Can governments kick their Chinese manufacturing addiction?
Connecting state and local government leaders
The real issue is not who might be compromising the supply chain, but rather that the supply chain can be compromised, leaving broad swaths of industry left to wonder about their security rather than actually know.
Economics and politics surrounding manufacturing sometimes have a way of making things that are ultimately detrimental seem practical and even unavoidable. Momentum gets established, and before long, whole industries and populations are caught up in a situation.
To give an example: In the 1970s and ‘80s, political decisions turned high fructose corn syrup into a dominant force in the U.S. food industry. More recently, however, there has been a growing awareness that this form of sugar could be problematic. In fact, many experts concluded that the widespread effects of HFCS has led to an obesity epidemic in America, and some studies have found connections between HFCS and opioid addiction.
What does this have to do with technology? Stick with me.
Political decisions that distort the market often have unintended consequences. This phenomenon, of course, is not limited to food. We are seeing it in technology today. Largely due to decisions and subsidies, China has become a globally dominant force in manufacturing of all types, including technology. These decisions have made it virtually impossible to compete in the Western world without leveraging Chinese manufacturing as part of the supply chain.
Virtually all major technology vendors, regardless of what country they call headquarters, is completely reliant on Chinese manufactured chips, including sub-assemblies (both hardware and compiled code). This is true for large and small players alike, and it includes fully manufactured end products from large sub-contracted manufacturers. It is practically inescapable.
In October 2018, Bloomberg Businessweek published a now-infamous expose on how almost 30 U.S. companies were compromised after engineers at Amazon found a tiny microchip, “not much bigger than a grain of rice,” affixed to one of its servers’ motherboards and reported it to authorities. While the report was denied by Amazon, it raised the level of suspicion of foreign manufacturers. Now, the U.S. government is moving to ban federal contractors from using certain technology equipment provided by Chinese technology manufacturers like Huawei, ZTE, Hikvision and others.
The true issue is not who might be compromising the supply chain, but rather that the supply chain can be compromised, leaving broad swaths of industry left to wonder about their security rather than actually know. The real solution (at least from a security perspective) should not center around who is providing the hardware, but rather that the hardware and software can be independently verified as clean.
The fact is that organizations procuring technology today have little alternative than to trust their suppliers because they are unable to properly inspect hazy supply chains and pre-compiled code bases. The risk is likely much greater than is generally acknowledged, largely due to the nature of security itself.
Members of my organization, SoftIron, which is known for data center storage appliances, have regular conversations with procurement officers in defense, intelligence and other sensitive industries like insurance, health care and finance. They are all too aware of the supply chain challenges and are increasingly keen to find a solution, but like with HFCS, it’s exceedingly difficult to find manufacturers that aren’t ensnared by the politics and economics – even when they may say up front that they’re not.
Ultimately, industry needs to get to a place where trust is no longer required to know that organizations are installing “clear box” solutions into their racks. This starts with increasing numbers of people at all stages of the procurement process asking the right questions. Where is the hardware manufactured? How much of it is done domestically? How much is assembled from overseas or by subcontractors? Is the code that operates the hardware all compiled from source? Can that source code be inspected? (Would you be surprised to find that virtually no vendors can/will show you pre-compiled source code that your team can audit?) Can the provenance of every component be proved? Is every assembly and subassembly an accurate manifestation of design intent? Trust ultimately needs to be replaced with transparency and audits.
When organizations start to get concrete answers to these questions, gain the ability to self-audit software and know the provenance of their hardware, the industry will be in a much healthier place. This is the way it should be for all vendors, especially those delivering sensitive and/or critical environments.
Today there are many more foods available on the shelves without added HFCS. It started with people checking the labels and letting vendors know what they did and did not want.