The global architecture of supply chains is changing in front of our eyes. The 5G debate and now the COVID-19 pandemic have made us aware of how interconnected the world is and how much we rely on each other. This momentum must be captured. Important decisions about how to re-define supply chains are imminent, and security must be placed at the heart of these decisions.
Tech and policy experts’ intense focus on the 5G debate must join a much-needed and broader conversation about supply chain security. Yes, the importance of 5G to the digital transition cannot be denied. But by limiting the conversation to the telecom sector rather than adopting a more holistic approach, Europeans are missing an opportunity to address looming tensions driven by the technological rivalry between the great powers.
The New Era of Technological Fog
The tech-related value chain has never been as opaque and complex as it is today. The design, development, manufacture and maintenance of the communications systems and technologies the world relies on is becoming more and more complicated. Constant evolution and a lack of visibility only exacerbate these challenges. As highlighted by the National Institute of Standards and Technology, the number of entities that influence systems and technologies throughout their life cycles is constantly growing. A survey by Deloitte found that 87 percent of respondents had faced a disruptive incident involving a third party in the last two to three years. But companies, organisations and users are often not even aware of who has had contact with the products and services that constitute the backbone of their critical operations. This situation presents a major cybersecurity challenge. Verizon data show that nearly 75 percent of attributed breaches are perpetrated from the third party ecosystem.
The fog only thickens when you consider the geopolitical rivalry that blends national security issues with economic competition. This context transforms supply chain security from an IT security issue into a political struggle. The outcome of this process is often an opaque compromise which attempts to reconcile technological needs with political goals. The Prague Proposals and the EU report on coordinated risk assessment of 5G network security are good examples. Both emphasize that while assessing risks related to 5G development, entities should take into consideration a broad array of potential threats. The Prague Proposals, especially, underscore that in addition to technological risks, policymakers must also anticipate potential political, legal and economic threats.
Clearing the Air
Hopefully, the publicity surrounding the 5G security debates leads to a more nuanced conversation about the security of the whole supply chain in the digital sector. Supply chain security is no longer solely a corporate responsibility. States’ use of technology and digital processes in their geopolitical charades has made them key players. States and international organisations, including the EU, can no longer be bystanders in these debates. They must assume a more active role, promoting well-developed cybersecurity practices that are supported by strategic decisions.
Strategic decisions made in Brussels to build and maintain digital autonomy can serve as a framework for this engagement. To start, the EU and individual member states should make an inventory of the digital developments, technologies, processes, services and sectors that will be critical in the near future. This process should also assess where Europe is in terms of potential, autonomy and dependency on third parties. These first steps must be treated as pouring the foundation for a comprehensive EU technological and industrial strategy. If anything, the outbreak of COVID-19 around the world and the subsequent shift to remote work arrangements demonstrate how quickly our understanding of “critical” might evolve. Two months ago, who would have thought that Netflix and other streaming platforms would become an important element of the European response to a global pandemic?
For this process to have any impact, it should be followed by investments in the designated strategic areas, including investments in education, R&D, innovation and digital market development. Such a new European model should be developed in close cooperation with trusted partners. The development of a road map for joint projects in the most relevant areas, backed up by adequate funding, would be a good start.
Trust but Verify
Naturally, this process should not lead to a new “tech-isolationism” or the creation of a technological autarky – either of which would lead to technological fragmentation that would be harmful to the whole global system. Supply chain security is truly a global challenge that requires global responses. Therefore, even though key decisions must be made with trusted allies, limiting this conversation to a small group of like-minded countries would be counterproductive. All sides must know that the global digital economy will thrive only if the international community lays down solid security foundations.
A joint commitment to responsible, security-oriented behaviour will be key. The stakes are high – intentions and declarations will need to be verified. The EU and its member states will need to be able to implement relevant security verification processes. The decision to establish the EU cybersecurity certification framework is an important step in this direction. It won’t solve all the political problems nor mitigate all threats, but it will allow basic mechanisms needed for the implementation of security foundations to be built. To increase the efficiency of this certification across Europe, the EU and its member states must invest in the capabilities (related to infrastructure, technology and human resources) that will truly enable the process to work. The processes of verification cannot be limited to technological layers – they’ll also have to address investments, legal obligations and more.
Any effort to address supply chain insecurity must be backed by concrete mechanisms that increase market responsibility. As Wheeler and Simpson argue, all respective stakeholders need to be part of this discussion. The first issue to address is under which circumstances and in which sectors government intervention is needed, as well as what mandatory security requirements are necessary.
When intervention is appropriate, regulatory mechanisms will need to be fine-tuned to mitigate risks without hampering innovation and entrepreneurship. Simply placing greater regulatory demands on businesses will not solve the problem of responsibility being spread across numerous layers and levels of the digital infrastructure. Top-down approaches must be accompanied by practical cooperation as well as support for bottom-up industry initiatives, which are often oriented towards self-regulation.
Can the EU Be a Driver of Change?
Supply chain security is a political problem with huge implications for organisations that rely on digital technologies and the whole global economy. It involves significant challenges. For example, how can companies with limited capabilities and power influence global suppliers? And how can they deal with third party risks?
With the announcement of the new European Commission, many expect a “new opening” in EU digital policies. But new is not always good. The 5G security debate activated many important processes – like the Prague Proposals – and the past few years saw several important cybersecurity decisions made. More than a new opening, what is needed now is a bold and decisive broadening of these debates to the digital sector and new technologies in general. Supply chain security across all key digital sectors must be treated as a matter of strategic importance going forward. And it must be integrated into broader digital policy.
Currently, Europe is in an important phase of the negotiations over the Multiannual Financial Framework for the next seven years. The outcome of these negotiations will serve as a litmus test of the EU’s determination to develop a strong European technology sector. The budget currently proposed for investments in digital aspects does not fully reflect the EU’s supposed needs and ambitions. It must be refined if the EU wants to play a dominant role in the industries of the future. Economic prosperity and European security are both at stake. Financial investments must come hand in hand with strategic developments. The industrial, digital and competition agendas announced by the new European Commission have the potential to do what needs to be done. This chance cannot be wasted.
About the Author
Joanna Świątkowska is Assistant Professor at the University of Science and Technology in Cracow. She was formerly Programme Director of the European Cybersecurity Forum (CYBERSEC) and Senior Research Fellow at the Kosciuszko Institute.