Supply Beacon Vol. 4 – Cyber Mercenaries, Chip Complications, and a whole lot of China

January 24, 2022
The Top 5 Supply Chain News Stories You Need to Know
The Supply Beacon is your monthly resilience digest, the 5-minute supply chain and security news drop you can’t afford to miss, delivered with insights from the experts at Interos. Know what you need to – fast.

Facebook says 50,000 users were targeted by cyber mercenary firms in 2021

Private surveillance and hacking groups have used Facebook and Instagram to target at least 50,000 people in over 100 countries, according to a published investigation by Meta, Facebook’s parent company.

The existence of private companies that use sophisticated digital tools to expose secrets from people’s work and private lives—sometimes in legal-but-ethically-dubious ways—is no secret. What this new study shows is that the surveillance-for-hire industry, previously thought to focus on spying on a handful of companies and services, actually involves a much more expansive web of connections. Meta’s investigation outlines private-sector mass surveillance on a scale never before shown.

The perpetrators, so-called “cyber mercenaries” who operate at the behest of governments and private entities, were shown to target journalists, human rights advocates, activists, dissidents, clergy, politicians, and their families – sometimes resulting in torture or worse.

The ultimate goal of Meta’s study is to prompt a broader discussion about the surveillance-for-hire industry. Meta recommends strengthening transparency and “know your customer” laws, deepening industry collaboration to counteract surveillance firms, and increasing accountability through new legislation and export control laws.

Interos Insight: The Meta investigation revealed seven surveillance businesses worldwide that conduct illicit surveillance. These firms’ customers were numerous and diverse, both commercial and governmental. Companies mentioned here are at risk of getting banned or put on ESG or cyber-related restricted lists. A recent example is Israel’s NSO Group, creator of Pegasus spyware, which the US Commerce Department put on its Entity List — a move that sent the company spiraling towards bankruptcy.

Spyware and the privatization of cyber weapons are serious threats to national and personal security. Clients must be aware of related companies in any part of their supply chain that might compromise their business, negatively affect their clients, or wind up on a restricted list like NSO. Interos provides this transparency to companies and their clients via an AI-powered platform that alerts users to threats like these as soon as they are discovered.

We have taken this research a step further: An active internal Interos study has captured data on dozens of countries purchasing surveillance technology from private entities. Some countries are repeat offenders, purchasing this type of software many times over. Interos integrates government surveillance policies and accountability into its cyber risk model and continues to track those governments and companies exploiting the hacking-for-hire market and putting corporate data at risk. To account for the rapid pace of change in the cyber-warfare space, our cyber model is not static and evolves with the changing risk landscape to provide even more comprehensive data to help our customers assess the true risk in their supply chain.  

Nation-state cyber capabilities are increasingly abiding by the “pay-to-play” model: any government — even those with limited resources — can purchase these surveillance and hacking tools from private firms. The software companies conceal who their clients are, making it harder for defenders to find the actual source.  

An Interos map (below) reveals the global proliferation of surveillance software sold to governments and private entities: 

Why your organization needs a software bill of materials 

Summary: The recent Log4j vulnerability exposed systemic problems in how businesses build and monitor their use of open-source software. The Log4j vulnerability was almost immediately weaponized and exploited by criminal gangs who used this exploit to plant crypto-hijacking and other malware. Organizations rushed to find all instances of the exposure in linked libraries, but most had no clear overview of where such instances existed in their systems. Google’s research showed that more than 8% of all packages on Maven Central have a vulnerable version of Log4j in their dependencies.  

CISA has created a dedicated Log4j webpage to provide an authoritative, up-to-date resource with mitigation guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services. Organizational leaders should also review NCSC’s blog post, “Log4j vulnerability: what should boards be asking?” for information on Log4Shell’s possible impact on their organization as well as response recommendations.

Interos Insight: The first line of defense is a good software and dependency inventory  

In last month’s Supply Beacon, we referenced CISA’s SBOM (Software Bill of Materials) educational webpage and their work relating to Executive Order 14028. This EO requires the government’s critical software vendors to supply SBOMs for their products and employ automated tools to maintain trusted source code supply chains.

Over the past month, Log4j has emerged as one of the most severe cyber threats to date. The silver lining of this unfortunate vulnerability is that it is likely to hasten SBOM adoption. It is a concrete example illustrating the need to be fully informed of your cyber exposure across your entire enterprise. Never before has it been more important to map and monitor your whole supply chain. Interos can help partners establish automated mapping, arming them with the visibility to invest in the right, trusted technology while cataloging the use of open source and third-party software to deliver a complete and accurate SBOM with visibility into the supply chain to the nth degree.
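As an added illustration of the dependency-inventory point (example code written for this digest, not Interos tooling or any project’s code): the script below scans a constructed CycloneDX-style SBOM for log4j-core components below an assumed policy floor version, and reports which other component pulled each one in, since the copy that bites is usually the transitive one rather than the version the application declares. The SBOM layout, the component names and the 2.17.1 floor are all assumptions made for the example.

```python
import json
from typing import Dict, List

# Constructed sample SBOM (a CycloneDX-style JSON subset, not a real project's): the app
# declares a patched log4j-core, but its web framework pulls in an older one transitively.
LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@"
SAMPLE_SBOM = json.dumps({
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": LOG4J + "2.14.1"},
        {"group": "com.example", "name": "webfx", "version": "3.1.0",
         "purl": "pkg:maven/com.example/webfx@3.1.0"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
         "purl": LOG4J + "2.17.1"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/com.example/app@1.0.0",
         "dependsOn": ["pkg:maven/com.example/webfx@3.1.0", LOG4J + "2.17.1"]},
        {"ref": "pkg:maven/com.example/webfx@3.1.0", "dependsOn": [LOG4J + "2.14.1"]},
    ],
})


def parse_version(v: str) -> tuple:
    # Maven-style version -> comparable tuple; a qualifier such as '-beta9' or
    # '-rc1' sorts below the plain release of the same number ('2.0-beta9' < '2.0').
    core, _, qualifier = v.partition("-")
    return tuple(int(x) for x in core.split(".")) + ((0,) if qualifier else (1,))


def find_vulnerable_log4j(sbom_json: str, floor: str = "2.17.1") -> List[Dict[str, object]]:
    # Every log4j-core component below the policy floor, with the components that
    # pulled it in. The floor 2.17.1 is an assumed policy value, not from the newsletter.
    bom = json.loads(sbom_json)
    floor_v = parse_version(floor)
    parents: Dict[str, List[str]] = {}  # child purl -> parents that depend on it
    for dep in bom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, []).append(dep["ref"])
    findings = []
    for comp in bom.get("components", []):
        if (comp.get("group"), comp.get("name")) != ("org.apache.logging.log4j", "log4j-core"):
            continue
        if parse_version(comp["version"]) < floor_v:
            findings.append({"purl": comp["purl"], "version": comp["version"],
                             "introduced_by": parents.get(comp["purl"], [])})
    return findings
```

Running `find_vulnerable_log4j(SAMPLE_SBOM)` on the constructed SBOM flags only the 2.14.1 copy and attributes it to `webfx`, which is exactly the case a flat "what do we declare?" review would miss.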

Chip Makers Contend for Talent as Industry Faces Labor Shortage 

Summary: In yet another challenge for the semiconductor industry, the world’s largest chipmakers are fighting for workers to staff the billion-dollar-plus facilities they are building to address the ongoing chip shortage.  

A dwindling supply of qualified workers has worried semiconductor executives for years. That fear has manifested to a far greater degree than anticipated due to the global labor shortage, a pandemic-fueled demand for all things digital, and a race among governments to bolster their local chip-manufacturing capabilities.  

Interos Insight: The US alone expects a shortage of up to 300,000 semiconductor workers by 2025. In recent Interos research, we cited the shortage of skilled laborers as a significant issue in the semiconductor supply chain, one that could undermine the desired outcome of legislative efforts and related investments in production facilities.

The two primary areas expected to face shortages are technicians to run the plants and researchers to design the newest chips. Semiconductor firms are implementing new recruiting plans, and US chip manufacturers are lobbying for more foreign work visas to fill the gap. With semiconductor chips a geopolitical flashpoint for the 21st century, making silicon work appealing is a matter of national security. Leading Taiwanese universities are launching semiconductor-specific courses together with TSMC, and 12 Chinese universities have already created chip-focused colleges to fill the void. Even with growing demand, employment in semiconductors in the United States has remained a problem for the past decade and will likely require substantive policy changes to combat.

U.S. chipmaker Magnachip, China’s Wise Road end $1.4 bln merger deal 

Summary: Chinese private equity firm Wise Road Capital Ltd. and US chipmaker Magnachip Semiconductor Corp. abandoned their $1.4 billion merger agreement struck in 2021. The Committee on Foreign Investment in the United States (CFIUS) had suspended the transaction during the summer, pending its review of the deal due to national security risks. According to the parties’ announcement, they couldn’t obtain CFIUS’s approval despite months of costly attempts. With an uncertain future, Magnachip could not make concrete strategic plans, affecting its equity valuation. It has hired JPMorgan as an advisor as it attempts to find another buyer a year later.

Interos Insight: Over the past few years, cross-border transactions involving any technology or sector deemed critical and a risk to US national security have seen a significant surge in CFIUS investigations. US protection over semiconductor assets is unremarkable; what was notable and unexpected is CFIUS’s involvement in a transaction between two non-US companies. CFIUS’s jurisdiction is triggered by a takeover of (or certain types of investments in) a “US business.” Other than Magnachip’s Delaware parent company, which essentially serves as a holding company, the business has no US entities and no US employees. Its research, development, and functional operations are all located and conducted outside the country. While some may think that CFIUS’s jurisdiction over any particular deal is limited, the Committee is obligated to act whenever anything seen as critical to the US defense, intelligence and national security community is involved. In this case, it was the supply chain for semiconductors. After the enactment of the Foreign Investment Risk Review Modernization Act (FIRRMA), Treasury and other Departments have dedicated considerable resources to expanding and developing CFIUS’s authority to identify concerning transactions.

Under CFIUS’s expanded regime, some transactions (including takeovers of companies with technology subject to US export controls) must be reported. Parties should not overlook the possibility that regulators could intervene after definitive agreements are signed, and sometimes even years after closing. And even in those cases where the mandatory filing triggers are not present, a voluntary filing is still warranted. Interos’ supply chain maps help customers identify the ownership and extended relationships, as well as the financial and regulatory risk, of companies to which your organization is connected, enabling businesses to identify potential FIRRMA concerns before they manifest.

Biden signs bill banning goods from China’s Xinjiang over forced labor 

Summary: US President Joe Biden signed into law legislation that bans imports from China’s Xinjiang and imposes sanctions on individuals responsible for forced labor in the region. 

The Uyghur Forced Labor Prevention Act is part of the US pushback against Beijing’s treatment of China’s Uyghur Muslim minority, which Washington has labeled genocide. The bill passed in late December after lawmakers reached a compromise between House and Senate versions.

Key to the legislation is a “rebuttable presumption” that assumes all goods from Xinjiang, where Beijing has established detention camps for Uyghurs and other Muslim groups, are made with forced labor. It bars imports unless proven otherwise.  

The Uyghur Forced Labor Prevention Act cements the Administration’s sights on three products in particular: cotton, of which Xinjiang is one of the world’s largest producers; tomatoes; and polysilicon, a material used to produce solar panels.  

Interos Insight: The Act is the latest in intensifying US penalties against China for alleged abuse of ethnic and religious minorities. Earlier in the year, US Customs and Border Protection (CBP) within DHS started to detain cotton products and tomato products produced in China’s Xinjiang Uyghur Autonomous Region.

Country-specific or, in this case, region-specific restricted lists are growing by the day. Just the week before Biden signed the Act, the US government put investment and export restrictions on dozens more Chinese companies, including top drone maker DJI, accusing them of complicity in the oppression of China’s Uyghur minority and of helping the Chinese military. Human rights risks are almost impossible to track throughout your extended supply chain with manual methods like surveys or spreadsheets, a challenge that will only grow as these restricted lists continue to expand. Interos’ mapping provides insight into every restricted list, with a scoring system that not only ensures compliance but helps you assess potential exposure and avoid reputational or operational harm, so you can source with confidence.

And a Follow-up: 

Minmetals confirms China rare earths merger, creating new giant 

Summary: Since we last discussed the matter in last month’s Beacon, final details of China’s newly formed, massive global force in the rare earths space were confirmed. The consolidation gives China the ability to control pricing, increase efficiency, and secure its strategically crafted dominance and competitiveness. Three of China’s Big Six rare earth groups will team up in a merger to create the world’s second-biggest producer, a state-owned enterprise.

The group would have significant pricing power for some rare earth elements such as dysprosium and terbium, which are essential for producing high-performance magnets. 

Interos Insight: This consolidation comes at a critical time as Washington grapples with US and Allied dependence on Chinese rare earths. In response, a February executive order identified critical minerals as one of four key areas in need of a complete review and improved policy options to address related risks to the supply chain. Considering the importance of rare earths to national security, it would not be a stretch to imagine a related US State Department strategy for our Allied partners, or the potential inclusion of the Chinese critical mineral companies on the section 1260H list of the National Defense Authorization Act for Fiscal Year 2021, since they are “military-civil fusion” operators in the Chinese industrial base.

A bipartisan piece of legislation (the Restoring Essential Energy and Security Holdings Onshore for Rare Earths Act) has already been introduced in the US Senate. It would force defense contractors to stop buying rare earths from China by 2026, and it would track and disclose the country of origin of certain rare earth metals used in systems delivered to the military. Companies with any component in their supply chain that requires rare-earth materials will want to keep abreast of related policy and legislative developments.

That’s this month’s Supply Beacon. Looking to learn more about supply chain risk and operational resilience? Check out Got a suggestion for next month’s newsletter? Send us the scoop at [email protected] or tweet us at @InterosInc!
