DOC & DHS: Assessment Report on the Critical Supply Chains of the U.S. ICT Industry (English edition) (87 pages).pdf
ASSESSMENT OF THE CRITICAL SUPPLY CHAINS SUPPORTING THE U.S. INFORMATION AND COMMUNICATIONS TECHNOLOGY INDUSTRY

PREPARED BY: U.S. DEPARTMENT OF COMMERCE AND U.S. DEPARTMENT OF HOMELAND SECURITY
FEBRUARY 24, 2022

Introductory Note From Secretary of Commerce Gina M. Raimondo and Secretary of Homeland Security Alejandro Mayorkas

Over the past year, the Departments of Commerce and Homeland Security have worked in concert to evaluate the strength and resilience of the information and communications technology (ICT) supply chains pursuant to Executive Order 14017, on “America's Supply Chains.” The resulting report, Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry, was drafted by our departments after consulting with hundreds of stakeholders from across the ICT industry, the Federal Government, and the academic community. We would like to thank those who have contributed to this report through public comments, briefings, and consultations.

The enclosed report evaluates the current supply chain conditions facing the ICT industry, identifies key risks that threaten to disrupt those supply chains, and proposes a strategy to mitigate risk and strengthen supply chain resiliency.

The importance of having resilient and secure supply chains supporting the U.S. ICT industry cannot be overstated. The unprecedented disruptions brought on by the COVID-19 pandemic have emphasized the need to take immediate action. The Departments of Commerce and Homeland Security have already begun to take steps aimed at mitigating risks identified in the report. These actions include investing in domestic manufacturing capacity and workforce development, developing supply chain security frameworks, collaborating with international partners to improve resiliency, investing in ICT research and development efforts as well as reducing cyber risks.

Promoting a more secure and resilient ICT supply chain is going to take a whole-of-government approach, working together to protect and strengthen the very supply chains that keep our economy running and our communities safe. However, government cannot accomplish this goal alone - there is also important work to be done by the private sector and other non-governmental partners. We look forward to working with the ICT industry and other domestic and international partners to take actionable steps in implementing measures identified in the assessment that build resilience and security throughout the ICT supply chain and across our nation.

Gina M. Raimondo, Secretary of Commerce
Alejandro N. Mayorkas, Secretary of Homeland Security

Executive Summary

On February 24, 2021, President Biden issued Executive Order (E.O.) 14017 on America's
Supply Chains, which directed a whole-of-government approach to reviewing risks in, and strengthening the resilience of, supply chains supporting six industries that are critical to U.S. economic prosperity and national security.[1] As part of this comprehensive review, E.O. 14017 directed the Departments of Commerce and Homeland Security to conduct a one-year assessment of the supply chains for critical sectors and subsectors of the U.S. information and communications technology (ICT) industrial base as defined by the respective agencies. In response, the Departments of Commerce (DOC) and Homeland Security (DHS) have prepared the following assessment of the supply chains supporting communications hardware, computing and data storage hardware, end-user devices, and critical software including open-source software and firmware.

The U.S. ICT industry serves an important role in our economic and national security, producing the technologies relied on by individuals, industries, and governments to connect, innovate, and protect our society. However, the COVID-19 pandemic and related disruptions have exposed structural vulnerabilities in both domestic and global supply chains that resulted in the reduced availability of critical ICT products and tested the resiliency of the ICT industry. The following assessment evaluates the current supply chain conditions for select hardware and software products, identifies key risks that threaten to disrupt those supply chains, and proposes a strategy to mitigate risk and strengthen supply chain resiliency. A summary of these findings is detailed below.

Summary of Key Findings

Current State of ICT Manufacturing and Related Challenges: The United States continues to lead in ICT development and innovation in many product categories. However, the production of many products such as printed circuit boards (PCBs) and displays has become increasingly concentrated in China, along with electronics assemblies. For a limited number of products studied such as fiber optic cables, the United States still maintains a domestic manufacturing base.

Current State of the ICT Software Sector and Related Risks: The nature of the current ICT software ecosystem creates several security risks. The ubiquitous use of open-source software can threaten the security of the software supply chain given its vulnerability to exploitation. Furthermore, the complexity of the ICT supply chain has led many Original Equipment Manufacturers (OEMs) to outsource firmware development to third party suppliers, which introduces risks related to the lack of transparency into suppliers' programming and cybersecurity standards.

Current State of the ICT Workforce and Related Risks: The outsourcing of ICT manufacturing
has resulted in a significant reduction in the domestic ICT production and manufacturing workforce. Comparatively, the domestic software developer and engineering workforce, which makes up 40 percent of the U.S. ICT workforce, is expected to grow significantly based on current hiring trends. However, in both segments, manufacturing and software development, industry stakeholders reportedly struggle to find qualified employees across occupations.

[1] U.S. President, Executive Order, “On America's Supply Chains, Executive Order 14017 of February 24, 2021,” 86 Fed. Reg., 11849, (March 1, 2021): 11849-11854.

Cross-Cutting Supply Chain Vulnerabilities Impacting the U.S. ICT Industrial Base: Structural vulnerabilities across the ICT supply chains have presented several risks that have become more apparent as a result of disruptions caused by the COVID-19 pandemic. These include the lack of a domestic ecosystem for many segments of ICT production, overreliance on single-source and single-region suppliers, and the difficulty in maintaining product integrity due to complex supply chains. These vulnerabilities increase the potential for supply chain disruptions and complicate product and supply chain security efforts.

External Risks to the ICT Industrial Base Supply Chain: The current state of the ICT industrial base supply chain leaves the United States overexposed to a variety of externally derived risks stemming from intellectual property theft, economic dependencies, weak labor standards and climate concerns.

Recommendations to Strengthen ICT Supply Chain Resiliency

To address these and other risks identified in the assessment, and to strengthen supply chain resiliency, the Secretaries of Commerce and Homeland Security recommend implementation of the following comprehensive strategy.

1. Revitalize the U.S. ICT Manufacturing Base: Support domestic investment and production of key ICT products, potentially including printed circuit boards (PCBs) and semiconductors, through appropriate federal procurement incentives and funding of programs like Title III of the Defense Production Act and the Creating Helpful Incentives to Produce Semiconductors for America Act.
2. Build Resilience through Secure and Transparent Supply Chains: Promote supply chain risk management practices through procurement and monitoring efforts such as implementing an Assured Supplier Program for PCBs for Federal Government and establishing a Critical Supply Chain Resilience Program at the Department of Commerce.
3. Collaborate with International Partners to Improve Supply Chain Security and Resiliency: Improve international engagements through existing fora to advance shared interests in the ICT industry. These interests include bolstering supply chain security and diversity for critical products, strengthening trade enforcement, and enhancing participation in international standards development.
4. Invest in Future ICT Technologies: Sustain the research and development (R&D) ecosystem through federal programs and legislation by supporting and expanding programs aimed at bringing nascent technologies to market as well as advancing manufacturing technologies.
5. Strengthen the ICT Workforce Pipeline: Support and expand programs that attract, educate, and train the ICT workforce by enhancing computer science curricula and investing in multiple secondary and post-secondary pathways, including through registered apprenticeships, career and technical education programs, and community college programs. Grant investments should be aligned with employer-led sectoral partnerships that ensure training is linked to real-world job opportunities.
6. Ensure Sustainability Remains a Cornerstone of ICT Development: Promote adoption of enhanced labor and environmental standards and the adoption of more sustainable ICT production facilities through financial incentives and government programs.
7. Engage with Industry Stakeholders on Resiliency Efforts:
   Strengthen public-private engagements to promote awareness and adoption of risk mitigation techniques and best practices for securing the ICT supply chain.
8. Continue to Study the ICT Industrial Base: Conduct further industrial base studies on critical ICT products such as PCBs and related microelectronics to monitor industry developments and guide long-term policy planning.

Table of Contents

Executive Summary
1. Introduction
2. Methodology
   2.1 Scope of Work
   2.2 Research Methodology
   2.3 Stakeholder Engagements
3. Overview of the ICT Industrial Base
   3.1 Evolution of the ICT Industrial Base Market Structure
   3.2 Overview of Critical End-Uses of ICT Products
4. Current State of ICT Manufacturing and Related Challenges
   4.1 Upstream Components: Printed Circuit Boards
   4.2 Upstream Components: Fiber Optic Cable
   4.3 Upstream Assembly: Printed Circuit Board Assemblies and Electronics Assemblies
   4.4 Downstream Products: Routers, Switches, and Servers
   4.5 Downstream Products: LCDs/Displays
5. Current State of the ICT Software Sector and Related Risks
   5.1 Background on the Software Supply Chain
   5.2 Overview of Open-Source Software
   5.3 Open-Source Software Supply Chain Risks
   5.4 Firmware Overview
   5.5 Firmware Risks
6. Current State of the ICT Workforce and Related Risks
   6.1 ICT Hardware Manufacturing Workforce
   6.2 ICT Software Workforce
   6.3 Human Capital-Related Risks
7. Cross-Cutting Supply Chain Vulnerabilities Impacting the U.S. ICT Industrial Base
   7.1 Ongoing COVID-19-Related Supply and Demand Shifts and Bottlenecks
   7.2 Lack of Ecosystem for Electronics Production
   7.3 Single Source and Single Region Suppliers
   7.4 Lack of Visibility of Junior Tier Suppliers
   7.5 Inventory Management
   7.6 Maintaining Hardware and Software Integrity along the ICT Supply Chain
   7.7 Extended Supply Chains
8. External Risks to the ICT Industrial Base Supply Chain
   8.1 Theft of Intellectual Property and Cyber Intrusions
   8.2 Economic Risks
   8.3 Forced Labor Risks
   8.4 Climate Risks
9. Recommendations to Strengthen ICT Supply Chain Resiliency
Appendix A
Appendix B
Appendix C

1. Introduction

The Information and Communications Technology (ICT) industry produces the technologies that individuals, companies, and governments alike rely on to connect, develop, and protect our society. The reliance on ICT
products across all sectors of the economy makes the industry of critical importance to U.S. economic growth and national security. However, over the past few decades, the United States has ceded manufacturing of much of the ICT supply chain to Asia. The disadvantage of offshoring manufacturing has become apparent during the COVID-19 pandemic when the U.S. ICT industry experienced severe supply chain disruptions. The COVID-19 pandemic as well as other conditions have reduced the availability of critical ICT products. In response to these and supply chain disruptions in other industries, on February 24, 2021, President Biden issued an Executive Order (E.O. 14017) on America's Supply Chains, which aims to build resilient, diverse, and secure supply chains supporting six critical industries to ensure U.S. economic prosperity and national security.[2] E.O. 14017 directs the Departments of Commerce and Homeland Security to conduct a one-year assessment on the supply chains for critical sectors and subsectors of the U.S. ICT industrial base, as determined by the Secretary of Commerce and the Secretary of Homeland Security. Pursuant to E.O. 14017, the scope of the following assessment includes a study of the supply chains supporting communications hardware, computing and data storage hardware, end-user devices as well as critical software including open-source software and firmware.

The ICT industry is a key contributor to the U.S. economy and domestic employment. While economic measurements of the ICT industry vary, the Bureau of Economic Analysis (BEA) estimates that in 2019 the digital economy accounted for $2,051.6 billion or 9.6 percent of gross domestic product (GDP). The digital economy has increased its contribution to the U.S. economy since 2005, when it represented 7.8 percent of GDP, with real value-added averaging 6.5 percent annual growth compared to only 1.8 percent for the overall economy.[3][4] While significant, these figures may underrepresent the importance of the ICT industry for the U.S. economy. For example, enterprise software systems can have a compounding effect on economic growth through the substantial benefits and economies of scale that they provide to small businesses.

In addition to its contribution to the economy, the ICT industry is a major provider of high-quality domestic employment. In 2019, over 2.1 million people were employed in the computer systems design and related services sector, or about 1.3 percent of total employment, up from 1.1 million in 2005.[5][6] ICT-related occupations such as computer and information technology (IT) positions also tend to pay higher salaries. In May 2020, the median annual wage for this occupation category was $91,250, more than twice the median annual wage of $41,950 for all occupations.[7] Employment rates in computer and IT occupations are also projected to grow by 13 percent from 2020 to 2030, faster than the average for all occupations.[8] However, the ICT industry currently faces a significant need of qualified workers to meet expected increases in demand. The ICT industry is an important employer of Americans, and the industry will require significant investment in workforce education and training to remain globally competitive.

[2] U.S. President, Executive Order, “On America's Supply Chains, Executive Order 14017 of February 24, 2021,” 86 Fed. Reg., 11849, (March 1, 2021): 11849-11854.
[3] Bureau of Economic Analysis, “Updated Digital Economy Estimates June 2021,” U.S. Department of Commerce, June 28, 2021, https://www.bea.gov/system/files/2021-06/DE%20June%202021%20update%20for%20web%20v3.pdf.
[4] In its definition of the digital economy, the BEA includes 1) infrastructure, or the basic physical materials and organizational arrangements that support the existence and use of computer networks and the digital economy, primarily information and communications technology (ICT) goods and services; 2) E-commerce, or the remote sale of goods and services over computer networks; and 3) priced digital services, or services related to computing and communication that are performed for a fee charged to the consumer. While these categories do not map precisely to this report's ICT focus, there is significant overlap. See https://www.bea.gov/data/special-topics/digital-economy.
[5] Bureau of Economic Analysis, “Updated Digital Economy Estimates June 2021,” U.S. Department of Commerce, June 28, 2021, https://www.bea.gov/system/files/2021-06/DE%20June%202021%20update%20for%20web%20v3.pdf.
[6] Bureau of Labor Statistics, “Household Data Annual Averages,” U.S. Department of Labor, accessed November 19, 2021, https://www.bls.gov/cps/aa2019/cpsaat01.pdf.

Resilient and secure ICT supply chains are critical to U.S. economic and national security because ICT products and services are widely used across the economy, including in systems used by the government and critical infrastructure sectors.[9]
Without secure sourcing and technologically advanced systems, systems supporting critical infrastructure, such as electric power grids, gas lines, and industrial control systems, will face greater risks of disruption and compromise. In addition, ICT products are subject to a range of inherent and introduced risks due to the numerous critical components inside each product.[10] The ICT sector is also vulnerable to a variety of external shocks which risk disrupting supply chains and impact U.S. economic and national security.

Supply chain shocks threaten employees and firms at all stages of production. In fact, across the economy companies can expect losses equal to almost 45 percent of one year's profits over the course of a decade due to supply chain disruptions.[11] Disruptions that originate at the firm-level can propagate through supply chain networks to impact suppliers and customers, affecting not only direct affiliates but indirectly linked firms.[12] In 2016, after earthquakes struck a part of Japan central to silicon production, closely linked Chinese companies suffered abnormal negative stock market returns.[13] These firm-level effects can have substantial country-level consequences: by one estimate, the Great East Japan Earthquake of 2011 led to a 0.47 percent decline in Japanese GDP as a result of input-output linkages.[14] These disruptions can impact not only the affected companies but also employees, as companies seek to cut costs by reducing their workforces or limiting wage increases.

The impact from the COVID-19 pandemic and the resulting global shortages of critical ICT components have highlighted the weaknesses of long and globally concentrated supply chains and the consequences of their disruption. A variety of factors have coincided to produce unprecedented shortages: pandemic recovery and economic stimulus in parts of the world increased demand; factory shutdowns in key production locations constricted supply; and global labor shortages strained production and distribution networks. Supply shortages and shipping constraints are expected to continue through 2022, with negative consequences for GDP growth in the United States and the rest of the world.[15] While ICT firms recognize the risks posed by their supply chains, one 2021 survey indicated that only 16.7 percent of firms in the IT/Tech/Electronics industry were interested in completely transforming their supply chain strategy, the smallest share of any industry. Despite the difficulties of shifting and otherwise enhancing the resiliency of firm production networks, it remains clear that action needs to be taken to better insulate the ICT industry from future disruptions.

[7] Bureau of Labor Statistics, “Computer and Information Technology Occupations,” U.S. Department of Labor, accessed November 19, 2021, https://www.bls.gov/ooh/computer-and-information-technology/home.htm.
[8] Ibid.
[9] ICT is also a growing and critical component of the global and domestic transportation industries. ICT provides logistical efficiencies, greater transparency of goods movement, and, increasingly, greater safety and mobility for travelers who benefit from the integration of GPS-assisted navigation systems, emergency response applications, or advanced crash-avoidance systems such as vehicle-to-everything (V2X) communications.
[10] Carl McCants of Defense Advanced Research Projects Agency, Meeting with U.S. Departments of Commerce and Homeland Security, (Virtual Meeting, October 15, 2021).
[11] Susan Lund et al., “Risk, resilience, and rebalancing in global value chains,” McKinsey Global Institute, August 6, 2020, https:/
[12] Christoph E. Boehm, Aaron Flaaen, and Nitya Pandalai-Nayar, “Input Linkages and the Transmission of Shocks: Firm-Level Evidence from the 2011 Tohoku Earthquake,” The Review of Economics and Statistics 101(1): 60-75, https://doi.org/10.1162/rest_a_00750.
[13] Li Ding et al., “The contagion and competition effects across national borders: Evidence from the 2016 Kumamoto earthquakes,” International Journal of Production Economics 235 (2021): 108-115. https://doi.org/10.1016/j.ijpe.2021.108115.
[14] Vasco M. Carvalho et al., “Supply Chain Disruptions: Evidence from the Great East Japan Earthquake,” The Quarterly Journal of Economics 136 No. 2 (2021): 1255-1321. https://doi.org/10.1093/qje/qjaa044.

In accordance with E.O. 14017, this assessment defines critical sectors and subsectors supporting the ICT industry, evaluates the current supply chain conditions, identifies key risks that threaten to disrupt those supply chains, and proposes a strategy to mitigate risk and strengthen supply chain resiliency. This report is organized into nine sections. The next section describes the methodology employed to research and prepare this industrial base assessment. The third section provides an overview of the ICT industrial base and defines critical end-use markets for ICT industrial base products. The fourth section reviews the current state of the ICT manufacturing base and supporting supply chains and identifies associated risks. The fifth section analyzes the current state of the ICT software sector and related risks. The sixth section assesses the composition of the U.S. ICT workforce and its ability to meet the needs of the industry and broader economy. The seventh section identifies the supply chain vulnerabilities that exist across the industry and the eighth section details other external risks that threaten to disrupt, constrain, or eliminate the critical supply chains that support the ICT industrial base. The final section provides recommendations to mitigate identified vulnerabilities and risks and strengthen the resiliency and security of the supply chains supporting the U.S. ICT industrial base.

[15] Sara Johnson, “Supply imbalances bring higher inflation and lower growth,” IHS Markit, October 21, 2021. https:/

2. Methodology

2.1 Scope of Work

This report provides an assessment of the supply chains for critical sectors and subsectors of the ICT industrial base, as determined by the Secretary of Commerce and the Secretary of Homeland Security. For this
assessment, the scope of the ICT industrial base consists of communications equipment, data storage, and end-user devices, as well as critical software including firmware and open-source software. These products were identified in part based on the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency's (CISA) National Critical Function criteria which describes the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on national security, economic security, public health or safety.[16] Within this defined scope, this assessment focuses on the supply chains of a select number of components, devices, and software foundational to multiple facets of the nation's ICT industrial base. In addition to criticality, these components, devices, and software were selected to exemplify broader trends impacting the U.S. ICT supply chains and to identify opportunities for the U.S. Government and industry to build resilience.

This assessment primarily focuses on the manufacturing needs, challenges, and risks inherent to the supply chains of key hardware products and inputs and evaluates the footprint of the U.S. manufacturing base within the ICT supply chain. The supply chain assessment also evaluates the human capital needs and challenges required to produce or develop critical hardware and software.

This report provides an actionable strategy for the Federal Government and industry to begin implementing measures that build resilience and security within the supply chains for critical sectors of the ICT industry. The recommendations are intended to complement recent and ongoing studies conducted in this industry by Federal agencies. Accordingly, this report does not assess the supply chains for semiconductors, critical minerals and batteries as these studies were completed through the 100-day reviews as directed by Executive Order 14017.[17] In addition, while information and communications technology and services (ICTS) security is an important issue within the ICT industry, there are other ongoing efforts to improve the security of such technology and service transactions and to address cybersecurity measures. These efforts include work being done pursuant to E.O. 13873, Securing the Information and Communications Technology and Services Supply Chain, and E.O. 14028, Improving the Nation's Cybersecurity, respectively.[18] Given this report's focus on manufacturing issues, cyber risks will be addressed primarily in the context of product integrity across the supply chain. Other relevant topics that are excluded to avoid duplicative actions include ICT-related services such as cloud services and the protection of personal and sensitive data which are being addressed in the E.O. efforts mentioned above.

[16] Cybersecurity and Infrastructure Security Agency, “Executive Order 13873 Response: Methodology for Assessing the Most Critical Information and Communications Technologies and Services,” U.S. Department of Homeland Security, April 2020, https://www.cisa.gov/sites/default/files/publications/eo-response-methodology-for-assessing-ict_v2_508.pdf.
[17] Executive Office of the President, Building Resilience Supply Chains, Revitalizing American Manufacturing, and Fostering Broad-Based Growth: 100-Day Reviews under Executive Order 14017, June 2021, https://www.whitehouse.gov/wp-content/uploads/2021/06/100-day-supply-chain-review-report.pdf.
[18] U.S. President, Executive Order, “Securing the Information and Communications Technology and Services Supply Chain, Executive Order 13873 of May 15, 2019,” 84 Fed. Reg., 22689, (May 17, 2019): 22689-22692; U.S. President, Executive Order, “Improving the Nation's Cybersecurity, Executive Order 14028 of May 12, 2021,” 86 Fed. Reg., 26633, (May 17, 2021): 26633-26647.

2.2 Research Methodology

Literature Review and Collation Scorecard

The assessment of the U.S. ICT supply chain conditions is supported by a review of 74 reports and articles from academic, industry, and government sources. To collate the research, the working group drafting this assessment developed a rubric or “scorecard” comprised of ten categories of distinct elements of the ICT industrial base. The categories are listed below, and further defined in Appendix A.

1. Essential Goods, Materials and Services
2. Financials/Business Practices
3. Supply Chain Capacity and Procurement
4. Policy and Legal
5. Manufacturing and Logistics
6. Cybersecurity Risks
7. Risks to the Supply Chain and Impacts on the Nation
8. Research & Development and Innovation
9. Initiatives and Recommendations
10. Human Capital and STEM Education

Each research input was analyzed using this scorecard framework and collated based on relevance to each of the ten analysis fields. This organizational approach enabled the prioritization of internal research activities and facilitated the drafting of the report based on topical references.

Federal Register Notice of Inquiry Comments

On September 20, 2021, the Department of Commerce's Bureau of Industry and Security (BIS) published a Federal Register Notice of Inquiry soliciting comments from the public
on the overall health of the supply chains for critical sectors and subsectors of the ICT industrial base and recommendations for policies and actions to strengthen supply chain resilience. BIS received a total of 35 comments from U.S. and foreign businesses, industry associations, private individuals, and U.S. and foreign government entities. The comments covered the identification of: 1) critical goods and materials that underlie the ICT supply chain, 2) manufacturing or other capabilities necessary to produce or supply these materials, 3) risks that threaten to disrupt, strain or eliminate the supply chain, 4) resilience within manufacturing and distribution of the ICT industrial base, allied and partner approach to the prioritization of critical ICT goods and services, and 5) specific policy recommendations that would strengthen supply chain resiliency for the ICT industrial base. Each comment was reviewed and incorporated where appropriate into this assessment to ensure adequate representation of stakeholder perspectives.

Data Collection

The interagency body collected data from a variety of sources including survey data and statistical figures from the Bureau of Industry and Security, the Bureau of Economic Analysis (BEA), the Census Bureau, the Economic Development Administration, and the International Trade Administration. Each database was queried using 27 North American Industry Classification System (NAICS) codes, provided in Appendix B, that represent the previously defined scope of the ICT industry. To establish this scope, the DOC and DHS developed a list of NAICS codes based on the defined scope of the ICT industry and cross-referenced this list with BEA's 2021 Digital Economy taxonomy. Additional data were provided by the U.S. Patent and Trademark Office and international organizations such as the Organization for Economic Cooperation and Development and the International Telecommunication Union. This data highlighted recurring themes such as labor skill shortages, domestic innovation and competitiveness, the relative strength of manufacturing exports, and ICT's significance within the larger digital economy.

2.3 Stakeholder Engagements

Stakeholder engagements were held with U.S. government and private sector partners to garner input to further inform the report and aid in the assessment process.

U.S. Government Stakeholders

To ensure adequate representation of crucial ICT government
stakeholders and leverage specialized expertise and perspectives, an interagency body was established with members from:

- Department of Homeland Security (DHS)
  - CISA's National Risk Management Center (NRMC)
  - Office of Strategy, Policy and Plans (PLCY)
- Department of Commerce (DOC)
  - Bureau of Industry and Security (BIS)
  - International Trade Administration (ITA)
  - National Institute of Standards and Technology (NIST)
  - National Telecommunications and Information Administration (NTIA)
  - U.S. Patent and Trademark Office (USPTO)
  - Economic Development Administration (EDA)

The core body met regularly to coordinate each office's contributions to this report. Furthermore, the working group sought the advice of a small council of representatives from across the U.S. government to inform the analysis and recommendations of this report.

Industry Stakeholders

In preparation for the drafting of this report, members of the interagency body consulted with representatives from ICT companies and industry associations to adequately assess the critical supply chains supporting the ICT industrial base. Industry representatives provided insights on the scope of critical sectors and subsectors and the current supply chain challenges impacting the ICT industrial base. In addition, all members of the ICT industry were invited to participate in a virtual public forum held on October 29, 2021; over 350 people registered for the forum. During the event, five speakers from U.S. businesses, industry associations, and an academic institution presented proposals to mitigate the risks facing critical supply chains supporting the ICT industrial base.[19]

[19] More information on the ICT Forum including a transcript can be found here: https://bis.doc.gov/ictforum.

3. Overview of the ICT Industrial Base

The U.S. ICT industrial base is highly specialized and depends on complex, global supply chains that are geographically concentrated. Evaluation of the current conditions of the ICT industry requires context and an understanding of the evolution of this market as well as an understanding of the criticality and widespread applications of ICT products. This section details how the ICT industrial base has evolved over time followed by descriptions of select ICT products and their critical applications which reflect the importance of ensuring ICT supply chains are secure and resilient.

3.1 Evolution of the ICT Industrial Base Market Structure

Over the past 30 years, the ICT industrial base has evolved from being vertically integrated to being one that is highly outsourced, with most major brand companies outsourcing nearly every step of and input into the manufacturing process. Beginning in the mid-1980s, original equipment manufacturers (OEMs) in the computer industry, such as IBM and Cisco, that traditionally managed end-to-production services, began outsourcing manufacturing and software development to specialized technology companies, such as Intel (microprocessor chips) and Microsoft (operating software), and to contract manufacturers.[20] Contract manufacturers are companies that perform manufacturing services for other companies on a contractual basis. To produce a computer, these OEM companies could no longer design and manufacture their own computer chips or develop operating system software, but instead, so that their equipment was compatible with everyone else's, outsourced these needs to companies specializing in those products, such as Intel and Microsoft. This process, called vertical specialization, led ICT OEMs to focus on design and innovation of new and improved technologies.[21] Over time, OEMs have increasingly adopted this busin
113、ess model with many companies eliminating all manufacturing capabilities.These OEMs now add value primarily through research and development,product design,and marketing new technologies to their customer base.By 2006,leading computer companies,including Dell,HP Inc.(formerly Hewlett Packard),Acer,a
114、nd Apple,had completely outsourced their notebook manufacturing operations.22 The U.S.ICT industry reflects this evolution of the OEMs.The United States is the worlds leader in technology innovation,but most hardware manufacturing takes place in other countries.During the 1990s,as ICT OEMs shed manu
115、facturing capabilities,contract manufacturing companies acquired these production facilities and began consolidating the market to offer the full suite of production services,including specialized design manufacturing for components and software.23 Today,43 percent of the electronics assembly market
116、 is outsourced to contract 20Annelie Evermann,“The ICT Sector in the spotlight:Leverage of public procurement decision on working conditions in the supply chain,”Electronics Watch Consortium,(2014),https:/electronicswatch.org/the-ict-sector-in-the-spotlight_723519.pdf.21 Esther de Haan and Irene Sch
117、ipper,“CSR Issues in the ICT Hardware Manufacturing Sector”,Centre for Research on Multinational Corporations(SOMO),September 1,2005,https:/www.somo.nl/csr-issues-in-the-ict-hardware-manufacturing-sector/.22Annelie Evermann,“The ICT Sector in the spotlight:Leverage of public procurement decision on
118、working conditions in the supply chain”.23 Esther de Haan and Irene Schipper,“CSR Issues in the ICT Hardware Manufacturing Sector”.15 manufacturers.The remainder is assembled by OEMs for their brand products.24 Within the ICT contract manufacturing industry,two distinct models emerged the electronic
119、s manufacturing service(EMS)model and the original design manufacturer(ODM)model.The EMS pertains to contract manufactures that oversee the entire production process on behalf of the OEM while the OEM maintains control over the product development process.The ODM model involves contract manufacturer
120、s managing both the product design and manufacturing processes while the OEM controls marketing and brand development.25 The figure below details the end-to-end services involved in the typical ICT hardware product life cycle.In the current OEM-EMS model that dominates the ICT industry,brand-name co
121、mpanies may only oversee production design and preferred suppliers and the final connection to their customers.The bulk of the manufacturing and actual procurement is managed by EMS or ODM companies.Figure 1:End-to-End Services for the Product Lifecycle Source:Centre for Research on Multinational Or
122、ganizations26 One of the primary reasons that ICT OEMs have eliminated manufacturing capabilities is low profit margins and the need for mass production to make a profit,so instead they concentrate on 24 Randall Sherman,“Now Available!The Worldwide OEM Electronics Assembly Market 2021 Edition,”.Neva
123、da City:New Venture Research,July 2021,https:/ Esther de Haan and Irene Schipper,“CSR Issues in the ICT Hardware Manufacturing Sector”.26 Ibid.16 product design,especially for consumer and legacy technology goods.To overcome these margins,contract manufacturers set up production in Taiwan,China and
other Asian economies to provide manufacturing services for many products at once, which limits downtime. In particular, factors such as lower labor costs, subsidies, infrastructure benefits, availability of capital and land, and a central location in Asia lured high volume consumer product EMS assembly to China. For example, Foxconn increased its employment from 47,000 people to 1.1 million from 2004 to 2014, with 99 percent of those employees located in mainland China.27

Also, the vertical specialization and segmentation of the ICT industrial base has led to a geographic specialization whereby certain products and services are sourced from single regions or countries.28 EMS and ODMs source components, subsystems, and parts from other suppliers, and any one product may contain thousands of components. This has led to economies of scale where an ICT manufacturer may mass produce and specialize in one component. Today, many components are manufactured in Asia, and in particular China, Japan, and Taiwan. Production of low-value components followed assembly production to China, as low value component producers were pressured to provide just-in-time product and low-cost delivery to the assembly plants. However, some specialized components that require more advanced technical processes are still produced outside of Asia. Section 4 provides an in-depth analysis of the supply chains of selected components.

While the United States remains the leader in the design and innovation for the ICT sector, China leads in manufacturing. This shift is evident in the U.S. share of global electronics manufacturing, which has declined from 30 percent to five percent over the past 25 years.29 The current market structure, with its geographic concentration of manufacturing in Asia, bears significant risk. To fully capture the implications that the current market structure has on the ICT hardware supply chains, section 3.2 provides an in-depth assessment of three major end-use markets.

3.2 Overview of Critical End-Uses of ICT Products

The intent of this section is to outline the breadth and importance of the ICT sector by providing descriptions of selected products and product categories, their importance to the U.S. industrial base, and the subsequent need to assess the supply chain. The products covered in this section are divided into three general categories: communications hardware, computing and data storage hardware, and end-user devices. Many ICT products could fall into more than one of the three categories, but these broad categories cover many critical ICT products. This section does not provide an exhaustive list of ICT products; instead, it is meant to include illustrative examples, and the inclusion or exclusion of a specific product does not signify whether it is a priority.

27 Guillaume Delautre, “The distribution of value added among firms and countries: The case of the ICT manufacturing sector,” International Labour Organization, January 2017, https://www.ilo.org/wcmsp5/groups/public/-dgreports/-inst/documents/publication/wcms_544190.pdf.
28 Timothy Sturgeon, Presentation on “Supply chain resilience and smart reshoring in massively modular industries: The case of ICT,” Virtual Forum for Risks in the Information Communication Technology Supply Chain, (Bureau of Industry and Security, October 29, 2021).
29 Comments of IPC and USPAE (the U.S. Partnership for Assured Electronics) to Request for Information, “Risks in the Information and Communications Technology Supply Chain,” 86 Fed. Reg. 52127, (Sept. (September 20, 2021), (IPC and U.S. Partnership for Assured Electronics USPAE, November 45, 2021).

Communications Equipment

Communications equipment enables instant connection with people and information worldwide. This vast category includes broadcasting equipment (i.e., radio and television studio equipment, transmitting and receiving antennas, satellites, cable television equipment, and GPS equipment), as well as telecommunications equipment (i.e., goods that facilitate wireless and wireline networks such as undersea cables, modems, fiber optic cables, bridges, routers, and gateways).30 Telecommunications equipment enables digital communication, expands access to data, and transforms the way enterprises and consumers work, learn, and interact.31

Communications equipment holds strategic importance to the United States as the backbone of U.S. critical communications infrastructure. For example, emergency services depend on broadcasting and telecommunications equipment such as portable radios used by first responders, as well as equipment used by FirstNet, the emergency wireless broadband network.32 Communications equipment also allows for the smooth operation of many other vital sectors, including the transmission of financial transactions by banks and the management of mass transit and air traffic control.33
Importantly, telecommunications equipment provides the foundation for next-generation networks, including fifth generation wireless networks (5G). As 5G deployment continues, expected benefits include enhanced connectivity that will spur innovation across various vertical sectors, such as healthcare, energy, and transportation.

The United States was a leader in telecommunications equipment manufacturing, producing one-third of the world's telecommunications equipment, until the late 1990s.34 Industry consolidation through mergers and acquisitions reduced the number of U.S. firms, and business miscalculations by some U.S. equipment producers caused major players to exit the telecommunications infrastructure market.35 These trends were exacerbated by Chinese state support for its domestic producers through non-market policies and practices such as forced technology transfer, intellectual property theft, market distorting subsidies, and other types of state support which stifled innovation and competition in the industry.36 These practices accelerated a decline in U.S. manufacturing for communications hardware. Today, while U.S. firms are not absent from the communications hardware market, the amount of manufacturing in the United States has decreased significantly.

Computing and Data Storage

Computing equipment includes widely used items like personal computers, servers, and ATMs. These devices are often paired with data storage products ranging from hard disk drives (HDDs) and solid-state drives (SSDs) to magnetic tape and USB sticks. Together, computing and storage devices allow businesses to manage the growing quantities of data that are produced each year.37

30 NAICS Manual 2017 North American Industry Classification NAICS System, United States, 2017, (Executive Office of the President, Office of Management and Budget, 2017).
31 IBM Cloud Education, “Networking,” IBM, March 17, 2021, https:/ of FirstNet,” FirstNet, Accessed February 2, 2022, https:/ Wilson, “Inside the High-Stakes World of Designing for 911 Operators,” Fast Company, March 22, 2021, https:/ Sector Specific Plan,” CISA, 2015, https://www.cisa.gov/sites/default/files/publications/nipp-ssp-communications-2015-508.pdf
34 Robert D. Atkinson, “Who Lost Lucent?: The Decline of America's Telecom Equipment Industry,” American Affairs Journal, August 20, 2020, https://americanaffairsjournal.org/2020/08/who-lost-lucent-the-decline-of-americas-telecom-equipment-industry/.
35 Ibid.
36 Robert D. Atkinson, “How China's Mercantilist Policies Have Undermined Global Innovation in the Telecom Equipment Industry,” Information Technology and Innovation Foundation, June 22, 2020, https://itif.org/publications/2020/06/22/how-chinas-mercantilist-policies-have-undermined-global-innovation-telecom.

The computing and data storage industries are vital to the U.S. economy. Today, high-performance computing can track financial services and aid in the development of cures for diseases, while quantum computers will eventually support many sectors including banking and logistics.38 Computer servers are also gaining importance as more organizations rely on cloud storage powered by server equipment.39 Although U.S. companies are leaders in computing and data storage, much of the manufacturing process now takes place in Asia.40 One example is the 2021 HDD market: the first and second positions of market share by global revenue were occupied by two U.S. companies, Seagate and Western Digital; however, Southeast Asia has been a top manufacturing location for HDDs in recent years.41 Southeast Asia recently replaced China as the top location for HDD manufacturing because U.S. tariffs and increasing labor costs in China make production less appealing.42 While the U.S. remains crucial for R&D activities in these sectors, limited U.S. manufacturing capabilities are a cause for concern.

End-User Devices

End-user devices include a range of ubiquitous products, including laptops, tablets, handsets, and displays. These devices enable employees to work virtually, connect students to remote learning, and provide access to emergency services. From hospitals to small businesses, all facets of the economy are dependent on end-user ICT devices to operate. In 2018, it was estimated that 84 percent of U.S. households owned a smartphone and 78 percent owned a desktop or laptop computer.43 The COVID-19 pandemic has only increased demand for end-user devices. Shipments of desktops, notebooks, and tablets increased dramatically in 2020 as workers and students made a rapid shift to virtual operations.44 The U.S. personal computer market, for example, experienced its fastest growth in 20 years during the pandemic.45 This unprecedented demand, along with supply chain disruptions for components, has led to production backlogs and delays.46

37 Tom Coughlin, “175 Zettabytes By 2025,” Forbes, November 27, 2018, https:/ is high performance computing,” NetApp, accessed January 27, 2022, https:/ quantum computing could change financial services,” McKinsey & Company, last modified December 18, 2020, https:/ computing could transform the logistics industry within the next decade,” DHL, last modified September 24, 2020, https:/ Sai Vennam, “What is cloud computing,” last modified August 18, 2020, https:/ Sascha Segan, “Silicon, USA: Technology That's Actually Made in America,” PC Magazine, September 2, 2021, https:/ Metz, “Where in the World Is Google Building Servers?,” Wired, July 6, 2012, https:/ 68 Million HDDs Shipping in 3Q21,” Storage Newsletter, October 12, 2021, https:/ Temphairojana, “Seagate to invest $470mln in Thailand over next 5 years,” Reuters, February 10, 2015, https:/ Aaron Lee and Willis Ke, “HDD manufacturing cluster formed in Thailand,” Digitimes Asia, March 12, 2020, https:/ U.S. Census Bureau, “Computer and Internet Use in the United States: 2018,” Census.gov, October 8, 2021, https://www.census.gov/newsroom/press-releases/2021/computer-internet-use.html.
44 IDC, “Personal Computing Devices-Market Share,” December 13, 2021, https:/

Historically, technological innovation has led to lower prices and more advanced devices, resulting in greater convenience and innovation for consumers. U.S. companies remain global leaders across many product categories for end-user devices, and U.S.-branded products are sold worldwide. However, many end-user devices are low-cost, high-volume products that use established technology, and, to the extent some of these devices were produced in the United States at one time, most of that production shifted out of the United States beginning in the 1980s. Given that consumer hardware production is generally a low-margin business, it is difficult for new entrants to succeed in the market without relying on a software or services portfolio to make money. Further, as explained later in this report, it is often not cost-competitive to manufacture in the United States.47 This has created an environment where many U.S. companies are leaders in designing end-user devices, and those devices are necessary for the economy to function, but current U.S. manufacturing of many of those devices is limited or nonexistent.

In conclusion, the U.S. ICT hardware industrial base has evolved to be a highly globalized industry with complex supply chains. U.S. companies continue to lead in design innovation and represent premier, global brands for products in key end-use markets, including communications equipment, computer and data storage, and end-user devices. However, ICT manufacturing has largely shifted to Asia, and to China in particular. The next section will review the current state of manufacturing for many of these products and highlight specific, associated risks.

45 “Gartner Says Worldwide PC Shipments Grew 10.7% in Fourth Quarter of 2020 and 4.8% for the Year,” Gartner, January 11, 2021, https:/ Jon Swartz, “HP's PC Sales Hit a Wall, but CEO Says We Are Selling Everything We Can Produce,” MarketWatch (MarketWatch, August 26, 2021), https:/
Christina Bonnington, “Why Hardware Makers Rarely Make Their Money from Hardware,” Slate Magazine (Slate, August 5, 2018), https:/

4. Current State of ICT Manufacturing and Related Challenges

U.S. ICT OEMs remain on the leading edge of innovation, but manufacturing for a wide range of critical ICT hardware products is currently concentrated in Asia. This section analyzes the current state of production for several key products to demonstrate opportunities and challenges for building supply chain resilience throughout the ICT industrial base. The following subsections highlight examples from each stage of the ICT manufacturing process, including upstream components, assembly, and final products. The analysis provides an overview of the manufacturing process, where global production is concentrated, and market barriers to supply chain diversification. The list of selected components and devices is by no means exhaustive, and the exclusion of a specific component should not be considered an indication that this technology is insignificant or lacks supply chain vulnerabilities. Instead, the intent of this section is to further demonstrate how the broader ICT hardware supply chain functions and highlight product-specific risks that need to be considered when addressing supply chain resiliency. The discrete risks identified in this section build on broader, cross-cutting vulnerabilities that will be addressed in section 7 of this report.

4.1 Upstream Components: Printed Circuit Boards

Unassembled (bare) printed circuit boards (PCBs) are the map for the placement and interconnection of semiconductors, passive components, and electronic connectors48 that enable the electronic functions of an end product. Semiconductors and other components do not work until they are assembled onto a PCB. PCBs are in all ICT hardware, including in telecommunications hardware and end-user devices, and are also widely used in many other sectors, such as automotive, defense, and medical technology.

The interconnect and component placement pattern of each PCB is unique to that board. Some PCBs have a standard footprint, such as PCBs for computer motherboards, memory modules, and certain display modules; and after assembly they can be used in different brands and types of equipment. However, most PCBs are customized for a specific product. Different environments and end-uses require different specifications for optimal performance so there are many different types of PCBs, including flexible, rigid for lead-free solder (widely used in consumer devices), rigid for lead solder (used for harsh environments such as automotive and defense/aerospace), and boards combining flexible and rigid sections (which are often used in medical and defense/aerospace as flexible sections are used on curved surfaces while rigid sections accommodate key components and input devices). In addition, boards can be made with one or multiple layers.

Just as PCBs come in a wide range of types and designs, PCB makers vary in their specialization. For instance, only some companies can manufacture flexible boards, high layer count boards, or specialty PCB-type products for semiconductor packaging. Taiwan is home to half of the ten largest PCB companies. Only one U.S. firm, TTM Technologies, is in the top ten globally; the remainder are located in Japan and China. Europe also has PCB companies, though none of them are as large as the Asian and U.S. firms.49 However, much of the manufacturing of PCBs takes place in China.

48 E.g., Board to board connectors

Manufacturing Footprint. PCB production in the United States is primarily for low-volume, high-mix specialty boards, such as those used in industrial, medical, defense, and aerospace products. Large scale PCB manufacturing is concentrated in Asia, particularly in China, Japan, Taiwan, and South Korea. In recent decades, U.S. manufacturing of PCBs declined as China and other Asian countries increased production. According to
the trade association IPC International and the U.S. Partnership for Assured Electronics (USPAE), approximately $11 billion worth of PCBs were produced annually in the United States prior to the shift in production to Asia in 2000-2001.50 In 2000, North America had the largest number of PCB facilities globally, with approximately 780. By March 2020, that number had fallen to an estimated 230, while the number of facilities in China increased to 1,480 over that time. Approximately 150 of those facilities in China were owned by companies headquartered outside China.51

Figure 2: March PCB companies and Factories estimated in 2020 52

China leads the world in global sales of PCB manufacturing, with a 52.4 percent share ($32.7 billion) of the market in 2018. In contrast, approximately $2.88 billion worth of PCBs are produced in the United States, and the current U.S. global production share of PCBs is at an estimated four percent.53 In the past two decades, China overtook Japan and the United States, which were the global leaders in 2000, as seen in Figure 3. Taiwan, Korea, and Southeast Asia are also growing manufacturing locations.54

49 Dr. Hayao Nakamura, “Big Gets Bigger and Faster: The Annual NT-100 Largest PCB Manufacturers”, Circuits Assembly, July 23, 2021, https:/ Comments of IPC and USPAE to Request for Information, 86 Fed. Reg 52127. IPC and the U.S. Partnership for Assured Electronics (USPAE) Comments.
51 Nakamura, “Big Gets Bigger.”
52 Nakamura, “Big Gets Bigger.”
53 “Global PCB output value will reach US$66.1 billion in 2020, and China will account for half of the global market” Eolane, 2019.
54 Ibid.

Figure 3: Relocation of PCB Manufacturing
Source: Eolane

China's rapid rise as the leader of PCB manufacturing was due to a variety of factors. The Chinese government subsidized the construction and equipment of PCB manufacturing plants. In addition, while there is some U.S. production of PCB laminate, most of the chemicals required for PCB manufacture are produced overseas, and PCB manufacturing equipment and materials are easily available in China.56 Clustering of input materials, PCB manufacturing, and associated assembly in East Asia reduces production costs and transportation time. However, China is less competitive in leading-edge PCB technologies, and most Chinese-based PCB production is destined for low-end, high-volume consumer electronics.

The key risks facing the U.S. PCB supply chain include:

• Facility inefficiencies. U.S. plants are often older than their Asian counterparts, meaning they lack automation and rely on costly manual labor, which inhibits their ability to increase production. The facilities face a catch-22 situation where inefficiencies prevent them from winning significant projects, yet the plants cannot upgrade for efficiency without more capital from significant projects. According to IPC and USPAE, “electronics manufacturing is a notoriously thin-margin business, making it difficult to upgrade costly manufacturing equipment.” Such upgrades are necessary to perform sophisticated work, to meet customer needs, and to achieve “the capabilities, quality standards, and cost-efficiencies necessary to compete in the global economy.”57
• Heavy dependence on U.S. defense contracts. U.S. PCB manufacturing companies often are small and medium sized businesses that do not have the capacity for large scale production, nor do they have the capital to purchase additional equipment, so they concentrate on specialty PCBs for defense, medical, or industrial use. While U.S. manufacturers have an advantage in quality, performance, and lead time, they struggle to compete on price. Many U.S. producers say they would not survive without defense contracts.58 Thus, beginning in 2023, Section 808 of the National Defense Authorization Act (FY 2021) prohibits the Department of Defense (DoD) from sourcing PCBs from China and other covered nations without a waiver.59 However, focusing solely on PCB production for DoD will not create the economies of scale to re-develop a significant PCB industrial base for commercial uses in the United States.

55 Ibid.
56 “Bringing Back PCB Manufacturing is Easier Said than Done” Printed Circuit Design and Fab, March 2021, Vol. 38. No. 3, Circuits Assembly, 16.

In summary, PCBs are essential for the electronic functions of ICT hardware as well as for a wide array of automotive, defense, and medical devices. In the past 20 years China has overtaken the U.S. as the global leader in PCB manufacturing and sales. The small PCB industry left in the U.S. leads in quality and performance, but lacks efficiencies created by automation technologies. Thus, the market has become specialized and dependent on government and defense procurement and limited production for highly regulated specialty electronics for medical and industrial use. U.S. PCB facilities must overcome these risks for
long-term viability.

4.2 Upstream Components: Fiber Optic Cable

Fiber optic cable is a transmission medium that sends large amounts of data through strands of glass using light beams. It is the core technology behind subsea cable networks that transfer 99 percent of all international data. Fiber optic cable also supports connectivity at both the national and local levels. Nationally, it carries long-haul traffic across the country, including data that originates on wireless networks. Locally, it can serve as “middle-mile” transport to carry data between neighborhoods, and it is increasingly used for “last-mile” transport to deliver high speed broadband services to community anchor institutions, businesses, and consumers' homes. Demand for fiber optic cable has grown significantly in recent years as the use of fiber has increased in our nation's telecommunications networks. The Fiber Broadband Association estimates that 43 percent of Americans have access to fiber infrastructure today.60

Manufacturing fiber optic cable involves three primary steps. First is the production of glass preform: glass rods are treated with chemicals that prevent light from escaping. Next, the glass preform is heated to “draw” the melted glass into ultrathin strands, known as “bare fiber,” that maintain the same chemical properties as their source rods. Finally, the bare fiber is covered in a protective coating (plastic resin, woven textiles, braided metals, or any combination thereof, depending on the end-use of the cable). Some manufacturers perform all three steps, while others specialize in just one of these production steps.

57 IPC and USPAE Comments; see also Flex comments
58 BIS report, article https://www.bis.doc.gov/index.php/documents/technology-evaluation/2378-u-s-bare-printed-circuit-board-industry-assessment-2017/file
59 U.S. Congress, H.R.6395 - 116th Congress (2019-2020): William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, January 1, 2021, https://www.congress.gov/bill/116th-congress/house-bill/6395.
60 “Fiber Broadband Enters Largest Investment Cycle Ever,” Fiber Broadband Association, last modified January 5, 2022, https://www.fiberbroadband.org/blog/fiber-broadband-enters-largest-investment-cycle-ever.

Manufacturing Footprint. The major global producers of fiber optic cable include Corning, Yangtze Optical Fiber and Cable (YOFC), Furukawa, Hengtong Group, and FiberHome.61 Corning is a U.S.-headquartered firm, and the others are headquartered in China or Japan, suggesting that while the United States maintains an industrial base a large share of
fiber optic cable manufacturing also takes place in Asia.62

Against this backdrop, the global supply chain for fiber optic cable is increasingly centered in China. In 2000, China supplied 3 percent of global imports of bare fiber and 3 percent of the world's final optical cable imports. By 2017, the country supplied 12 percent of the world's raw fiber imports and 31 percent of global optical cable imports.63 This dominance has come from rapid growth in Chinese production capacity during that time period. China's market-distorting trade practices, provision of subsidies, and significant state ownership of optical fiber companies have also been central to this transformation. In 2019 alone, the Chinese government provided subsidies ranging from 350 million RMB to 511 million RMB (approximately $50-73 million USD per company) to the Chinese optical fiber cable producers FiberHome, ZTT, and Hengtong.64 FiberHome is fully controlled by a Chinese state-owned entity, as are several major China-headquartered producers of raw materials needed for optical fiber cable, such as aramid fiber.65

While U.S. exports of optical cable have grown in dollar value, the U.S. share of global exports has diminished as China has outpaced the United States in capacity. In 2000, the United States represented 26 percent of global exports in optical cable. By 2017, that share reduced by half to 13 percent.66 After China and the United States, Mexico, Japan, and Germany were the next three leading exporters of fiber optic cables to the world in 2017.67 The United States maintained a positive trade balance in optical fiber cable with the rest of the world for nearly 70 percent of the period from 2002-2020.68

61 “Top 10 US and International Fiber Optics Suppliers,” Thomas Publishing Company, accessed January 27, 2022, https:/ Profile,” Corning Incorporated, accessed January 27, 2022, https:/ Us,” YOFC, accessed January 27, 2022, https:/ Profile,” Furukawa Electric, accessed January 27, 2022, https://www.furukawa.co.jp/en/company/outline.html; “Our Company,” Hengtong Group, accessed January 27, 2022, http:/ Contact,” FiberHome, accessed January 27, 2022, https:/ United Nations, UN Comtrade Database, https://comtrade.un.org/, cited as the source by International Trade Administration, U.N. TradeTop Partners (HS Codes 900110 and 85447000, China optical cable and raw fiber imports to the world), Trade Policy Information System (TPIS), https://tpis1.trade.gov/cgi-bin/wtpis/prod/tpis.cgi.
64 “Commission Implementing Regulation (EU) 2021/2011,” European Union, last modified November 18, 2021, https://eur-lex.europa.eu/eli/reg_impl/2021/2011/oj (exchange rate as of December 31, 2019).
65 Ibid.
66 United Nations, UN Comtrade Database, https://comtrade.un.org/, cited as the source by International Trade Administration, U.N. TradeTop Partners (HS Code 85447000, U.S. optical cable imports to the world), Trade Policy Information System (TPIS), https://tpis1.trade.gov/cgi-bin/wtpis/prod/tpis.cgi.
67 Ibid. (top 5 import suppliers of fiber optic cables to the world).
68 U.S. Census Bureau, Foreign Trade Division, https://www.census.gov/foreign-trade/index.html, cited as the source by International Trade Administration, TradeStats Express (HS Code 854470), https://www.trade.gov/tradestats-express-national-and-state-trade-data.

U.S. demand for fiber optics is expected to grow significantly, driven by the Biden-Harris Administration's priorities to support high speed broadband deployment through various programs funded through the American Rescue Plan and the Infrastructure Investment and Jobs Act (IIJA), as well as the Federal Communications Commission's Rural Digital Opportunity Fund (RDOF). In anticipation of increased demand, companies have publicly announced new investments in domestic capacity totaling $275 million in 2021. These include Corning's $150 million investment in North Carolina,69 Prysmian Group's $50 million investment in North Carolina,70 CommScope's $50 million investment in North Carolina,71 and Sterlite's $25 million investment in South Carolina.72 While fiber optic cable supply is expected to increase in the near future, the industry is currently facing challenges related to supply and demand shifts and bottlenecks, which are discussed in Section 7.

Key risks facing the U.
218、S.fiber optic cable supply chains include:Impact of Chinas excess capacity.According to viaPhoton,a U.S.-based fiber optic solutions provider,China currently has over 300 million kilometers of excess fiber capacity and“estimates suggest that capacity will grow to nearly 600 million kilometers by 202
219、4,300 million kilometers of which will outpace Chinas internal demands.”73 By comparison,the worlds total production of optical fiber in 2020 was close to 500 million kilometers.74 When Chinese firms export their surplus production to other countries,prices often fall and competitors may struggle to
220、 stay in business.In this context,industry observers have closely followed the European Commissions recent anti-dumping decision on single-mode optical fiber cables from China,which are now facing tariffs of up to 44 percent.75 Applicants successfully argued that increased low-cost imports from Chin
221、a had prevented European Union(EU)firms from benefiting from the 2016-2019 demand growth,despite increases in production and sales.EU producers added that these profitability barriers prevented them from investing in emerging technologies such as 5G.76 In the United States,by contrast,the fiber opti
222、c industry is expected to benefit from domestic stimulus measures,but it will remain important to monitor Chinas excess capacity moving forward.In summary,the U.S.manufacturing base for bare fiber and optical cable is expected to grow steadily as demand increases with the deployment of 5G and the ex
223、pansion of broadband access.69“Corning and AT&T Expand Collaboration as Corning Works to Meet Record Broadband Deman and Support Growth of U.S.Manufacturing,”,Corning Incorporated,September 28,2022,https:/ Group to invest$50 million to expand production technologies and create 50 jobs in Claremont,”
224、Catawba County Economic Development Corporation,September 7,2021,https:/www.catawbaedc.org/news/Prysmian_September_2021.71 Virginia Annable,“CommScope revamping,investing in plants,”Hickory Daily Record,June 16,2021,https:/ establishing operations in Kershaw Country,”South Carolina Office of the Gov
225、ernor,June 23,2021,https:/governor.sc.gov/news/2021-06/stl-establishing-operations-kershaw-county.73 Comments of viaPhoton,to Request for Information,86 Fed.Reg.52127(Sept.20,2021),(viaPhoton,November 4,2021).74 Mitch Jacoby,“As telecom demands grow,optical fibers will need to level up,”Chemical&Eng
226、ineering News,March 16,2020,https:/cen.acs.org/materials/photonics/telecom-demands-grow-optical-fibers/98/i10.75 Wei Shi,“Chinese optical-fibre cables face punitive EU tariff,”Informa Tech,November 19,2021,https:/ AD669-Optical fibre cables(OFC),”European Commission,last modified January 27,2022,htt
227、ps:/trade.ec.europa.eu/tdi/case_details.cfm?id=2479.26 However,the supply chain is currently impacted by supply and demand shifts and bottlenecks.Globally,U.S.share of the worlds imports has diminished as Chinas companies continue to flood the market with excess supply that is largely enabled by Chi
228、nese government subsidies.While the United States is still a key producer of fiber optics manufacturing,Chinas excess capacity remains a global problem that will likely require coordinated actions to address.4.3 Upstream Assembly:Printed Circuit Board Assemblies and Electronics Assemblies Semiconduc
229、tors,connecting components and passive components are placed on,or connected to,the printed circuit board to create a PCB assembly(PCA).PCAs are the parts that run the electronic functions in ICT,consumer,automotive,industrial,medical,and defense/aerospace goods.According to Census,in 2019,U.S.compa
230、ny sales of PCAs(NAICS 334418)were$22.2 billion.However,most of the sales price for PCAs is for the cost of inputs,not from the PCA manufacturing process.The value-added for the PCA manufacturing process itself was only$6.2 billion(30 percent of sales).Semiconductors are the highest value inputs int
231、o the assembly process,with other inputs such as other components assembled on and to the printed circuit board,the PCB itself,and materials used in the assembly process(solder,aluminum,etc.)making up the balance of inputs.77 Both PCA and final product assembly are done either by the brand name manu
232、facturers(OEM)for their own use,or by EMS companies who assemble electronics on contract,as previously discussed.Globally,43 percent of all electronic goods assembly is done by EMS companies rather than the OEMs.78 In 2018,the end-use markets for EMS assembly were communications(36 percent share),co
233、mputer(23 percent share),consumer(17 percent share),industrial(9 percent),medical(3 percent),automotive(7 percent),and defense/aviation/other transport/other(5 percent).79 Manufacturing Footprint.China is the leading location for EMS production,especially for cell phones,laptops,and other high-volum
234、e ICT and consumer electronic goods.In addition,EMS and ODM companies are mainly headquartered in Asia,and Taiwan in particular.As shown in Appendix C,among the top 20 EMS and ODM companies in 2020,14 companies are headquartered in Asia,with 11 of these companies located in Taiwan and Taiwanese-base
235、d EMS and ODM companies comprise nearly 82 percent of the global market.80 The largest EMS firm,Taiwanese company Foxconn/Hon Hai,reported revenues of$160 billion in 2020,three times that of second-ranked Pegatron(Taiwan).81 77 2017-2019 Annual Survey of Manufacturers,2019(ASM):Summary Statistics fo
236、r Industry Groups and Industries in the U.S.:2017-2019,United States Census Bureau.78 Now Available!The Worldwide OEM Electronics Assembly Market.79“Global EMS Market Grew 15%in 2018 to nearly$542 Billion,”EPS News,July 24,2019,https:/ Bloomberg L.P.,“Market share graph for global EMS/ODM companies
2017 to 2020,” accessed December 2021. See Appendix C.
81 Michael Buetow, “How M&A and India Will Reshape the Electronics Manufacturing Landscape”, Circuits Assembly Online, May 26, 2021, https:/

Despite China's dominance, worldwide growth is occurring in many locations. Mexico, which was once the hub for assembly for the North American market prior to China's rise, has started to restore EMS production, especially for ready to ship items like televisions and displays.82 Eastern Europe is a hub for the European assembly industry, though assembly for European companies also takes place in China and Southeast Asia. India is growing as an EMS hub; however, infrastructure issues and the general business climate have hindered its growth.83 Southeast Asian countries, including Thailand, Malaysia, and Vietnam, are also budding locations for EMS.84 Lastly, the United States leads in EMS production for low volume high mix products like medical/industrial and defense/aerospace electronics.

Key risks facing the U.S. PCA and Electronic Assemblies supply chain include:

Counterfeit or used parts. More awareness of counterfeit or used parts surfacing from China's board and product assembly industry came during the dot-com boom in the 2000s. Reportedly, Chinese workers in assembly plants secretly produced extra products and sold the products themselves, or sold rejected components disguised as new products.85 Recent shortages of needed components on an unpredictable basis have led to use of third-rate suppliers, and a revival of counterfeit, substandard, and parts not to specification from China through alternate distribution channels.86 For example, Japanese manufacturer Jenesis ordered chips from the Chinese e-commerce site Alibaba that failed in testing, and were proven to be counterfeit.87

In summary, PCAs and electronic assembly production is heavily dependent on EMS companies dominated by Chinese production. U.S. production is limited to low volume specialized products like medical/industrial and defense/aerospace electronics. The concentration of production assembly in China has increased the risk of counterfeit or used components being inserted into products, potentially damaging product integrity and brand reputation and creating a possible security risk. China's centralized supply chains are an advantage that poses a threat to the U.S.'s ability to compete in the PCAs and electronics assembly industry.

4.4 Downstream Products: Routers, Switches, and Servers

Networking equipment such as routers, switches, and servers are critical for transmitting data, distributing data processing and applications, communicating across devices, and connecting networks. Different types of networking equipment are used by consumers, enterprises, network operators, and communications service providers. Routers, switches, and servers consist of various components such as the motherboard, central processing unit (CPU), power supply, hard drives, random access memory (RAM), PCBs, and many others. As a result, the final products can be very complex, with a single server containing between 3,500 to 4,000 components.88 While the United States has several leading companies that supply networking equipment (i.e., Dell, HPE, IBM), most production is concentrated in Asia through EMS companies, which Taiwanese headquartered companies dominate (i.e. Foxconn, Inventec, Wistron).

82 Doug Donahue, “Mexico: A new Hub for Electronics Manufacturing”, I Connect007, September 28, 2018, https:/ Can Make $300-bn electronics by 2026,” The Hindu, January 20, 2022, https:/ Michael Buetow, “How M&A and India Will Reshape the Electronics Manufacturing Landscape.”
85 Robb Hammond, “China's New Export Laws are Placing Lives in Jeopardy,” AERI, Accessed February 2, 2022, https:/ Computing U.K., “Counterfeit, Substandard Chips are Penetrating the Supply Chain, Industry Insiders Warn,” Communications of the ACM, September 20, 2021, https://cacm.acm.org/news/255667-counterfeit-substandard-chips-are-penetrating-the-supply-chain-industry-insiders-warn/fulltext.
87 Dev Kundaliya, “Counterfeit and Substandard Chips are penetrating the supply chain, industry insiders warn” Computing.co.uk, Sept 20, 2021 https:/puting.co.uk/news/4037363/counterfeit-substandard-chips-penetrating-supply-chain-industry-insiders-warn.

The supply chain for networking hardware, like the broader ICT industry, is global and generally follows the OEM-EMS model described in Section 3. Figure 4 portrays a typical production process that, while varied, may involve thousands of steps with the networking hardware products passing
through many borders before reaching their final destination.89

Figure 4: A Server Global Value Chain
Source: APEC Services in Global Value Chains: Manufacturing-Related Services 90

Manufacturing Footprint. Geographically, Asia, and, in particular China, leads globally in the final assembly of networking equipment manufacturing. Taiwanese EMS or ODM companies account for 90 percent of global server manufacturing and approximately two-thirds of their final assembly for servers is in China.91 China has developed an ecosystem for electronics system manufacturing through decades of targeted investments, which has conferred advantages with respect to capital, labor, and supplier and demand base.92 These manufacturing clusters are evolving in East and Southeast Asia for various components in networking hardware. In addition to cost efficiencies, the production and assembly cluster ecosystems allow for faster product upgrades and customization implementation. Consequently, there is no significant capacity outside of China for key components of the networking hardware manufacturing supply chain such as power supplies.

88 Matt Kimball, “Do You Know Where Your Servers Come from? Here's Why Securing the Supply Chain Matters,” Forbes (Forbes Magazine, May 19, 2020), https:/ Comments of Telecommunications Industry Association to Request for Information, 86 Fed. Reg. 52127 (Sept. 20, 2021), (TIA, November 4, 2021).
90 “Services in Global Value Chains: Manufacturing-Related Services,” APEC, https://www.apec.org/publications/2015/11/services-in-global-value-chains-manufacturing-related-services.
91 Colley Hwang, “Views from Taiwan (10): The Structure of the Server Sector,” DIGITIMES (DIGITIMES Inc., August 9, 2021), https:/ Comments of Flex to Request for Information, 86 Fed. Reg. 52127 (Sept. 20, 2021), (Flex, November 4, 2021); Comments of HP to Request for Information, 86 Fed. Reg. 52127 (Sept. 20, 2021), (HP, November 3, 2021).

Fortunately, networking equipment manufacturers have recently taken steps to shift to a more geographically dispersed supply chain. This could be due to increased demand in the United States and Europe for key end uses, such as datacenters. For some companies, the COVID-19 pandemic has demonstrated that single-market mass production is not sustainable in the long term. Various ICT manufacturing facilities shut down in China at the onset of the pandemic, causing disruptions to the supply chain.93 Major Taiwanese companies including Inventec, Quanta, Wistron, Foxconn, and Mitac, have also moved factories back to Taiwan or expanded factories in other countries, including the United States, Mexico, the Czech Republic and Germany. Recently, some U.S. companies have increased final assembly of networking equipment in the United States to provide for the U.S. market.94 U.S. companies have acknowledged that tariffs and cybersecurity concerns are leading to the shift away from Asia. Contracts with the U.S. government may also act as a positive incentive to increase production domestically.95 Because of increasing transportation costs, EMS providers also see opportunities to increase the final assembly of larger products like switches and server racks in the United States.96

Key risks facing the U.S. networking hardware equipment supply chain include:

Increasing competition and price pressures on U.S. companies. Demand for networking equipment is expected to grow in the coming years due to increased demand for cloud computing and other internet services. While there are still many sources of U.S.-branded networking equipment, Chinese companies such as Huawei and Inspur are gaining global market share in routers, servers, and other networking technology. As a result, there is increasing competition and price pressure for U.S. companies, especially in foreign markets.

In summary, networking hardware, like much of the ICT industrial base, is largely produced by Taiwanese EMS companies with production concentrated in China. Recent supply chain disruptions and transportation costs have motivated some firms to diversify production and assembly locations, including moving production facilities to the United States. However, because significant capacity for key portions of the networking hardware supply chain does not currently exist outside of China, efforts to relocate facilities will require significant time and investment.

93 Vipul Kumar, “China plus One an Emerging Supply Chain Diversification Strategy,” Supply and Demand Chain Executive, October 4, 2021, https:/ Packard Enterprise Becomes the Only Major Server Manufacturer to Ship the World's Most Secure Industry-Standard Servers with U.S. Country of Origin,” HPE (Hewlett Packard Enterprise, December 9, 2021), https:/ Barclay Ballard, “Foxconn's Wisconsin Plant Wins Google Server Contract,” TechRadar (TechRadar, November 24, 2020), https:/ Comments of Flex to Request for Information, 86 Fed. Reg. 52127 (Sept. 20, 2021), (Flex, November 4, 2021).

4.5 Downstream Products: LCDs/Displays

Liquid Crystal Displays (LCDs) are used in a variety of devices including smartphones, computer monitors, and televisions. By layering upstream components such as glass substrate, electrodes, liquid crystal, PCBs, and a light source, LCDs can produce visual images on screen. Many products outside the ICT industry are increasingly dependent on LCD panels as well, especially within the automotive, healthcare, and education sectors. There are a variety of sizes and types of LCDs ranging from large flat panel displays to smaller LCD panels used for smartphones.

Manufacturing Footprint. Historically, the LCD panel supply chain has been concentrated in East Asia, though it has shifted between various countries. Over the past decade, China has become the largest location for LCD manufacturing followed by Taiwan, South Korea, and Japan. China supported the growth of its LCD industry by providing government subsidies and reduced taxes to domestic display manufacturers.97 As a result, most Chinese LCDs are sold below cost and there is no cost-effective way to diversify production out of China. Because of the concentration in China, any disruptions in the region will have an oversized effect on the display supply chain, as demonstrated by China's 2021 power supply shortages which reduced display production.98 There is almost no LCD production outside of East Asia, but other countries in the Americas and Asia may be positioned to emerge as potential alternative locations with significant engagement from industry and governments.99

Unlike other product categories, China leads in both LCD manufacturing and sales activities among its domestically headquartered firms. China's BOE Technology and China Star Optoelectronics Technology (owned by TCL Group) are leaders in large LCDs while Tianma Microelectronics leads in smaller panels. Chinese companies' share of global flat panel display production capacity increased from approximately 0 percent in 2011 to 46 percent in 2019 and is forecasted to reach 62 percent by 2023.100 Korean headquartered firms LG Display and Samsung were former leaders that have lost market share to their Chinese rivals. However, Korean firms still hold an advantage in manufacturing newer display technologies such as organic light-emitting diode (OLED) panels.101 There are no major U.S. companies involved in LCD production nor is there significant LCD manufacturing in the United States.

97 Shuhei Ochiai, “Subsidized Chinese Makers Squeeze Asia's LCD Industry,” Nikkei Asia (Nikkei Asia, April 21, 2019), https:/ Adam Hwang and Rebecca Kuo, “Output of Panel Components, LCD Modules in China Falls 30% Due to Power Restrictions,” DIGITIMES (DIGITIMES Inc., October 18, 2021), https:/ Steve Shen and Jingyue Hsiao, “India Reportedly to Invest US$20 Billion to Develop LCD Panel Industry,” DIGITIMES (DIGITIMES Inc., May 31, 2021), https:/ Charles Annis, “Boe Becomes World's Largest Flat-Panel Display Manufacturer in 2019 as China Continues Rise to Global Market Dominance,” Omdia, June 4, 2021, https:/ Kotaro Hosokawa, “LG and Samsung in Full Retreat before Chinese Flat-Panel Onslaught,” Financial Times, April 28, 2020, https:/

Key risks facing the U.S. LCDs/Displays supply chain include:

Supply Chain Consolidation in China. As noted above, China has provided targeted support to its domestic display manufacturers, and competition among suppliers within China is intensifying with the emergence of new domestic suppliers. These factors have led to sharp increases in the global supply of liquid crystal display panels made in China and made by China-based brands, while production in other countries such as South Korea has decreased.102

In summary, Chinese companies hold a significant share of the global production of LCDs. Buttressed by Chinese government non-market policies and practices, Chinese firms dominate the industry while their competitors struggle to compete with their artificially low-priced products. Since displays are important in other sectors, lack of manufacturing diversity may increase supply chain risks in other product areas outside of ICT.

102 Adam Hwang and Rebecca Kuo, “Panels to Be in Oversupply in 2022, Says Hannstar Display VP,” DIGITIMES (DIGITIMES Inc., November 12, 2021), https:/

5. Current State of the ICT Software Sector and Related Risks

Software can be defined as the set of instructions that tell a computer how to work. It is a dynamic product: it undergoes changes from its point of inception to the end of
its use. Updates are required to improve functionality, accommodate changes to the operating environment, and to apply patches to resolve bugs or vulnerabilities. Software is rarely built from scratch today. Rather, it is typically compiled from existing code libraries, both open source and proprietary, with new software code developed to provide specific capabilities on top of the sourced code.

Software is ubiquitous and found in all information and communications technology. It enables the underlying hardware to function, directs flows and processing of information, and facilitates a user's interaction with a technology product. The type and purpose of software varies. Pursuant to Figure 5, a stack of software is a group of programs that work to enable a technology product to function as intended:

Figure 5: Software Stack103

Applications software is the most familiar type of software as it performs functions for an end-user. Middleware software helps to enable communications and connectivity between applications and is typically found in complex system environments. Examples where middleware software is used include web servers and extract, transform and load tools. The operating system (OS) performs critical functions as it manages both computer hardware and software resources and provides the common services needed to load computer programs into memory and then execute them. The OS is the enabling interface between middleware and application software and the hardware. It performs boot functions, includes device drivers that control specific devices connected to the computer, like a printer or mouse, and provides utilities that assist the user in performing tasks, like running backups or anti-virus scans. A product may also include hypervisor software which creates and runs a virtual machine. This can allow for multiple instances of an operating system to share the virtualized hardware resources. At the lowest level of this stack is firmware, which provides the necessary instructions for how the device communicates with the computer hardware.104

While there are various types and purposes of software in the software stack, the focus of this section is on open-source software and firmware, as they are ubiquitous across the sector and present unique supply chain security issues. Open-source software (OSS) is “software that can be accessed, used, modified, and shared by anyone. OSS is often distributed under licenses that comply with the definition of “Open Source” provided by the Open Source Initiative and/or that meet the definition of “Free Software” provided by the Free Software Foundation.”105 A feature of OSS is that anyone can inspect, modify, and enhance the source code and it is usually obtained by accessing a publicly available software library. Firmware is software which provides the necessary instructions for how the device communicates with the computer hardware.106

The following subsections provide background on the software supply chain, an overview of open-source software and firmware, and a review of risks pertaining to open-source software and firmware.

103 Margie Semilof and James Montgomery, “Software Stack,” TechTarget, updated November 2020, https:/ Security Resource Center, National Institute of Standards and Technology, https://csrc.nist.gov/glossary/term/firmware.

5.1 Background on the Software Supply Chain

Regardless of the type, “software is an enduring capability that must be supported and continuously improved through its life cycle.”107 The graphic portrayed in Figure 6 provides a high-level depiction of these life cycle steps.108 The cycle begins with a concept that is shaped into requirements associated with a given software project. Software is then built and compiled to produce a viable component that is tested and then integrated into hardware and other software.

A software supply chain is the entire sequence of events that impacts software from the point of origin where it is designed and developed, to the point of end-use. Each sequence and element in this chain affects the software in some manner and can contribute to its assurance level or introduce a weakness that can be exploited. The supply chain includes the software code itself as well as the systems and tools used by developers, proprietary and open-source software repositories, signing keys, compilers, and download portals. The entities that comprise the software supply chain can include multiples of developers and technology providers. In many instances, the author of a given open-source software component is unknown. It is also unusual to find a single company responsible for the entirety of a software code base.

105 Open Source Code, NIST S 6106.01, December 6, 2018, https://www.nist.gov/document/finals610601ver1pdf
106 “Glossary: open source software”, Computer Security Resource Center, National Institute of Standards and Technology, https://csrc.nist.gov/glossary/term/firmware.
107 J. Michael McQuade and Richard M. Murray (co-chairs) Gilman Louie, et al., “Software is Never Done: Refactoring the Acquisition Code for Competitive Advantage,” Defense Innovation Board, March 21, 2019, https://media.defense.gov/2019/Mar/26/2002105909/-1/-1/0/SWAP.REPORT_MAIN.BODY.3.21.19.PDF.
108 Dr. William R Nichols and Scanlon, Dr. Thomas, “DoD Developers Guidebook for Software Assurance,” Software Engineering Institute Carnegie Mellon University December 2018, p. 16.

Figure 6: The Software Life Cycle109

Software is developed on a
301、global scale.The United States dominates the global marketplace for software in terms of revenue(see Figure 7 below)with$313.7 billion in revenue anticipated in 2022,growing to$409.9 billion by 2026.110 As detailed in Section 6,currently,the United States has the largest software developer labor for
302、ce;however,the Asia Pacific region has the highest growth rate for software developers.To that end,forecasters believe that,by 2024,India will overtake the United States as the largest software developer population center.Latin America has the second largest growth behind the Asia Pacific region.Eas
303、tern Europe also is a global hotspot for software development.111 109 Dr.William R Nichols and Scanlon,Dr.Thomas,“DoD Developers Guidebook for Software Assurance,”Software Engineering Institute Carnegie Melon University December 2018,16.110“Technology Markets,Software,”Statista,August 2021,https:/ M
304、any Software Developers Are There in the World,”Daxx,September 23,2021,https:/ Figure 7:Projected 2022 Global Software Revenue Comparison112 5.2 Overview of Open-Source Software Open-Source Software(OSS)plays a critical role in todays software ecosystem,with 75 percent of all audited codebases in 20
305、20 containing at least one open-source component and open source comprising 70 percent of the overall code.113 OSS is found throughout the software stack.The universal desire for faster innovation fundamentally requires that software developers reuse code frequently and efficiently.This,in turn,has
306、led to a critical dependence on OSS libraries borrowed from third-party ecosystems.These third-party components and packages represent the building blocks of modern software development.114 Unlike proprietary or“closed”software which restricts who can access,use,and change the source code,open-sourc
307、e software is source code that anyone can inspect,modify,and enhance,and is obtained by accessing a software library.This library contains prewritten code that is available for reuse by a developer to create software programs and applications.A 2020 industrial base assessment conducted by the Bureau
308、 of Industry and Security at the U.S.Department of Commerce,which was completed by 389 U.S.ICT participants that develop security-related products,provides insight into the use of OSS in the U.S.ICT industry.More than 50 percent of respondents indicated the use of open-source software in 24 of the 5
5 product types that were detailed in the assessment. Well-known software and cybersecurity companies were among the most frequent users of OSS, reporting that 100 percent of the products they identified in the survey contain OSS. This finding demonstrates the ubiquitous nature of OSS in hardware and software technologies developed by large firms within the U.S. ICT industrial base. Respondents identified network security devices such as deep packet inspection (DPI) appliances, firewalls, security information and event management tools, network infrastructure devices such as routers and gateways, and other products such as printers, scanners, and supervisory control and data acquisition (SCADA) systems as the types of products for which they frequently used OSS. Figure 8 below portrays specific hardware and software technologies with the highest percent of OSS integration as reported by respondents. Web proxy and content filtering technology was the most frequently identified product, with 65 percent of respondents who design, manufacture and/or sell web proxies integrating their hardware and software technologies with OSS. Similarly, 62 percent and 60 percent of respondents supporting networked SCADA systems and networked connected health systems or devices identified use of OSS, respectively.

112 “Technology Markets, Software,” Statista.
113 “2021 Open Source Security Risk Analysis Report,” Synopsys, Accessed October 2021, https:/ State of the Software Supply Chain,” Sonatype, https:/

Figure 8: Frequency of Respondents Indicating Use of Open-Source Software by Hardware/Software Technology115
[Bar chart. Axes: Product Categories; Frequency of Identification. Series: Hardware, Software, Both. Categories shown: Web Proxies/Content Filtering; Virtual Private Network (VPN); Switches-Enterprise/ISP Grade; Firewalls-Network Appliance; Software Defined Networking (SDN) solutions; Network Intrusion Detection Systems (NIDS); End Point Detection & Response (EDR); Deep Packet Inspection (DPI) Appliance; Gateways-Enterprise/Internet Service; Firewalls-Cloud.]

115 Note: Excludes “Other Other Products.” National Security Assessment: Use of Select Software in Information and Communications Technology, Bureau of Industry and Security, U.S. Department of Commerce, July 2021.
116 Ibid.

The global supply of open-source libraries continues to grow exponentially, fueled by new versions of existing projects constantly being released, and by the creation of new projects. Currently, the four largest revenue producing open-source ecosystems contain a combined 37,451,682 components and packages. These same communities released a combined 6,302,733 new versions of components/packages over the last year and have commenced 723,570 new projects in support of 27 million developers worldwide.116 Microsoft's GitHub, the world's largest repository for open-source code with 40 million users and 206 million code repositories, reported that over 10 million new developers joined and over 44 million new projects were created in
2019 alone.”117

Chinese software developers rely heavily on GitHub, the world's largest open-source code repository with 40 million users and 206 million code repositories. China has been one of the fastest growing users outside of the United States. China's Ministry of Industry and Information Technology (MIIT), one of China's most prominent technology policymakers, has championed the importance of the country having its own domestic open-source alternatives. To build its own version of GitHub, MIIT picked Gitee to construct an “independent, open-source code hosting platform for China.”118 The project will be headed by a consortium led by Open-Source China, a Shenzhen-based firm and Gitee. This new hosting service is considered to be a government-led effort with support from research universities and participation from the private sector, and includes a group of ten organizations, including Huawei. Gitee claims to have “hosted more than ten million open-source repositories and provided services to over five million developers so far.”119 In the coming years, it will be worth watching the potential growth of the Gitee platform given the backing of the Chinese government and several large private sector firms.

5.3 Open-Source Software Supply Chain Risks

The availability of open-source software has accelerated innovation and provides economic and societal benefits, but it can also pose risks, especially if it is implemented in organizations without robust cybersecurity practices. The most basic challenge with OSS security can be the lack of a single responsible entity to help organizations find or fix a security issue. There is no responsible entity to make a “fix” and often there is not an immediate release of an alert identifying the security issue. Instead, organizations submit a “pull request” in
an open-source repository or one of the developers would review the reporting and resolve the security issues. Given the already vast and growing use of OSS, the urgency and importance of ensuring that OSS is secure and can be trusted cannot be overstated.

In 2021, there was a 650 percent global increase in software supply chain compromises aimed at exploiting weaknesses in upstream open-source ecosystems. Comparatively, the same statistic was 430 percent in 2020.120 Bad actors are no longer waiting for public vulnerability disclosures to pursue an exploit. Instead, they are seizing the initiative to insert new vulnerabilities into open-source projects that support the global software supply chain and then exploit these vulnerabilities.

A recent example of an OSS security vulnerability is a flaw in Apache's Log4Shell software library. Log4Shell has become an internet vulnerability that has affected
millions of computers and involves an obscure but nearly ubiquitous piece of software, Log4j. According to the Wall Street Journal, “software developers use the Log4j framework to record user activity and the behavior of applications. Distributed free by the nonprofit Apache Software Foundation, Log4j has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, websites, and applications. An Apache spokeswoman said the way Log4j is inserted into different pieces of software makes it impossible to track the tool's reach.”121

117 “The 2021 State of the Octoverse,” GitHub, Inc., 2021, https:/ Liao, “China is Building a GitHub Alternative called Gitee,” TechCrunch+, August 21, 2020, https:/ Ibid.
120 “2021 State of the Software Supply Chain,” Sonatype.

Because of the Log4j security flaw, hundreds of millions of devices are at risk and the flaw allows attackers to execute code remotely on a target computer, which could let them steal data, install malware, or take control of the affected system. Cybersecurity company Akamai Technologies, Inc. has tracked ten million attempts to exploit the Log4j vulnerability per hour in the United States.122 In addition, foreign governments are taking advantage of the flaw, as security company Mandiant Inc and Microsoft Corporation have traced attempted compromises that exploit the flaw to hackers with suspected links to China and Iran. DHS's Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly says that the Log4j security flaw is the “most serious” vulnerability she's seen in her decades-long career, and it could take years to address.123 To remediate against the flaw, CISA suggests organizations immediately identify internet-facing devices that have Log4j and ensure that security teams respond to alerts related to these devices. Organizations should also install a web applic