Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology, April 2018. This research report was prepared at the request of the U.S.-China Economic and Security Review Commission to support its deliberations.
“The U.S. government needs a national strategy for supply chain risk management (SCRM) of commercial supply chain vulnerabilities in U.S. federal information and communications technology (ICT), including procurement linked to the People’s Republic of China (China or PRC). This strategy must include supporting policies so that U.S. security posture is forward-leaning, rather than reactive and based on responding to vulnerabilities, breaches, and other incidents after they have already damaged U.S. national security, economic competitiveness, or the privacy of U.S. citizens. This study uses a comprehensive definition of ‘U.S. government ICT supply chains’ that includes (1) primary suppliers, (2) tiers of suppliers that support prime suppliers by providing products and services, and (3) any entities linked to those tiered suppliers through commercial, financial, or other relevant relationships. U.S. federal government ICT supply chains are multi-tiered, webbed relationships rather than singular or linear ones. The supply chain threat to U.S. national security stems from products produced, manufactured, or assembled by entities that are owned, directed, or subsidized by national governments or entities known to pose a potential supply chain or intelligence threat to the United States, including China. These products could be modified to (1) perform below expectations or fail, (2) facilitate state or corporate espionage, or (3) otherwise compromise the confidentiality, integrity, or availability of a federal information technology system…”