More ‘Critical’ Firms Face Tougher Cyber Laws

By Geraint John

Companies in critical industries on both sides of the Atlantic face more stringent cybersecurity regulations as governments seek to boost national security and operational resilience.

New laws passed in the U.S. and Europe call for rapid reporting of significant cyber attacks and ransom payments, improved cyber risk management practices, a greater focus on supply chain partners such as IT and cloud services providers, and stronger collaboration between the public and private sectors.

Crucially, the legislation also extends the range of firms covered beyond those operating core infrastructure. That includes everything from water and transport to services such as banking, telecommunications, and healthcare, along with manufacturers of food, chemicals, pharmaceuticals, medical devices, and other “essential” products.

White House and SEC Work to Improve U.S. Critical Infrastructure Cybersecurity

In the U.S., the Biden Administration published its National Cybersecurity Strategy at the beginning of March. The first of its five pillars is titled “Defend Critical Infrastructure.” The strategy is aimed at both federal agencies and private-sector companies.

The strategy document argues that “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.”

As well as targeting critical infrastructure providers, it also pledges to “drive better cybersecurity practices in the cloud computing industry and for other essential third-party services” that these organizations depend on.

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, which requires companies to report certain types of cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransom payments within 24 hours.

CISA is currently working on implementing the reporting requirements, which must take effect by September 2025 at the latest.

Separately, the Securities and Exchange Commission (SEC) is expected to finalize its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules in April. These will require public companies to report “material” incidents within four business days. They must also provide updates on previous cyber attacks.

European Union Upgrades its Main Cybersecurity Directive

In Europe, the new Network and Information Security (NIS2) directive came into force on January 16th. It replaces the first-iteration NIS law, which has been operating since 2018. NIS2 is designed to strengthen security requirements, reporting obligations, and supply chain cybersecurity.

NIS2 also provides for stricter enforcement, with administrative fines of up to €10 million or 2% of global revenue for non-compliance.

Like the U.S. legislation, NIS2 expands its scope to a broader range of “critical sectors and services,” including information and communications technology (ICT) providers.

The new directive joins a raft of other new European Union laws, including the Digital Operational Resilience Act (DORA) for financial services and the Critical Entities Resilience (CER) Directive, which addresses physical security and terrorism, as well as cybersecurity.

E.U. member states have until October 17th 2024 to transpose NIS2’s measures into national law.

A European Parliament briefing document on NIS2 argues that companies need to invest more in cybersecurity. It cites study data suggesting that E.U. organizations spend on average 41% less on cybersecurity than their U.S. counterparts.

Interos Analysis: Cyber Risk Status in Energy and Healthcare Firms

To assess the impact of this spending gap, and to identify where cybersecurity practices are most in need of improvement, Interos conducted an analysis of cyber risk scores for the top 10 U.S. and European (E.U. plus U.K.) electric utilities, energy, and healthcare (pharmaceutical manufacturing) companies using our newly enhanced cyber risk model.

This analysis found that:

  • Overall company cyber risk scores – calculated from 20 subfactors and 91 attributes at both a firm and country level – vary widely. They go from a low of 59/100 – in the case of a European oil company – to a high of 82/100 for a European renewable electricity generator. The median score of 66 equates to only a “medium” level of cybersecurity protection.
  • At the firm level, U.S. and European companies are on a par, with both having a median score of 62/100. U.S. electric utility and energy companies score four points higher on average than their European counterparts, while in healthcare (pharma) the reverse is true. Again, all scores indicate medium levels of risk, which suggests plenty of room for improvement in cybersecurity practices.
  • The weakest areas of firm-level cybersecurity are in software-as-a-service bill of materials (SaaSBOM) vulnerabilities (average score 35/100), advanced persistent threat (APT) group activities (43/100), and compliance with public cybersecurity standards and frameworks (47/100) – a key element in the new legislation. There is also a big variation of scores between companies in web application security, web encryption, network filtering, e-mail security, and software patching.
  • At the country level, European firms score two points higher on average than those in the U.S. (82/100 against 80/100, indicating low cyber risk). The U.S. is rated significantly higher for its digital infrastructure (92 vs 65), and somewhat higher for cyber governance, resilience, and international collaboration. European countries score 20 points better on average on the risk of data access and manipulation in their business environment and as a geographic target for cyber attacks.

Transparency and Collaboration Vital to Manage Critical Infrastructure Cybersecurity

Cyber risk scores for critical infrastructure firms and their key suppliers, together with the new American and European legislation, are set to bring a new level of openness to cybersecurity.

Last week, during a webinar hosted by Interos, data partners BitSight and Equifax welcomed this development.

Commenting on the new SEC rules, Derek Vadala, chief risk officer of BitSight and a former chief information security officer at Moody’s, said the rules would bring much-needed transparency and culture change to the industry.

While it will take time for companies to understand what the new rules require, those companies that are more open about how they manage cyber risks today – for example, by publishing annual reports – are in a better position than those that do the bare minimum, Vadala argued.

The credit reference agency Equifax is also following this approach. It has published a cyber strategy and roadmap report for the past three years. According to Zach Tisher, its vice president of security risk, strategy and communications, “Security should not be a trade secret.”

As well as more open disclosure, Tisher argued that:

  • Employers need to bake cybersecurity into employees’ compensation plans to incentivize and reward good behavior.
  • Training must move away from the one-hour annual compliance session and be tailored better to staff needs.
  • Point-in-time questionnaires sent to suppliers and third parties aren’t sufficient; instead, real-time monitoring of cybersecurity controls is necessary.
  • Better collaboration with partners and vendors is vital to manage growing supply chain threats and requirements.

Third-party risk management has been the biggest trend in cybersecurity during the past couple of years, Tisher noted. “Supply chain is a top threat vector and it’s increasing all the time.”

This means that companies need to focus their cyber risk management efforts as far upstream as their sixth parties (tier-4 suppliers), he added.

Modeling Supply Chain Cyber Risk in a Disrupted World

By Andrea Little Limbago

On March 2, the Biden Administration announced a new National Cybersecurity Strategy. The need for a strategic change should not come as a surprise — Interos’ 2022 Resilience survey of 1,500 procurement and cybersecurity leaders revealed supply chain disruptions from cyber incidents alone cost enterprises $37M annually. Estimates of the global annual cost of cybercrime exceed ten trillion dollars.

Interos is closely monitoring the rising costs of cyber disruption and the continuously changing state of play, among other factors. We’ve refined and updated our cyber risk factor, one of the six factors within the Interos i-Score™, in light of these and other trends shaping cybersecurity. The enhancements include a new cyber behavior model to detect potentially harmful cyber activity regardless of public disclosure, along with combining commercial cyber ratings, vulnerability information (CVEs), threat assessment (MITRE ATT&CK®), cyber events, regulatory compliance, and operating country regulations and risks into a single score.

You can read about those details in our press release. This blog will focus on those strategic factors driving these changes and the challenges in developing a solution that delivers cybersecurity insights to non-experts, all within the backdrop of the generational shift underway in the international system.

Trends Driving The Need for Change in Cyber Risk Modeling

To address the growth in scope and scale of cyberattacks (and their ripple effect across the supply chain), the Biden administration’s new National Cybersecurity Strategy is putting more responsibility on vendors and service providers. This is part of a larger trend prompting organizations to prioritize long-term collective investment in cyber resilience – and is reflective of Interos’ collective resilience approach to cyber.

Cyber leaders are also increasingly acknowledging the human element and assessing those risks through a socio-technical lens. This has led to both a focus on user interactions as well as the growth in new compliance frameworks and regulations. That’s why the enhanced Interos cyber risk factor accounts for compliance with CSF V1.1, NIST SP 800-53, PCI DSS V3.2.1, and other standards, as well as the global expansion of data privacy and cybersecurity regulations.

To that end, an organization’s geographic location plays a crucial role in both compliance and data risk levels. This variation stems from differing levels of data sovereignty, which depend on the localized cyber and privacy environment. Risks surrounding the concentration of the physical infrastructure underpinning the internet also pose a significant challenge, as seen in the case of Russia’s cyberattack on Viasat’s services in Ukraine or the undersea cable cuts that occurred in Scotland and France.

The adoption of collective resilience (creating shared supply chain and operational strength) is accompanying our broader understanding of the range of cyber risks, which is why collaboration is prioritized in national and international cyber strategies. As Alejandro Mayorkas, the Secretary of Homeland Security, noted, “We have to drive the entire ecosystem to be more cyber vigilant.”

Developing Interos’ Enhanced Cyber Risk Model

Tackling Key Challenges in the Cybersecurity Landscape

Development of this new model addresses two core challenges:

  1. Aggregating Data into Intuitive Formats: The difficulty of integrating disparate data sets in a timely manner and presenting them in an intuitive, explorable format. We recognize that many cybersecurity tools are designed for information security professionals, making them inaccessible to others involved in risk management.
  2. Understanding Behavior: The importance of understanding both threat actors’ and defenders’ behaviors and integrating that knowledge to identify the most relevant risks.

Cyber has an interesting data problem in that there is a data deluge and a data desert at the same time – meaning there is so much data, but it’s not always the relevant data. The Interos model addresses the above challenges by focusing on integrating and presenting the range of these trends (over individual data points) to capture the core areas of vulnerabilities, threats, compliance, and adverse cyber events. Through this holistic approach we can provide a comprehensive view of cybersecurity risks across the entire supply chain ecosystem, from vendors and service providers to critical infrastructure and sensitive data.

We also utilized the extensive community work and expertise from federal organizations like NIST CVE and MITRE’s ATT&CK framework while accounting for both opportunistic and targeted threats by identifying industries/groups most susceptible to targeting, and vulnerabilities most likely to be exploited. Our approach also focused on quantifying data risks across locations by merging different data types to capture the diverse data sovereignty and global risk environments – a project we presented at the Black Hat cybersecurity conference a few years ago.

Implications and Value: Uncovering Hidden Cyber Risks and Enabling Proactive Measures

The implications of this new model are vast. It highlights areas of risk that often are not brought together, allowing users to take action to decrease cyber risk. This may include reaching out to critical suppliers that may be at risk and coordinating a plan to elevate their defensive posture, or identifying those key parts of their supply chain located in areas where the data may be more at risk due to an adverse regulatory environment.

The Interos model surfaces a range of cyber risks, while contextualizing those risks within a broader supply chain risk framework. For instance, users can identify who might be at high cyber risk as well as high financial risk, since these suppliers may not have the resources to grow their defensive posture or could be extremely vulnerable to insolvency if attacked given the cost of breaches.

Personal Observations: Expanding Access to Cyber Risk and Addressing Global Challenges

Two particular aspects of this project are especially important to me, in terms of their ability to address broader systemic challenges across the industry that have significant implications for the future:

  • Addressing the cyber industry’s gatekeeper problem, which restricts risk assessment access to those with information security technical expertise. Interos’ updated model marks a significant stride towards broadening access to cyber risk assessment outside of an enterprise’s Security Operations Center.
  • Further integrating supply chain risk and cyber risk, particularly in the context of a re-globalized world economy, technological bifurcation, and the geopolitical fracturing of the internet. This integration is essential for fostering cyber vigilance and tackling the challenges presented by emerging technologies and global competition.

A modernized approach to cyber risk will be an essential tool for organizations exploring how to adapt to a changing global order whose shifts are being felt across supply chains, geopolitics, and technology development. Interos’ enhanced model for evaluating cybersecurity risk across supply chains signifies a significant step towards that goal.

By expanding access to meaningful cybersecurity information, through a multi-factor, supply chain-wide approach, we can enable organizations to proactively manage and mitigate risks on a far greater scale than ever before, bringing non-cyber experts into the decision room, and fostering resilience and success in this ever-evolving global landscape.

Western Firms at Risk of Indirectly Supplying the Russian War Machine

By Geraint John

North American and European companies have been urged to ensure that they are not inadvertently supporting Russia’s war effort in Ukraine by facilitating trade through third-party intermediaries.

A year on from its invasion, the U.S. government and the European Union (E.U.) are concerned that Russia is evading stringent sanctions and export controls by importing vital products through neighboring and “friendly” countries.

Earlier this month, the U.S. Departments of Commerce, Treasury, and Justice issued a joint compliance note asking multinational firms to “exercise heightened caution” and be “vigilant in their compliance efforts” to avoid items such as advanced semiconductors and other electronic components ending up in Russian hands.

The E.U., meanwhile, says it is investigating a surge in exports from European companies to customers in countries such as Armenia, Kazakhstan, and Kyrgyzstan, which have increased their trade with Russia since sanctions were introduced in March 2022. It is also reportedly planning to ask these countries to enhance their trade monitoring.

A new Interos white paper notes that restrictions on Russian entities – around 2,500 currently active, with more than 1,100 imposed in 2022 alone – are “unprecedented in their scale, scope, and breadth.”

Russia Import Restrictions Are Being Circumvented by “Friendly” Countries

Analysis of official trade data by three economists at the European Bank for Reconstruction and Development (EBRD) found “evidence suggestive of intermediated trade via neighboring economies being used to circumvent the sanctions.”

While E.U. and U.K. exports to Russia “dropped sharply” after the imposition of sanctions, exports to Armenia, Kazakhstan, and Kyrgyzstan (the CCA3) – part of the Eurasian Customs Union alongside Russia and Belarus – increased by between 15% and 90%.

Shipments to CCA3 countries covering almost 2,000 sanctioned products, including armaments, chemicals, dual-use technologies, and sensitive machinery, rose by an additional 30% relative to other goods, according to the EBRD. U.S. exports to Russia and the CCA3 followed a similar pattern last year, albeit at lower volumes.

At the same time, Armenia, Kyrgyzstan and Georgia all recorded “significant increases” in exports to Russia (see chart). This, says the EBRD paper, suggests that new supply chains have been set up to channel sanctioned products to Russia from these countries, “not necessarily with the knowledge of the Western exporter.”

But direct sales to Russia also remain a concern. This week, PBS News accused a major American machine-tool manufacturer of flouting export controls by supplying a Russian distributor with vital spare parts, which could be used for military purposes, for months after those controls were imposed last year.

Exports to Russia From Armenia, Kyrgyzstan, and Georgia – January 2020-August 2022

Separate analysis by the Silverado Policy Accelerator, a U.S. non-profit organization, published in January argued that former Soviet states “have become key transshipment points for goods that are ultimately sent to Russia.”

It also noted that Russia had significantly increased its imports from non-sanctioning countries such as China and Turkey. These included semiconductors (see chart), machinery, and heavy trucks, as well as consumer goods such as smartphones and domestic appliances.

Exports of Integrated Circuits to Russia From China and Hong Kong – January-November 2022

In recent months, U.S. officials have called on China, Turkey, South Africa, and the United Arab Emirates (UAE), among other countries, not to help Russia evade its sanctions.

Together with their E.U. and U.K. counterparts they are also reported to have visited the UAE to express concern that it is becoming a key shipment hub for electronic components and other sensitive products being re-exported to Russia.

The E.U. recently imposed sanctions on a Dubai-based subsidiary of the Russian state-owned shipping company Sovcomflot, a key player in supporting the country’s energy revenues, as part of a new package of measures.

Russian Interests and Indirect Business Relationships

Russian ownership of foreign entities is one potential type of supply conduit of sanctioned goods into the country.

Interos’ global relationship platform highlights 166 entities based in the UAE that are wholly or partially owned by Russian interests.

Similar numbers are located in both Armenia and Hong Kong, according to the data, although these are dwarfed by the thousands of entities registered in European countries such as the Czech Republic, U.K., Germany, Latvia, Bulgaria, and Italy.

Another source of supply is links between Western firms and intermediaries in countries accused of supplying Russia’s war effort. Our analysis here reveals:

  • Almost 700 relationships between Russian end customers and 170-plus distinct suppliers in China, Turkey, India, Uzbekistan, and other Central Asian countries.
  • More than 8,100 relationships between these suppliers and over 1,750 distinct Western firms in the U.S., Canada, E.U., and U.K.

What this shows is that the global network to support deliberate or inadvertent illicit trade with Russia – so-called “supply chain washing” – is extensive and the risks of breaching sanctions and export controls are high.

“Red Flags” to Watch Out For

In their “tri-seal compliance note” published on 2 March, the U.S. Department of Commerce (DOC), Department of the Treasury and Department of Justice (DOJ) urged companies to be on the lookout for “warning signs of potential sanctions or export violations.”

It listed 13 common “red flags” to watch for, including:

  • The use of shell companies to obscure ownership, origin, and funding sources
  • A reluctance by customers to share information on product end-use
  • Last-minute changes to shipping instructions
  • The use of residential addresses and personal e-mail accounts
  • Transactions with entities that have little or no web presence
  • Routing of products through transshipment points in China, Turkey, Armenia, and other countries that have boosted trade with Russia.

The note emphasizes that the DOJ “has pursued criminal charges against those who it alleges are using front companies and intermediate transshipment points to evade Russia-related U.S. sanctions and export controls”.

Separately, the DOC’s Bureau of Industry and Security has published a compendium of its investigations into sanctions busting in several countries, including Russia, to illustrate the legal and financial penalties that can result from non-compliance.

A group of E.U. countries, including France and Germany, has also recently been pushing for tougher action against companies found to be circumventing sanctions and aiding Russia’s war effort.

A Call to Action to Uphold Russia Import Restrictions

In the light of these warnings and developments, procurement, supply chain, and business leaders at Western companies should:

  • Screen both existing and new customers using the latest U.S., E.U. and other restrictions lists – information that is updated regularly on Interos’ Resilience platform.
  • Understand the direct and indirect relationships their organizations have with firms in high-risk intermediary countries for sensitive and sanctioned products.
  • Ensure that their due diligence and risk management programs empower staff to report any concerns and potential breaches of sanctions rules in a timely manner.

Although Russia has clearly been able to obtain many products from alternative sources in the year since Western sanctions were massively stepped up, there is little doubt it is paying a high price (literally) for Vladimir Putin’s actions.

Stories about microchips being removed from washing machines and other consumer products to supply its military machine suggest that its ability to weather the ever-growing list of restrictions has been limited so far.

However, as the war drags on further into its second year, alternate supply chains may begin to pick up more of the slack – hence the current focus and call to action by U.S. and European governments directed at companies around the world.

The World in Flux: Preparing for Unthinkable Risks

By Andrea Little Limbago 

Globalization is undergoing a significant transformation. Along geopolitical fault lines, global economies are decoupling, while simultaneously like-minded countries are seeking greater integration. This reglobalization of the international system is defining the new normal, introducing a range of opportunities as well as risks.  

The shockingly swift collapse of Silicon Valley Bank (SVB), China’s announcement seeking greater technological self-sufficiency, California’s record-breaking snowfall and floods, and the U.S., U.K., and Australia trilateral pact announcement, all occurring around the same time, are indicative of this new normal.  

As the International Monetary Fund’s Managing Director noted, organizations need to “think of the unthinkable” to better build toward resilience in light of disruptions. This requires a mindset shift regarding systemic risk – moving from a siloed view of “known” risks (e.g., the shutdown of a single supplier with poor credit) to a multi-faceted approach that accounts for hyper-dependencies in a world routinely shocked by unforeseen risks (e.g., the 48-hour collapse of an industry-leading and deeply connected bank). Organizations that successfully build on and expand their risk mindset to encapsulate the multitude of economic, political, climatological, and technological transformations underway will be at a competitive advantage going forward; those that fail to do so will be ill-equipped to navigate these “unthinkable” risks. 

Multi-faceted Risk and Supply Chain Catastrophe in a Reglobalized World (aka The New Normal)

Traditional risk frameworks crafted over the last few decades are inadequate to address today’s risk landscape consisting of hyperconnected digital economies and multi-layered business ecosystems. That does not mean they aren’t useful — they’re simply not flexible enough to keep pace with modern change.  

The first quarter of 2023 alone has witnessed a series of shocks that were once unthinkable. Ransomware infiltrated a major supplier in the semiconductor industry and propagated across technology and defense communities, causing a $200M hit to its revenue, as well as a $250M hit to a customer. The Middle East may be on the verge of a major transformation following an unprecedented, China-brokered deal to reestablish diplomatic relations between longtime bitter foes Saudi Arabia and Iran. The deal reflects a shift in the balance of power and China’s growing influence in the region. And now SVB – dubbed the tech industry’s banker – experienced the second largest bank failure in U.S. history, with ripple effects from China to Europe. 

These “unthinkable” events reflect a new status quo for all manner of risks. For cyber risk, an expanded mindset that includes, but also looks beyond, vulnerabilities is essential. Threats, regulations, and anomalous behavior must also be part of a coordinated cyber risk mindset. On the geopolitical front, organizations must account for changing fault lines which continue to foster new alliances and new divisions. And for financial risk, solvency is foundational, but as the events with SVB illustrate, continuously monitoring solvency alone is not enough. A more nuanced view of financial risk is required to achieve operational resilience against financial volatility in the new normal.

For example, in addition to solvency, the volatility of equity returns often represents a timelier examination of the business risk of a company. Equity markets are more sensitive to new information and can react more quickly than accounting-based solvency metrics reflect. SVB is particularly instructive. For the five years from 2018-2022, SVB Financial’s market fluctuations largely behaved within an expected range. However, in the 47 trading days between January 3, 2023 and March 9, 2023, SVB experienced volatility outside of the expected range it exhibited the previous five years.

By monitoring stock price volatility outside of historical expectations, organizations can gain a more complete picture of business risk. 
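The check described above, as an added worked example that is not Interos’ code: it compares the rolling volatility of daily log returns in a recent period against the distribution of rolling volatility in a multi-year baseline and flags any recent window that sits more than a chosen number of standard deviations above the baseline mean. The 20-day window, the 3-sigma threshold, the 252-day trading year, and the price series itself (a repeating seven-day return cycle followed by three constructed sell-off days, so the baseline is deterministic) are all assumptions; none of the numbers are SVB data.

```python
"""Flag stock-price volatility outside a historical baseline.

Added example (not Interos code). Assumptions: a 20-day rolling window,
a 3-sigma breach threshold, 252 trading days per year, and a constructed
price series in place of real market data.
"""
import math
from statistics import mean, pstdev

TRADING_DAYS_PER_YEAR = 252                       # assumption: US equity calendar
BASELINE_DAYS = 5 * TRADING_DAYS_PER_YEAR         # five-year baseline (1260 daily returns)
RECENT_DAYS = 47                                  # the 47-trading-day period under review
WINDOW = 20                                       # assumption: roughly one trading month
Z_THRESHOLD = 3.0                                 # assumption: 3-sigma above baseline mean


def log_returns(prices):
    """Daily log returns r_t = ln(P_t / P_{t-1})."""
    return [math.log(b / a) for a, b in zip(prices, prices[1:])]


def rolling_volatility(returns, window):
    """Population standard deviation of each trailing window of daily returns."""
    return [pstdev(returns[i:i + window]) for i in range(len(returns) - window + 1)]


def detect_volatility_breaches(prices, baseline_days, window=WINDOW, z_threshold=Z_THRESHOLD):
    """Score recent rolling volatility against the baseline's own rolling-vol distribution.

    Returns (baseline_mean, baseline_sigma, breaches), where each breach is
    (day index within the recent period, rolling volatility, z-score).
    """
    returns = log_returns(prices)
    baseline_vols = rolling_volatility(returns[:baseline_days], window)
    recent_vols = rolling_volatility(returns[baseline_days:], window)
    mu, sigma = mean(baseline_vols), pstdev(baseline_vols)
    if sigma == 0:
        raise ValueError("baseline volatility is constant; nothing to score against")
    breaches = []
    for i, vol in enumerate(recent_vols):
        z = (vol - mu) / sigma
        if z > z_threshold:
            # report the last day of the window, i.e. when the breach becomes visible
            breaches.append((i + window - 1, vol, z))
    return mu, sigma, breaches


# Constructed data: a calm seven-day return cycle repeated through the baseline and the
# first 44 recent days, then three sell-off days. Deterministic, so results are reproducible.
CALM_CYCLE = [0.010, -0.020, 0.015, 0.000, -0.010, 0.020, -0.025]
CRISIS_RETURNS = [-0.05, -0.12, -0.60]


def build_constructed_prices(start_price=100.0):
    """Turn the constructed daily returns into a price series."""
    n_calm = BASELINE_DAYS + RECENT_DAYS - len(CRISIS_RETURNS)
    returns = [CALM_CYCLE[k % len(CALM_CYCLE)] for k in range(n_calm)] + CRISIS_RETURNS
    prices = [start_price]
    for r in returns:
        prices.append(prices[-1] * math.exp(r))
    return prices


if __name__ == "__main__":
    mu, sigma, breaches = detect_volatility_breaches(build_constructed_prices(), BASELINE_DAYS)
    print(f"baseline rolling vol: mean={mu:.4f} sigma={sigma:.4f}")
    for day, vol, z in breaches:
        print(f"day {day} of recent period: rolling vol {vol:.4f} (z={z:.1f}) exceeds baseline")
```

On the constructed series the calm recent windows score well inside the baseline range, and the three sell-off days are flagged as soon as each enters the 20-day window, which is the behaviour a monitoring job would act on: a breach is a trigger for due diligence on that supplier, not a verdict. With real data, the baseline should be long enough to contain ordinary market stress, otherwise routine swings will breach a threshold set against an unusually quiet history.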

Risk Ecosystems in the New Normal

Despite the splintering of many historic trade ties along geopolitical fault lines, the new normal will remain defined by interdependence. The pandemic demonstrated how shocks can propagate across industries and countries, as did Russia’s invasion of Ukraine. In addition, over the last year, global democracies collaborated at unprecedented (for modern times) levels, inspiring a sanctions regime against Russia that continues to grow. Russia’s invasion also stimulated enormous shocks that rippled across interdependent supply chains, from key metals to wheat and grains to natural gas. Organizations that believed themselves immune from the ripple effects were soon exiting Russia, some of which have since seen their stock prices impacted due to direct exposure to the conflict.  

In a similar manner, the contagion impact of the SVB collapse continues to garner scrutiny. For instance, customers of HR software startup Rippling experienced payroll delays because it relied on SVB to process the transactions. Thousands of corporate payrolls have been impacted even if they weren’t direct SVB customers. In the new normal, “invisible” software supply chains like this are taking on a greater importance as an expanded view of critical business relationships comes to include everyone from buyer to supplier, investor, or borrower. 

These kinds of connections and dependencies affect every industry. Interos’ analysis revealed the top seven industries with business relationships to SVB include: software, biotechnology, healthcare equipment and supplies, communications equipment, pharmaceuticals, semiconductors and semiconductor equipment, and IT services. This diversity shows how far-reaching the effects of such a collapse may be.  

Moreover, the contagion concerns are not limited to the U.S. Many Chinese companies are scrambling in light of the collapse. Based on Interos data, roughly 11,000 companies have direct ties to Chinese companies with business relationships with SVB. European banks also experienced a decline in stock prices as contagion fears spread, with Credit Suisse shares falling to a record low on Wednesday. 

Operational Resilience in the Face of Potential Supply Chain Catastrophe

A range of forces has ushered in a once-in-a-generation global supply chain transformation – the pandemic, escalating geopolitical tensions, climate change, economic anxiety, and emerging technologies. Global trade is expected to reach a record $32 trillion, while at the same time the pace of global trade growth has slowed and allyshoring is reshaping trade patterns. During a time of heightened transformation, what was unthinkable in previous eras must be imagined – and mitigated against today and tomorrow.

A siloed or outdated approach to risk is not enough to achieve operational resilience amid sweeping global changes. Organizations must continuously monitor a range of new and emerging risks and gain visibility across their extended supply chain. With an expanded view of risk, organizations can also proactively identify potential vulnerabilities in their supply chain and more easily conduct the due diligence required to inform key decisions – such as alternative suppliers, diversification, and reshoring strategies.

Shifting mindsets toward the unthinkable is unfortunately a core component of operational resilience in this new normal. Working together to build collective resilience – through innovations in technology, processes, and collaboration – will be the best defense against the risks you can’t imagine today. 

Interos supports organizations seeking to minimize these risks through advanced risk intelligence, supply chain scoring, and relationship discovery technologies that automate assessment, detection, and incident response. This gives procurement and other supply chain leaders a powerful way to quickly produce a list of at-risk suppliers for due diligence and continuous monitoring. 

For more information, contact Interos Customer Success: [email protected] 

Escalating Restrictions & Sanctions Threaten to Fragment Global Trade and Supply Chains

By Geraint John

Restrictions on global free trade and supply chain relationships are flying around like Chinese “spy” balloons over North America were just a few weeks ago.

Last month, China slapped sanctions on U.S. defense giants Lockheed Martin and Raytheon, ostensibly because of their arms sales to Taiwan. But the move was widely interpreted as retaliation for the U.S. government’s decision a few days earlier to blacklist six Chinese companies it accuses of being involved in China’s surveillance-balloon program.

So far this month, the American military has shot down one high-altitude Chinese balloon and three unidentified objects over U.S. and Canadian airspace. China denies U.S. government claims that the balloon was spying on sensitive installations; its government says the balloon was used purely for weather monitoring.

Regardless of whose version is true, these tit-for-tat sanctions are part of an escalating technology war between the U.S. and its allies on one side and China on the other, one that threatens to blow apart the international trading system as we know it.

Global Trade Restrictions Have Increased Sharply

As with geopolitical tensions, trade restrictions on goods, services and foreign investment have increased sharply in recent years. From 2018, when the Trump administration imposed tariffs of up to 25% on many Chinese imports, to December 2022, the number of worldwide restrictions more than doubled to around 2,500, according to data from the International Monetary Fund and Global Trade Alert.

A new Interos white paper reveals that Russia displaced China as the most targeted country for restrictions last year, following its invasion of Ukraine. More than 1,100 restrictions were imposed on Russian entities in 2022 – almost six times more than China.

Russia is also well ahead of Iran and China in terms of the total number of restrictions imposed by other nations since 1981 (see chart).

Chart showing the top recipients of global sanctions and restrictions. Russia leads by a wide margin, with Iran and China close together in second and third place. Syria is fourth and North Korea is fifth.

On the opposite side, the U.S. dwarfs other countries in the number of restrictions it issues (around 8,000 during the past 40 years). And it has dozens of restricted entity lists across different government departments and industry sectors.

Prominent examples include:

  • The Department of Commerce’s Entity List, which sets out export licensing requirements for hundreds of foreign-owned businesses.
  • Sections 889 and 5949 of the National Defense Authorization Act banning the use of certain Chinese products and services for military purposes.
  • The Department of Homeland Security’s UFLPA Entity List for the Uyghur Forced Labor Prevention Act, which bars imports of tainted products from the Xinjiang region of China.

Keeping up to date with the ever-expanding list of prohibited firms and ensuring your organization doesn’t fall foul of new trade rules has become a more complex task, which is why restrictions risk is one of the six risk factors captured and updated continually in Interos’ Resilience platform.

Implications for Global Supply Chains in Light of Trade Sanctions Against China

Standing back from the detail of these multiple lists and regulations, it’s important to consider the broader implications of the spiraling number of restrictions on international supply chains.

During the past couple of years, the U.S. has implemented progressively tighter and more far-reaching rules around the sourcing of Chinese components and sales of American semiconductors and chip-making equipment to Huawei and other Chinese tech firms.

This is having a dramatic impact on the ability of these companies to scale up production and manufacture products.

Last month, China’s semiconductor industry body issued a strongly worded statement condemning action by the U.S., Japan, and the Netherlands to deny its members vital equipment.

Such measures would “destroy the global semiconductor ecosystem”, it claimed.

Trade Restrictions on China Signal Broader Supply Chain Trend

While complaining loudly and portraying itself as the defender of free trade and globalization – as it did at the World Economic Forum’s meeting of political and business leaders in Davos in January — China is also flexing its trade-restriction muscles.

It has, for example, threatened to stop the export of solar panel manufacturing equipment to the U.S. China dominates the supply chain for this crucial clean-energy technology and could — in a mirror image of its own semiconductor woes — impede American efforts to beef up its domestic solar industry.

Although trade between China and the U.S. grew strongly last year, economists and other critics argue that protectionism, “decoupling,” and politically led moves towards “friend-shoring” (or “ally-shoring”) could have negative consequences for the global economy and supply chains in the years ahead.

These include higher prices, lower efficiency, less innovation, wasted public money through ineffective subsidies and industrial policies, and diminished levels of resilience.

As FT columnist Martin Wolf cautioned in a piece on the “new interventionism” last month: “Fragmentation is very easy to start. But it will be hard to control and even harder to reverse.”

Get more information on trade restrictions, sanctions, regulatory changes and their impact on the global supply chain by reading our latest white paper – the Red Tape Revolution.