How to protect your US-China supply chain from spies

DIY cyber-security measures that companies should be taking if their supply chain stretches between the world’s two biggest economies.

With talk of Chinese intelligence officers stealing US trade secrets, Twitter troll armies directed by states and massive computing power in the hands of criminals, ensuring the cyber security of supply chains has never looked more important.

The World Economic Forum estimates the cost to the global economy of cybercrime at $445 billion a year, more than the annual GDP of oil-rich Norway and significantly more than Hong Kong's. 

Tried and tested methods for minimising the risk of a hack include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on potential threats.

In an age of fast-moving technology however, these tactics need to be augmented with companies’ own high-tech armour.

“Who you decide to partner with in the value chain of assets that you bring in, whether it’s hard or soft assets, whether it's data, chip or a board – that’s going to become an incredibly important component of the assembly of systems from cars to phones,” Norm Judah, enterprise chief technology officer at Microsoft, told FinanceAsia.

Employing new technologies such as blockchain and ensuring the provenance of data will become an integral part of the defensive weaponry at the disposal of companies, say experts in the field of cyber security.

Of course, what companies don’t want is so much protection in place that it stultifies innovation or creates too much friction for clients, including new and potential ones.

Microsoft has research and sales operations in China and takes the approach that having some deterrent is prudent, but it also prepares staff for an inevitable breach. China ranks 25th out of 50 countries in the US Chamber of Commerce’s international IP index, a comparative measure of intellectual property rights around the world.  

The Redmond, WA-based software giant sees a collaborative culture as the best way of staying ahead of the competition.

“That diversity of thought and opinion creates wonderful things,” Judah said.


Governments are grappling with the problem of how to protect corporate and state company software and hardware supply chains from sophisticated cyber-terrorism, malware and data theft against a backdrop of alarming headlines.

Bloomberg reported on October 4 that Super Micro Computer motherboards containing Chinese spy chips were detected at about 30 companies including Amazon and Apple. Super Micro, Apple and Amazon have called for a retraction of this story.

“I’d be incredibly surprised if someone hadn’t tried to exploit chips. It’s such a great way, an undetectable way, to gain access to someone else’s computers,” Rob Sloan, cybersecurity research director at WSJ Pro told FinanceAsia, although he thought such breaches would be reserved for the highest value targets such as government secrets.

US politicians have accused Chinese equipment makers Huawei Technologies and ZTE of posing a security threat. Heightening the general sense of alarm, an alleged Chinese spy was arrested earlier this month in Belgium, charged with conspiring to steal trade secrets from GE Aviation and other companies. 

Taken together such news impacts confidence in Chinese components, making procurement managers hesitate when it comes to sourcing the cheapest or best components, wherever they might find them, and potentially raising the cost of their products and making them less competitive.

Top American IT manufacturers like Microsoft, Intel, Hewlett-Packard, IBM, Dell, and Cisco sourced an average of 51% of their parts from China between 2012 and 2017. These companies are key suppliers to the US government, according to an April report prepared for the US-China Economic and Security Review Commission.

Washington is preparing a raft of legislation to help fortify supply chains.

“There will not be a higher legislative priority in the next Congress [January, 2019 to January, 2021] than the supply chain,” Josh Kallmer, vice president of policy at the Washington, D.C.-based trade association Information Technology Industry Council, told FinanceAsia. ITI’s members include the world’s largest tech companies – from Apple and Microsoft to SAP.

US legislation in the works includes: The Federal Acquisition Supply Chain Security Act of 2018; The Prohibition on Procuring Chinese Telecommunications Services or Equipment; and The Enhance Cybersecurity for Small Manufacturers Act of 2018. It remains too early to tell which will be the most significant piece of legislation, or whether they will be modified, combined or even eliminated.

The US government has already enacted The National Defense Authorization Act in August, which strengthened the Committee on Foreign Investment in the United States (Cfius), a body that reviews proposed foreign investments in US businesses to determine if they threaten national security. The revamped Cfius is now more able to hinder the outflow of US advanced technology overseas.

US President Donald Trump blocked the mega $117 billion merger between Singapore-based Broadcom and Qualcomm in March citing national security concerns.

However, business professionals and cyber security consultants question how effective a national, rule-based approach can be in a world where data flows across borders and supply chains are becoming more international and complex. Also, in a world of rising geopolitical tensions there are no current agreed norms of what is acceptable cyber behaviour nor consequences for flouting the rules.

The Budapest Convention on Cybercrime, signed in 2004, is hopelessly outdated and has not been ratified by countries including Russia, noted Dmitry Samartsev, chief executive officer of the cybersecurity unit of Russian bank Sberbank, at the Sibos conference this month in Sydney.

While only a tiny fraction of cyber threats are state directed, they can be pernicious.

“The vast majority of countries now have some level of offensive cyber security capability,” Sloan said. The most successful attacks will be stealthy; you won’t even know you’ve been hacked.

“It’s very old fashioned to send spies out to embassies nowadays,” said Sloan, who worked at the UK Ministry of Defence from 2002 to 2008.


As more and more companies deploy artificial intelligence, IT professionals are becoming increasingly concerned about the provenance of the data that feeds these algorithms. A malicious entity could inject bias or otherwise corrupt the data in ways that would be undetectable.

The digital signature systems that industry uses for cyber security are no longer valid, Microsoft’s Judah said. 

“The data is the one that scares me – the notion of the provenance of the data – was it or was it not biased when you got it? We don’t have the tools to detect that today,” he told FinanceAsia.

Companies generally select suppliers based on the quality of their components. One measure of quality assurance is Six Sigma certification, which shows suppliers have attained a high level of quality by weeding out defects in the manufacturing process. Judah said that companies should start including some kind of proof of provenance of data in their selection of suppliers. 

New technology could be deployed to help authenticate data in a distrustful world, such as distributed ledger technology.


Likhit Wagle, a consultant at IBM, sees everyone having their personal information stored on a block, which will be immutable, in the not-too-distant future. This will help authenticate identities, making financial services from getting a mortgage to financing procurement more convenient.

At the moment, standardisation among blockchains is an issue and the prohibitive cost of offering blocks to customers is slowing progress, he told FinanceAsia.

When all else fails, companies should go 'old school' and back up digital records on a separate medium at a secure location.

Sloan recommends vintage 1950s technology such as recording onto reels of tape as a safe and relatively cheap storage solution. He also notes long-range radar may be more reliable in disputed waters, such as the South China Sea, than the Global Positioning System (GPS) which can easily be tampered with.

“It’s worth companies thinking about what happens if this technology that we rely on for business functions goes wrong – what do we fall back on?” Sloan said.

Sony Pictures executives dusted off their fax machines in 2014 after their emails were hacked, allegedly by North Korea.

© Haymarket Media Limited. All rights reserved.