Departments of Commerce and Homeland Security Release Information and Communications Technology Supply Chain Report | King and Spalding

EVALUATES THE INFORMATION AND COMMUNICATIONS TECHNOLOGY INDUSTRY AND PROPOSES RECOMMENDATIONS FOR THE INCREASE OF NATIONAL PRODUCTION

This is the third in a series of client alerts regarding intensive assessments of six key supply chains – including supply chains supporting the US information and communications technology industry (“ICT”) – which President Biden ordered last year pursuant to the Executive Order on US Supply Chains (the “US supply chain EO 14017”). As we previously reported, EO 14017 required relevant agencies to conduct comprehensive “whole of government” reviews of identified critical supply chains. These reviews were to be undertaken in two stages. The first stage required immediate analysis (within 100 days of the order) of four key supply chains. The second stage called for more intensive, sector-specific supply chain assessments to be completed within a year of EO 14017, including a report on the national ICT industrial base. In accordance with the second stage, the Department of Commerce (“DoC”) and the Department of Homeland Security (“DHS”) jointly published a report on February 24, 2022 entitled “Assessment of the Critical Supply Chains Supporting the US Information and Communications Technology Industry” (the “ICT Annual Report”).

The ICT Annual Report examines critical sectors and sub-sectors of the ICT industrial base. For the purposes of the ICT Annual Report, the ICT industrial base consists of communication equipment, data storage and end-user devices, as well as critical software, including firmware and open source software. A list of twenty-seven North American Industry Classification System (“NAICS”) codes used to define the ICT industrial base is included in Appendix B of the ICT Annual Report. The ICT Annual Report “assesses current supply chain conditions for [the selected] hardware and software products, identifies key risks that threaten to disrupt these supply chains, and proposes a strategy to mitigate risk and build supply chain resilience.”

CURRENT STATE OF THE US INDUSTRIAL BASE AND ASSOCIATED RISKS

The ICT Annual Report addresses the following areas of concern regarding the current state of the ICT industrial base in the United States: (1) ICT manufacturing; (2) ICT software; (3) ICT workforce; (4) cross-cutting supply chain vulnerabilities of the ICT industrial base; and (5) risks external to the ICT industrial base supply chain.

1. ICT MANUFACTURING

The DoC and DHS conclude that “manufacturing of a wide range of critical ICT hardware products is currently concentrated in Asia”, from components to end products. Key examples examined in the report include: (1) printed circuit boards; (2) fiber optic cables; (3) printed circuit board assemblies and electronic assemblies; (4) routers, switches and servers; and (5) LCD/displays.

The report determined that China’s production share is increasing in all five product categories. For example, China holds 52.4% of global PCB manufacturing sales ($32.7 billion) while the United States holds around 4% ($2.88 billion). The ICT Annual Report outlines some of the causes of the shift to China, including market-distorting business practices, subsidization, and significant state involvement in ICT manufacturing operations.

2. ICT SOFTWARE

The ICT Annual Report examines the software and firmware used in ICT products, which enable “the underlying ICT hardware to function, direct the flow and processing of information, and facilitate a user’s interaction with a technological product.” The report describes the growing use of open source software (“OSS”) in software development, stating that “75% of all codebases audited in 2020 contain[ed] at least one open source component and open source compris[ed] 70% of the overall code.” While OSS “has accelerated innovation and delivers economic and societal benefits,” the report also expressed concerns about security vulnerabilities that are built into OSS and incorporated into finished software.

The ICT Annual Report also noted that the firmware level of software is “a large and ever-expanding attack surface” and that “hackers have increasingly targeted firmware to launch devastating attacks.”

3. ICT WORKFORCE

The DoC and DHS identify an urgent need to expand domestic training and education opportunities to create the workforce needed to increase domestic production of ICT products.

4. CROSS-CUTTING VULNERABILITIES OF THE ICT INDUSTRIAL BASE SUPPLY CHAIN

The ICT Annual Report identifies several “cross-cutting vulnerabilities impacting the U.S. ICT industrial base,” including persistent challenges due to the COVID-19 pandemic, systemic disadvantages caused by a lack of sufficient domestic investment in ICT manufacturing for decades, over-reliance on single-source and single-region suppliers, insufficient transparency at all levels of the ICT supply chain, threats to the resilience of the supply chain caused by just-in-time inventory management planning, and the ways malicious actors (for example, insider threats or counterfeit components) can harm the business of an ICT organization.

5. RISKS EXTERNAL TO THE ICT INDUSTRIAL BASE SUPPLY CHAIN

The ICT Annual Report notes that the ICT sector “is also vulnerable to external risks attributable to geopolitical tensions, economic dependencies, labor and climate concerns” and that the ICT industry “is particularly vulnerable to supply chain shocks.” Examples include intellectual property theft and cyber intrusions, excessive reliance on offshoring, the presence of forced labor in the ICT supply chain, and supply chain vulnerability due to climate change.

RECOMMENDATIONS

The DoC and DHS recommend several policy and legislative measures to address threats to the ICT supply chain, including:

1. REVITALIZE THE U.S. ICT MANUFACTURING BASE THROUGH GOVERNMENT FUNDING AND INCREASED USE OF BUY AMERICA PROVISIONS

Due to the significant shift of ICT production to Asia, “the ICT manufacturing base in the United States represents a small percentage of the domestic ICT industry and produces low-volume, highly specialized products”. The ICT Annual Report recommends supporting the expansion of manufacturing capacity by: (1) utilizing U.S. government procurement and funding incentives such as Title III of the Defense Production Act and the Creating Helpful Incentives to Produce Semiconductors (“CHIPS”) for America Act; (2) offering incentives through the Manufacturing Extension Partnership (“MEP”) of the National Institute of Standards and Technology (“NIST”); (3) implementing strong Buy America provisions; (4) encouraging the inclusion of ICT manufacturing supply chains in the DoC’s overall economic development strategies; and (5) increasing the participation of minorities in the ICT supply chain.

2. BUILDING RESILIENCE THROUGH SECURE AND TRANSPARENT SUPPLY CHAINS

Several measures can be taken in ICT supply chains to address risks such as the insertion of counterfeit or used parts into critical hardware components and the injection of malicious software code. The ICT Annual Report recommends the implementation of supply chain risk management practices through US procurement requirements and monitoring efforts. The report also recommends building on Executive Order 14028 (Improving the Nation’s Cybersecurity) to create “pilot programs for consumer software and [Internet of Things] labeling; develop minimal elements for a software bill of materials (“SBOM”); and prioritizing security initiatives for open source software.”

To this end, the report recommends the creation of an Assured Supplier program for federal government ICT purchases and the establishment of a critical supply chain resilience program at the DoC to “identify, monitor and address supply chain vulnerabilities and partner with industry, labor, and other public and private actors to build resilience across the ICT industry,” including in the critical infrastructure sector.

3. COLLABORATE WITH INTERNATIONAL PARTNERS

The DoC and DHS recommend enhancing international collaboration to advance common interests in key areas such as joint investment opportunities, information sharing and cooperation on sustainability, labor and safety standards.

4. INVEST IN FUTURE ICT TECHNOLOGIES

The report indicates that significant spending on research and development (“R&D”) is necessary for the United States to remain competitive. Other funding proposals would target improving manufacturing technologies, job training, R&D tax credits and CHIPS funding, as well as investing in minority-serving institutions to “expand the participation of underserved communities in public and private ICT R&D ecosystems.”

5. STRENGTHEN THE ICT WORKFORCE POOL

The ICT Annual Report recommends intensive use of federal funds to expand access to computer science and science, technology, engineering, and math (“STEM”) programs while encouraging states to “develop and fund programs by allocating the $42.5 billion Broadband Equity, Access, and Deployment Program funded by the bipartisan Infrastructure Act.”

6. COLLABORATE WITH INDUSTRY STAKEHOLDERS ON RESILIENCE EFFORTS

The ICT Annual Report recommends strengthening public-private engagement in ICT supply chain and domestic manufacturing projects. In particular, the report urges the Office of Management and Budget’s Made in America Office (“MIAO”) and the Made in America Council to “promote national procurement and share best practices used in agencies facing similar challenges for procurement and financial assistance projects.”

CONCLUSION

The ICT Annual Report lays out a plan for intensive U.S. investment in the ICT industrial base to mitigate risk and spur innovation in this critically important supply chain. Relevant stakeholders should take steps now to determine how best to participate as the process unfolds in the near future.