment, I rate China better at playing its hand than has the US. Worse, I feel that the broad US posture in both Washington and the UN has unnecessarily alienated potential allies while allowing China an easier path in its patient pursuit of Asian hegemony at a minimum and perhaps more. Following are some thoughts along that road.

Uncertain containment allies in the Pacific

It should not be a secret to readers that part of US efforts to contain China is the creation of a marine defense network linking the US with Japan, Australia and India in order to deliver control of the Pacific and Indian Oceans into western hands.

The so-called "golden age" of US-Japanese relations under Prime Ministers Koizumi and Abe came to an end with the election of Yasuo Fukuda, a man definitely not "on the same ideological wavelength" as Bush43. The US had seen, and still hopes to see, Japan as a key component of its defense planning for a generation:

The key calculation for the Pentagon is whether Japanese military assistance will be available to the US should a crisis erupt with China, perhaps over Taiwan or some other cause... "To put it in stark terms, the question for us is whether Japan regards itself as an offshore island of China or of the US."... The official stressed that the US continues to view Japan as an "extremely reliable" ally with which highly sensitive defense cooperation [will] continue.

The resignation of Japanese Prime Minister Shinzo Abe came as a surprise to the US; the election of Yasuo Fukuda over the preferred Taro Aso came as an unpleasant smack:

"Japan is the crown jewel of [US] Asian defense posture. If Japan becomes less reliable, we will have to rethink our plans." Of special concern are US hopes for a defense network which includes the US, Japan, Australia and India. This idea has been the subject of regular exchanges between US officials and their foreign counterparts, most recently on September 9th.

Bush43 had promoted Japan as a new member of the UN Security Council based upon the expectation that Japan would expand its role in global security and assist the US should relations worsen with China:

"We are taking many measures to promote stable relations with China, but it would be irresponsible not to plan for a deterioration. Japan is a big part of this planning." The US concern is that Fukuda will rule out a role for Japan in an anti-China alliance. Should this happen, the US would, in the words of a Pentagon planner, "have to go back to square one for our Asian policy."

Worse, Japan could yet invite China in:

"A nightmare would be if Japan suggests that China joins the alliance. This would defeat its rationale." On the economic front, the US also has concerns that momentum toward reform is slowing [and that] recent requests on privatization and liberalization will meet resistance. The combined result of the potential setbacks on both the security and economic fronts is that US-Japan relations may become, in the description of a White House official, "problematic."

For its part, the Japanese postwar Jekyll & Hyde of diplomatic runt and economic workhorse is winding up. As part of the postwar Pacific realignment, it is interesting to contemplate a nuclear Japan that is not a "US Japan," that Sancho Panza will ride on his own:

The Six Party Talks are no longer an institutional mechanism to terminate the Cold War structure that persists on the Korean Peninsula. It has now metamorphosed into a detente approach predicated on continuous confrontation and coexistence with Pyongyang's die-hard dictatorship. The aim of this approach is to defuse politico-military tensions created by Pyongyang's confidence in the efficacy of the threat and use of nuclear weapons. Yet any transformation of the tensions is expected to occur only in the form of a series of concessions made by North Korea in response to large-scale international economic assistance given to it. Such economic assistance would be provided synchronous with the creation of a post-Korean War peace regime and the eventual formation of a regional multilateral security framework in Northeast Asia. This means the resolution of the North Korean nuclear and abduction issues will have to wait until Korean unification takes place.

Japan is practically the only country capable of providing such a massive amount of aid. However, Pyongyang's impending nuclear threats and indisputable offenses against sovereignty in the form of repeated abductions of Japanese nationals have convinced the Japanese government not to provide aid until Pyongyang has achieved complete denuclearization, scrapped its ballistic missiles, and settled the abduction issue. Since this government policy is rooted in a solid national consensus, Tokyo has little room for making compromises, at least in principle.

Furthermore, the Japanese public is now fully aware that Washington has ceased to speak of complete denuclearization (CVID), the HEU programs and, most crucially, the dozen or more rudimentary nuclear warheads that North Korea is believed to possess. It will not take long before the Japanese public realizes that Washington is extending a de facto, if not de jure, recognition of Pyongyang's nuclear power status.

Consequentially, Washington's detente approach will sooner or later cause a backlash in Japanese public opinion, which will force the Japanese government to rethink its strategic calculations and alliance policy. Now that the opposition Democratic Party of Japan has seized control of the upper house of the Diet, Washington can no longer take Japan's followership in diplomacy for granted. Tokyo has become increasingly less pliable to US security interests...

For China's part, Beijing is doing what it can to unwind the last decade's effort of a US China containment policy. One wonders when Japan hits a tipping point, as much by demographics as defense, in its ability to deter the Chinese.

US relations with India are "awkward":

Of greatest concern to the [US] are indications that there is growing Indian hostility to Washington’s hope of turning India into a "new Japan in South Asia", that is, an ally wholly aligned with US interests. US officials had noted with satisfaction the signing in late 2006 of an India-Japan Global and Strategic Partnership but now see it losing momentum. They are confident that relations with New Delhi will get back on track but concede that opportunities have been missed.

The US had hoped to create a trilateral defense relationship with India and Japan as the US felt that regional multilaterals such as the ASEAN Regional Forum (ARF) deferred to China. (I would were I them.) The US wants "India to see itself as a maritime power" allied with the US/EU rather than a continental power allied with Russia and China.

The strong US-Australian rapprochement ended or was at least curbed with the victory of Prime Minister Kevin Rudd over the hawkish John Howard. Given Rudd's "strong Chinese connections," observers expect Australia to break away from a foreign policy supportive of the US and specifically move to further accommodation with China.

Elections reverse governments, at least in the West, and so regional policy may swing more towards US interests. My point is that the long tail of postwar certainty in US assumptions is waning while I see that of China increasing. Too much of the difference is a US self-inflicted wound.

China strategy patiently executed

My 2004 short trio summarize the approach that China continues to pursue with consummate skill:

'Peaceful Rise' overcoming 'China Threat' opens:

China's regional and global diplomatic initiative, "peaceful rise" or heping jueqi, literally "emerging precipitously in a peaceful way," is a masterful endeavor to extricate itself from the collar of "China threat" imposed by the US. Heping jueqi shows a level of nuance, patience, and simultaneous flooding of regional and global diplomatic channels with a level of personal diplomacy at which the US can only marvel, if indeed, it has recognized.

Heping jueqi is marked by:

  • Diplomatic drive for regional acceptance of PRC's expanding sphere of influence
  • Enshrining China as Asia's predominant economic force
  • Leveraging economic cooperation into political influence over Southeast Asia
  • Offsetting and eventually diminishing US influence
  • Regional and international acceptance of China as the Asian superpower with hegemony over the region

China's controlled 2004 deployment of police/peacekeepers to Haiti marked its end of diplomatic non-intervention. See China reverses a half-century on diplomatic non-intervention as it becomes a model UN citizen.

Hegemons come and go: a renewing Chinese hegemon eyes a mature US hegemon, also 2004, drew on "Chinese open source literature paint an intriguing view of the Sino American relationship":

  • The US is a hegemonic power that is "a major obstacle and competitor for influence in Asia"
  • The US is a superpower in decline, losing global economic, political, and military influence
  • China aspires to be a "major international power and the dominant power in Asia. To that end, China is actively pursuing a multipolar world where it could align with other rising powers such as Russia, Japan, and Europe in order to check or challenge U.S. power"
  • China can counter US power by its pursuit of a multipolar world "where it could align with other rising powers such as Russia, Japan, and Europe"
  • Maintain stable and good relations with the US as it is "an important market for Chinese goods and an important source of science and technology, financial capital, and foreign direct investment--all central components of China's rising status and strength"
  • "Although technologically superior in almost every area of military power, [the US] can be defeated, most particularly, in a fight over Taiwan in which China controls the timing"
  • Al Qaeda's 11 September attack changed only China's approach to the US but not the fundamentals of its vision

Beijing has continued to pursue this plan with great success, in which success is defined as many incremental steps that do not draw undue backlash on either economic, diplomatic or military fronts. China needs economic growth to stave off domestic unrest, but that restraint has limits.

In July 2006 the Chinese ambassador to the UN, Wang Guangya, uncharacteristically lost his temper over the Security Council's attempt to word a rebuff of Israel's bombing of a UN Observer mission that killed four, one of whom was Chinese:

Without naming any countries... Wang lashed out at "a tyranny of the minority in the council" and vowed that there would be "implications for future discussions" on other subjects. Once the meeting ended, Wang [complained] that the presidential statement had been "watered down," observing in several different formulations that "we have to take into account the concerns of other countries" and predicting that the "frustration" his country felt "will affect working relations somewhat."...

In an earlier era, when the People’s Republic of China tended to conduct diplomacy by tantrum [but] China cares too much about the international order for such revolutionary shenanigans... China now aspires to play an active role on the global stage... The bad news is that China’s view of "the international order" is very different from that of the United States, or of the West, and has led it to frustrate much of the agenda that makes the U.N. worth caring about...

"First world" mentality in a "third world" body

China plainly wishes to join the international community on its own terms. The People’s Republic is a singular entity, a world-class power almost wholly preoccupied with harnessing its internal energies and preventing domestic conflict. Unlike Russia, for example, China has little wish to use the power at its disposal, save to establish a harmonious environment for its "peaceful rise."... China thus cares a very great deal about matters of little concern in the West "territorial integrity," [and] very little about the burning issues in [the US, UK and France. China supports the view of the now expanded "G77 plus China" that the UN] should pay more attention to economic and social issues and less to matters of peace and security...

China’s economy has made it a global force, and the accompanying need for resources has pushed it to forge new ties throughout Asia, Africa and Latin America. The old revolutionary ardor is gone, and China surveys the world with increasing pragmatism and confidence. China is now a status quo power "an exporter of good will and consumer durables instead of revolution and weapons."... Unlike the United States and the West generally, China views the current global situation as fundamentally benign and malleable a setting conducive to diplomacy...

The impact of that economy on US security can be seen in many areas; here are three:

Returning to the diplomatic front:

China has chosen to enmesh itself in global bodies like the World Trade Organization, regional groupings like the six-member, security-oriented Shanghai Cooperation Organization and a vast range of bilateral partnerships. China has begun routinely signing arms-control agreements and antiterrorism conventions. And it has begun playing a more active role at the U.N., contributing troops almost all of whom provide medical or engineering services rather than front-line patrolling as well as policemen to U.N. peacekeeping operations...

China has become so influential a country, such an object of imitation, respect and fear, that you can no longer talk about an "international community" that does not include it. The West has a profound interest in China’s development as a global power and its acceptance, however gradual and grudging, of the rules by which the West has defined global citizenship...

The great issue that divides the U.N. is no longer Communism versus capitalism, as it once was; it is sovereignty [which flies in the face of those who deride the UN for failing to] defend individuals against an abusive state... But this failing is a Western preoccupation: most developing nations, with their history of colonial rule [object] to all such inroads on sovereign rights. [In China] sovereignty has long been a fighting word...

China and the United States are the twin bêtes noires of the U.N.: the U.S. insists on enlisting the organization in its crusades, while China refuses to let any crusade get in the way of national interest. Washington is all blustering moralism; Beijing, all circumspect mercantilism... It’s a truism that the Security Council can function only insofar as the United States lets it. The adage may soon be applied to China as well...

"We don’t want to make anyone feel uncomfortable."

With some accuracy, I fear, certainly in recent years, UN ambassador Wang told his interviewer (Traub) that "blunderbuss diplomacy is the American way "because America is a superpower, so America has a big say." China would appear to have a big say of its own, but that’s not Wang’s view." Wang virtually encapsulated the paragraphs above by saying, "The Americans have muscle and exercise this muscle [whereas] China has no muscle and has no intention of exercising this muscle."

With continuing understatement and self-effacement, Wang clarified the remark with the CCP's need to protect China's peaceful rise and to "reassure all who fear its growing clout. "We don’t want to make anyone feel uncomfortable."" China is well on its delicate, thoughtful path of replacing the US as the Bretton Woods' model world citizen and in the end taking the UN away from the US.

Without correction by the US, that may well happen:

Japan's Evolving Relations with China
by Yoshio Okawara
Association of Japanese Institutes of Strategic Studies
AJISS-Commentary No. 19
14 December 2007

Australia and Japan: Both Moving in Beijing’s Direction?
Swoop
Published on: December 8th 2007 14:24:55

East China Sea Dispute: Learn from the Australians and East Timorese
By Yasuhiro Goto
Association of Japanese Institutes of Strategic Studies
AJISS-Commentary No. 17
7 December 2007

America, Don't Count on Our Followership
by Masahiro Matsumura
Online Publisher: Yukio Satoh
President of The Japan Institute of International Affairs
The Association of Japanese Institutes of Strategic Studies
4 December 2007
AJISS-Commentary No. 16

Japan: End of the Golden Age
Swoop
Published on: December 1st 2007 13:34:13

India: Stable but Awkward Relations
Swoop
Published on: November 17th 2007 17:34:22

Japan: US Trying Not to Worry
Swoop
Published on: November 10th 2007 12:20:05

Japan: US Insists on Reform, Japan Temporizes
Swoop
Published on: November 3rd 2007 16:02:08

India: Problems on the Nuclear Question
Swoop
Published on: October 20th 2007 14:36:44

Japan: Complications on Defense
Swoop
Published on: October 20th 2007 14:36:57

Russia: New Puzzles, Same Answers
Swoop
Published on: October 13th 2007 16:45:55

Strengthening Security Cooperation with Australia: A New Security Means for Japan
By Yoshinobu Yamamoto
Association of Japanese Institutes of Strategic Studies
AJISS-Commentary No. 13
9 October 2007

Japan: Back to the Drawing Board?
Swoop
Published on: September 22nd 2007 08:57:12

Is Washington Losing East Asia?
The Drawbacks of Linking Trade and Security in America’s Foreign Policy
Heribert Dieter, Richard Higgott
Paper prepared for the CSGR/GARNET Conference on Pathways to legitimacy? The Future of Global and regional Governance
University of Warwick, 17 to 19 September 2007

Japan and India: A Joint Defense Destiny?
Swoop
Published on: June 2nd 2007 00:09:54

The World According to China
By JAMES TRAUB
New York Times
September 3, 2006

Bretton Woods Institutions
Ngaire Woods
Oxford Handbook of the United Nations
Ed. by Thomas Weiss and Sam Daws
OUP, 2006

China Engages Asia: Reshaping the Regional Order
David L. Shambaugh
International Security - Volume 29, Number 3, Winter 2004/2005, pp. 64-99

Bretton Woods and the UN system - relationship of the International Monetary Fund and the World Bank to the UN
by Hans W. Singer
Ecumenical Review
July, 1995

Bretton Woods Conference Collection: Photographs
IMF Archives: Finding Aids
Date(s): [1940-?]-1944, [May 14, 1956?]

Gordon Housworth




Protecting mobile information in your possession and transiting to/from you


Most encryption approaches have failed due to the delta between the security level that a firm's management seeks to instill and the overhead that their employees are willing to endure. As a PGP user since rev 3 (DOS-based), I can sympathize, but once PGP migrated to Windows and Outlook allowed a toolbar add-in, it has become almost easy.

Many now see the issue as protecting mobile machines and their still shrinking, easily mislaid or stolen flash drives. I submit that users must also protect materials transiting to and from them while they are deployed.

Transparent whole data volume encryption

I recommend Schneier's short item on protecting data on a PC, laptop or otherwise, and associated mass storage items such as jump sticks. Not only is Schneier's approach practical and easy to employ, it is now essential, given the number of mobile computers in use and the rising number of opportunistic and premeditated predators, for virtually any firm:

PGP Whole Disk Encryption locks down the entire contents of a laptop, desktop, external drive, or USB flash drive, including boot sectors, system, and swap files. The encryption is transparent to the user, automatically protecting data.

There are added features such as preboot authentication, anti-key logging and one-time use emergency passphrase. A removed disk cannot be booted when inserted into another computer, nor is there any modification to Windows.

Schneier recommends a two-tier encryption strategy:

Encrypt anything you don't need access to regularly -- archived documents, old e-mail, whatever -- separately, with a different password. I like to use PGP Disk's encrypted zip files, because it also makes secure backup easier (and lets you secure those files before you burn them on a DVD and mail them across the country), but you can also use the program's virtual-encrypted-disk feature to create a separately encrypted volume.

Use multiple tiered passphrases

I go beyond Schneier's two tier strategy to use a tiered set of passphrases, one for PGP transmissions, another for full disk encryption and a third or more for reference volumes so that one passphrase does not reveal all.

Know how to turn off your laptop fast

Know how to quickly turn off your laptop and, if you have to hold down a key or key combination to do it, how long it takes. You may not wish to endure bodily harm before surrendering a laptop, such as in a coffee shop theft, but holding onto it long enough to power it down means you do not hand over a running PC with its in-use volumes vulnerable to attack.

Minimize data stores on any mobile device, PC or jump drive

Take note of Schneier's comment about not having excess data on the disks to begin with, i.e., why put yourself in the position of having to encrypt it, or of facing legal or physical demands to decrypt it:

minimize the amount of data on your laptop. Do you really need 10 years of old e-mails? Does everyone in the company really need to carry around the entire customer database? One of the most incredible things about the Revenue & Customs story is that a low-level government employee mailed a copy of the entire national child database to the National Audit Office in London. Did he have to? Doubtful. The best defense against data loss is to not have the data in the first place.

Use 'transit addresses' wherever you are reasonably at risk

I realize that data scrubbing will be considered too great a trouble for most, and certainly those whose laptop has long become their roving desktop machine, but here is one essential process that I urge, especially for those bound to locales where in-transmission capture is possible/probable: use a 'transit address' when you are travelling that only receives a filtered subset of one's normal traffic.

While en route to, or within, certain countries, by prearrangement with home office, I only look at the transit address traffic and even that transit traffic may be encrypted. (I also reset my email passphrase.) All mail continues to go to my usual address but then pertinent items are flagged and forwarded (often with abstraction) to the transit address, i.e., if you don't send it, they have more difficulty in intercepting it. I alert colleagues that I am deployed for a time window and am only looking at transit traffic.

You cannot imagine the traffic that flows to and from senior executives and senior technical personnel; they effectively make no differentiation between home office and fragile in-transit and deployed locations where key-logging and other government mandated monitoring efforts are in effect. I say again, you cannot imagine the volume of traffic laid open to collection. Just capturing email addresses of traffic to and from the target lays a trusted group open to targeted phishing attacks. See Malicious marketplace uniting espionage, criminal groups, crackers, terrorism, vulnerable systems, commercial and government targets.
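The home-office side of the transit-address procedure can be sketched as follows. This is an added example, not code from the original post; the addresses, the travel window and the function names are all hypothetical. Only an abstract written at the home office goes out, and the copy is rejected if it exposes the original subject or any correspondent address.

```python
from datetime import date
from email.message import EmailMessage
from email.utils import getaddresses

# All addresses, dates and message text below are constructed for illustration.
TRANSIT_ADDR = "transit-7f3@example.net"         # hypothetical transit mailbox
RELAY_ADDR = "desk@example.net"                  # hypothetical home-office relay
WINDOW = (date(2008, 1, 14), date(2008, 1, 25))  # hypothetical deployment window


def visible_text(msg):
    """Headers plus body of a text/plain message, lower-cased."""
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
    return (headers + "\n" + msg.get_content()).lower()


def leaks(original, copy):
    """Subject and correspondent addresses of the original that the copy exposes."""
    wire = visible_text(copy)
    candidates = [str(original["Subject"] or "")]
    for header in ("From", "To", "Cc"):
        values = [str(v) for v in original.get_all(header, [])]
        candidates += [addr for _name, addr in getaddresses(values)]
    return [c for c in candidates if c and c.lower() in wire]


def transit_copy(original, abstract, today, seq):
    """Build the message sent to the transit address for one flagged item.

    Returns None outside the travel window or when the home office wrote no
    abstract (the item was not flagged). Nothing is copied from the original:
    no headers, no body, no attachments. Raises ValueError if the abstract
    itself names a correspondent address or repeats the original subject.
    """
    start, end = WINDOW
    if not (start <= today <= end) or not abstract:
        return None
    copy = EmailMessage()
    copy["From"] = RELAY_ADDR
    copy["To"] = TRANSIT_ADDR
    copy["Subject"] = f"Note {seq}"          # neutral, sequence number only
    copy.set_content(abstract.strip() + "\n")
    exposed = leaks(original, copy)
    if exposed:
        raise ValueError(f"abstract exposes original metadata: {exposed}")
    return copy


def sample_original():
    """A constructed inbound message as it arrives at the usual address."""
    msg = EmailMessage()
    msg["From"] = "Alice Example <alice@partner.example>"
    msg["To"] = "exec@corp.example"
    msg["Cc"] = "legal@corp.example, cfo@corp.example"
    msg["Subject"] = "Term sheet v4: tooling ownership"
    msg.set_content("Full text of the original stays at the home office.\n")
    return msg
```
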

Don't do dumb things

Even the best encryption systems will not protect you if Homo Boobus takes over the keyboard, doing things such as leading your cyphertext with the cleartext title from the subject line, using key words from the text in the subject line, or pasting the encrypted cyphertext above or below the cleartext. I have gotten too many of those from amateurs.
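The three mistakes listed above can be caught mechanically before a message leaves. The following pre-send check is an added example, not part of the original post; the function names, finding codes and sample message are constructed, and it assumes the sender still has the plaintext draft at hand to compare against.

```python
import re

ARMOR = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S
)
STOPWORDS = frozenset(
    "about after again from have that their there this will with your".split()
)
MIN_LINE = 8  # ignore very short draft lines ("Regards", "Hi") when matching


def keywords(text, min_len=4):
    """Content words of a text: lower-cased, no stopwords, no short tokens."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return {t for t in tokens if len(t) >= min_len and t not in STOPWORDS}


def normalise(text):
    """Collapse whitespace and case so pasted lines still match after reflow."""
    return " ".join(text.lower().split())


def lint_outgoing(subject, body, plaintext):
    """Return (code, detail) findings for a message about to be sent.

    subject, body: what will travel on the wire.
    plaintext: the draft that was (supposedly) encrypted into the body.
    """
    findings = []
    if not ARMOR.search(body):
        findings.append(("NO_CIPHERTEXT", "body has no PGP armored block"))

    # Everything that travels unencrypted next to the ciphertext.
    outside = normalise(ARMOR.sub(" ", body))
    draft_lines = [normalise(l) for l in plaintext.splitlines() if l.strip()]
    title = draft_lines[0] if draft_lines else ""

    seen = set()
    for line in draft_lines:
        if len(line) < MIN_LINE or line in seen:
            continue
        seen.add(line)
        if line in outside:
            code = "CLEARTEXT_TITLE" if line == title else "CLEARTEXT_PASTED"
            findings.append((code, line))

    # Subject lines are never encrypted; draft words there leak the topic.
    leaked = sorted(keywords(subject) & keywords(plaintext))
    if leaked:
        findings.append(("SUBJECT_LEAK", ", ".join(leaked)))
    return findings


# Constructed sample data.
DRAFT = (
    "Q3 pricing floor for the Shenzhen supplier\n"
    "We will not go below 4.10 per unit.\n"
    "Walk away if they ask for tooling ownership.\n"
)
ARMORED = (
    "-----BEGIN PGP MESSAGE-----\n\n"
    "(constructed placeholder, not real ciphertext)\n"
    "-----END PGP MESSAGE-----"
)
BAD_SUBJECT = "Pricing floor - Shenzhen supplier"
BAD_BODY = (
    "Q3 pricing floor for the Shenzhen supplier\n\n"
    + ARMORED
    + "\n\nWalk away if they ask for tooling ownership.\n"
)
GOOD_BODY = "Encrypted note follows.\n\n" + ARMORED + "\n"

if __name__ == "__main__":
    for code, detail in lint_outgoing(BAD_SUBJECT, BAD_BODY, DRAFT):
        print(code, "->", detail)
```
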

Never, ever send or receive faxes. If it is worth sending, encrypt it and send via email.

But do carry any keys on separate media on your person 24/7, carry the laptop with you 24/7 to prevent physical attack with a Linux boot disk, frequently send random encrypted blocks of text to blunt traffic analysis, etc. People's eyes usually glaze when they hear this but intel collectors and criminals depend upon that resistance.

Putting it all together

One client's staff followed the rules such that we had emcon (emission control) to the point that our Asian hosts grew increasingly frustrated in negotiations. (Our presumption was that our host was not getting the expected level of background information needed to design their response to the client.) Turning the tables a bit, well past the halfway point in the visit I had the client announce that we were going to take the last day off for a special sightseeing tour. Now it was our hosts who had to work under compressed timelines.

Plausibly deniable encryption

For the few that must endure the likelihood of coercive interrogation that would force the prisoner to disclose any and all passphrases, there is plausibly deniable cryptography that clouds the very existence of encrypted volumes:

Encrypted filesystems fail against the Rubberhose Attack [because] traditional encrypted filesystems leak information. While the Bad Guy doesn’t know what the encrypted data is, he is able to see that there -is- encrypted data. Thus, he can beat our spy until all encrypted data has been decrypted.

Most processes by which one hides a data volume so that an inquiring police or immigration officer sees nothing to demand access to are usually not for the technically faint of heart. The system that I used, Rubberhose, is no longer supported and its creator is not the speediest in responding. The level of effort is higher on the install side but if you are likely to face coercive interrogation, it has its merits:

Deniable cryptography allows a captive or defendant that does not wish to disclose the plaintext corresponding to their cyphertext to be able to claim that there is more than one interpretation of the encrypted data, i.e., an investigator will likely know that encrypted material exists on the drive, but will not know how much, and so there is an opportunity to keep the existence of the most essential data hidden. Designed by Julian Assange, co-author of The Underground, Rubberhose is named after the decryption tactic it attempts to defeat: Rubberhose Cryptanalysis, in which suspects are exposed to repeated beatings or torture until their password is surrendered.

The best product extant in this area appears to be TrueCrypt but if this cloaked approach is necessary, your systems specialists should evaluate its ability to withstand the expected level of forensic analysis for the hostile states through which you expect to travel.

For most commercial environments, disk and associated data volume encryption, a fast off-switch, transit address usage and excising unnecessary data from the mobile unit will stand you in good stead.

How Does Bruce Schneier Protect His Laptop Data? With His Fists — and PGP
Bruce Schneier
Wired
11.29.07 | 12:00 AM
Mirrored as:
How to Secure Your Computer, Disks, and Portable Drives
Bruce Schneier
Schneier on Security
December 04, 2007

Deniable File System
Bruce Schneier
Schneier on Security
April 18, 2006

Defending against Rubberhose Attacks
Christopher Soghoian
JHU Systems Seminar
March 9 2004

Gordon Housworth




Confluence of thinking on Chinese outsourcing and supply chain risks from DSB and USCC


Rather than selling US securities, consider China restricting microchip supplies to the west at a critical juncture (which would hit Taiwan, the current global producer of electronic componentry). This is no more implausible than Russia restricting energy flows to the Ukraine which despite the repercussions remains a viable distress option. (Think of combining securities with chips.)

Consider a foreign nation-state or its proxy embedding malicious code somewhere in a software developer's global outsourcing tier. (If bugs get in, certainly purpose-crafted malicious code can get in.) The state actor can be camouflaged by the nationality and location of its proxy.

Think of the implications of the Defense Department "inadvertently outsourcing the manufacturing of key weapons and military equipment to factories in China."

These are but three implications of the confluence of thinking from the Defense Science Board (DSB) and the U.S.-China Economic and Security Review Commission (USCC). With its transient task forces drawn from a wide range of industry and commerce, the DSB is as contemplative and low-key as the bipartisan congressional USCC can be public and hawkish.

U.S.-China Economic and Security Review Commission (USCC)

As I consider the DoD to be a harbinger of threats to private industry, I find the concerns of DSB and USCC to have industry-wide significance in both the US and the EU. All the better that this fifth USCC report has shed its historic "harsh rhetoric" in favor of "more objective and supported cooperative efforts" that secured the "unanimous support" of its twelve Democratic and Republican commissioners. Its output defined realistic risks and offered useful responses, starting with industrial consolidation that amounts to a new autarky on the part of the Chinese:

China's consolidation of its state-owned enterprises (SOEs) is guided by a new policy announced in December 2006. The State-Owned Assets Supervision and Administration Commission (SASAC) and China's State Council identified seven strategic industries in which the state must maintain "absolute control through state-owned enterprises," and five heavyweight industries in which the state will remain heavily involved. The strategic industries are armaments, power generation and distribution, oil and petrochemicals, telecommunications, coal, civil aviation, and shipping. The heavyweights are machinery; automobiles; information technology; construction; and iron, steel, and non-ferrous metals. It is estimated that forty to fifty of SASAC's 155 central SOEs fall in the strategic category and account for 75 percent of SASAC's total assets...

The Commission is disappointed that Beijing's efforts to move in the direction of a market economy appear to be slackening. In particular, the government's decision to retain state ownership or control of a large block of the economy is disappointing. In accord with its 11th Five-Year Plan, China has designated a dozen industries, including telecommunications, civil aviation, and information technology, as "heavyweight" or "pillar" industries over which it intends for government to retain control. In addition, 155 of China's largest corporations remain state-owned, including nearly all the nation's largest banks. Much of the economy remains under the Chinese government's strict control. Beijing's provision of subsidies to its pillar industries may damage competitors in other countries - including the United States where companies do not receive such subsidies...

It is precisely these "pillar" and "heavyweight" industries that China will protect to the point of excluding foreign firms. I offered this guidance in an October 2007 advisory but its theme could have been plucked from far earlier work:

China has repeatedly used standards and administrative edicts to hold competitors at bay until Chinese products were in the market, often at established levels that minimized success of any foreign competitor. One that comes to mind is the 'technical issues' barring Blackberries for well over a year until Chinese products were in the market. China has a not so thinly veiled plan to harvest foreign tech, producing indigenous standards which bar foreign standards BUT let Chinese standards compliant products work overseas, i.e., the PRC wants to completely invert all royalty payments while achieving the price volume curves of a global product... I am not the only one to have [observed] that this standards practice is a strategic weapon.

In private - as in group dinner conversations - senior Chinese individuals have specifically stated that US/EU automotive OEMs will be driven out by use of standards, tariffs and administrative rulings. [Personal email advisory]

The USCC is specific with regard to Chinese predation on US Intellectual Property (IP):

[China] enlists engineers and scientists to obtain valuable information from foreign sources "by whatever means possible - including theft."

Additionally, industrial espionage provides Chinese companies an added source of new technology without the necessity of investing time or money to perform research. Chinese espionage in the United States, which now comprises the single greatest threat to U.S. technology, is straining the U.S. counterintelligence establishment.

China still is not enforcing its own laws against intellectual property theft.

Of the USCC Commission's 42 recommendations to Congress, ten were seen to be "of particular significance." Of those ten, numbers 2, 3 and 7 are specific to supply chain and IP risk and affect all industrial segments, commercial and defense:

  • Determining the country of origin of U.S. weapon systems components: The Commission recommends that Congress require the Department of Defense to prepare a complete list of the country of origin of each component in every U.S. weapon system to the bottom tier.
  • Ensuring adequate support for U.S. export control enforcement and counterintelligence efforts: In order to slow or stop the outflow of protected U.S. technologies and manufacturing expertise to China, the Commission recommends that Congress assess the adequacy of and, if needed, provide additional funding for U.S. export control enforcement and counterintelligence efforts, specifically those tasked with detecting and preventing illicit technology transfers to China and Chinese state-sponsored industrial espionage operations.
  • Assessing potential Chinese military applications of R&D conducted in China by U.S. companies: The Commission recommends that Congress direct the U.S. Department of Defense to evaluate, and, in its Annual Report to Congress on the Military Power of the People's Republic of China, to report on, potential Chinese military applications of R&D conducted in China by U.S. companies.

The specifics are laid out in the Commission's comprehensive recommendations:

The Impact of Trade with China on the U.S. Defense Industrial Base
8. The Commission recommends that Congress require the Department of Defense to prepare a complete list of the country of origin of each component in every U.S. weapon system to the bottom tier...

China's Military Modernization
12. In order to slow or stop the outflow of protected U.S. technologies and manufacturing expertise to China, the Commission recommends that Congress assess the adequacy of and, if needed, provide additional funding for U.S. export control enforcement and counterintelligence efforts, specifically those tasked with detecting and preventing illicit technology transfers to China and Chinese state-sponsored industrial espionage operations...

China's Science and Technology Activities and Accomplishments
20. The Commission recommends that Congress direct the U.S. Department of Commerce to report periodically on the general R&D expenditures of U.S. companies in China, based on protected business proprietary data the Department currently collects.
21. The Commission recommends that Congress direct the U.S. Department of Defense to evaluate, and, in its Annual Report to Congress on the Military Power of the People's Republic of China, to report on, potential Chinese military applications of R&D conducted in China by U.S. companies...

Defense Science Board (DSB)

It would appear that the USCC's 2007 report has been informed by work by the DSB in the 2005-2007 period, notably in the areas of firmware/microelectronics and software outsourcing and tiered manufacturing, encompassing both the buy side and the make side.

By 2005 DSB noted that the US defense side was disturbed by offshoring or "alienation" of critical supply chains, notably for microelectronics:

Pressure on U.S. IC suppliers for high return on invested capital has compelled them to outsource capital intensive manufacturing operations. Thus, the past decade has seen an accelerating trend toward vertical disaggregation in the semiconductor business. Companies whose manufacturing operations once encompassed the full range of integrated circuit activities from product definition to design and process development, to mask-making and chip fabrication, to assembly and final test and customer support, even materials and production equipment, are contracting out nearly all these essential activities...

One unintended result of this otherwise sound industry change is the relocation of critical microelectronics manufacturing capabilities from the United States to countries with lower cost capital and operating environments. Trustworthiness and supply assurance for components used in critical military and infrastructure applications are casualties of this migration. Further, while not the focus of this study per se, the U.S. national technological leadership may be increasingly challenged by these changing industry dynamics; this poses long term national economic security concerns.

[For] DOD's strategy of information superiority to remain viable, the Department requires:

    • Trusted and assured supplies of integrated circuit (IC) components.
    • A continued stream of exponential improvements in the processing capacity of microchips and new approaches to extracting military value from information.

Trustworthiness of custom and commercial systems that support military operations - and the advances in microchip technology underlying our information superiority - however has been jeopardized. Trustworthiness includes confidence that classified or mission critical information contained in chip designs is not compromised, reliability is not degraded or unintended design elements inserted in chips as a result of design or fabrication in conditions open to adversary agents. Trust cannot be added to integrated circuits after fabrication; electrical testing and reverse engineering cannot be relied upon to detect undesired alterations in military integrated circuits. [Emphasis in original]

The opportunities for adversarial intervention are great:

Finding: Because of the U.S. military dependence on advanced technologies whose fabrication is progressively more offshore, opportunities for adversaries to clandestinely manipulate technology used in U.S. critical microelectronics applications are enormous and increasing. In general, sophisticated, clandestine services develop opportunities to gain close access to a target technology throughout its lifetime, not just at inception.

If real and potential adversaries' ability to subvert U.S. microelectronics components is not reversed or technically mitigated, our adversaries will gain enormous asymmetric advantages that could possibly put U.S. force projection at risk. In the end, the U.S. strategy must be one of risk management, not risk avoidance. Even if risk avoidance were possible, it would be prohibitively costly.

By 2007 DSB observed that the US defense side had focused on microelectronics' mating factor, software design, in its concern of "alienation" of critical supply chains, but with a difference. Software and firmware are not parallel "because the microchip fabrication business requires increasingly large capital formation - a considerable barrier to entry by a lesser nation-state. Software development and production, by contrast, has a low investment threshold. It requires only talented people, who increasingly are found outside the United States." (ICG has had a sustaining interest in the supply chain risks and diversion of embedded software within weapons systems. See my 2005, Israel as serial violator, temporarily the chicken killed to scare the monkeys.):

The task force on microchip supply identified two areas of risk in the off-shoring of fabrication facilities - that the U.S. could be denied access to the supply of chips and that there could be malicious modifications in these chips. Because software is so easily reproduced, the former risk is small. The latter risk of "malware," however, is serious. It is this risk that is discussed at length in this report.

Software that the Defense Department acquires has been loosely categorized as:

  • Commodity products - referred to as "commercial-off-the-shelf" (COTS) software;
  • General software developed by or for the U.S. Government - referred to as "Government-off-the-shelf" (GOTS) software; and
  • Custom software - generally created for unique defense applications.

The U.S. Government is obviously attracted by the first, COTS. It is produced for and sold in a highly competitive marketplace, and its development costs are amortized across a large base of consumers. Its functionality continually expands in response to competitive market demands. It is [a] bargain, but it is also most likely to be produced offshore, and so presents the greater threat of malicious modification.

There are two distinct kinds of vulnerabilities in software. The first is the common "bug," an unintentional defect or weakness in the code that opens the door for opportunistic exploitation. [DoD] shares these defects with all users. However, certain users are "high value targets" such as the financial sector and the Department of Defense. These high-value targets attract the "high-end" attackers. Moreover, the DoD also may be presumed to attract the most skilled and best financed attackers - a nation-state adversary or its proxy. These high-end attackers will not be content to exploit opportunistic vulnerabilities which might be fixed and therefore unavailable at a critical juncture. Furthermore, they may seek to implant vulnerability for later exploitation.

DSB reports are recommended reading because, as noted above, DoD assets are the 'canary in the coal mine' for the larger set of commercial assets in the US and abroad. (Even when the subject topic seems far afield, the underlying technology discussions have surprising relevance.) Where DoD threats are now, the commercial sector will soon follow. The latest USCC report shows that defense and commercial risks have now substantially intersected.

The full 2007 USCC report is to be released next week. In preparation, I suggest:

ICG's Intellectual Property (IP) Protection Abstracts, September 2006 to June 2007
ICG's Intellectual Property (IP) Protection Abstracts, April 2004 to July 2006

 

U.S. - CHINA COMMISSION CITES SOME PROGRESS YET SOME TROUBLING TRENDS FOR U.S. ECONOMIC AND NATIONAL SECURITY INTERESTS
Press Release
USCC
November 15, 2007

USCC 2007 Report segments, available online 17 November:
2007 Report to Congress Intro
2007 Report to Congress Executive Summary
The Commission's Recommendations

Panel: China's Spying Poses Threat to U.S. Tech Secrets
By David Cho and Ariana Eunjung Cha
Washington Post
November 15, 2007; 11:57 AM

Chinese Spying No. 1 Threat To U.S. Manufacturing
By Foster Klug, Associated Press Writer
Manufacturing.Net - November 15, 2007

National Security and the PC
Posted by Paul Murphy @ 12:18 am
ZDNet
November 14, 2007

Are Foreigners Ruining DOD Software?
Posted by Catherine MacRae Hockmuth
Ares/Aviation Week
10/30/2007 4:02 PM

Building Trustworthy Circuits
Posted by Catherine MacRae Hockmuth
Ares/Aviation Week
10/29/2007 12:48 PM

Report of the Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD Software
Defense Science Board (DSB)
September 2007

Statement of Senator Carl Levin before the U.S.-China Economic and Security Review Commission Hearing on The U.S. China Relationship
Contact: Press Office
Phone: 202.228.3685
February 1, 2007

Satellite surprise highlights U.S.-China gap: official
Reuters
February 1, 2007; 3:12 PM

Russia Bargains for Bigger Stake in West's Energy
By STEVEN R. WEISMAN
New York Times
June 12, 2006

Gas Halt May Produce Big Ripples in European Policy
By MARK LANDLER
New York Times
January 4, 2006

Defense Science Board Task Force On HIGH PERFORMANCE MICROCHIP SUPPLY
Defense Science Board (DSB)
Office of the Under Secretary of Defense For Acquisition, Technology, and Logistics
February 2005

Gordon Housworth



InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  Weapons & Technology Public  


Intellectual Property and Outsourcing Risk in India


My presentation, Intellectual Property and Outsourcing Risk in India, given to GlobalAutoIndustry's "India: Leading Offshoring Center or Upcoming Manufacturing Power?" on 1 November, 2007, described India's uniqueness which separates it from other outsourcing and manufacturing regions:

  • India is unique in that risks to personnel and facilities coexist with IP risks throughout its regional supply chain.
  • Personnel and facility risk will rise over time despite prodigious efforts by the Indian security apparatus.
  • Commercial IP threat is presently more from foreign collectors and careless outsourcing in the Indian supply chain which will include outsourcing to China.
  • Indigenous commercial IP threat is largely "entrepreneurial."

Long-term readers of this weblog will not be surprised at the conclusions and their time horizons. This speaking request did, however, prompt a revisiting of previous Indian outsourcing, IP and counterterrorism projections. As an aside, I recommend frequent revisiting of projections; it's often humbling but embarrassment is preferable to an opponent's bullet:

It is my wont to revisit projections and forecasts, mine and others, to look for accuracy in both substance and timing; are assumptions still accurate and if not, why not; what new players and tools have entered the market; and what has shifted. The assumptions and the development process are more interesting than the answer as too many people treat a situation in time as something fixed, instead of seeing it as a still frame in a motion picture (where the trick is to predict the next scene).

I found the Indian projections holding true and the risks rising as the target environment we've identified becomes irresistible. Consider this 30 October item on Cisco's plan to treble its manning level in India and place a third of its senior executives in its Globalisation Centre East campus in Bangalore by 2012:

The company's plan to have senior vice presidents, vice presidents, and directors, cutting across all corporate functions, in India is not aimed at cutting costs, but at nurturing talent in India, said Wim Elfrink, chief globalization officer for Cisco, who also heads the new center.

Cisco currently employs about 3,000 staff in India, which it plans to increase to 10,000 by 2010. The new center, which currently has 900 staff, is expected to grow to 3,500 staff by October next year, said Elfrink. Some of the technologies developed in India will be rolled out in other emerging economies, and also in developed countries, he added.

As prodigious as the Indian security apparatus is, I do not believe that it can scale to the growth and dispersed distribution of the target sets.

Bangalore is perhaps the prime example of a city rapidly expanding its satellite nodes to offset rampant congestion. Tyler Cowen flagged it nicely in 2004 and it has not improved:

I mean outsourcing from Bangalore, not outsourcing to Bangalore. Apparently production costs are rising out of control in a city that accounts for a third of India's software exports. The major culprit is congestion; a seven-kilometer commute can now take ninety minutes. Population has grown by a third since 1995, and the new metro and airport are badly behind schedule. Bombay has had similar problems.

The remedy? Madras (Chennai) is rising in popularity as is Calcutta, despite its propensity to elect communist governments.

The bottom line: Indian infrastructure is chaos. This economy has only a limited ability to absorb outsourcing ventures. For instance it is common for current enterprises to supply their own electricity and other public services.

The presentation proceeded to encapsulate topics such as:

  • Why and how firms outsource - and where it often leaves them exposed
  • What is missing from traditional outsourcing
  • IP and outsourcing
  • Unique Indian characteristics

India's "al Qaeda" - Lashkar-e-Toiba (LeT)

Lashkar-e-Toiba (LeT), The Army of the Pure, is India's al Qaeda or Hezbollah. Were it not restrained by prodigious efforts by the Indian security apparatus, this Pakistani jihadist group would endeavor to destabilize the Indian state as its ultimate goals go beyond regaining Muslim control of Jammu and Kashmir to nothing less than reestablishing Islamic governance of India, forming a Muslim bloc with other predominantly Muslim states surrounding Pakistan.

The presentation proceeds to outline LeT's attack opportunities which I have come to call the "Two Twofers."

The two "twofers"

"Twofer" rose in American English at the close of the nineteenth century as a term for "two for the price of one" or more generally an "arrangement in which a single expense yields a dual return." LeT has recognized that India presents it with two "twofers":

In the first, LeT has recognized that attacks on outsourcers on Indian soil directly damage the Indian state and its economic capacity, while opening the potential of striking US and European firms that would nominally be out of its reach.

In the second, what I call the "embedded twofer," an attack on a US or European data center or business process outsourcing (BPO) facility offers the potential of interrupting all the customers of the BPO/data center owner, e.g., attack a bank's data center or BPO unit and you impact all the bank's customers.

Forecasting LeT's attack progression

Extending the "twofer" concept, we forecast this attack progression (2005):

  • Personnel and symbolic targets.
  • Expat data and business process outsourcing (BPO) centers.
  • Manufacturing and development centers.

The first is almost all soft targets - gatherings of personnel. The latter two target groups can cause supply chain disruptions as well as personnel losses.

While I called the attack on the Indian Institute of Science (IISc) in Bangalore (2005) the first iconic or symbolic target attacked by the LeT, outsourcers and their clients should not overlook LeT's 2001 suicide attack on the Indian parliament. Had it not been for chance, in the form of a missed cellphone surveillance tip and two road collisions, LeT might well have decimated Parliament House and its occupants.

But far worse in my estimation was the effective failure of the western press to cover an Indian disaster that did not include large numbers of US/EU national casualties. I am speaking of the 2006 LeT attack on first class passenger trains in Mumbai that followed the IISc attack. More than 200 dead in an attack that was the equivalent of an assault on Manhattan or London. Indian companies must have been relieved at our appalling myopia as little or no damage control was required:

  • Mumbai Suburban Railway has highest passenger density of any urban railway system.
  • Seven bombs placed in first-class "general" compartments (some reserved for women) targeting professional classes.
  • Trains were running from Churchgate, the city-centre end of the western railway line, to the western suburbs.
  • Analogous to the Madrid and London train/tube bombings, 209 killed, over 700 injured.

The risks in India are both real and unfamiliar to many US/EU nationals. The only approach that does not carry a charge of fiduciary breach is to conduct a rigorous vulnerability assessment, then implement the appropriate risk mediation interventions for personnel, facilities, data and IP.

While the presentation can be considered an executive overview, readers are referred here for a deeper dive:

Intellectual property theft: the unspoken unknown of offshoring [ 8/11/2004 ]

India Inc. becomes another outsourcing gold rush: unwary firms get red ink [ 10/27/2004 ]

Emerging Information Technology (IT) themes in India and China [ 2/1/2005 ]

The world is flat save for the depression that we occupy: Friedman on global opportunity and competition [ 4/8/2005 ]

Commercial blindness: a "twofer" attack on the Indian state and US and European outsourcing assets [ 6/28/2005 ]

Multisourcing: belated recovery of forgotten first principles [ 10/18/2005 ]

Multisourcing: belated recovery of forgotten first principles, part 2 [ 10/20/2005 ]

Indian pipedream: "Our campuses are physically secure… The entire perimeter is guarded which we believe enable us to be fully secure" [ 1/14/2006 ]

Striking Mumbai is akin to striking financial centers such as Manhattan or London yet many in the west are oblivious [ 7/13/2006 ]

Cisco to have a fifth of its top executives in India
By 2012, India will be company's development hub and a base for technology and applications that can be deployed worldwide
By John Ribeiro
IDG News Service
October 30, 2007

At least 174 killed in Indian train blasts
Prime minister says 'terrorists' behind attacks
CNN
July 11, 2006; Posted: 10:12 p.m. EDT (02:12 GMT)

Outsourcing Bangalore
Posted by Tyler Cowen
Marginal Revolution
November 4, 2004 at 07:10 AM

Indian parliament attack 'bungled'
CNN
December 17, 2001 Posted: 3:52 AM EST (0852 GMT)

Gordon Housworth



InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  
