Spyware and Sanctions Create Emerging Supply Chain Risks

On the surface, the recent spyware campaign by the Vietnamese government against U.S. politicians may not seem relevant to supply chain risk. That would be a faulty assumption. More than 70 governments have deployed spyware over the last decade. While government officials and journalists are often the targets, the private sector is not immune. Businesses located in countries with governments deploying spyware and pursuing digital authoritarianism – widespread data and internet control – face a heightened risk of data exfiltration.

But spyware doesn’t just create cybersecurity risks, it also creates regulatory risk. Earlier this year, the Biden Administration introduced new restrictions on spyware companies due to the security risks they pose. Along with the UFLPA, these additions reflect a growing focus on human rights violators. These changes acknowledge “the increasingly key role that surveillance technology plays in enabling campaigns of repression and other human rights violations.”

In the new normal defined by geopolitical fault lines and a splintering of cyber norms, both the deployment and production of spyware should be a growing consideration for supplier due diligence and risk assessments.

The Proliferation of Spyware

Spyware is a form of malicious software installed on devices to collect information without the owner’s consent. Previously, governments had a near monopoly on these capabilities. However, thanks to the privatization of spyware, offensive cyber capabilities continue to proliferate among state and non-state actors. NSO Group, Cellebrite, and Candiru are just a few of the companies selling spyware. A recent Interos analysis assessed the number of spyware companies linked to national governments. The number reached into the double digits in some cases.

Global map showing how many spyware companies have been linked to a national government, by region. Hot spots include Mexico, Columbia, Morocco, Nigeria, Saudi Arabia, and Thailand.

These numbers only reflect the open source disclosure of spyware. In reality dozens of governments now possess some level of offensive cyber capabilities, the majority of which remain classified. China leverages spyware for widespread espionage campaigns, while reporting has linked numerous governments to Pegasus spyware. This year’s ODNI (Office of the Director of National Intelligence) Annual Threat Assessment notes “commercial spyware and surveillance technology, probably will continue to threaten U.S. interests.” ODNI estimates the commercial spyware industry to be worth $12 billion. Vietnam’s targeted deployment of spyware reflects this growing risk.

Spyware and Restrictions

The proliferation of commercial spyware and surveillance technologies is not only a security risk. It is also reshaping the regulatory environment. Section 889 of the 2019 NDAA was among the most expansive prohibitions against the use of surveillance technologies by federal agencies and their partners. Focused on Huawei, Dahua, ZTE, Hytera, and Hikvision, and their subsidiaries, Section 889 reflects the growing risks of surveillance technologies due to both data exfiltration risks as well as regulatory risks.

While Section 889 focuses on dual use surveillance technologies, this year’s Executive Order explicitly addresses commercial spyware focused on surveillance and data exfiltration. It has already resulted in several more companies being flagged as surveillance risks. This includes the addition of Intellexa and Cytrox to the Entity List. Initially, restrictions such as Section 889 largely focused on companies partnering with the United States governments. However this has been extended to a broader commercial restriction following the inclusion on the Entity list. This is not only a U.S. concern; the E.U. has called for a ‘de facto’ moratorium on spyware in May, while Australia has similarly debated controls on commercial spyware.

Looking Ahead: The Splinternet & Supply Chain Risks

Just as globalization and supply chains continue to be upended along geopolitical fault lines, so too does the internet. Reflecting opposing norms toward digital government intervention and data privacy, today’s siloed and fractured “Splinternet” introduces new digital risks across a company’s supply chain. Digital authoritarianism, wherein governments seek digital sovereignty and control over the Internet and the data passing through it, is on the rise and is powering the proliferation of spyware. While democracies are not immune from the use of spyware for national security, authoritarians are much less constrained on their use of offensive cyber capabilities across a growing population of targets.

The ODNI Annual Threat Assessment summarizes the national and commercial risks posed by digital authoritarianism and offensive cyber capabilities. Revelations of Vietnam’s use of spyware is not surprising to those following the expansion of digital authoritarianism. Over the last few years, Vietnam has adopted increasingly stringent data restrictions, including mandating local data storage and government control over data. These laws have prompted comparisons to Chinese digital authoritarianism and the data trap which eliminates corporations control over their own data.

Vietnam also is a top contender for companies seeking to diversify supply chains away from China. While it may provide favorable labor and economic environments, Vietnam’s cyber risks are often overlooked. While governments are more-frequently targeted than corporations by spyware, history has proven that it’s only a matter of time before business are equally under fire by adversaries with espionage or profit motivations.

Diversification with Cybersecurity and Regulatory Risk in Mind

As companies explore reshoring and supply chain diversification, the cybersecurity risk environment must be part of the calculation. A growing component of this analysis is the offensive deployment of spyware for data exfiltration. Similarly, surveillance technologies within a supply chain are also at heightened risk of regulatory fines and penalties. These heightened risks reflect ongoing geopolitical and technological transformations and introduce a range of opportunities and risks.

Those who prioritize and design operational resilience in sync with these transformations will gain a competitive advantage and be better prepared for the new normal compared to those who remain focused on the risks of yesteryear.

To learn more about how to identify and combat risks related to spyware in your supply chain, contact Interos. 

Child Labor is a Growing Risk Across American Supply Chains

By Geraint John and Taiwo Ogunbayo

Child labor is an issue most often associated with countries in the developing world – but it’s also a growing risk for companies with supply chains in the United States.

Investigations by U.S. government agencies, research firms, non-governmental organizations and media outlets reveal a spike in the number of children working illegally for U.S.-based suppliers, some of them used by major American companies. Since the beginning of 2022, Interos has identified 139 companies implicated in breaches of child labor regulations in the U.S. alone.

In June, an ESG advisory firm owned by Goldman Sachs downgraded U.S. supply chains from “medium” risk to “high” risk, in part because of the treatment of migrant and other children.

Aside from financial penalties for non-compliance with child labor laws, U.S. firms run the risk of damaging their brand reputations by being associated with illegal practices taking place within their domestic supply chains.

A Global Problem Mirrored in the U.S.

Child labor is a growing problem globally. Around 160 million children aged 17 or under – almost 1 in 10 of the world’s population – were working in factories, on the land or in other jobs in 2020, according to Unicef.

This figure was up by over 8 million on 2016 estimates, with agriculture accounting for more than 70% of children in work.

However, this growth is not limited to traditional hotspots in Sub-Saharan Africa, Pakistan, India and other developing countries. In February, the U.S. Department of Labor announced a crackdown after the number of child labor law violations jumped by 69% since 2018 and 283% since 2015 (see chart).

The U.S. Fair Labor Standards Act (FLSA) of 1938 sets a minimum working age of 14 and limits the number of hours that can be worked by minors under 16. The act also bars those under 18 from working in hazardous occupations.

The labor department’s most recent data shows that:

  • The U.S. government has successfully prosecuted 835 cases involving the illegal employment of more than 3,800 children in U.S. fiscal year 2022.
  • The annual number of cases involving children working in hazardous jobs almost doubled, to 688, between 2015 and 2022.
  • Fines for child labor law violations totaled almost $4.4 million in FY 2022 – up 315% on 2015.

 

Cases Reflect Migration and Labor Market Conditions

Since 2022, Interos has documented 139 companies implicated in breaches of child labor regulations in the U.S. Our analysis found that:

  • These entities are connected to more than 600 U.S.-based customers, heightening the risk of child labor violations for those companies.
  • The sectors with the highest incidence of violations include food services and restaurants, transportation equipment manufacturing, and administrative support services.

Media reports over the past year have highlighted a number of cases in these and other industry supply chains of major U.S. and foreign companies. For example:

  • An investigation by Reuters last year discovered underage children being used in auto parts factories supplying South Korean car makers Hyundai and Kia in Alabama.
  • Earlier this year, a Wisconsin-based cleaning supplier used by JBS Foods, Cargill, Tyson Foods and other meat processing firms was fined $1.5 million for illegally employing more than 100 minors at sites across eight U.S. states in the south and Midwest.
  • The Department of Labor investigated a Michigan-based snack-food and cereal manufacturer supplying household-name brands after being called out in a New York Times article.

Migrant children are particularly at risk. There has been a big rise in the number of Central American children sent unaccompanied by their parents to work in the U.S. More than 250,000 are reported to have entered the country in the past two years alone.

Another contributing factor is the state of the U.S. labor market. With firms in many industries hit by rising wage costs and a shortage of workers, pressure on state legislators to relax some FLSA regulations has intensified.

To date, 14 states – including Arkansas and Iowa – have proposed or enacted laws that weaken federal restrictions on child labor, according to the Economic Policy Institute.

With an increasing number of states relaxing their child labor regulations, the U.S. is likely to see a continued rise in the number of reported and investigated cases over the next few years.

Child Labor Requires Focus and Visibility

Perhaps because it is regarded as a “developing world problem”, child labor has not been as high on the ESG agenda for many Western firms as either environmental issues or other working conditions such as forced labor.

A recent Interos survey of 750 procurement leaders in the U.S., Canada, the U.K. and Ireland found that child labor ranked the lowest of nine ESG activities, in terms of the progress made with suppliers to tackle it during the past three years (see chart).

Almost one-quarter of the 400 U.S. respondents in aerospace & defense, financial services, energy, healthcare and federal government reported either no progress or regression on child labor. Only 10% believed this type of supply chain risk was “not applicable” to their organizations.

Chart showing survey results ranking progress made by procurement executives in resolving ESG issues - child labor is last.
One of the main barriers to making progress with suppliers on child labor, as on other ESG issues, according to our survey findings, is a lack of sub-tier visibility.

A common source of supplier risk in several recent U.S. cases is recruitment agencies, which are often present two or three tiers deep in the supply chain. Several have been blamed for supplying children to customer workplaces without properly verifying their ages or legal status.

Not knowing who your tier-1 or tier-2 suppliers use for staffing, other services such as cleaning and catering, as well as product manufacturing, in turn results in a lack of awareness about both child labor risks and specific instances of illegal activity.

Just 16% of U.S. procurement leaders were confident they would be aware of a supplier ESG violation in most or all of their supply chain tiers within 48 hours (see chart).

Pie chart showing visibility levels procurement leaders have on ESG supply chain violations. Most would not be aware of ESG violations within 48 hours in most tiers of their supply chains.

 

What American Leaders Need to Do

To manage domestic regulatory and reputational risk around child labor effectively, U.S. procurement and supply chain leaders need to:

  • Strengthen sourcing policies and supplier codes of conduct to make it clear that the illegal use of child labor in U.S. operations is unacceptable.
  • Ensure that contractual terms specify the right to on-site audits of direct and, in certain circumstances, indirect suppliers to check they abide by federal and state child labor laws.
  • Invest in software tools to map multi-tier supplier relationships, model supplier ESG risks, and continuously monitor events involving the potential use of child labor.
  • Keep a close watch on suppliers in sectors implicated in employing illegal child labor, such as cleaning services, contingent staffing, and low-valued-added product manufacturing.
  • Assess child labor risks and mitigation plans in regular review meetings with key suppliers.

The growing catalog of evidence and convictions demonstrates that child labor is not an issue that U.S. companies should be concerned about only in their foreign supply chains; it is one that also requires action in multiple industry sectors within America itself.

As with other forms of ESG risk, complacency is not a safe route to compliance.