Cybersecurity & Tech

Three Key Questions to Define ICT Supply Chain Security

Tatyana Bolton, Mary Brooks, Kathryn Waldron
Friday, August 27, 2021, 8:01 AM

To make progress on supply chain security, the U.S. government will need to clarify its goals; create a cohesive, forward-thinking strategy; and offer alternatives to a cold divestment of Chinese ICT products.

Capitol During Construction, 2016 (Architect of the Capitol,; U.S. Government Work,

Published by The Lawfare Institute
in Cooperation With

On July 15, the Senate Committee on Commerce, Science, and Transportation held a hearing to discuss how to bolster the security and resiliency of America’s critical supply chains.

Thankfully, the need to prioritize supply chain security is an area of all too rare bipartisan agreement. Both sides of the aisle made it clear that they understand the importance of finding ways for the U.S. government to work efficiently across its own departments and with the private sector to better protect the systems, processes and networks that undergird virtually every aspect of people’s daily lives.

Unfortunately, this sense of vague agreement appears difficult to translate into tangible progress—partly for partisan reasons; partly because the issue is broad, complex and often requires specialized knowledge; and partly because no one seems to be on the same page about describing the problem. The July hearing demonstrated this all too well: The subject area was incredibly broad, expert witnesses were packed seven to a panel, good ideas were dropped with no follow-up, and everyone’s pet issues were shoehorned into the discussion. That day, the hearing traversed from industrial equipment manufacturing to jetliner fuel to semiconductors and back—taking several detours to discuss drone security, climate change and workforce challenges along the way.

In many ways, the Commerce Committee hearing was a microcosm of the greater problem with the U.S. government’s supply chain security efforts: the disjointed push for urgent, ad hoc responses to a world-order-defining challenge. Simply put, the U.S. government does not have a cohesive vision for securing its critical supply chains. And it needs one.

In the absence of a national strategy—one that negotiates the difficult line between being broad enough to meet the challenge while narrowly defined enough to actually make decisions—the U.S. government will continue to duplicate efforts and work at odds with other departments and sectors.

In recent months, our team at the R Street Institute has focused its efforts more narrowly on the security challenge of the information and communications technology (ICT) supply chain. We believe that in order to define a strategy, the Biden administration should answer the following questions:

  • What are the United States’ end goals on ICT supply chain security?
  • What should be the focus of an ICT supply chain security strategy—specifically regarding domestic challenges and international threats?
  • How should success for this security challenge be defined?

Recognizing and Defining the Challenge

The confluence of several events explains why it has suddenly become popular to talk about ICT supply chain security. At the national security level, it’s the rise of the “China challenge”—ongoing technological competition with China, most frequently viewed through the lens of the Huawei debate. There is also the increasing severity—and, possibly, pace—of ICT supply-chain-related hacks and close calls over the past several years: everything from SolarWinds to famously unconfirmable rumors of a large-scale microchip compromise. And then, of course, the coronavirus pandemic—with its shortages of everything from toilet paper to semiconductors—impressed on the American people the necessity of making sure the general supply chain is robust, diversified and reliable.

These and other concerns have spurred undeniably excellent work in the ICT supply chain security space—efforts by academic institutions, international organizations, public policy institutes, trade associations and others. For its part, the Biden administration undoubtedly realizes security must be a top priority, signing a number of executive orders and emphasizing the appointment of talented cybersecurity policy leadership at the highest levels of the executive branch. Congress has also jumped into the discussion, cueing up myriad hearings, launching initiatives such as a supply chain task force and debating a raft of legislative proposals.

The federal government has also streamlined and enhanced supply chain security efforts and their authorities. Most notably, the Cybersecurity and Infrastructure Security Agency was elevated to a full-fledged agency in 2018, under the Department of Homeland Security, increasing its capacity to be a leader in this space. The establishment of a Supply Chain Risk Management (SCRM) task force and an update to the Committee on Foreign Investment in the United States were also particularly welcome developments.

However, agreeing on urgency and importance is not the same as defining the problem. And that task is made more difficult when the security needs and tools for the ICT supply chain seem to be…well, everything. Securely designed software components? That’s the ICT supply chain. Making sure U.S. companies have physical access to rare earths and minerals needed for manufacturing semiconductors? Supply chain. Working with allies to diversify sources of materials? Making sure taxes and regulations favor innovation? Building security in from the beginning? Check, check, check.

There are no one-size-fits-all approaches to any of these areas. And, of course, there will always be trade-offs. But it is precisely because ICT supply chain security is so multifaceted that it is so important to ensure that leaders are on the same page.

The Importance of a Strategy

Strategy is critical because it establishes a common goal that guides agencies in policymaking and provides the framework for collaboration and cohesion of vision. Strategy is difficult to devise, devilish to agree upon, and often painfully reductive when one considers competing demands. But without it, security boils down to ad hoc government responses based on urgent yet contradicting concepts. Consider, for example, the long-standing struggle by the federal government to coordinate its cybersecurity response in the absence of clear, consolidated guidelines—creating inefficiencies, confusion and the duplication of efforts. While many security challenges can and will continually evolve—making it impossible to cross them off the list and declare them “solved”—there is still progress that can and should be made toward existing goals. To do that, though, efforts must be aligned in an effective strategy.

Questions That Any Strategy Must Answer

In the interest of furthering discussion, we offer the following outstanding questions—generated in part through discussions with the Secure and Competitive Markets Initiative (SCMI) coalition—that we believe the Biden administration must clearly address before the government can agree on a strategy.

What is the goal? The main part of any strategy is the establishment of the end goal—a description of where we want to go. The Biden administration is adamant that the U.S. government and its allies need to work together to create a secure supply chain, but the administration has not clearly defined what a “secure” supply chain is. A common understanding of what security means needs to exist at the federal level—as well as how to know when it has been achieved. For example: Is security geographically based? If so, will the Biden administration be able to measurably improve supply chain security by moving away from Chinese products, though the alternatives might be less reliable?

These are questions that only a clear set of goals can answer. The current ambiguity is unsustainable, leading only to a slide toward risky policies such as decoupling. A clear goal gives policymakers a vision against which all other policies and tactics can be judged.

What is the focus? How much of the United States’ response should be about China, and how much of it should be concentrated on its own capabilities?

Because the issues of ICT security and counterbalancing China’s ambitions are so deeply intertwined, it is often unclear whether the United States is aiming to bolster its own defenses or to hamstring China. Attempting to stop companies such as ASML from selling China the technology needed to build advanced microprocessors, for example, seems like an instance of the latter. By contrast, recommendations to invest billions of dollars in chipmaking within the United States sounds like the former. While the United States could do both, the Biden administration should be clear about the focus, rationale, trade-offs and sustainability of each path.

Recent congressional efforts such as the CHIPS for America Act and the United States Innovation and Competition Act—and the China-heavy language surrounding some of the bills’ debates—do little to clarify whether the United States is focused on securing the nation’s own supply chains or is instead aiming to prevent China from gaining an edge. In the Trump administration, this issue surfaced frequently. Simply, clarifying motives will facilitate a clearer strategy.

What does success look like? Along with goals and a clear focus, the United States needs to clearly define success. Western allies have long been asking U.S. officials pushing for the rip-and-replace of Chinese products in allied nations for their proposed alternative. To have a strong, smart strategy, the United States will need to create an alternative, forward-thinking solution to cold divestment from Chinese ICT products and clarify the nation’s metrics for success to both domestic and international audiences.

Part of that task lies in being transparent not only about the United States’ goals but also about its motivations in establishing those goals—whether, for example, those are aimed solely at promoting U.S. security or whether instead (or in addition) there are elements more targeted toward preserving economic strength, military advantage or global standing. Necessarily, the United States’ interpretation of success will be based on the goals that are set out, as well as the lens through which victory is viewed.

Moving Forward on a Strategy

These three questions are foundational to any U.S. strategy on ICT supply chain security. The United States must describe its goals, identify a focus and define success.

China’s “Made in 2025” vision and “Five-Year Plans” direct the country toward a common goal. While that style of governance and market policy are absolutely not something that the United States should aspire to emulate directly, lacking a coherent, unifying strategy of its own will leave the public and private sectors playing catch up, rather than leading.

This post was informed by conversations with members of the SCMI Coalition, but it does not necessarily reflect the opinions of the coalition at-large.

Tatyana Bolton is the policy director for R Street’s Cybersecurity and Emerging Threats team. Most recently, Tatyana worked as the senior policy director for the U.S. Cyberspace Solarium Commission focusing on U.S. government reorganization and resilience portfolios. Tatyana previously served in various program management positions at Strategic Systems Programs for the U.S. Navy including budgeting, program management, and contracting. Ms. Bolton is fluent in Russian and earned her MA from Georgetown University’s Walsh School of Foreign Service Security Studies Program, and a BA from the Ohio State University.
Mary Brooks is a public policy fellow at the Wilson Center. Most recently, she was a fellow for the Cybersecurity and Emerging Threats team at the R Street Institute. She was also the lead researcher and associate producer for The Perfect Weapon (2020), an HBO documentary that explores the rise of cyber conflict as a key feature of modern inter-state competition. Prior to that, she served as the special assistant for a DC-based international human rights law firm dedicated to freeing political prisoners. She graduated cum laude from Harvard University with a bachelor’s degree in government and a language certificate in Arabic.
Kathryn Waldron is a former Fellow with the Cybersecurity and Emerging Threats team at the R Street Institute. She is currently pursuing a PhD in Economics at George Mason University. Her work centers around the intersection of technology, geopolitics and economics

Subscribe to Lawfare