In 2014, the Western District of Pennsylvania indicted five People’s Liberation Army (PLA) members, charging the Chinese military officials with corporate espionage. This was the first nation-state indictment for cyber-espionage and served as an inflection point after years of intellectual property (IP) and personally identifiable information (PII) theft. Since then, the U.S. has increasingly relied on indictments, bringing what had been classified discussions into boardrooms and to the public’s attention. This ‘name and shame’ strategy is but one piece of the puzzle in countering digital espionage and malicious activity. Over the last year, the U.S. government and democracies across the globe have increasingly relied on another strategic tool: blocking and sanctioning entities with links to foreign adversaries.
Following on the heels of sanctioned Russian and Iranian entities, Chinese companies and individuals are increasingly ostracized from the U.S. economy for a range of violations. The Department of Commerce’s addition of eleven more excluded entities on Monday expands the growing list of Chinese firms and individuals linked to human rights violations in Xinjiang. The increased prominence of restricted entities not only highlights evolving national security challenges, but also introduces a range of security and compliance risks into enterprise supply chain ecosystems.
The Growing List of Restricted Entities
There is a long history of corporations carrying out state-sponsored or state-backed activities. Today, this manifests in three core areas: the competitions in emerging technologies, artificial intelligence (AI), and national security playing out between democracies and authoritarian regimes; human rights violations enshrined in government policy; and digital attacks on critical infrastructure. As the chart below (focused on China) illustrates, the number of restricted entities continues to grow.
The 5G race best exemplifies the technology and national security focus on restricted entities, with growing distrust about security and data access. Huawei and ZTE are the most prominent companies to come under public scrutiny and government sanction. Huawei has drawn particular scrutiny due to its marketshare as the world’s top telecom supplier and second largest phone manufacturer. The fines, sanctions, development restrictions, and inclusion on entity lists aim to surface and address digital and national security risks posed by these companies. The related chip wars similarly reflect the desire to secure digital supply chains with trusted components. Federal organizations have been banned from using Huawei and ZTE equipment, while the private sector is growing vocal in their distrust as well.
Just as the 2014 PLA indictments ushered in the growing deployment of indictments in response to digital attacks, restrictions similar to those imposed on Huawei and ZTE are increasingly applied to other companies deemed security risks. In May, the Department of Commerce’s Bureau of Industry and Security added two dozen Chinese companies linked to weapons of mass destructions and military activities. In June, the Pentagon named twenty companies with alleged links to the PLA. Huawei is included in this list, as is video surveillance firm Hikvision, and telecom and mobile companies. The focus on trusted technologies is not limited to China. Russian cybersecurity company, Kaspersky, is also banned from use by both U.S. civilian and military agencies.
The second group of restricted entities focuses on those linked to human rights violations. The U.S. recently imposed new restrictions against 33 companies for human rights violations, many of which are tech companies (i.e. facial recognition tech) following the June passage of the Uighur Human Rights Policy Act. This is part of a broader U.S. government effort to investigate companies that knowingly benefit from the human rights violations in Xinjiang. Last month, Chinese officials were similarly sanctioned for human rights violations, a response both to protest suppression in Hong Kong as well as human rights violations against the Uighur population.
Finally, the naming and shaming and blocked entity strategy is increasingly employed against foreign entities targeting critical infrastructure, especially through cyber-enabled activities. In addition to election interference, sanctions have targeted Russian entities for conducting cyberattacks on the U.S. energy grid. The financial services sector is another critical industry frequently targeted by foreign adversaries, resulting in subsequent additions to the restricted entities list. For example, Iranian entities and the company, ITSec Team, were sanctioned for a series of attacks on banks and stock markets.
Compliance Challenges & Reputational Risks Ahead
As the examples above highlight, there is a growing whole-of-government approach across the Departments of State, Defense, Treasury, and Commerce to block, sanction, and name entities linked to foreign adversaries. These restricted entities add national security, reputational, and compliance challenges that propagate throughout a supply chain ecosystem. The compliance requirements for each are distinct and reflect the increasing challenges of ensuring global supply chains are disentangled from restricted entities.
This issue continues to grow in scope and complexity. Section 889 of the National Defense Authorization Act further restricts any federal contractors from using Chinese telecommunications products and services. The Office of Foreign Assets Control (OFAC) lists over a dozen countries on its blocked entities list as well as a growing list of individuals and organizations. For example, Iran’s Mobarekeh Steel Company has been a restricted entity since 2018 due to linkages to the Iranian military, but OFAC recently expanded the restrictions to include their subsidiary companies, including one based in Germany. This latest restriction prohibits “U.S.-based companies and individuals from transacting with them and expose anyone doing business with them to potential penalties.” For financial institutions, this restriction on the metals trade may not be on the radar, but due to a January executive order, financial institutions risk sanctioning if they facilitate this trade.
Internationally, other democracies are also blocking entities linked to authoritarian regimes. The United Kingdom introduced a sanctions regime aimed at penalizing entities linked to human rights abuses, including those in Saudi Arabia and Myanmar. Last week’s Huawei ban by the United Kingdom in 5G networks builds upon broader U.S. efforts to secure 5G networks and illustrates the global nature of these restrictions. The Russian oil giant, Rosneft, was sanctioned earlier this year due to ties to Venezuela’s Maduro regime. India recently banned 59 Chinese apps.
These are dynamic geopolitical times, not just for U.S.-China relations but for a growing range of global challenges. China’s recent sanctions and restrictions targeting U.S. entities and the U.S. executive order ending Hong Kong’s special status further illustrates how corporations and their supply chains are increasingly entangled in geopolitics. While compliance considerations must be top of mind when it comes to restricted entities, governance and cyber risk assessments must similarly account for whether these entities are present within a global supply chain ecosystem. The externalities of these geopolitical tensions will continue to disrupt supply chains in multiple ways and reinforce the urgency for a holistic approach to risk, as well as the necessity for agility and visibility across supply chains for greater resilience and security.
To learn more about how sanctions, geopolitical events, impending regulations will impact your global supply chain – and how to get ahead of supply chain risk, visit interos.ai.
Dr. Andrea Little Limbago is a computational social scientist specializing in the intersection of technology, national security, and society. As the Vice President of Research and Analysis at Interos, Andrea leads the company’s research and analytic work regarding global supply chain risk with a focus on governance, cyber, economic, and geopolitical factors. She also oversees community engagement and research partnerships with universities and think tanks and is a frequent contributor to program committees and mentorship and career coaching programs. She has presented extensively at a range of academic, government, and industry conferences such as RSA, SOCOM’s Global Synch, BSidesLV, SXSW, and Enigma. Her writing has been featured in numerous outlets, including Politico, the Hill, Business Insider, War on the Rocks, and Forbes. Andrea is also a Senior Fellow and Program Director for the Cyber and Emerging Technologies Law and Policy Program at the National Security Institute at George Mason and a Fellow at the Atlantic Council’s GeoTech Center. She is an industry advisory board member for the data science program at George Washington University, and is a board member for the Washington, DC chapter of Women in Security and Privacy (WISP). She previously was the Chief Social Scientist at Virtru and Endgame. Prior to that, Andrea taught in academia and was a technical lead at the Joint Warfare Analysis Center, where she earned the Command’s top award for technical excellence. Andrea earned a PhD in Political Science from the University of Colorado at Boulder and a BA from Bowdoin College.