The information and communication technologies infrastructure in the United States is made from parts sourced all around the world. Now a task force of the Congressionally-sponsored Cyberspace Solarium Commission has laid out a plan for the nation to reduce dependence on untrustworthy global sources in the so-called ICT supply chain. With highlights, task force senior director Robert Morgus joined Federal Drive with Tom Temin.
Insight by Carahsoft: Learn how the FedRAMP PMO and its partners believe the end result of many of ongoing initiatives is a better, faster and cheaper cloud security program by downloading this exclusive ebook.
Tom Temin: Mr. Morgus, good to have you on.
Robert Morgus: Thanks for having me, Tom.
Tom Temin: It looks like the Commission and the task force that you had is really going way past the idea of simply banning Chinese made telecom gear and growing something in the United States. Correct?
Robert Morgus: That is correct. Yeah. In our March 2020 final report, the US Cyberspace Solarium Commission called on the US government to take steps to reduce critical dependencies on untrusted ICTs, as you mentioned. In addition to recommendations to improve intelligence and information sharing around supply chain core to the Commission’s recommended approach was the creation of an ICT industrial based strategy, which would ensure a more trusted critical technology supply chain, and the availability of ICT or sort of key telecommunications providers and other technology providers. The white paper which we just released a couple of weeks ago is the Commission’s effort to further build out and lay out a strategy and recommendations for implementing this.
Tom Temin: And I think maybe the most important of the five basic recommendations in the report, or the most ambitious, maybe, is ensuring minimum viable manufacturing capacity. And I presume that means in the United States to replace what is necessarily purchased from overseas sources.
Robert Morgus: So it is very important. And it does and it doesn’t mean the United States. So one of the things that we call attention to in the report and the Commission feels very strongly about is that any approach to securing our high tech supply chains and building more industrial capacity needs to be built on a firm foundation in partnership. And that doesn’t just mean partnership with the American private sector, although that is obviously a key constituent. It also means looking at allies and partners, not only ally and partner governments, but also ally and partner companies, right. So Nokia, Ericsson, Samsung, they’re all extremely critical to this sort of next generation of telecommunications equipment, 5g. The US right now doesn’t have a really good 5g telecommunications equipment provider. So we’re going to need to rely on and partner with, frankly, companies who we deem more trustworthy for whatever reason, whether it’s sort of their ability to withstand pressure from the Chinese government, or their physical location, which allots them greater security or the sort of ability for them to manufacture in interested areas.
Tom Temin: And just a curiosity question, as you envision it does it go beneath the layer of semiconductors and IC, integrated circuits, an industry that’s going through a lot of changed consolidation and mergers and consolidations, there’s been some big ones, just in the last couple of months, billions of level types of acquisitions. But does it go below that to other areas of supply?
Robert Morgus: Yeah. So when we took a look at supply chains, we started by looking at critical technologies as a whole, that’s a broad umbrella characterization, we quickly realized we needed to narrow down to really focus on telecommunications and networking equipment. And that ended up being sort of the last chink in the supply chain. But if you go down and you look at this supply chain for teleco equipment, it’s very similar to other critical technologies, where you have raw materials, you have to both mine them and refine them. Then you have to take those and turn them into component parts. Semiconductors are one of those, but you also have important packaging, and you have other important equipment that goes into that. So when we wrote this report, when we looked at sort of the challenges facing the United States, not just the United States government, but the nation as a whole in the private sector, we looked at not only sort of critical dependencies on companies that produce semiconductors, obviously, Taiwan Semiconductor Manufacturing Corporation is arguably I think at this point, one of the most important companies in the world, they provide the basis for much of the fabrication capability in semiconductors. And by the way, we don’t necessarily think that’s a bad thing. We think it’s something that we need to be sort of paying attention to and note, but we also looked at sort of shortcomings when it comes to mining critical rare earth materials, rare earth elements and things like silicone, which we can mine, but we struggle to refine in the sort of the same manner or the same scale as some countries with more lax environmental controls.
Tom Temin: Yeah, it’s gotten much more fussy, really, semiconductor manufacturing over the last 20 30, 40 years as the lines get smaller and some of the deposition materials get more rare. So and you mentioned Taiwan semiconductor. I mean, that must be a pretty big danger because the nation of Taiwan is pretty badly threatened I would say by the People’s Republic of China.
Robert Morgus: Taiwan is a really interesting challenge for us. Obviously, its proximity to China and the history there makes it potentially a risky proposition. If we are 100% dependent on Taiwanese fabrication capability for semiconductors, I don’t think anyone would say that we can sleep sort of peacefully at night with that reality. And there are a number of reasons for that. And it has very little to do with Taiwan and much more to do with China. But you know, one of the things that we take a hard look at in the report is the US sort of diplomatic relationship with Taiwan, and whether we need to reassess some of our policies toward Taiwan in order to bring them closer. I think there’s going to be a period in the future, Taiwan is crucial not only to the United States in the context of semiconductors, but also to China, in the context of semiconductors. Right now, they’re doing a great job of supplying to both sides. Some would suggest that in the future, that that’s a reality, that’s going to be tough for them to maintain and they’re going to have to go in one direction or the other. China has already begun to build their own fabrication capability. If you look at the capability, though, it’s a couple of generations behind when we talk about semiconductors, behind Taiwan in particular. One of the key sort of elements of the strategy for us is we need to recognize the importance of Taiwan and ensure that they recognize that we recognize the importance of Taiwan, and we bring them close, right. They’re an important, important partner in this endeavor.
Tom Temin: And there’s some other things that you suggest here besides the manufacturing side, and including, I guess, maybe on the manufacturing side, it would be nice if Silicon Valley was silicon again, and not software, but it could be a long time coming. Protecting the supply chains from compromised through better intelligence, information sharing and product testing. That’s not precisely related to the CMMC initiative of the Pentagon, of the Defense Department. But it does have to do with that idea of keeping the supply chain in trust, through your case, product testing and information sharing. And I guess, Information Protection also.
Robert Morgus: Yeah, I think that’s right. Right now, there are a myriad of programs in the US government focused on both supply chain risk sort of analysis and information sharing. But what we lack is a sort of coherence or cohesiveness, to all of those different programs. CMMC is one, you also have State Department running the Clean Networks Initiative, which is another. You have NIST doing some work, you have Commerce doing some work, you have the EOs, Bulk Power for one, the telecommunications supply chain EO. You have all of these different initiatives across government that aren’t necessarily woven into a cohesive strategic approach. And that’s one of the things that we recognize, we call on the US government to do in this report in our recommendations, we need a Northern Star, right, a North Star that guides all of this activity so that we have everybody working in the same direction. If we don’t have that, we’re gonna have inefficiencies within these initiatives, within these programs. We might even have programs that are pulling in opposite directions.. And when you look at our primary competitors in the space, for example, China, they have several strategies that make sure that they have a whole of government, whole of nation approach to this pressing challenge. One of the first things that I think US government, and frankly, this falls on the executive branch, can do to help solve some of the tension or the issue that we have when it comes to sort of this coherence or cohesiveness is identify a lead agency, right. Right now, you sort of look around the federal government, and you say, okay, DoD is obviously in charge of DoD aspects of the supply chain, that’s probably okay, we can probably keep it that way. But who’s working with critical infrastructure, who’s working with information technology companies, who’s working with this, that and the other thing, especially outside of the federal government, right. Some would say DHS, some would say Commerce. And both are doing very good projects, they have very good initiatives. But sometimes it’s difficult for a company or someone out there in the private sector to know who they’re supposed to be liaising with on this. And then the other piece of it is better intelligence support, right. One of the comparative advantages, I would say, for the federal government when it comes to security issues like this is intelligence networks, right. They have both human and technical intelligence collection capability that’s not really rivaled in the private sector. I’m not saying that the private sector should dictate the intelligence collection that we have, you run into pretty quick sort of conflict issues right there. But there’s more that we can do to get pressing intelligence out there into the private sector to help inform private sector decision.
Tom Temin: Alright. So there’s going to be a new Congress seated in a couple of months. And what does the Commission think? Or what do you think should be the first thing they do with respect to cyberspace with the supply chain that your task force deals with?
Robert Morgus: Sure. The first thing I think we need is a strategy here. And Congress can play a role in that basically through directing the executive branch to develop one. I think that’s probably the very first thing that needs to happen. Then I also think we need to take a hard look at what we’re doing to incentivize this sort of reinvigoration of manufacturing both in the United States and in partner countries. We saw a bunch of proposals, proposed bills in Congress, and some pieces of these bills made it into the drafts of the National Defense Authorization Act. I’m thinking about things like the Chips Act, the American Foundries Act, the USA Telecommunications Act, all of which had incentives essentially for domestic manufacturing. We need to take a hard look at how it were approaching that. In the report, we advocate for an approach that we call clustering, where one of the challenges that we face is competing with these global integrators. Huawei and ZTE are the ones that come to mind. They can achieve economies of scale because they are able to produce sort of everything throughout their supply chain. We don’t have that advantage, we’re not going to have these monopolistic sort of massive hardware manufacturing companies, but we can do is collocate. So we can have one piece of supply chain collocated with another piece of supply chain, that’s one way that you can begin to achieve some of those economies of scale. So we call on the Department of Commerce along with a few others to do this viability study to identify places where we might be able to achieve these types of economies of scale. That will require congressional action once we have sort of a plan of action there.
Tom Temin: Yeah, we had a place in Idaho once that was a big memory chip maker. I think people forget, it doesn’t have to be in California or Taiwan.
Robert Morgus: Indeed, yeah. Micron is still there.
Tom Temin: Good. Well that’s good to know we got something going out there. Robert Morgusis senior taskforce director at the Cyberspace Solarium Commission. Thanks so much for joining me.
Robert Morgus: My pleasure Tom. Thanks a bunch.