Twenty years ago, the most common disruption to supply chains was factory fires. Today, that landscape has shifted considerably. Globalization has led to distributed supply chains. Artificial intelligence-fueled logistics allow just-in-time delivery of components. However, efficiency also has bred brittleness. There is too little slack in the system for resilience in the face of disruption.
Today there are a few big sources of disruption. Climate change is causing more extreme-weather events that are a major source of disruption. COVID-19 led to new purchasing modalities and patterns, and when combined with labor shortages it continues to confound retail and consumer supply chains. Rising trade tensions with China, fueled by jockeying for economic and national security superiority, along with sanctions lobbed across the Pacific, continue to disrupt technology supply chains. Lastly, new threats like ransomware are introducing new risks to manufacturers.
As we consider this new normal of supply chains, with new risks and threats, a new approach is needed to secure our technology supply chains. While the focus in this article is on technology supply chains, these principles apply to broader resiliency aspects and broader supply chains as well.
1. We must illuminate supply chains, so you can see what you’re buying and from whom.
While most organizations have a good handle on their direct suppliers, few know who their second-tier suppliers are. On the software side, the Software Bill of Materials (SBOM) initiative seeks to help provide this illumination. As vendors begin requiring SBOMs from their suppliers, we can ultimately get an inventory of all the software libraries and building blocks that go into a final product or service.
2. We must be able to make risk- and threat-informed decisions about suppliers.
For example, software that relies on an unmaintained open-source library may represent risk. Similarly, products from Chinese companies may represent a threat. The 2023 National Defense Authorization Act includes language that requires the Department of Homeland Security to only buy software for critical functions that has no known vulnerabilities. Additionally, the Department of Commerce has outright banned products from Chinese like Huawei in certain sectors.
3. At a national level, we need to shape the ecosystem of trusted suppliers by investing in American and allied manufacturers.
The recently enacted “CHIPS+Science” bill includes $54 billion in appropriations to fuel domestic manufacturing in wireless and semiconductors. For wireless, $1.5 billion of grants will be doled out by the National Telecommunications and Information Administration to U.S. companies to fuel rebuilding the American telecom manufacturing ecosystem that has atrophied over the past 20 years and been sold for parts to Europe. For semiconductors, massive subsidies will help rebuild semiconductor development in the U.S.
4. We must invest in American innovation so that the next wave of technology is already in the U.S. and doesn’t need to be offshored.
American universities and industry need to lead R&D and bridge those technologies across the valley of death, so new science and technology innovations accrue to the U.S. GDP. The science half of the “CHIPS+Science” bill includes hundreds of billions of dollars in new authorizations for U.S. science agencies like Department of Energy, National Aeronautics and Space Administration, National Institute of Standards and Technology, and National Science Foundation. Hopefully Congress will come through with the needed appropriations to energize these ambitions.
5. We need to go on the offense.
As we’re seeing with sanctions against Russia, it’s possible to hold at risk an entire nation’s economy through systematic constraints on supply chains. More targeted effects can be achieved with more narrow manipulation of specific supply chain elements. If bad actors are tampering with U.S. supply chains, we need to interdict them.
We are at a unique point in time. We face new risks and threats. We have significant new federal technology investments on the horizon. By understanding the interplay, we can create a more secure technology supply chain that deals with these new risks and threats.
