The Manufacturer’s Dilemma

On the outside, the iPhone looks like the pinnacle of cool Californian tech. Open it up, however, and the device seems a lot less American. Its components might have been designed in the United States, but they’re assembled in China, as are a dizzying range of other popular products: televisions, sneakers, even drones and defense equipment. That fact creates a glaring security threat—one that Western firms and governments are only now beginning to tackle.

Using Chinese suppliers seems to make good economic sense for Western firms. After all, Chinese labor remains very cheap: Such work accounts for just $10 of the total cost of an iPhone today (top models of which go for more than $1,000). That’s why, according to a recent tally by the Economist, “of the production facilities operated by Apple’s top 200 suppliers, 357 are in China,” while just 63 are in the United States. (One of the reasons Steve Jobs originally hired Apple’s now CEO, Tim Cook, was because he was expert in managing such supply chains.)

But clever financial arrangements don’t always make for smart politics—or secure systems. Globalizing the supply chain may make business sense, but it has turned Western companies into vulnerable geopolitical targets. In 2017, Maersk, the world’s largest shipping company, was hit by the NotPetya virus. The ransomware, developed by hackers working for Russian military intelligence and originally directed against Ukraine, rendered Maersk essentially nonoperational for two weeks. In ports around the world, including Elizabeth, New Jersey, trailers soon piled up, unable to deliver or receive cargo. Theorists call attacks like this “hybrid warfare,” where irregular methods are mixed into conventional war-making to target social and political weak points. In an age of these asymmetric threats, firms like Maersk are now on the front line. “[T]his problem was of a magnitude never seen before in global transport,” a Maersk customer told Wired.

According to a high-level source, speaking confidentially, major consumer brands are trying, with some success, to curb their exposure to Chinese companies. Makers of lower-end products, however, remain dangerously exposed. If their suppliers or subcontractors tinkered with a product at any point along the supply chain, in most cases the customer would never find out. Defense contractors, which make products infinitely more complex than sneakers or even smartphones, face even trickier problems with their Chinese supply chains.

The culprit doesn’t need to be a Chinese company or national, of course: It can be anyone wishing to harm the main manufacturer or its home country, or it can be a proxy operating on behalf of a rival company or country. Defenders of the current order argue that fear of the economic losses that would result if such subterfuge were revealed provides sufficient deterrence. But political pressures and national conflicts have overridden economic reasoning plenty of times in the past, and the hostile intelligence agencies that might insert backdoors into components have no vested interest in global economics.

Tinkering with economic supply chains for intelligence- and other national security-related reasons is not a new idea; indeed, Western countries have long done just that. In the 1980s, the CIA, according to former Air Force Secretary Thomas Reed, inserted sabotaged software into a Soviet oil pipeline, causing it to explode. Five years ago, Edward Snowden revealed that the U.S. National Security Agency had inserted backdoor espionage tools into U.S.-made internet routers being exported to Syria. And in February, the New York Times reported that the United States was accelerating a George W. Bush-era practice of inserting faulty parts into Iran’s aerospace supply chains, which appears to have caused some of the country’s test rocket launches to fail. Such disruption and sabotage are unlikely to affect large parts of any product’s supply chain, but the psychological and consumer damage caused by even a minor mishap can be immense. Just as parents are scared away from baby food by the report of a single piece of glass, so the damage done by sabotage could cause permanent distrust in a given product or manufacturer.

Hundreds of years ago, attacking a supply chain meant cutting off supplies to a besieged castle or sinking merchant ships. Today, governments can conduct these attacks covertly through proxies. Chinese companies have cornered the market for inexpensive high-tech parts and products. If these suppliers abruptly decided to stop servicing their Western clients, there would be little U.S. and European companies could do to respond. Sure, manufacturers would revert to alternative suppliers—yet in countries where empty shelves are unknown, the social shock alone would be highly destabilizing.

Thus far, Western fears—and attempts by countries and companies to protect themselves—have largely focused on China, with claims of hardware backdoors and worries about the 5G giant Huawei. Yet every country involved in a company’s supply chain poses a potential risk. While a government may have no malign intent, local terrorists or criminals often do. According to the British Standards Institution, the country’s certification body, terrorists target supply chains at least once every seven days; the most frequent victims are Egypt, India, Thailand, and Colombia.

Today’s supply chains are so complex that it’s virtually impossible for Western companies to know exactly where everything they make comes from or is assembled. The World Intellectual Property Organization noted in its 2017 annual report that smartphones’ different components all “have their own global supply chains. For example, a chip may be designed by a specialized U.S. company for a smartphone supplier; it is then manufactured in China and packaged in Malaysia.” Although firms actively try to manage risk, “most companies simply have no way of knowing all the participants in their supply chain,” said Michael Essig, a professor of supply management at Bundeswehr University in Munich.

“Let’s assume that a global company like Volkswagen has around 5,000 direct suppliers and that each has around 250 subcontractors. That means that the company has 1.25 million second-tier suppliers. With each additional step, the supply chain grows exponentially,” Essig calculated. So does the risk of attack. And that’s just the hardware. Software supply chains can be just as murky. “Perhaps a software supplier has a subcontractor in China who delivers important lines of code,” Essig said, and the end consumer has no way of identifying which sections were compiled where. Jerker Hellström, the head of the Asia and Middle East program at the Swedish Defence Research Agency, warned that “companies can just stop sending software updates.”

Identifying every risk may be impossible. After all, most foreign companies in the supply chain are benign actors that don’t deserve to be held collectively responsible. And diversifying away from every possible risk would result in crippling costs. So firms and governments should focus on improving resilience, not just mitigating risk. Disruptions, backdoors, and sabotage might be inevitable; how companies cope with them will make a critical difference.

For businesses, that means taking a lesson from militaries, which regularly prepare for different threats—and for unpredictable scenarios. Armies don’t sit on their hands after war-gaming one possibility; they reimagine and retrain constantly. In a similar fashion, today’s global companies should regularly practice reconfiguring their supply chains in case of emergency. They can also identify which components are most critical and ensure they have a second, safer supplier—ideally one close to home—lined up in case their first is compromised.

The trouble is that after years of outsourcing, there aren’t many Western companies with the ability to act as a second source. Crucial manufacturing expertise has been lost in the West, especially in high-tech manufacturing. That’s even more reason to start looking for such companies before the problem hits. Western conglomerates—and even ministries of defense—may want to consider supporting the creation of critical businesses on their shores. Using local suppliers is always more expensive than relying on labor from lower-wage countries, but supply chain disruptions can prove even more expensive.

Governments should also provide incentives for firms to act. If a major tech, logistics, or defense company’s operations are disrupted, it’s far from the only victim. NotPetya, the virus that hit Maersk, also infected Mondelez, the snack food giant that, among other things, makes Oreo cookies. Maersk’s misfortune, meanwhile, left its customers without daily supplies including grains and steel.

Given the thoroughly globalized nature of today’s economy, companies can’t protect themselves from every disruption. Trying to create an iron dome around any Western country’s economy in the name of national security would be foolish. But assuming that supply chains will survive hybrid warfare unscathed is an even greater folly.

Elisabeth Braw directs the Modern Deterrence project at the Royal United Services Institute.

This article appears in the Spring 2019 issue of  Foreign Policy.