Month: November 2022

By: Alberto Coria, Klaudia Kokoszka and Trent Chinnaswamy

Since the onset of the COVID-19 pandemic, China has pursued a strict zero-COVID policy, employing draconian containment measures to limit transmission. This approach has limited fatalities but also severely impacted China’s economy, ensnarled global supply chains and —this past week — has fostered some of China’s most-visible protests and public dissent in years.

Several dozen protests across at least 22 cities may further imperil supply chain stability and, according to our analysis, could significantly affect companies reliant on Chinese electronics and metal wholesalers. The Chinese government’s as-yet-unknown response to the protests could prompt even greater disruption. Our analysis anticipates a simultaneous crackdown on protests and gradual loosening of some COVID restrictions — but nothing is certain.

Interos recommends reviewing your company’s footprint and potential concentration risk in the identified areas, to take early action and prevent any supply chain disruptions in your company’s ecosystem.

Protests in China and Supply Chain Disruption

It is worth noting that protests in China are rare – given the government’s massive surveillance apparatus and history of swift and brutal responses — which include censorship, imprisonment, and the “re-education through labor” of dissidents and activists. Many of the recent protests were sparked by the news of 10 deaths from an apartment fire in the city of Urumqi, Xinjiang Province — where emergency services were allegedly delayed from reaching the fire due to zero-COVID policies.

The protests have quickly spread across Xinjiang, with hundreds gathering in Beijing, Shanghai, Wuhan, Nanjing, and Zhengzhou. The largest confirmed protests against China’s zero-COVID policies so far have been under 1,000 people each, in major metropolitan areas.

Chinese security forces have so far tried to subdue protests through nonlethal force, with mixed success. It is assumed that many of the citizens protesting have been arrested, in addition to one confirmed report of a BBC journalist being beaten and detained. The government has so far struggled to immediately censor the online appearances of the protests, but all evidence of the unrest has been removed within an hour of posting.

Industry Impact of China’s Protests: Electronics and Metals Supply Chain in the Crosshairs

China’s current economic woes are difficult to overstate. Prior to the protests, profits at Chinese industrial companies had fallen 3% from January to October due to COVID lockdowns hindering activity.

The impact of the protests themselves has —so far —been much more limited. This is because the protests are occurring in areas where government lockdowns have already shuttered business.

The most immediate supply chain disruption connected to the protests themselves have occurred at Foxconn’s now-notorious facility in Zhengzhou. Workers expressed their fury after pay was disrupted due to a COVID-19 lockdown. Foxconn claims the lockdown and subsequent unrest have caused the company to miss this year’s production targets which would primarily impact Apple, Inc.

The next major supply shift, and the impact on China’s national production, will depend entirely on the Chinese government’s response to the protests and how — if at all — the government’s zero-COVID policy changes.

According to Interos analysis, electronics parts wholesalers are among the top 10 industries in all of the cities affected by protests. Metal wholesaling is also a prevalent industry in Nanjing, Shanghai, and Urumqi. Should further disruption occur due to the government’s response to the protests, we can expect that these industries would be affected disproportionately.

Beijing Likely to Increase Security and Online Censorship to Quell Protests

As the Chinese Government decides how to act, the country has reported its highest-ever COVID-19 infection rates. On November 23^rd, the government announced that over 30,000 cases were detected, the highest single-day total for the country. This puts the Chinese government in a double-bind, as tightening COVID restrictions could spark more fury, but relaxing restrictions could let the virus loose on a country that is not prepared, medically or politically, for an upswing in cases.

Interos analysis concludes that based on the central government’s response to prior instances of dissent, such as the pro-democracy protests of Hong Kong in 2019 and the Beijing protests prior to the National Congress, it is likely for the central government to curtail the spread of protests through increased security measures, stronger shows of force, and online censorship.

However, a crackdown on protests coupled with tightening COVID restrictions could create additional pressure on Western businesses (many of whom are already under fire for connections to the Chinese government’s various human rights abuses) to relocate to more-favorable areas such as India.

What’s Next for the Supply Chain? Certain zero-COVID Policies Loosened at Provincial Level, While Others Tightened

Below are three likely potential scenarios:

• The central government begins a more widespread loosening of zero-COVID policies, similar to their approach in Guangdong.
• Zero-COVID policies continue to be implemented in areas of high transmission, following the policies that Xi Jinping has indicated in recent national addresses.
• Zero-COVID restrictions are broadly increased as the central government attempts to double down on its efforts, and uses the restrictions as a way to further limit

Interos analysis finds it most-likely that amidst government crackdowns on protests, certain zero-COVID policies will be loosened at the provincial level to ease international business, while others will be tightened in favor of increased security and political suppression.

This approach allows the central government to continue its zero-COVID policy, while beginning to address some of the economic challenges that it has put on the country. The central government directly linked the initiative to a desire to protect its suffering semiconductor sector, and bolster its technological development as a whole.

Some provinces in China have already been able to slightly loosen their respective COVID restrictions, with the central government hoping to reduce disruption to the transport of goods, industrial activity, and international investment. In Guangdong province, local officials received direction from the central government in early November that they would no longer have to track secondary close contacts of confirmed COVID cases. Additionally, the local officials were directed to ease the ability of foreign business executives to travel into the region.

Similarly, following the recent protests in the Xinjiang cities of Urumqi and Korla, the two cities announced that they would begin to ease certain zero-COVID restrictions and reopen businesses and restart public transportation.

However, nothing is certain. According to some estimates, an unrestrained outbreak of the Omicron variant could kill as many as 1.5 million people in the 80+ age group alone. With China’s rising case numbers, limited hospital beds, low vaccination rates (and less-effective vaccines), and Xi Jinping’s recent consolidation of power the government may opt to maintain or even increase restrictions.

Given the precariousness of the situation, the case for active, continuous, and multi-tier supply chain monitoring has never been clearer.

Recommended Actions for Improving Supply Chain Resilience

Interos recommends taking the following actions to promote supply chain resilience:

• Communicate frequently with key Chinese suppliers (or suppliers you know to be reliant on China) to determine the production impacts of government restrictions on COVID and protests.
• Ascertain whether suppliers in China are preparing for an increased governmental security posture.
• Identify which 4^th and 5^th party Chinese suppliers are critical to your direct suppliers.
• Prepare for a potential disruption in goods shipping out of Chinese ports due to zero-covid measures by identifying alternative suppliers or adjusting expectations accordingly for delays.
• Ensure compliance with the Uyghur Forced Labor Prevention Act (UFLPA), as protests against the zero-COVID policy are one of many risks emerging from the Xinjiang region

Organizations looking to understand where the next big supply chain shock is coming from – and which suppliers they need to engage with to mitigate the impact – should consider investing in supply chain visibility and operational resilience solutions. In times of turmoil, knowing who you are connected to, and how those parties will be impacted by unfolding events, can make the difference between continuity of operations and disaster. It’s no wonder then, that most organizations plan to implement supply chain visibility solutions by Q2 2023 — a fact we learned from our annual supply chain industry survey.

By Interos Labs (Andrea Little Limbago & Joshua Clarke)

This week’s disclosure of a Russian firm masquerading as an American company highlights yet again the potential security concerns hidden within software supply chains.

The company, Pushwoosh, provides coding language and data processing for companies building software applications. Its code allows software developers to track and profile app users to customize the notifications they receive.

While Reuters’ exclusive story noted Pushwoosh’s integration with the Centers for Disease Control and Prevention (CDC), that agency was far from alone. Interos’ own analysis has identified additional industries and countries most at-risk of exposure to Pushwoosh code and potential data breaches.

We have also noted some of the tell-tale signs that organizations need to be on alert for regarding company ownership and location.

Pushwoosh and the Digital Supply Chain

At a time of growing concern over the national security threats within the information and telecommunications (ITC) supply chain, the Pushwoosh revelations are yet another reminder of the challenges and complexity of modern digital supply chains. Following on from last year’s investigations into JetBrains, a software company founded by three Russian engineers based in the Czech Republic, the Pushwoosh revelations have sparked similar concerns over foreign ownership risks.

They are also the latest reminder of the challenges and complexity of modern digital supply chains.

Pushwoosh is integrated with thousands of applications in major app stores and includes tracking software that allows Pushwoosh to collect sensitive Personally Identifiable Information (PII).

Depending on the application, the PII includes precise geolocation and health history information, “which could allow for invasive tracking at scale”, according to an expert quoted in the Reuters story.

Pushwoosh claims to be a Maryland-based company, but Russian filings list it in Novosibirsk, Russia. Instead of revealing its Russian location, Pushwoosh has previously listed under California and Washington, D.C. area addresses.

This deception not only masked the foreign ownership risk, but — considering Russian data collection policies — also put customer data at risk of seizure by Russian security services.

Hiding in Plain Sight?

Based on our analysis of Pushwoosh’s presence within global supply chains, we identified the top 10 industries and countries affected (see table).

Top 10 Industries and Countries for Pushwoosh Customers

While US software firms had the greatest single country-industry exposure, the prevalence may be much more limited in comparison to other supply chain vulnerabilities, such as Log4J.

Nevertheless, among those identified are several European industrial firms, a major US publisher, a cybersecurity company and Ukrainian telecom and transportation providers.

Pushwoosh has a breadth of Russian connections, including relationships with the following entities, some of which are on US restrictions and prohibitions lists:

• TNT (Russian TV station, parent company Gazprom)
• Ozon (aka the “Amazon of Russia”)
• Rambler Media
• Yandex
• Mail.ru Group Limited

Pushwoosh’s significant footprint and integration across restricted and/or highly influential Russian companies should have been an early indicator of risk that warranted additional investigation of foreign influence.

Moreover, when looking into a range of open-source activity, it becomes clear that major Pushwoosh contributors have strong Russian connections or are Russian themselves. This underlines the growing importance of the Software Bill of Materials (SBOM), which not only is a security risk but will be a compliance risk as federal regulations continue to address SBOM requirements.

Gaining Visibility Across Your Supply Chain

This latest example of digital supply chain vulnerability comes on the back of a year of high-profile discoveries. Pushwoosh reflects the digital supply chain risks that can emerge from untrusted technologies within a company’s ecosystem.

Importantly, this is a case of a vendor deemed trustworthy, and so it remained off the radar until the recent exposure. The movement toward trusted networks was already well underway; Pushwoosh will likely reinforce the message that additional due diligence of ICT vendors is necessary.

At Interos, we provide the visibility into your extended supply chain, including identifying sanctioned foreign companies and their supply chain partnerships. We recommend reviewing your own extended supply chain to confirm whether Pushwoosh is present. Very often untrusted vendors are not in the first tier but rather are hidden in the second tier, third tier,

If you are concerned about the presence of Pushwoosh in your digital supply chain – or want to increase the resilience and visibility of your entire supply chain – contact Interos here.

By Alberto Coria, Operational Resilience Consultant

A pending freight railroad strike on December 4th — driven largely by railroad companies’ refusal to grant workers dedicated sick leave — could shut down most major U.S. railroads and upend supply chains across industries. 

Based on Interos’ unique supply chain analysis of the railroad supply chain, the most-affected industries are likely to be the automobile, chemical, energy, and agricultural verticals — with follow-on impacts reaching virtually every U.S. business and consumer. The strike could cost the U.S. economy as much as $2 billion per day. 

While organizations looking to get in front of the issues can take steps to mitigate them and bolster operational resilience — it’s unlikely that even the most proactive organization would be fully insulated from a disruption of this magnitude. 

Why Is a Freight Railroad Strike Potentially Happening?

In August of 2020, twelve railroad unions joined forces to sue Class 1 railroads over proposed benefits changes in their contracts, which included restricting access to certain medications and changing healthcare networks. By October of 2021, the courts had ruled in favor of the unions, stating that the Class 1 railroads would need to resolve the issues in good faith negotiation, directly with the twelve unions. This decision by the court ultimately granted the unions the legal right to a freight railroad strike if they could not reach an agreement with the Class 1 railroads. 

By July 2022, the Biden administration began to take an interest in the proceedings, and through the National Mediation Board requested both sides to report to Washington D.C. for a “public interest” session designed to create a voluntary agreement. When the negotiations broke down, the Biden administration created an emergency board to try and reach a consensus.

On August 15, 2022, both the unions and Class 1 railroads reached an impasse in negotiations, causing a 30-day “cooling-off” period to be established. At the end of this cooling-off period, on September 15, 2022, the unions would be legally able to strike. 

Hours before the rail unions were set to announce a nationwide freight railroad strike, both sides reached a tentative agreement after twenty hours of negotiations mediated by U.S. Labor Secretary Marty Walsh. The unions then had to return to their members and call for a ratification vote to fully approve the agreement. By the end of October, two unions — the Brotherhood of Maintenance of Way Employees Division and the Brotherhood of Railroad Signalmen — had voted against ratification of the agreement due to the lack of inclusion of paid sick leave.

The unions and the Class 1 railroads now have until November 19 to reach a new agreement, before the unions are legally allowed to strike — which means that companies need to be aware of their dependency on the freight railroad supply chain as soon as possible.

The Supply Chain Impact: Automobiles, Energy, Chemical, and Agriculture Industries Most Affected

While a shutdown of Class 1 railroads would have far-reaching effects across virtually every industry, Interos’ analysis found the following verticals would see the most immediate and severe impact:

Automobiles

In the U.S. there are between 25,000 to 30,000 carloads of vehicles and auto parts moved by rail per week. This is due to much of the U.S. auto industry having their parts, or the car itself, assembled in Mexico, Canada, and the United States. Shipping by rail within North America is the most efficient way for companies to deliver automobiles to customers or dealerships, leading to nearly 75% of new vehicles in the U.S. being moved by freight rail. 

Energy

On average, over 300,000 barrels of crude oil and 5 million barrels of propane are transported by rail in the U.S. every day. Additionally, 75% of coal produced in the U.S. is transported by rail. Given that coal makes up ~22% of U.S. electricity generation, the effect of a rail labor strike on energy prices will be drastic. Disruptions to the energy industry will occur in the lead-up to the deadline, as railroads cannot leave hazardous materials unattended in the case of a strike. This will cause railroads to curtail shipments prior to the actual strike.

Chemicals

20% of all chemical transportation in the U.S. is done via rail and Class 1 railroads moved an average of about 34,000 carloads per week of chemicals in 2021. This reliance on rail transit leaves the industry highly exposed to a rail labor strike. Over 50% of all rail chemical carloads consist of industrial chemicals, including soda ash, caustic soda, urea, sulfuric acid, and anhydrous ammonia. Additionally, 70% of the ethanol  an additive in most gasoline — produced in the U.S. is transported by rail. 

Agriculture

Anytime there is uncertainty surrounding a rail labor strike in the U.S., the fertilizer industry loses five shipping days due to the ramp-down that is required to curtail shipments of hazardous materials prior to the deadline. Additionally, due to the recent shutoff of natural gas supplies to Europe, 80% of European production of fertilizer has been halted. A strike would only further destabilize an already-fragile fertilizer industry — significantly disrupting all of U.S. agriculture and food production. The industry is highly exposed to a rail labor strike. 774,000 carloads of corn, 296,000 carloads of wheat, and 299,000 carloads of soybeans were transported by rail in 2021.

What Actions Can I Take to Prepare for Railroad Supply Chain Disruptions?

While a deal between unions and Class 1 railroads is still a viable option, railroads will begin to curtail operations in the week before December 4th to ensure they can shut down safely and comply with regulations in case of a freight railroad strike. 

Interos recommends firms begin acting to ensure their supply chains remain resilient and unaffected as soon as possible, by taking proactive measures and coordinating with suppliers. Our recommendations include:

• In times of capacity restraints resulting from a freight railroad strike, logistics carriers may prefer customers who have already been shipping via different methods. Clients should leverage existing relationships with logistics carriers. 
• Proactively identify alternative shipping methods with critical suppliers before the impact of the shutdown may be realized. 
• The industry with the greatest exposure to rail strikes is the chemicals industry as a disproportionate share of chemical products are shipped via rail. Interos recommends identifying suppliers providing chemical products, or that are themselves reliant on chemical products, which would therefore be most sensitive to railroad supply chain issues.
• During the leadup to the last period of uncertainty surrounding a labor strike in September 2022, hazardous materials were the first shipments to be curtailed due to U.S. government dangerous goods regulations. Interos recommends evaluating any hazardous shipments that may be curtailed within a 5-day range of the December 4th deadline.

Organizations looking to understand where the next big supply chain shock is coming from – and which suppliers they need to engage with to mitigate the impact – should consider investing in supply chain visibility and operational resilience solutions. Most organizations plan to implement them by Q2 2023 — a fact we learned from our annual supply chain industry survey.