IT Supply Chain Vulnerabilities from China

06/22/2017

2017-06-16 By Danny Lam

East Asia has played a role in the US / World microelectronics supply chain since the end of WWII, beginning with production of equipment for the U.S. forces occupying Japan, followed by assembly operations in places like Hong Kong, Taiwan, South Korea, Singapore, and Malaysia, and, once the PRC “opened,” in China.

While past issues with East Asian advances in the information technology (IT) supply chain as it moved “up market” revolved around fair trade practices and opening of markets to foreign firms by Japan in the 1980s, these are disputes between nominally market oriented regimes that were either democracies or authoritarian regimes transitioning toward democracy.

As such, the emerging newly industrialized economies (NIEs) of East Asia and Japan fitted well into the U.S. grand strategy where economies prospered under U.S. protection. Access to the U.S. (and world) markets under the dominant liberal economic order in turn created prosperity.

In turn, U.S. allies contributed to the defense of the alliance resulting in a virtuous cycle of “win-win” for U.S. and its allies.

Optimistic assumptions about the People’s Republic of China (PRC) since the “opening” by Deng Xiao Ping in 1984 led policy makers to presume that this process would continue, with China becoming transformed by economic reform spilling over into political reform, and ultimately, go down the well-trodden path of transition from authoritarianism to democracy in East Asia. Instead of following this path, the PRC’s communist regime was re-invigorated by the Deng reforms and avoided the fate of the collapse of communist regimes in Europe and USSR.

Looking forward from the perspective of 2017, there is no sign or evidence that the Communist Party of China regime will collapse or politically reform.

As such, the PRC has become a formidable economic rival to the U.S. and allies, backed by a political system that is ideologically the antithesis of the liberal economic order.

At a minimum, this means that great power rivalry between the PRC and the U.S. led system has returned. Beyond that, it is a fundamental challenge to the western system of rules based order.

The explosion of PRC-based and offshore firms in the global supply chain from the 1990s to present means that the PRC regime controls substantial portions of the IT supply chain directly. Indirectly, via their outsized influence and ability to threaten nearby U.S. allies like Japan, South Korea, and Taiwan, the PRC’s threat to the IT supply chain cannot be underestimated in the event of war with the U.S. or allies.

The global liberal economic order, or free trade regime, was architected on the presumption of free trade between economic rivals that are beyond being military or geopolitical rivals.

The PRC rejects this notion and, by its actions (e.g., claiming most of the South China Sea in violation of the United Nations Convention on the Law of the Sea (UNCLOS), a treaty signed and ratified by the PRC), has made clear its intent to upend this order.

Under such circumstances, their participation in the U.S. government IT supply chain raises serious concerns both now and in the future.

What are IT Supply Chains?

They are:

Linked activities associated with providing material or services from a raw stage to end user as a finished IT product or service, including but not limited to product or service necessary for product conception / design stage to delivery to end user, sustainment, enhancement to end-of-life, decommissioning, and disposal.

The rationale for this expanded definition is to include issues that arise beyond hardware issues. The vast majority of IT systems today have a large and growing share of software or services whose value added exceeds that of the hardware. A hardware oriented view of IT supply chains will leave this inadequately addressed.

For example, an IT product that contains a Programmable Logic Device (PLD) manufactured by a firm like Xilinx or Altera is commonly used in many DoD systems; or an Application Specific Integrated Circuit (ASIC) typically manufactured in an offshore foundry could be designed on software tools from vendors like Cadence, Mentor, Synopsys, or Avant! that in turn integrate free / shareware design elements from Spice, Magic, Berkeley IC tools, et al., which in turn make use of process / facility specific tools from IC foundries like TSMC, Global Foundries, et al.

Traditional definitions of IT that focus on hardware (e.g., anti-counterfeit IC programs) tend to overlook each of these entry points in the design of a particular device as vulnerabilities that are “baked in” before the product is manufactured.

Likewise, in a modern state-of-the-art IC manufacturing facility, much of the machinery and equipment inside is now routinely connected to the internet so that real time operational data can be transmitted to suppliers and manufacturers of the equipment.

They, in turn, utilize the data to make real-time adjustments and tune their machines to improve performance.

In theory, these linkages are potentially both a risk in terms of loss of IP and knowhow, and in practice, a potential entry point for tampering with the entire facility’s operations and equipment.

U.S. Government IT Supply Chain Past and Present

There are very few “islands” or “vertical markets” that can truly be said to be solely or primarily intended for a “US Government IT Supply Chain” (i.e., supplies of specialized nuclear weapons components such as firing sets, krytrons that have very limited applications otherwise).

But the vast majority of components and services that are in the US Government IT Supply Chain are commercially available components that more often than not are not subject to controls under regimes like the Munitions List or other regimes like the Missile Technology Control Regime (MTCR) or Nuclear Suppliers Group (NSG) or the Wassenaar Arrangement (WA) for conventional arms and dual-use goods and technologies.

The People’s Republic of China is a member of MTCR, NSG, but not the WA.

The problem of dual use technologies was a limited (and manageable) problem up until the 1960s when there was a clear differentiation between civilian and military technologies, with the exception of weapons of mass destruction (WMDs) like chemical and biological weapons that have always been “dual use.”

Chemical and pharmaceutical / biologics plants are inherently dual use and difficult to regulate.

Hence, WMD controls have extensively relied on international conventions like the Chemical Weapons Convention (CWC), The Biological Weapons Convention (BWC) and norms that, by and large, have limited their use but not proliferation of capabilities.

IT Supply Chain Development

In the IT space, the problems do not lend themselves to export controls as the industry from its inception has almost always (with very few exceptions) been a dual use technology. Up until the 1970s, that distinction was maintained because DoD had enforced MilSpec requirements on much of their acquisitions that precluded the use of most civilian microelectronics with unique defense requirements like electromagnetic pulse (EMP) resistance.

The DoD represented a sizable portion of the overall market, at least until the 1970s and, in parallel, funded much of the cutting-edge research and development (R&D) in microelectronics. Between these two, the DoD was able to maintain both control of key technologies in the hands of American firms and also ensure that supply chains for U.S. developed technologies were mostly kept “in country.”

The first planar IC was invented and patented in 1960.

After a decade, momentum for the new IC design reshaped the industry. From the mid-1970s onwards, all this changed as the world began to converge on metal oxide semiconductor technology (MOS, N-MOS, P-MOS) and then complementary metal oxide semiconductor technology (CMOS).

These technologies were, at that time, regarded by DoD as unsuitable for defense applications as they were difficult to shield against EMP. But for the civilian sector they became a boon as they were considerably cheaper to produce than MilSpec ICs and, moreover, as volumes increased, prices fell dramatically.

The explosion of civilian microelectronics began first in the U.S. and the rapid expansion of capabilities through silicon scaling (Moore’s Law) resulted in exponentially falling prices for the entire IT supply chain.

Moore’s law drove reduction in component costs because every two years it doubled the number of transistors placed in the same surface area, which can be “harvested” either in some combination of lower costs or higher performance.

On the other hand, software is driven by increasing returns to scale, whereby the incremental cost per copy is close to zero excluding distribution costs.

Both of these phenomena are in turn augmented by the “network effect” whereby commonality and compatibility (or interoperability) in turn increased the utility of each individual platform.

By the early 1980s, the civilian microelectronics industry began to converge on CMOS as the dominant technology. Military electronics demand steadily fell, and with it, their ability to keep up with the rapid rate of obsolescence in the industry.

By the late 1980s, it was clear that military electronics fell generations behind.

Fortuitously, the collapse of the Soviet Bloc beginning in 1989 and ending with the dissolution of the USSR in 1991 meant that nuclear war became an unlikely prospect.

Defense Secretary William Perry took advantage of this by issuing the Perry Memo in 1994 that effectively banned MilSpec and ordered Commercial Off-the-Shelf (COTS) electronics in all but a few specialized applications.

Thus, between 1994 and the early 2010s, the two industrial bases effectively merged.

Globalization Impacts on IT Supply Chain

In parallel with this phenomenon of rapid technological change was the process of globalization.

At first, the phenomenon resulted in the movement of the IT industrial base abroad to locations like Europe and Japan in the 1950s, but as their costs rose and their firms moved “up market,” opportunities were created for lower tier players like Singapore, Hong Kong, Taiwan, and South Korea in the 1970s, to be followed by locations like Malaysia, Thailand, China, Vietnam, etc. from the 1990s onwards.

By the late 2010s, the global electronics supply chain became dominated by players in East Asia — though the U.S. maintains a substantial lead in high value-added activities like design and manufacture of parts with high margins (e.g. Qualcomm, Intel, etc.).

A majority of consumer and commercial electronics today are manufactured (or assembled) in East Asia.

Return of Great Power Politics and Peer Competitors

The ending of the cold war with the U.S. as the lone superpower ushered in an era of optimism that Russia would become a “normal” liberal democratic nation like the G7, so much so that Russia was made a member of the G8 from 1997 until expelled in 2014 after invading Crimea. China was a different issue. The Kissinger-Nixon strategy to detach the People’s Republic of China (PRC) from the Soviet Bloc was an expediency of cold-war politics. Deng Xiao Ping’s reforms that began in 1984 were greeted with high hopes that economic liberalization would result in political liberalization. It was in this context that the General Agreement on Tariffs and Trade (GATT) application of the PRC was received in 1986. That optimism was crushed by Tiananmen in 1989.

But optimism never really left the free trade community that continued to negotiate with the PRC and ultimately led to PRC’s accession to the World Trade Organization (WTO) (GATT successor organization) in 2001.

The emergence of Russia as a great power that is no longer a part of the G7/8 consensus (liberal democratic market economies) that violated a key post war norm (that borders cannot be altered by force or the threat of force) is a pivotal event.

But more importantly, the admission of the PRC to the WTO was based on an assumption that they would rapidly become democratic, as every authoritarian regime like South Korea, Taiwan, etc. did. So sure of this transformation were WTO negotiators that it was written into the accession protocol that the PRC would be automatically treated as a market economy 15 years after joining WTO. Meanwhile, both the U.S. and EU have refused to accede to granting PRC Market Economy Status.

The PRC initiated legal action at the WTO in December 2016 against the EU and U.S. on this issue.

Prima facie, it is probable that when it is finally adjudicated in two years, the PRC will likely win this case.

This creates major issues.

The WTO, and its predecessor GATT, was never intended to be an organization for peer competitors or great power rivals. A look at the founding members of the GATT shows that it consisted of nations that were (at least at the time of accession) unlikely to be at war or engaged in great power rivalry with each other. Few foresaw that Czechoslovakia would join the USSR (1948), Republic of China would become People’s Republic of China (1949), and Cuba (1959) and Burma (1961) would both become socialist Republics.

Except for China, the wars that disrupted trade in the organization were initially regional conflicts like India-Pakistan but there were no rivalries between the UK, U.S., France, etc. that threatened to break out into war. The moderation of great power rivalries and dominance of wealthy, successful, developed liberal democratic market economies and the expected progress by others toward this norm was a given. By 2014, it was clear that these assumptions were no longer valid.

When Russia invaded Crimea and then fought a proxy war in the Ukraine, it formally signaled the return of great power politics and rivalry. Russia was expelled from the G8 and then sanctioned. The PRC, likewise, embarked on a great “sea grab” in a very similar manner in the South China Sea.

This, together with the massive PRC military buildup, raised questions as to what was the PRC’s ultimate intent.

In parallel with these geopolitical developments is the steady expansion of PRC capabilities throughout every aspect of the IT supply chain.

The PRC extensively aided their allies like North Korea, Pakistan, etc. in acquiring WMDs and other capabilities that are threatening to the U.S. and its allies. A critical question is what risks the U.S. and allied supply chains face if a key node (e.g., Taiwan (TSMC), South Korea, Japan, or facilities inside PRC proper like Foxconn) is seized or joins a PRC-led embargo against the U.S.

Then there is the question of what if war breaks out?

Globalized supply chains that may be adequate in peacetime and manageable may quickly become a quagmire in a high intensity conflict.

During World War II, America could rapidly mobilize domestic industries to war production and with few exceptions, there were few major shortages of war material.

The present globalized supply chains have never experienced a high intensity war involving two or more great powers. Their performance under stress cannot be assured based on what we know today.

Conflicting Loyalties / Interests

The U.S. government is not the largest funder of R&D. Since the 1970s, industry funded R&D is larger and more dynamic than many government funded initiatives. Today, industry spends roughly three times as much as the Federal government in funding R&D. Moreover, other nations like South Korea and Japan routinely exceed the U.S. in funding R&D. China (2% GDP) is rapidly catching up to US levels (2.7% GDP) and as of 2015 exceeds EU-28 and the UK.

Industry is now at the cutting edge of innovation in the most dynamic areas of IT, whether it be state-of-the-art microelectronics manufacturing, “Internet of things (IoT), data analytics, cloud computing, and artificial intelligence.”

As such, their concerns are with rapid penetration of their markets (defined globally) that lead to revenues with high and profitable growth. In many instances, the fastest and most accessible growth markets are in China (e.g., Qualcomm in wireless ICs).

Procurement by U.S. government entities, in contrast, tends to be slow and cumbersome, leading many entrepreneurs to deemphasize the U.S. market. DoD’s Defense Innovation Unit Experimental (DIUx) is an attempt to address this issue.

These efforts, however, do not address the PRC’s strategies of demanding access to technologies (including both commercially and militarily sensitive) as a condition for participation in their markets.

In at least one known instance, the transfer of civilian IT technology (facial recognition for the 2008 Beijing Olympics) had the unintended effect of having the technology either cloned or deployed to eliminate much of the U.S. intelligence network in and around Beijing between 2010 and 2012.

Allies and the IT Industrial Base

Historically, allies have been regarded as part of the “trusted supplier” network.

However, the PRC has become extremely active in both manipulating the political systems of targeted allies as well as in exploiting the vulnerabilities of suppliers outside of the USA. For example, Canada is presently in negotiations with the PRC on a free trade deal.

The PRC has made clear that its goal is geopolitical.

That is to say, the PRC wants to eliminate Canada’s ability to invoke national security concerns to keep PRC state-owned enterprises from investing in sensitive industries or technologies like directed energy weapons, or to assert jurisdiction over Chinese nationals in Canada.

In many instances, acquisitions of suppliers to the DoD on major programs or exploiting relatively looser export control regimes, etc. of allies have been valuable as a technique to gain access to sensitive technologies.

Technology Controls: Committee on Foreign Investment in the United States (CFIUS) and Allied Counterparts

Canada’s government recently approved the takeover by Hytera Communications of Norsat, a Canadian supplier of satellite communications equipment that supplies the US Military and many other sensitive customers.

Norsat’s takeover is an example of this kind of maneuver that drew a formal rebuke from U.S.-China Economic and Security Review Commissioner Michael Wessel. But it is likely too little, too late.

In many instances, these problems with PRC “stealth acquisitions” of sensitive technologies and firms have only surfaced in hindsight after the technology transfer occurred. That is, prior to a proposed acquisition being submitted for approval, the PRC buyer(s) would have already had access to many sensitive files and knowhow as a part of the acquisition and due diligence process.

These issues are over and above the ease with which PRC agents and operatives secure visitor and immigration visas to the U.S. and allied countries and then exploit their status as allied nationals.

A major component of the system to limit PRC acquisition of sensitive technologies is via the screening of foreign investments. However, when the PRC is a major customer of firms like Qualcomm it is possible for them to demand transfer of technologies as “civilian” and as such, bypass any technology export control review. The PRC has also used “anti-trust” investigations and fines as leverage routinely.

Given that many technologies are dual-use and also not tightly controlled (e.g., deep sea offshore drilling technology) and available from many suppliers, it is likely that many transactions have occurred “below the radar” and often do not rise to the level to be screened.

In particular, agencies like CFIUS only screen acquisitions when they are proposed. But at the time such a transaction is proposed, it is more than likely that as a part of the acquisition process and due diligence, the PRC entity has already acquired a good look at the technology even if the transaction is rejected. It is, in many cases, too little, too late.

Sometimes, CFIUS screenings fail to see the ramifications of the proposed acquisitions.

As an example, a PRC state entity, HNA Group, which owns and operates Hainan Airlines and has close ties to the People’s Liberation Army/Navy (PLA/PLN), was permitted to take over Ingram Micro in a deal valued at $6 billion. Ingram Micro is a major distributor of electronics products including many potentially sensitive items for companies like Cisco and Apple.

Such a takeover may appear innocuous from a technological transfer perspective; however, it also opens the door for a PLA/PLN affiliated firm to have detailed data on who is buying what electronics equipment (and where they are physically located).

Beyond that, it opens the path for such equipment to be tampered with en route.

Despite these concerns, the acquisition sailed through CFIUS review.

Summary

Existing legislative initiatives to secure the U.S. government IT supply chain largely predate the re-designation of Russia and the PRC as peer competitors and the return of great power politics.

The ramifications of a return to great power politics that sets out the second largest economy in the world (PRC) and Russia as peer competitors to the U.S. on a global system of free trade have yet to be recognized. Moreover, the subsidiaries of the PRC (e.g., North Korea and Iran) are presently on a confrontational course with the U.S. and allies.

The PRC recognizes the motives of North Korea and has chosen to do nothing about it despite the threat to the international system. North Korea is being actively aided and abetted by the PRC and will likely pose an existential threat to the U.S. within fewer than 5 years.

During the cold war, any trade between the Soviet Bloc and the U.S. and allies was strictly monitored and controlled. It is an anomalous situation whereby the U.S. and allies’ greatest threat is at the same time the largest trading partner, with a state dominated, non-market politico-economic system whose publicly stated objective is to wrest the dominant role from the U.S.

As it stands, the PRC has achieved world domination using their tactics.

From steel, to aluminum, and solar photovoltaics (PV), including many other commodity products like rare earths, Vitamin C, etc., their strategy of cut-throat competition by heavily subsidized state firms to eliminate non-Chinese competitors has succeeded.

It is a matter of time before similar tactics are applied to many products in the IT supply chain.

The U.S., in collaboration with the Organization for Economic Co-operation and Development (OECD) nations, still has an opportunity to halt and reverse some of the PRC’s gains before it is too late.

The question is whether the U.S. will provide the leadership necessary to do so.