Yesterday, we submitted a recommendation to the U.S. government outlining an alternative way to combat supply chain security threats – an approach that incentivizes adoption of technology-based best practices to better protect supply chain security and maintain tech leadership.
In a digital age, global supply chain security is more complex than ever. Critical to achieving supply chain security today is the ability to protect against increasingly sophisticated threats. This requires strengthening our software and hardware supply chains and IT infrastructure. To do this, it is equally critical that nations with shared democratic values – including trust in technologies – lead in the development and innovation of the most important technologies and robust defenses for them. Governments need to rethink their regulatory approach so as not to erect overly restrictive barriers to trade in technology that undermine this tech leadership and, in the long run, make supply chains less secure.
Until now, governments and non-government actors have attempted to protect supply chains through piecemeal restrictions. A more comprehensive, targeted and technology-enabled strategy is needed. Key to this strategy is an approach that first clearly and carefully identifies key supply chain risks and then creates incentives for the adoption of best practice mitigation strategies, including digital solutions that target these risks without restricting trade altogether. In a submission Microsoft made to the U.S. government yesterday, we describe how this approach would work and the benefits it would provide.
Following a mandate in a May 2019 Executive Order on Securing the Information and Communications Technology and Services Supply Chain, the U.S. Department of Commerce sought to identify, assess and address information and communications technologies and services (ICTS) transactions that pose an “undue or unacceptable risk” to U.S. national security. Most recently – through a rule published on the eve of President Biden’s inauguration that came into effect yesterday – the Department has taken on broad authority to intervene, review and potentially block any ICTS transaction between U.S. companies and those deemed “foreign adversaries.” The Department of Commerce welcomed input from industry on the rule through a comment period ending yesterday with additional plans to issue a follow-on rule. This rule and the underlying Executive Order are just two of a number of actions taken by the previous administration that looked at restrictions on trade to secure supply chains.
Microsoft shares the goal of strengthening the supply chain. We support, for example, the comprehensive assessment called for in the February Executive Order on America’s Supply Chains. Along with many others, however, we are concerned that the broad discretion granted to the department under the recently enacted rule – combined with its sweeping scope – may undermine, rather than meaningfully advance, its ultimate objective of protecting national security.
As President Biden rightly noted in his recent Executive Order on America’s Supply Chains, strengthening production in the United States and like-minded nations is critical to supply chain security. Individual reviews like those contemplated by the ICTS supply chain rule, however, could undermine that goal. The possibility that any ICTS transaction with foreign adversaries might be reviewed, canceled, or unwound after the fact could lead to debilitating uncertainty, which, in turn, will make it more difficult and expensive for companies to develop and, in the long run, innovate these important technologies.
It is also critical that the United States – and the tech sector in particular – maintains reliable access to foreign markets, as well as to foreign partners or customers. ICTS technologies – like other emerging technologies – are predominantly commercial in nature. Companies must deploy these technologies broadly, typically on a global scale, to recoup the massive investments required to develop them. At best, government actions like the ICTS supply chain rule introduce considerable uncertainty about whether U.S. tech companies can remain reliable suppliers or partners; at worst, they could cut off U.S. companies’ access to global markets, partners or customers, even in or with allied countries that are not willing to risk unreliability. If U.S. companies fall behind in key markets as a result, their place will quickly be filled by others – including in countries or regions that may not share American values.
The risks that this rule and other recent government actions seek to address are real. These risks should be thoroughly evaluated and addressed. However, it is important that any resulting regulatory measures be part of a comprehensive, calibrated and effective supply chain strategy that employs tools other than trade restrictions. Technology-enabled solutions should play a key role.
The solution: how incentivizing risk-mitigating solutions would work
The first step in strengthening supply chain security is to carefully identify the risks. The President’s new Executive Order on America’s Supply Chains offers a vehicle for accomplishing this. Once those risks are identified, industry can then work with the government to define risk-mitigating best practices and tailored technology-enabled solutions. Technology may not eliminate the need for more traditional restrictive measures in all contexts. But in many areas, technology-enabled solutions can both strengthen security and sustain tech leadership.
There are several existing risk-mitigating technologies that can be more widely deployed to bolster supply chain security, many of which we described in a prior submission to the Department of Commerce on export controls and a Microsoft on the Issues blog post, including:
- Software security technologies designed into software packages or code can address security risks by ensuring trust and preventing software from being exploited by bad actors or for malicious uses. These features include: the ability to deploy trusted software updates, including to the firmware of compromised devices; automating security policies to, for example, seek out and prevent placement of user or administrator credentials in software code; and, in appropriate cases once in-development standards are finalized, use of software bills of materials (SBOMs) to convey evidence that software consumers can trust the environment in which software was built.
- Hardware security technologies built into hardware can further protect against supply chain risks. Solutions include hardware roots of trust to verify, protect or restore system, data or code integrity; secure co-processors for more robust identity verification; and, in appropriate cases, origin and identity attestation for components in a hardware system.
- Data security technologies can protect against exposure of U.S. data through the supply chain. Features include digital rights management, information flow controls, data tagging and, where appropriate, the use of secure virtual or data lockbox environments.
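One of the software practices named above, automated checks that keep user or administrator credentials out of source code, is illustrated here with an added example that is not part of the original post or of any Microsoft tooling. It combines a credential-name rule with a Shannon-entropy rule so that a secret assigned to an innocuously named variable is still caught; the source lines it scans are constructed samples, not real credentials.

```python
import math
import re

# Constructed sample source lines standing in for files in a pre-commit or CI scan.
# Every value here is made up for illustration; none is a real credential.
SAMPLE_SOURCE = """\
db_host = "db.internal.example"
admin_password = "hunter2"
API_KEY = "AKIA0000000000EXAMPLE"
token = os.environ["SERVICE_TOKEN"]
signing_material = "Zq8vB3nL0xR7tK2mW9pD4sH6yJ1cF5gA"
banner = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
timeout = 30
"""

# Rule 1: a credential-like identifier assigned a quoted literal (any value, any entropy).
CREDENTIAL_NAME = re.compile(
    r"""(?i)[\w.]*(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)[\w.]*\s*[=:]\s*["']([^"']+)["']"""
)
# Rule 2: any long quoted literal, judged by its entropy rather than by the variable name.
QUOTED_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above words or padding."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_source(text: str, entropy_threshold: float = 3.5):
    """Return (line_no, reason, value) for each suspected hard-coded credential.

    Reading a token from the environment (line 4 of the sample) is the intended
    pattern and is not flagged; a low-entropy filler string (line 6) is also left alone.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = CREDENTIAL_NAME.search(line)
        if m:
            findings.append((line_no, f"literal assigned to '{m.group(1)}'", m.group(2)))
            continue  # already reported; do not count the same literal twice
        for m in QUOTED_LITERAL.finditer(line):
            if shannon_entropy(m.group(1)) >= entropy_threshold:
                findings.append((line_no, "high-entropy literal", m.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, reason, value in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {reason}: {value}")
```

The entropy threshold is a tuning knob: lower values catch more secrets but also flag identifiers such as UUIDs or commit hashes, so in practice it is paired with an allow-list of known non-secret patterns.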
Future innovations in each of these areas, including more advanced security processors that tie hardware, code and data more closely, and artificial-intelligence-based solutions, are also underway.
The government could accelerate the development of these solutions by providing incentives for companies to adopt the best practices and technology-enabled solutions designed to mitigate key supply chain risks. Incentives could include safe harbors that would exclude certain transactions from review and traditional restrictive measures if the parties have used best practice risk-mitigation tools in the technology at issue. A safe harbor and other appropriate incentives would not only ease the regulatory burden that restrictive rules like the ICTS rule otherwise impose; they would also encourage broad-scale deployment of risk mitigation tools throughout the supply chain.
In the long run, such incentives will expand the market for these tools, leading companies to allocate more resources to the development of more advanced and effective risk mitigation technologies. This virtuous cycle has played out in the automobile industry, where seatbelt technology led to air bags, blind spot sensors and other high-tech life-saving features. Although building safety features into vehicles has not eliminated automobile accidents altogether, it has substantially reduced them and mitigated the injuries they cause. Further, the adoption of these features has created a culture of continuous improvement in the auto industry that has led to more safety innovations over time.
The United States should work closely with allies and like-minded countries to encourage models that similarly incentivize best practice and technology-enabled supply chain risk mitigation measures, and to coordinate technology trade policies more generally. This cooperation would lead to enhanced security and further innovation, while avoiding protectionist and retaliatory measures that could make the world’s democracies, including the United States, less competitive in technology and undermine global supply chain security.
Employed appropriately, a multilateral supply chain security policy that incentivizes adoption of technology-based best practices – rather than one that imposes undue and unpredictable regulatory burdens – will better protect supply chain security and help the United States and other democracies maintain tech leadership. We look forward to continuing to partner with the U.S. Government and a wide range of stakeholders to advance these goals.
 For our full U.S. government submission, see Microsoft’s Comment on the Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain.
 As the recent attacks on SolarWinds and Microsoft Exchange Server attest, even the most sophisticated technologies of today are not impervious to attack. That said, as Microsoft President Brad Smith recently testified, such technologies and incentivizing their broader deployment (e.g., software patches) can offer significant security advantages.