The Supply Chain State of Information and Communication Technologies

Supply chain has long been a concern in the U.S., particularly as it related to information technology. Knowing the “who, what, when and where” of products is essential to protecting U.S. security and interests. In response to provisions in the Biden Administration’s May 2021 cyber executive order, the Departments of Commerce and Homeland Security issued the, Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry report. In it, identifies key risks and challenges within the Information and Communications Technology (ICT) industrial base supply chain, with a path forward to addressing these concerns and bolstering resiliency.

Specifically, the federal entities examined the supply chains supporting communications hardware such as satellites and GPS equipment; computing and data storage hardware such as personal computers, servers and ATMs; end-user devices such as laptops, handsets and displays; and critical software including open-source software and firmware.

The largest concern the report finds, and unsurprisingly so, is that the U.S. is a world leader in technology innovation, yet most of its hardware manufacturing takes place in other countries. For example, the production of Printed Circuit Boards (PCBs) and displays are largely concentrated in China. In 2018, China led the world in global sales of PCB manufacturing claiming 52% of the market, while current U.S. global production of PCB’s is estimated to be about 4%. Though measures such as Section 808 of the FY 2021 NDAA will begin to prohibit DOD from sourcing PCBs from China and other regions in 2023, there is more work left to do it re-develop a strong PCB industrial base in the U.S., the report argues.

The assessment also found that due to the complexity and cost of the ICT supply chain, many Original Equipment Manufacturers (OEMs) are outsourcing firmware development to third party suppliers. Naturally, ICT OEMs find it attractive to outsource manufacturing capabilities so that they can focus on product design while fulfilling needs for mass production at low cost. To put things into perspective, data in the appendix of the report reveals that Taiwanese companies led in revenue for electronic manufacturing services and original design manufacturing in 2020, claiming nearly 81% of the global market. The U.S. made up only 14% of the global market that same year.

The report also identified a large reduction in U.S. workforce for ICT production and manufacturing, along with aging and unsustainable facilities. Although software development is a growing field within the U.S., industry reports struggle in finding qualified employees both in manufacturing and software development.

The cost to all this? Increased outsourcing leads to increased security risks due to the lack of transparency in suppliers’ programming and cybersecurity standards. Moreover, the overreliance on single-source foreign suppliers leads to supply disruptions, as made apparent by the COVID-19 pandemic and Russia-Ukraine conflict. Adds the report, “The current state of the ICT industrial base supply chain leaves the United States overexposed to a variety of externally derived risks stemming from intellectual property theft, economic dependencies, weak labor standards and climate concerns,” according to the report.

Recommendations and Industry Impact:

Commerce and DHS offer a set of eight recommendations to form a strategy in addressing supply chain vulnerabilities and strengthening resiliency.

The report calls for a whole-of-government approach to strengthen the U.S. supply chain, in conjunction with efforts from industry and other non-government entities. Contractors can expect continued pushes from federal agencies for domestic supply chain contingencies within procurements. “The Departments of Commerce and Homeland Security have already begun to take steps aimed at mitigating risks identified in the report. These actions include investing in domestic manufacturing capacity and workforce development, developing supply chain security frameworks, collaborating with international partners to improve resiliency, investing in ICT research and development efforts as well as reducing cyber risks,” according to the introductory note of the assessment.