Both physical and digital supply chain vulnerabilities can have cascading effects on the global economy and national security. Two critical examples include:
- US dependence on foreign production of the main components used in generic drugs. Trade disputes and economic crises can stop the flow of medicines and affect the health and economic welfare of tens of millions of individuals in the United States and other countries.[1: Congressional Research Service, COVID-19: China Medical Supply Chains and Broader Trade Issues, updated December 23, 2020, accessed March 26, 2021, https://crsreports.congress.gov/product/pdf/R/R46304]
- US dependence on foreign-produced semiconductors for military and commercial products. As the manufacturing and assembly of key components shifts to markets in East Asia, particularly China,[2: Department of Defense, Fiscal Year 2020: Industrial Capabilities: Report to Congress, January 2021, accessed March 26, 2021, https://media.defense.gov/2021/Jan/14/2002565311/-1/-1/0/FY20-INDUSTRIAL-CAPABILITIES-REPORT.PDF] the United States is susceptible to sudden interruptions in supplies and deliberate efforts to degrade the integrity of the products.
The interconnected global networks of manufacturing, transportation,[3: Vivian Yee, “Ship Is Freed After a Costly Lesson in the Vulnerabilities of Sea Trade,” New York Times, March 29, 2021, accessed April 3, 2021, https://www.nytimes.com/2021/03/29/world/middleeast/suez-canal-ever-given.html] and distribution contain many instances where supply chain problems can have magnified effects. Protecting against these diverse risks requires understanding which types of goods and sectors of the economy are critical. It also requires assessing the state and characteristics of supplies, trade networks and policies, inventory reserves, and the ability to substitute products or processing facilities. Assuring the performance of physical and software/IT supply chains is essential for a functioning, prosperous society and for national and economic security.
Finding 4: Resilient, trusted supply chains require defense, diversification, and reinvention.
One of the goals of the United States’ National Strategy for Global Supply Chain Security[4: “National Strategy for Global Supply Chain Security,” Department of Homeland Security, last published July 13, 2017, accessed March 26, 2021, https://www.dhs.gov/national-strategy-global-supply-chain-security] is to “foster a resilient supply chain.” As part of its strategic approach, the national strategy works to prepare for, withstand, and recover from threats and disruptions. “Executive Order 13806 of July 21, 2017: Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States”[5: “Executive Order 13806 of July 21, 2017: Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States,” Federal Register 82 (142) (July 26, 2017), accessed March 26, 2021, https://www.govinfo.gov/content/pkg/FR-2017-07-26/pdf/2017-15860.pdf] states that “a healthy manufacturing and defense industrial base and resilient supply chains are essential to the economic strength and national security of the United States” and requires a report detailing the current state of supply chains that are essential for national security. The Interagency Task Force report[6: Department of Defense, Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States, Report to President Donald J. Trump by the Interagency Task Force in Fulfillment of Executive Order 13806, September 2018, accessed March 26, 2021, https://media.defense.gov/2018/Oct/05/2002048904/-1/-1/1/ASSESSING-AND-STRENGTHENING-THE-MANUFACTURING-AND%20DEFENSE-INDUSTRIAL-BASE-AND-SUPPLY-CHAIN-RESILIENCY.PDF] in response to the executive order recommends decreasing the fragility and single points of failure of supply chains and diversifying away from dependencies on politically unstable countries.
It is difficult to know the full range of potential threats and disruptions for a given supply chain. For multitiered supply chains, the primary suppliers may not have information on each of the suppliers at the third or fourth tier and will not have accurate or up-to-date information on the trustworthiness of the sources of components, e.g., circuit board component suppliers. The multiplying, dynamic effects of supply chain disturbances are often not deterministic. In cases of deliberate sabotage of a resource, there may not be observable indicators, as with the insertion of hidden back doors in software. Resilient supply chains address a portion of these uncertainties through risk-reduction strategies and greater supply chain transparency.
For some supply chains, resilience may be attained by increasing defenses through greater trade enforcement and strengthening key segments. For some supply chains, diversifying the sources and manufacturing locations, in partnership with allies, is an effective strategy. Adversaries are creating strategic vulnerabilities and weaknesses in US supply chains; a key area is the design and manufacture of advanced electronics. To address this growing risk, the strategy exemplified in the Defense Advanced Research Projects Agency’s (DARPA’s) Electronics Resurgence Initiative[7: “DARPA Electronics Resurgence Initiative,” DARPA, last updated April 2, 2020, accessed March 26, 2021, https://www.darpa.mil/work-with-us/electronics-resurgence-initiative] involves developing new technologies for alternative materials, designs, and production processes.
Finding 4.1: Critical supply chains are pervasive and challenging to defend.
Presidential Policy Directive 21 (PPD-21), “Critical Infrastructure Security and Resilience,” defines critical infrastructure to be those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”[8: White House, “Presidential Policy Directive – Critical Infrastructure Security and Resilience,” February 12, 2013, accessed March 26, 2021, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil] There are eighteen critical infrastructure sectors. The Sector-Specific Plans discuss critical infrastructure resilience and include the supply chains in the risk management or risk mitigation section of some sector plans.
Supply chain attacks can be hard to detect and defend against. The Department of Defense’s (DoD’s) report, Department of Defense Strategy for Operating in Cyberspace,[9: Department of Defense, “Department of Defense Strategy for Operating in Cyberspace,” July 2011, accessed March 26, 2021, https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf] highlights the critical issue of supply chain vulnerabilities and the risks of US reliance on foreign suppliers. The range of supply chain attack opportunities is large—including design, manufacturing, servicing, distribution, and disposal segments of the supply chain—and challenging to detect.
Appendix B discusses the cyberattack of FireEye, involving the theft of its penetration testing toolkit, and the breadth of a comprehensive cyber espionage campaign centered on SolarWinds’ Orion network monitoring software. More than eighteen thousand commercial and government targets, including Intel, Microsoft, California state hospitals,[10: Laura Hautala, “SolarWinds hackers accessed DHS acting secretary’s emails: What you need to know,” c|net, March 29, 2021, accessed April 16, 2021, https://www.cnet.com/news/solarwinds-hackers-accessed-dhs-acting-secretarys-emails-what-you-need-to-know/] the National Nuclear Security Administration,[11: Natasha Bertrand and Eric Wolff, “Nuclear weapons agency breached amid massive cyber onslaught,” Politico, December 17, 2020, accessed March 26, 2021, https://www.politico.com/news/2020/12/17/nuclear-agency-hacked-officials-inform-congress-447855] and dozens[12: Raphael Satter, “U.S. cyber agency says SolarWinds hackers are ‘impacting’ state, local governments,” Reuters, December 23, 2020, accessed March 26, 2021, https://www.reuters.com/article/us-global-cyber-usa-idUSKBN28Y09L] of federal, state, and local government agencies, downloaded compromised updates, all with the goal of extracting valuable intelligence while remaining undetected.
Finding 4.2: A broadened view of stockpiles increases resiliency.
Creating additional supplies or increasing production capacity contributes to creating stockpiles in a supply network. Adding more production capacity in the United States, or encouraging allies to undertake similar actions, is the focus of recent legislative efforts.
The Coronavirus Aid, Relief, and Economic Security Act (CARES Act; P.L. 116-136) strengthened reporting requirements to delineate the domestic versus foreign production of finished drug products and active pharmaceutical ingredients. While the CARES Act requires the National Academies of Sciences, Engineering, and Medicine to evaluate the US medical product supply chain, options for increasing the security and resilience of this supply chain are still under consideration.[13: Congressional Research Service, FDA’s Role in the Medical Product Supply Chain and Considerations During COVID-19, September 1, 2020, accessed March 26, 2021, https://crsreports.congress.gov/product/pdf/R/R46507]
The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021[14: Samuel K. Moore, “U.S. Takes Strategic Step to Onshore Electronics Manufacturing,” IEEE Spectrum, January 6, 2021, “The semiconductor strategy and investment portion of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 began as separate bills in the House of Representatives and the Senate. In the Senate, it was called the American Foundries Act of 2020, and was introduced in July and called for $15 billion for state-of-the-art construction or modernization and $5 billion in R&D spending, including $2 billion for the Defense Advanced Research Projects Agency’s Electronics Resurgence Initiative. In the House, the Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Act, was introduced in the 116th Congress by Senators John Cornyn (R-TX) and Mark Warner (D-VA), and Representatives Michael McCaul (R-TX) and Doris Matsui (D-CA), and offered similar levels of R&D,” accessed April 16, 2021, https://spectrum.ieee.org/tech-talk/semiconductors/processors/us-takes-strategic-step-to-onshore-electronics-manufacturing] includes provisions to enhance the security of the semiconductor supply chain. It incentivizes investment in facilities and equipment in the United States for semiconductor fabrication, assembly, testing, advanced packaging, or R&D. It strengthens the United States’ capacity to develop and produce cutting-edge semiconductors domestically through federal funding, promotes greater global transparency around subsidies to identify unfair or opaque forms of support that distort global supply chains, and provides funding support to “foreign government partners to participate in a consortium in order to promote consistency in policies related to microelectronics, greater transparency in microelectronic supply chains, and greater alignment in policies toward non-market economies.”[15: US Sen. Mark R. Warner (D-VA), Bipartisan, Bicameral Bill Will Help Bring Production of Semiconductors, Critical to National Security, Back to U.S., press release, June 10, 2020, accessed March 26, 2021, https://www.warner.senate.gov/public/index.cfm/2020/6/bipartisan-bicameral-bill-will-help-bring-production-of-semiconductors-critical-to-national-security-back-to-u-s]
“Executive Order 13817 of December 20, 2017: A Federal Strategy to Ensure Secure and Reliable Supplies of Critical Minerals” defines “critical mineral” to be “(i) a non-fuel mineral or mineral material essential to the economic and national security of the United States, (ii) the supply chain of which is vulnerable to disruption, and (iii) that serves an essential function in the manufacturing of a product, the absence of which would have significant consequences for our economy or our national security.”[16: “Executive Order 13817 of December 20, 2017: A Federal Strategy To Ensure Secure and Reliable Supplies of Critical Minerals,” Federal Register, December 20, 2017, accessed March 26, 2021, https://www.federalregister.gov/documents/2017/12/26/2017-27899/a-federal-strategy-to-ensure-secure-and-reliable-supplies-of-critical-minerals] Based on country production and import reliance, thirty-five minerals were deemed critical minerals. For some of these critical minerals,[17: germanium, graphite (natural), hafnium, helium, indium, lithium, magnesium, manganese, niobium, platinum group metals, potash, the rare earth elements group, rhenium, rubidium, scandium, strontium, tantalum, tellurium, tin, titanium, tungsten, uranium, vanadium, and zirconium] increased domestic production is possible.[18: National Strategic and Critical Minerals Production Act, H.R. 2531 — 116th Congress (2019-2020), accessed March 26, 2021, https://www.congress.gov/bill/116th-congress/house-bill/2531. The bill aims to increase the domestic supply of critical minerals through the policies in the executive order intended to decrease the time to obtain mining permits.]
The DoD is working to ensure reliable supplies of rare earth minerals by increasing domestic production and processing capabilities.[19: Department of Defense, DOD Announces Rare Earth Element Awards to Strengthen Domestic Industrial Base, press release, November 17, 2020, accessed March 26, 2021, https://www.defense.gov/Newsroom/Releases/Release/Article/2418542/dod-announces-rare-earth-element-awards-to-strengthen-domestic-industrial-base/] The department has taken steps to increase stockpiles, reduce reliance on Chinese sources, partner with private industry to increase production of rare earth magnets, and accelerate the development of new rare earth mineral processing technologies, and is seeking to increase funding for domestic production of rare earth minerals for munitions and missiles. To increase domestic production of rare earth minerals, mining-reform legislation is needed. The current mine-permitting process takes approximately ten years, when timelines of two to three years may be possible. Cooperative agreements with like-minded countries may also increase the supply available to the United States. South Africa, Canada, Australia, Brazil, India, Malaysia, and Malawi have rare earth minerals; China, Russia, and the United States hold 82.6 percent of the world’s production and reserves.[20: Marc Humphries, Rare Earth Elements: The Global Supply Chain, Congressional Research Service, December 16, 2013, accessed March 26, 2021, https://fas.org/sgp/crs/natsec/R41347.pdf]
Finding 4.3: By creating new materials and new design and manufacturing technologies, the United States can eliminate critical dependencies on foreign sources.
The DARPA Electronics Resurgence Initiative[21: “DARPA Electronics Resurgence Initiative,” DARPA] is in the fourth year of a long-term, $1.5 billion effort to reinvent defense electronics both to improve performance and to respond to foreign efforts to shift innovation in electronics away from the United States. The program currently includes applications of the new materials, chip designs, chip manufacturing technologies, and new methods for increasing security in a variety of defense systems. At present, the United States imports 80 percent of its rare earth elements directly from China.
The DARPA Electronics Resurgence Initiative supports the goals of the “Executive Order 13953 of September 30, 2020: Addressing the Threat to the Domestic Supply Chain From Reliance on Critical Minerals From Foreign Adversaries and Supporting the Domestic Mining and Processing Industries.” The transformation of microelectronics is DoD’s top modernization priority. A critical, fundamental risk is the US dependence on foreign semiconductor chip manufacturing, dominated by microelectronics fabrication plants in vulnerable Taiwan and South Korea.
Approach 4: Develop supply chain resilience strategies for a broadened set of critical resources, conduct assessments with allies.
The United States must establish criteria for determining which supply chains are critical and develop supply chain assurance strategies based on knowledge of the current supply network and the creation of alternative pathways, processes, and materials.
Such strategies must incorporate:
- A supplier nation’s trade and export policies and the effects of sudden changes,
- A nation’s near-monopoly of a key resource,
- Alternate supply lines available to the United States,
- Baseline capacities and resources, and
- The ability to reestablish commercial operations in locations having lower risk.[22: Congressional Research Service, COVID-19: China Medical Supply Chains and Broader Trade Issues, R46304, April 6, 2020, updated December 23, 2020, accessed March 26, 2021, https://crsreports.congress.gov/product/pdf/R/R46304]
For information systems and networks, the United States should develop and test cybersecurity resilience strategies and performance standards for increased cybersecurity in systems that support supply chains for critical resources.
Recommendation 4: Conduct regularized assessments in the United States and in allied countries to determine critical supply chain resilience and trust, implement risk-based assurance measures. Establish coordinated cybersecurity acquisition across government networks and create more experts.
Recommendation 4.1: Implement a framework that identifies and establishes global data collection on critical resources.
“Executive Order 14017 of February 24, 2021: America’s Supply Chains” will conduct a review of critical supply chain vulnerabilities affecting both government procurement and that of the private sector. This review will address the changing nature of critical supply chains as “manufacturing and other needed capacities of the United States modernize to meet future needs.”[23: “Executive Order on America’s Supply Chains,” White House, February 24, 2021, accessed March 26, 2021, https://www.whitehouse.gov/briefing-room/presidential-actions/2021/02/24/executive-order-on-americas-supply-chains/; “Executive Order 14017 of February 24, 2021, America’s Supply Chains,” Federal Register, March 1, 2021, https://www.federalregister.gov/documents/2021/03/01/2021-04280/americas-supply-chains] It will examine dependence on foreign suppliers, measures of resilience, and a range of sectors including energy, semiconductors, key electronics and related technologies, telecommunications infrastructure, and key raw materials. Strategies to increase critical supply chain resilience include “a combination of increased domestic production, strategic stockpiles sized to meet our needs, cracking down on anti-competitive practices that threaten supply chains, implementing smart plans to surge capacity in a time of crisis, and working closely with allies.”[24: “The Biden Plan to Rebuild U.S. Supply Chains and Ensure the U.S. Does Not Face Future Shortages of Critical Equipment,” accessed March 26, 2021, https://joebiden.com/supplychains] After this initial review, the administration plans to ask Congress to enact a mandatory quadrennial critical supply chain review to institute this process permanently.
To conduct this critical supply chain review, the administration should develop a set of criteria for determining resources that are critical to the nation with respect to public health, national security, economic security, and technological competitiveness. These criteria should encompass critical resources beyond high-technology products, to include IT and computer systems and infrastructures, and lower technology products that are important for high-technology competitiveness, e.g., steel, auto parts, and other portions of US manufacturing industries. These criteria should be developed by the White House Office of Science and Technology Policy (OSTP) in coordination with relevant executive branch agencies and departments and with the active participation of private industry. Because critical resources are dynamic in nature and are constantly evolving, this should be a recurring, ongoing initiative.
The administration should use existing fora for international outreach to foster data collection and information sharing for assessments of critical resources and critical supply chains. It should also identify where US funding will strengthen supply chain assurance in partner countries, particularly those with a strong rule of law and a commitment to intellectual property protection. The assessments must address where key resources (e.g., pharmaceuticals,[25: OECD and European Union Intellectual Property Office, Trade in Counterfeit Pharmaceutical Products, (Paris: OECD Publishing, 2020), accessed March 26, 2021, https://doi.org/10.1787/a7c7e054-en; Agnes Shanley, “Focusing on the Last Link,” PharmaTech, September 2, 2018, accessed March 26, 2021, https://www.pharmtech.com/view/focusing-last-link; Eurohealth, Quarterly of the European Observatory on Health Systems and Policies 24 (3) (2018), accessed March 26, 2021, https://www.euro.who.int/__data/assets/pdf_file/0011/382682/eurohealth-vol24-no3-2018-eng.pdf?ua=1] agricultural products[26: Clara Frezal and Grégoire Garsous, “New digital technologies to tackle trade in illegal pesticides,” OECD Trade and Environment Working Papers 2020/02, OECD Publishing, accessed March 26, 2021, https://doi.org/10.1787/9383b310-en]) are manufactured and sourced, and how this impacts the robustness of US supply chains, the ability to manufacture the key resources in the United States, and other issues concerning supply chain threats and vulnerabilities.
The United States-Mexico-Canada Agreement (USMCA) in its “Rules of Origin” chapter provides a model for agreements with like-minded countries.[27: “Agreement between the United States of America, the United Mexican States, and Canada 7/1/20 Text,” Office of the United States Trade Representative, accessed March 26, 2021, https://ustr.gov/trade-agreements/free-trade-agreements/united-states-mexico-canada-agreement/agreement-between/] The United States Trade Representative would develop trade agreements that help strengthen supply chains.
Recommendation 4.2: Fund and broaden federal oversight of supply chain assurance to include all critical resources.
Congress should establish an annual reporting requirement that assesses the supply chain assurance for all critical resources, to be assigned to the Department of Homeland Security (DHS) with support from the Office of Management and Budget (OMB). The Cybersecurity and Infrastructure Security Agency (CISA) will contribute assessments of the cybersecurity of the supply chains included in the annual report. This report should determine priorities for supply chains deemed critical to US national and economic security and national health. Congress should require that federal budget requests affecting critical supply chains are based on these priorities.
The administration should develop an approach to address risk management for supply chains beyond those already associated with information technology and computer systems. The administration should extend the work by NIST to model critical assets and components for information systems,[28: “NISTIR 8179, Criticality Analysis Process Model: Helping Organizations Decide Which Assets Need to Be Secured First,” National Institute of Standards and Technology, April 11, 2018, accessed March 26, 2021, https://csrc.nist.gov/News/2018/NISTIR-8179-Criticality-Analysis-Process-Model] to critical resources as described here. This effort will delineate the data—for both physical supply chains and software/IT supply chains—required to perform supply chain assurance assessments.
Recommendation 4.3: For the United States, the administration must develop a geopolitical deterrence strategy that addresses critical digital resources and digital supply chain assurance.
State-based cyber-enabled threats to the integrity of global supply chains—impacting both physical (as seen in disruption to global logistics and manufacturing activity in the wake of the NotPetya ransomware attack[29: Andy Greenberg, “The Untold Story of NotPetya, the most Devastating Cyberattack in History,” Wired, August 22, 2018, accessed March 26, 2021, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/]) and digital (as illustrated in the wake of the SolarWinds compromise) supply chains—increasingly represent costly and high-impact challenges. The national cyber director, as part of the National Cyber Strategy, should develop a geopolitical deterrence strategy that enables the US government to leverage all tools of US power—from diplomacy, to sanctions, cyber, and military activity—to exercise deterrence. The administration should evaluate the potential for (i) continuous evaluation of digital supply chains to enable prompt detection of malicious activity targeting these supply chains, and (ii) prompt detection, combined with improved supply chain resilience and timely actions in response to the detected activity, to decrease the likelihood of cyberattacks. Continuous evaluation of supply chains for critical digital resources[30: A key enabler of continuous evaluation comprises software configuration databases which will permit visibility and traceability of software/IT supply chains. These require development.] would be coordinated and managed by CISA as part of its role in managing federal cybersecurity risk.
Recommendation 4.4: Conduct regular physical and software/IT supply chain assessments in the United States and with allies, focused on intersecting vulnerabilities with cascading consequences.
The administration should establish with allies and partner nations a test program for supply chains and reporting on supply chains’ status and test results. This reporting would address the readiness status of both public and private sector supply chains, and the results of exercises that test the preparedness, adequacy, and resiliency of supply chains against a range of conditions and scenarios, much like stress tests for the financial sector.
- Because most of the supply chain data are held by private companies, a key issue is whether the private sector will provide enough data about its supply chains, or can be incentivized to do so. Questions to address include: What is the minimal information that is needed to calculate these performance measures, and will the resultant tests provide useful results across the situations of interest? Will the private sector give these data, given its competitive positions? What is the best estimate of the metrics subject to the data availability constraints? Thus, the tests must show these estimates can be developed using acceptable access to the private data, or must determine a narrower set of criteria to test against.
Due to the many factors bearing on cybersecurity resilience, including the growing threat of sophisticated cyberattacks by major adversaries, the administration should develop software/IT supply chain resilience risk assessments that incorporate the effects of new standards and tools to measure cyber vulnerabilities, improved information sharing (including intelligence information on nation state-supported cyberattacks and ransomware denial of service attacks), designs for improvements that protect against systemic vulnerabilities, and new technologies such as cloud-based services.