$600B of IP theft from DoD’s network represents a strategic, competitive problem for the US.
In 2017, the U.S. Trade Representative released a report detailing “the state of IP protection and enforcement in U.S. trading partners around the world.” Now rather famously, that report estimated that intellectual property theft costs the U.S. between $225B and $600B annually, with much of that value driven by theft of trade secrets and the forced technology transfers that are so often a condition of doing business in China.
In an era of growing competition between the U.S. and China, this theft costs more than just dollars. Of course, it represents a loss for American companies that invest significant R&D money to create new technologies and systems. It also erodes the U.S. military’s technological edge — over the past decade, Chinese hackers have stolen valuable information on major systems and platforms[1] like the Patriot missile system, the F-35, Littoral combat ships, and the Navy’s submarine cryptographic systems[2]. How can the United States maintain a technological edge when China steals technology to leapfrog development without investing its own money in research and development?
Despite multiple memoranda of understanding and other diplomatic breakthroughs over the years, Chinese IP theft has remained an enduring fact of the cyber world. The US government is now starting to meaningfully mobilize to protect government networks, defense contractors and other American companies from Chinese espionage and hacking.
The Department of Defense is taking steps to shore up suppliers and contractors.
Though not entirely due to IP theft, recent years have brought steadily increasing scrutiny and restrictions on Chinese technology companies for their role in espionage and hacking of companies belonging to the defense industrial base.
One of the most impactful policy changes to date is Section 889 of the FY2019 National Defense Authorization Act, which effectively bans technology made by five Chinese companies: Huawei, ZTE, Dahua, Hikvision, and Hytera. Section 889 has two provisions: part (A) prohibits the USG from buying any equipment, system or service that includes equipment or services from those banned Chinese technology or surveillance companies. Part (B) goes even further, requiring that federal government contractors certify that their entire global supply chain, not just the part of the business that contracts with the U.S. government, is free of equipment, systems and services from those banned Chinese technology or surveillance companies.
China, as well as other U.S. adversaries, understands that they do not have to break into the DoD or OPM networks to generate economic, military, and intelligence gains — though they have proven capable of doing that before too, as evidenced by the 2008 Russian intrusion into DoD networks and the 2015 OPM hack executed by China. Rather, they know that the entire system is only as secure as its least secure supplier, and that the path of least resistance often runs through poorly secured, strategic third-party vendors.
Strategic suppliers make excellent targets because they often have weaker security controls than the organizations they supply. They often have smaller IT budgets due to their size and may not have the same advanced technology available to larger organizations. Many smaller suppliers also believe that they aren’t a target. This may have been true years ago, but we see now that attackers have since shifted tactics. Instead of targeting specific organizations, adversaries now routinely and opportunistically scan for any insecure system, regardless of who owns it. Once an insecure system is found, attackers compromise it and use it as a foothold.
In addition to Section 889, the DoD has taken other steps, issuing its own Departmental guidance to shore up the security of the defense industrial base. The Department released Department of Defense Directive 5000.01 – The Defense Acquisition System[3], which focuses on cybersecurity and supply chain risk management. In that document, Deputy Secretary of Defense David L. Norquist writes, “Security, cybersecurity, and protection of critical technologies at all phases of acquisition are the foundation for uncompromised delivery and sustainment of warfighting capability.”
From Section 889 to DoDD 5000.01 and other recent announcements like DIU’s Blue UAS[4] program (which selected 5 U.S. small drone manufacturers to avoid supply chain risks and compete with Chinese drone company DJI), the DoD has begun concerted efforts to secure the defense industrial base from theft and compromise by U.S. adversaries in the name of national security.
Decoupling from China has become a USG-wide effort.
Though the Section 889 prohibitions specifically affect defense contractors, the Administration has begun pulling other levers of government power that suggest a nascent decoupling — at least technologically, if not economically — from China. GSA and NASA have followed the DoD’s lead, adding the same interim Section 889 rules to the Federal Acquisition Regulations (FAR)[5]. Other agencies have taken steps to restrict the purchase and use of Chinese technology in the United States.
We’ve seen the FCC designate Huawei and ZTE as national security threats, pushing U.S. telecoms to rid their networks of Chinese technology and preventing them from using Huawei in 5G infrastructure. As a result, Verizon just announced that Samsung[6] will build out its next-generation network. Pressured by the U.S. to implement their own Huawei bans, European nations are looking to Nokia and Ericsson to rise up as true competitors to Chinese telecoms as the United Kingdom and France mull the path forward.
The Department of Commerce has added Huawei and, later, 38 of its subsidiaries[7] to the Entity List, which imposes a license requirement for all items subject to the Export Administration Regulations (EAR). As of May 2020, no U.S. company, nor any company that uses U.S. technology, can sell directly to Huawei without a license granted by the Commerce Department. This includes companies like the Taiwan Semiconductor Manufacturing Company (TSMC) and China’s own Semiconductor Manufacturing International Corp., both of which use U.S. technology in chipmaking. Analysis conducted by the Semiconductor Industry Association appearing in Forbes[8] estimated that the U.S. owned 47% of the 2019 global semiconductor market, while China held only 5%. China is thought to be four years behind the U.S. in its domestic chipmaking technology. The move by the Commerce Department hamstrings Huawei by preventing it from sourcing the chips it needs to make 5G hardware.
The State Department recently launched the “Clean Network” program, which aims to remove “untrusted” Chinese technology from five key areas in addition to 5G networks: telecoms carriers, cloud services, undersea cables, apps, and app stores. The most notable outcomes of this effort to date have been the Trump Administration’s bans of TikTok, the incredibly popular app owned by Chinese media company ByteDance, and Tencent’s WeChat, a social media and messaging app popular in China, ostensibly over national security concerns[9] related to data security and data privacy. If retaliatory bans and restrictions between the US and China accumulate, global technology companies may have to choose between giving up a large portion of their international business or decentralizing and segmenting their operations, as TikTok owner ByteDance is currently considering.
The process of decoupling technology is murky and complicated.
These and other policy changes illustrate a major shift in the way the United States secures its strategic supply chain, especially for information technology components. This shift also raises several questions about the efficacy and execution of decoupling policies. Who bears the cost burden of coming into compliance? Is total compliance realistically achievable? How many links down the chain does a company need to go in order to ensure adequate security?
With these new rules in place, companies will no longer be able to use the least expensive IT components, most or all of which are manufactured in China. What’s more, most companies are not market movers and therefore have limited control over their global supply chains. Vertical integration is simply not an option for the small and medium suppliers that make up the defense industrial base.
The true cost of compliance may also total more than the replacement cost of prohibited devices in a company’s network. Even if a company possesses the will, the personnel, and the money to rid its network and supply chain of banned devices, the FAR does not allow contractors to perform work for the government for free. This puts federal contractors in the ultimate Catch-22: there exists a contractual obligation to remove banned equipment from the supply chain, but a lack of approved resources to perform the work necessary to become compliant.
Even setting aside cost concerns, full compliance with policies like Section 889 is incredibly challenging. Law and policy are unclear as to whether a single employee bringing a Huawei smartphone to work would represent a breach of contract. Often, companies lack total visibility into the assets on their networks, resulting in incomplete inventories that might overlook a banned device. In Expanse’s engagements with customers, we almost always discover assets and devices the customer did not realize they owned. These discoveries include networking infrastructure like routers, firewalls, and VPN logins, remote access exposures like Telnet and RDP servers, unsanctioned cloud assets, and unencrypted logins and development environments. Common events, such as a merger or new acquisition, one division of a company deploying a new IT product, or an employee standing up shadow IT, make it nearly impossible for IT security leaders to know exactly what is running on their network at all times.
Our own research highlights the difficulty of the U.S.-China technology divorce. Among the Fortune 500, Expanse found that one in five companies is in violation of Section 889, with banned devices on their networks including building control systems, cameras, firewalls, routers, VPNs, web servers, and Wi-Fi access points. The most common categories of noncompliant devices we discovered on F500 networks were web camera and digital video recording systems (38% of all exposures), Wi-Fi access points (21% of all exposures), and core routers (11% of all exposures). The remaining 30% of noncompliant devices included other services such as building control systems, firewalls, VPNs, and web servers.
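The two problems above, an incomplete inventory and banned vendors hiding inside it, can be made concrete with a small screening routine. This is an added example, not Expanse’s or the DoD’s code; the inventory records, IP addresses and vendor alias strings are constructed, and the reconciliation of procurement records against scan results is an assumed approach.

```python
"""Section 889 screening of a constructed asset inventory (added example).

Reconciles what procurement records list against what a network scan
actually found, flags the five Section 889 vendors, and surfaces assets
that procurement never recorded (the inventory gaps the text describes).
"""
from collections import Counter

# The five companies named in Section 889. The alias substrings are
# constructed examples of how the names appear in banners and records;
# substring matching is deliberately coarse and should be reviewed by hand.
SECTION_889_VENDORS = {
    "Huawei": ("huawei",),
    "ZTE": ("zte",),
    "Dahua": ("dahua",),
    "Hikvision": ("hikvision",),
    "Hytera": ("hytera",),
}

# Constructed sample records: {"ip", "vendor", "category"}.
PROCUREMENT = [
    {"ip": "10.0.0.1", "vendor": "Cisco Systems", "category": "core router"},
    {"ip": "10.0.0.2", "vendor": "HUAWEI TECHNOLOGIES CO.,LTD", "category": "core router"},
    {"ip": "10.0.0.3", "vendor": "Hangzhou Hikvision Digital Technology", "category": "web camera"},
]
NETWORK_SCAN = [
    {"ip": "10.0.0.2", "vendor": "Huawei", "category": "core router"},
    {"ip": "10.0.0.4", "vendor": "Dahua Technology", "category": "web camera"},
    {"ip": "10.0.0.5", "vendor": "Ubiquiti", "category": "wifi access point"},
    {"ip": "10.0.0.6", "vendor": "ZTE Corporation", "category": "wifi access point"},
]

def normalize_vendor(raw):
    """Map a free-form vendor string to a Section 889 vendor name, or None."""
    lowered = raw.lower()
    for vendor, aliases in SECTION_889_VENDORS.items():
        if any(alias in lowered for alias in aliases):
            return vendor
    return None

def screen(procurement, scan):
    """Flag banned devices from both sources and report inventory gaps."""
    flagged = {}  # ip -> (vendor, category), de-duplicated across sources
    for asset in procurement + scan:
        vendor = normalize_vendor(asset["vendor"])
        if vendor and asset["ip"] not in flagged:
            flagged[asset["ip"]] = (vendor, asset["category"])
    # Seen by the scan but absent from procurement: shadow IT, forgotten gear.
    unknown = {a["ip"] for a in scan} - {a["ip"] for a in procurement}
    counts = Counter(cat for _, cat in flagged.values())
    share = {cat: round(100.0 * n / len(flagged), 1) for cat, n in counts.items()}
    return {"flagged": flagged, "unknown_assets": sorted(unknown),
            "unknown_and_banned": sorted(unknown & set(flagged)),
            "share_by_category": share}
```

The unknown_and_banned list is the one to act on first: those devices would never surface in a compliance review driven only by purchase records.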
This poses an infinite regress problem for any meaningfully sized company, which must have a deeper understanding of its supply chain and business practices to ensure compliance. Business leaders, especially those steering companies in the defense industrial base, must know what activities their contractors are performing, whether their organization leases commercial IP space from a local ISP that might use Huawei networking infrastructure, whether their international offices issue banned devices to employees, or whether approved hardware might be shipped with pre-installed banned software like Kaspersky antivirus. Expanse is helping these organizations create a continuous, accurate, and complete inventory of the Internet assets on their network, so that they can better manage and mitigate risk and comply with Section 889 and other regulations.
The view from Silicon Valley.
Most technology companies aspire to be ubiquitous, global brands. From Google and Facebook to Huawei and ZTE, the goal of technology companies is to get their capability or tool into the hands of as many users as possible. The effects of this new approach to supply chain security will make it more difficult for American companies to become truly global brands. They will pay higher prices for components and likely be locked out of large international markets—like the 1.4 billion people in China—due to the fragmentation of the Internet and decoupling of technology.
On a larger scale, these US moves force all technology companies to decide whether they want to be an American company or an international company. If a company chooses to pursue international expansion, it might be banned from contracting with the Department of Defense and the rest of the US government because of the risks in its supply chain.
On balance, these new supply chain security policies have generated some good incentives, especially by encouraging better cyber hygiene, better auditing, and better awareness and visibility of companies’ supply chains. But they also make it harder for companies to do business with the US government, even though many of those companies want to spur innovation in national security.
As the US continues down the likely path of decoupling from China, it will be more important than ever for stakeholders to have better visibility and understanding of the components that make up their supply chain, so that they can effectively navigate these policy changes and new requirements. Expanse can help your organization build an accurate inventory of your global Internet assets and discover risky devices and communications that might impact your supply chain security.