Salt Typhoon Telecom Hack Rattles Critical Infrastructure

Salt Typhoon: What Happened and Why Does it Matter?  

Salt Typhoon was the “worst telecom hack in our nation’s history,” according to Senator Mark Warner, Chair of the US Senate Intelligence Committee.

Salt Typhoon, a Chinese-affiliated hacker group, compromised at least 8 U.S. telecom providers, stealing a large amount of data, including records of government officials and political figures.

The attack was unprecedented in scope and began in 2022. 

The extent of the breach is still unknown, with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) saying it would be impossible to predict when the hackers would be fully removed from the systems.


 

Downstream Supply Chain Impact 

Jessica Rosenworcel, Chairwoman of the Federal Communications Commission announced the need for “a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.” 

In our interconnected world, this extends to vulnerabilities in your supply chain.  

Using interos.ai’s data, we see the Salt Typhoon attack impact could ripple out to 3.3 million distinct companies in the extended supply chain of 4 of the largest telecom companies in the US.

We estimate that the affected telecom companies represent a significant portion of the U.S. economy, serving over 350 million wireless customers collectively and generating more than $334 billion in annual revenue.  

If even a fraction of these systems remains compromised, the downstream impact on businesses reliant on secure communications could reach into the tens of billions in economic losses. 

Ted Krantz, interos.ai’s CEO Discusses New Era of Cybersecurity  

“Beyond the immediate blast radius, we must consider the future ramifications. Cyberattacks like this can fuel cascading effects we aren’t yet prepared for—whether that’s enabling more sophisticated surveillance of private citizens or jeopardizing critical infrastructure. Each stolen record costs the economy an average of $169, according to industry data. Multiplied by the potential number of affected individuals, the total economic cost could exceed $15 billion in direct and indirect damages within the next year alone.”

– Ted Krantz, CEO, interos.ai

“The FCC’s proposed clarifications and certification requirements are steps in the right direction, but we must also prioritize collaboration between the private sector, regulators, and intelligence agencies to build a modern cybersecurity framework.” 

“This includes leveraging advanced technologies like AI to improve threat detection and response, increasing transparency across supply chains, and fostering global partnerships to address cross-border cyber threats.” 

“The Salt Typhoon attack may be unprecedented in scope, but it is not surprising. We’re in a new era of attacks targeting critical infrastructure.”  

“This is a battle we’ve been preparing for, and one we must pre-empt with innovation and data-fueled risk intelligence.” 

Defend Against Digital Threats

Before disaster hits, Interos’s critical risk intelligence platform helps companies mitigate the financial impacts of multi-tier risks like cyber attacks by continuously mapping and monitoring extended supply chains at speed and scale.  


 

It’s That Time of Year Again: US Government Releases New Restrictions List

Authors: Andrea Little Limbago, PhD, SVP, Applied AI and Mackenzie Clark, Senior Computational Social Scientist 

Annual Tradition: End of Year Sanctions and Restrictions

Last week’s release of UFLPA and OFAC restrictions follows a recent trend where widespread export controls are released en masse prior to the new year.  

For instance, in December 2023, the Departments of Treasury and State issued sweeping sanctions targeting Russia’s energy production and export capacity. This was followed a few weeks later by an Executive Order (E.O. 14114) that issued another round of sanctions against financial institutions supporting Russia’s military-industrial base. It was also preceded by two different rounds of Russia-related sanctions on December 1 and November 16. 

Similarly, in December 2022, Treasury issued several sanctions targeting Russia’s financial sector, very much in alignment with those issued last Thursday. This continued the trend from December 2021, when Treasury issued distinct sanctions targeting Belarus and entities associated with human rights abuses.  

The UFLPA also made some end of year additions in 2023, although those were much fewer than the 29 companies added last week, which increased the overall entity list to over 100 Chinese companies connected to forced labor.  

We recently covered two of the latest additions and the potential impact they could have on global steel and aspartame (a sugar substitute) supply chains (spoiler: tens of millions of companies could be impacted).

If the past week is any indication of what is to come, organizations should expect more restrictions to follow the path of the recent updates focused on Russian financial institutions and human rights abuses.  

 

The following analysis will answer:  

  • How far do the OFAC and UFLPA-sanctioned companies reach globally?  
  • Which industries are most at risk for potential future sanctions?  
  • How do you react to these and prepare for future sanctions?  

The Latest Round of OFAC Restrictions on Banks and Financial Services in Russia: Who is Impacted?

The latest sanctions announcements from the United States Department of the Treasury and Department of Homeland Security target a wide array of companies in Russia and China. The extended impact of these restrictions, however, has the potential to cascade to companies across the globe.

On November 21, the addition of Gazprombank — and almost 100 other international subsidiaries and affiliates — to OFAC’s Specially Designated Nationals (SDN) List marked the designation of “Russia’s largest remaining non-designated bank.”  

With Russia’s largest financial institutions sanctioned by not only the United States, but other major countries such as Canada and the United Kingdom, it is important to understand where the risk of exposure to these sanctioned banks may still exist. 

Using Interos data, we analyzed the extended supply chains of Gazprombank, VTB Bank, and Sberbank and identified over 7,500 companies across three tiers of supplier relationships that are either directly or indirectly supplied by one of the banks.  

These numbers are relatively low compared to other supply chain propagation, likely due to decreasing integration of Russian banks with the Western economies since the invasion of Ukraine.  

Nevertheless, the scale is by no means trivial and indicates the stickiness of these relationships. 

Of the potentially exposed companies with supplier-buyer relationships linked to the new sanctioned entities, almost 60% of them are located either in the United States or the United Kingdom.  

When leveraging Interos’ Industry Categories designations, we identified the top three sectors represented across the sanctioned companies as Software and IT Services, Banking and Financial Services, and Business Management Services.  

29 Million Companies Could Face Fines from UFLPA Entity List Additions: Agricultural Products, Metals, and Polysilicon in China

Just one day after the new restrictions targeting the Russian banking industry, 29 new companies were added to the Uyghur Forced Labor Prevention Act (UFLPA) Entity List, bringing the total number of companies on the list to over 100.  

This action primarily targeted companies that produce agricultural goods, specifically tomato paste and tomato products, walnuts, red dates and raisins. Other newly restricted companies include exporters of materials and products derived from aluminum, nonferrous metals, and polysilicon. 

Interos conducted an analysis on the extended supply chain of these companies and identified over 29 million companies across three tiers of supplier relationships that are either directly or indirectly supplied by one of the newly restricted UFLPA entities.  

These companies could be subject to UFLPA fines.  

Again, most of the companies that could be impacted — over 34% of them — are located in the United States, followed by the United Kingdom (9%), India (8%), Germany (4%), and Italy (3%) – and thus could be subject to UFLPA fines. 

Leveraging Interos’s Industry Categories reveals that the top three sectors among this group of exposed companies are Business Management Services, Software and IT Services, and Consumer Goods.

These two scenarios, while distinct, highlight the importance of continuously monitoring suppliers of both services and physical goods to avoid potential fines, seizure of imports and reputational damage.  

Which Industries are Most at Risk Looking Ahead?

Given the ongoing implementation of export controls and industrial policy, organizations should plan for future additions to these and dozens of other restrictions lists. Fortunately, there are a few insights to help look ahead and begin de-risking from future regulatory risks. 

For instance, in September, the Department of Commerce’s Bureau of Industry and Security (BIS) introduced worldwide export controls on critical technologies.  

These include additive manufacturing items, advanced semiconductor manufacturing equipment, quantum computing items, and gate-all-around field-effect transistor (GAAFET) technology.

A presumption of denial affects countries deemed a national security concern, including Armenia, Belarus, Cuba, Iraq, North Korea and Russia.  

Companies in these industries, as well as in other critical and emerging technology industries, and companies from those countries are at immediate regulatory risk.

Similarly, BIS also has a high priority list focused on Russian products believed to fuel Russia’s military-industrial complex.  

Companies associated with these products, as well as those across a wide range of critical technologies, are much more likely to appear on a restrictions list in the future than those in other product or industry categories. 

Monitoring Risk Exposure with Risk Intelligence Data

Geography is another means for assessing future restrictions risk.  

In addition to companies in those countries, the BIS Country Groups D and E, companies that are located in – or have a supply chain connection to – the Xinjiang Uyghur Autonomous Region (XUAR) are also at significantly greater risk of future restrictions inclusion.

Using Interos data, we identified over 231,000 other companies located in XUAR that may pose future compliance risks in global supply chains.  

When analyzing three tiers of supplier relationships for these companies, Interos data shows the following industries at the highest risk for potential disruptions if restrictions on XUAR companies continue to expand.  

These are the industries with the greatest frequency across companies in XUAR:  

  1. Business Management Services  
  2. Software and IT Services 
  3. Consumer Goods 
  4. Architectural, Engineering, and Design Services 
  5. Building and Civil Engineering Construction  

In short, last week’s additions to the OFAC and UFLPA restrictions lists are consistent with regulatory updates from the past few years.  

Moreover, by leveraging industry, product, and geographic risk management information, organizations can be more proactive in preparing for export controls against companies that meet those criteria listed above.  

Product and industry categories not only provide value for proactively addressing restrictions risk, but also have several other benefits, such as benchmarking and product tracing throughout supply chains.  

Keep an eye out for a forthcoming blog that will detail these new features and how they impact the full lifecycle of supply chain intelligence. 


New Additions to UFLPA Entity List Show Forced Labor in Supply Chains of 79,000 Companies

Authors: Andrea Little Limbago, PhD and Mackenzie Clark

Steel and Aspartame Companies Join UFLPA Entity List 

Last week, the U.S. Department of Homeland Security announced two new additions to the Uyghur Forced Labor Prevention Act (UFLPA) Entity List. Although the law has been in effect for several years, it marks the first inclusion of a steel or aspartame company on the UFLPA Entity List.  

This reflects the expansion of the UFLPA since its inception, as well as the growing concern and risks associated with forced labor in the supply chain.  

Interos has been closely monitoring the UFLPA since it came into effect, along with dozens of other critical sanctions and prohibitions lists and helps illuminate connections to these companies deep within complex supply chains. 

Cracking Down on Forced Labor in Supply Chains 

The UFLPA aims to eliminate forced labor from supply chains through the prohibition on the importation of goods made in part or entirely from forced labor. The law specifically focuses on the Xinjiang Uyghur Autonomous Region of China, but it also applies to all forced labor in all of China. A review of these companies highlights how important it is to maintain visibility across the entire supply chain ecosystem, as small relationships grow exponentially as you move to the outer tiers of a supply chain.  

Two Companies Identified Puts 79,000 Companies at Risk

The two new additions to the UFLPA Entity List are Baowu Group Xinjiang Bayi Iron and Steel Co. Ltd and Changzhou Guanghui Food Ingredients Co. Ltd.  

According to Interos data, these two companies directly supply over one hundred companies (Tier 1), who in turn supply almost 2,500 companies (Tier 2). Those companies, in turn, supply approximately 79,000 companies, and represent almost 280,000 distinct buyer-supplier relationships (Tier 3). 

Importantly, the UFLPA not only consists of an Entity List, but also prioritizes seven industries for enforcement:  

  1. Apparel 
  2. Cotton and cotton products 
  3. Silica-based products 
  4. Tomatoes and downstream products 
  5. Polyvinyl chloride (PVC) 
  6. Aluminum 
  7. Seafood 

The last three industries were added earlier this summer and represent the first new addition of key sectors since 2022.  

With last week’s inclusion of steel and aspartame companies on the UFLPA Entity List, we should prepare for the potential expansion of those key industries in the near future.  

What Would that Impact Look Like on the Chinese Steel and Aspartame Industries?  

Interos data highlights the widespread impact of the Chinese steel industry. There are over 66,000 companies in China that sell steel or steel products. Globally, over 655,000 unique companies buy from those companies (Tier 1), a number that grows to over 2.6 million companies when looking at the buyers from those companies (Tier 2).  

These numbers pale in comparison to the number of buyer-supplier relationships stemming from those 66,000 companies in China that sell steel or steel products. There are 4.4 million relationships stemming from those companies (Tier 1), which balloons out to over 23 million relationships one hop out (Tier 2), and almost 64 million relationships to the next level of the supply chain (Tier 3). Across these tiers, over a third of the companies are located in the United States, followed by India, the United Kingdom, Germany, and France. 

A similar ripple effect appears when looking at producers of aspartame and aspartame-containing products. There are almost 3,000 companies in China that produce aspartame and aspartame-containing products. The impact balloons to over 200,000 companies that buy from those companies (Tier 1), and over two million companies that buy from those 200,000 companies (Tier 2). 

We again see the number of unique buyer-supplier relationships exponentially increase across the companies that sell aspartame and aspartame-containing products. Globally, there are over 500,000 buyer-supplier relationships linked to those companies in China (Tier 1). Those, in turn, are connected to almost 12 million distinct relationships (Tier 2), which explodes to over 60 million relationships at the next tier (Tier 3).  

Again, over a third of the companies are in the United States, highlighting a potential significant risk if the UFLPA expands to include either of these industries as a key sector for investigation. 

Not Just the US: Global Supply Chain Examination is a New Reality 

The United States is not alone in sanctioning human rights violators within supply chains. The European Union, United Kingdom, and Canada, along with the United States, all initially coordinated sanctions in 2021. As Homeland Security Secretary Alejandro Mayorkas explained, “The UFLPA is catalyzing American businesses to fully examine and assess their supply chains….” The same is true elsewhere, as earlier this year the European Parliament adopted a new law aimed at eliminating all forced labor, not just from China, in the supply chain. 

In return, China is taking steps toward enforcing its own law introduced four years ago that creates an ‘Unreliable Entity List’ for companies evading the Xinjiang Uyghur Autonomous Region and exhibiting discriminatory measures against products made there. This puts companies in a dilemma of conflicting regulatory practices between China and the United States, European Union, and other Western democracies. 

Major Regulatory and Financial Risks at Stake 

Aside from the regulatory and reputational implications, there also are growing financial risks. Almost $3.6 billion worth of goods have been seized under UFLPA enforcement, highlighting the financial as well as reputational and humanitarian risks at stake.  

At Interos, we continue to monitor the regulatory landscape, as well as those industries and companies associated with key sectors or products at risk. Flagging the UFLPA alone is not enough to minimize human rights violations within the supply chain. 

Identification is Not Enough: Compliance Requires a Regional View and Cross-Examination of Human-Rights Violation Lists 

 In addition to the UFLPA, Interos also denotes any company located within the Xinjiang Uyghur Autonomous Region, since the UFLPA specifies the additional scrutiny applied to any goods stemming from that region, whether they are on the Entity List or not.  

Moreover, Interos also specifically flags whether a company is on a human rights-related violations list because other restrictions, such as the Global Magnitsky Act, address human rights violations and must be integrated into a broader strategy of eliminating human rights violations from the supply chain and addressing the associated regulatory and reputational risks.

Take Action:  Root Out Forced Labor from Your Extended Supply Chain 

Interos’ continuous monitoring alerts quickly identify the potential impact of additions to new restricted entities lists across their extended supply chain. This visibility empowers companies to get ahead of potential violations both upstream and downstream in their supply chain. 


 

Hezbollah Device Explosions: A Stuxnet Moment for Supply Chain

Author: Dr. Andrea Little Limbago 

An Inflection Point

Almost six years ago, Bloomberg published a report on Chinese government infiltration of 30 US companies through the technology supply chain. This report was highly controversial within the cybersecurity community and remains openly disputed regarding the validity of inserted ‘spy chips’. Since then, there has been less focus on infiltrated technology supply chains, as the pandemic and trade wars shifted attention away from espionage and toward more traditional industrial policy and risky businesses within the supply chain ecosystem. 

On September 17 and 18, 2024, infiltrated pagers and walkie talkies exploded across Lebanon, escalating the decades-long conflict between Israel and Hezbollah. While investigations remain ongoing, reports point to Israel infiltrating a complex supply chain of devices sold in Hungary, and authorized to sell on behalf of a Taiwanese company, Gold Apollo. While the company sold devices to the broader population, those sold to Hezbollah contained the explosive PETN. As more information becomes available, a picture will likely unfold of complexity and extremely targeted backdoor infiltration of a technology supply chain.  

This past week’s attacks in Lebanon are an inflection point, expanding technology supply chain risks toward supply chain sabotage, and shifting all rules of engagement in supply chain security and modern warfare. Whether or not ‘spy chips’ occurred in the past, given the shift in norms, a line has been crossed, rendering technology supply chain infiltration a growing supply chain security risk in a tenuous geopolitical environment. 

New Rules of Engagement in Modern Warfare 

The supply chain infiltration behind the attacks is on such a distinct scale and scope that it is reminiscent of the turning point marked by the Stuxnet cyber attacks, described as the world’s first digital weapon. In 2010, reports surfaced that several zero-day exploits simultaneously sabotaged Iranian nuclear enrichment facilities. Most research identifies U.S. and Israeli intelligence as the creators of the exploits, which weren’t widely noticed until they spread beyond the Natanz facility.

Viewed as the first digital weapon to cause physical damage, it shifted all cyber norms and rules of engagement and opened Pandora’s Box to the modern cyber threat landscape. From the 2012 Saudi Aramco attacks, where wiper malware destroyed over 35,000 computers, to Russia’s BlackEnergy cyber attacks on the Ukrainian energy grid in 2015 and 2016, to Iran’s failed penetration of New York’s Rye dam, the targeting of physical infrastructure by cyber attacks is no longer unexpected or unprecedented. In fact, earlier this year FBI director Christopher Wray detailed how China is burrowed deeply within US infrastructure.

The Tipping Point for Security Risk 

In a similar manner, just as Stuxnet upended the norms of cyber behavior and physical destruction, the explosive devices used against Hezbollah will upend all norms behind supply chain infiltration and destructive effects. There already has been a growing national and economic security concern over risky businesses within the supply chain ecosystem. Since 2016, the US has added thousands of companies to a range of sanctions lists, many of which are deemed national security risks.  

Five years ago, the Pentagon blocked the military from purchasing phones made by Huawei and ZTE due to national security risks. This has been a growing trend across the globe, as India blocked Chinese apps, China blocked Kaspersky and Symantec, Australia removed Chinese security cameras, and so on. These have often been coined backdoor risks, as companies legally enter a supply chain ecosystem without any need for obfuscation.

These have generally focused on software, not hardware, backdoors into systems. Last week, we may have witnessed the tipping point for hardware backdoor supply chain security risk based on the insertion of illegal or unknown physical parts. While distinct in its execution, there has been growing concern over the security of the hardware supply chain. 

The US CHIPS and Science Act, in part, targets this risk by incentivizing the manufacturing of semiconductors domestically. Nevertheless, the exploding devices manifest the real-world impact when foundational technologies are used as Trojan horses to carry out military objectives. As we have seen with Stuxnet, once that Pandora’s box is opened, it is a game-changer in the risk landscape and global norms.

How Can Companies Protect Themselves in this New Norm? 

To prepare for yet another significant disruption shaping the new normal, there are several steps organizations can take.  

First, foundational risk approaches still hold true but require even greater diligence. Perfunctory risk processes are inadequate for this risk landscape. Know your supplier (KYS) takes on even greater importance, not just within direct suppliers but across the entire supply chain ecosystem. This, in turn, requires augmented visibility across your supply chain, a difficult feat due to the hyperspecialized and complex supply chains built over the last few decades where geopolitics was not taken into account. 

Gaining that visibility is just the start; additional context is required. For instance, are any of the thousands of restricted companies present several tiers within your supply chain? In many cases, these companies have already been linked to data exfiltration; it is not a great leap to consider hardware infiltration from these same technology companies. According to Interos data, 148 (~30%) S&P 500 companies have a direct supplier relationship with a banned company, risking severe civil and criminal penalties, 19% of which are in the Computer and Electronic Product Manufacturing industry. Beyond these direct (tier-1) suppliers, virtually every S&P 500 company has sub-tier (tier-2, tier-3 and beyond) supplier relationships with at least one at-risk or restricted company.

This has always posed a regulatory risk, but the national and economic security risks must also feature in supply chain security risk assessments. While last week’s attacks were not via a restricted company, those technology companies on restricted lists represent a more probable pathway to hardware infiltration and warrant heightened alert. 

Tracking the latest in restricted companies is difficult as there is no single consolidated list across all U.S. and international organizations. Fortunately, Interos simplifies this process by surfacing several dozen restrictions lists across the US, Five Eyes, and international governmental organizations, extended across the entire supply chain ecosystem. These companies, especially those in technology, are at the highest risk of technology supply chain infiltration. These companies not only pose a regulatory risk but could also interdict data or carry out sabotage on behalf of adversaries.

The stark reality of this new era is that geopolitical risk extends much more broadly than restrictions – companies and governments need visibility into all areas of supply chain risk: financial, cyber, ESG, geopolitical and catastrophic risk.

In short, the globalized era of entangled supply chains absent geopolitical considerations is over. 

Supply Chain Security: Time to Double Down 

Almost a decade ago, the fictional political thriller Ghost Fleet imagined a future war beginning with supply chain infiltration. In this futuristic scenario, China hacks the U.S. electronics supply chain, disrupting everything from navigation systems to fighter jets. The digital revolution – or the fourth industrial revolution – continues to shorten the time frame between futuristic scenarios and modern reality.  

As Stuxnet demonstrated almost fifteen years ago, the shifting cyber attack landscape quickly expanded beyond governments and into the public sector. The device explosions in Lebanon similarly crossed a new line and will accelerate the pace at which the technology supply chain is exploited by government and non-government actors alike. Whether the Bloomberg report proves valid or not, the supply chain infiltration of the devices introduces similar supply chain security risks – it’s no longer a matter of if, but when a technology supply chain infiltration will occur again.  

Just as software backdoors have increased in prevalence, the same may soon be true of hardware backdoors, making it all the more critical for a fresh look and reprioritization of supply chain security. 


 

 

“It’s Going to Get Worse Before It Gets Better” Navigating Supply Chain Geopolitical Risks: Insights from National Security Experts

by Alea Marks & Dianna ONeill

Interos’s new executive insights series, “Voices of Innovation,” hosted a critical conversation on escalating geopolitical threats to supply chain security.

The inaugural session brought together former NSA Director and US Cyber Command head, Admiral Mike Rogers (Ret.)  and Andrea Little Limbago, Ph.D., Head of Applied AI, Interos, and a frequent speaker on geopolitical risk and cybersecurity.

Five Key Quotes

1-Supply Chain Vulnerabilities

In an era of global interconnectedness, supply chains have become increasingly complex and efficient. However, this integration introduces acute new vulnerabilities. Today’s multinational ecosystems can easily encompass thousands of sub-tier suppliers, fueling continued supply chain disruptions that cost the global economy $3 trillion in annual losses.

Admiral Rogers highlighted this double-edged sword, noting the ripple effect across interconnected systems:

“There’s definitely been a tradeoff,” Rogers observed. “The downside is we have to acknowledge, as we can see with CrowdStrike being the latest issue, that we’ve got fundamental vulnerability inherent in the system.”

2-Geopolitics and Corporate Boards

Given the global footprint of many large enterprises, Admiral Rogers highlighted the growing concern among corporate boards regarding geopolitical risk:

“I spend a lot of time talking to corporate boards on geopolitics. They are trying to understand, the world around me seems to be changing. That has implications for my business model, and it has implications for my liability and responsibility.”

Rogers emphasized that companies are increasingly recognizing the need to better understand the global context for their supply chain operations, identify risks, and develop strategies for risk mitigation and prioritization.

3-Criminals Targeting Supply Chains

In discussing evolving digital cyber threats, Admiral Rogers expressed surprise at the recent trend of criminals targeting digital supply chains:

“I never thought I would see criminals go into supply chain, supply chain route in terms of an attack vector. That was true until about 15 months ago, but we’re now seeing criminals going down this route. So, organizations now are routinely asking themselves, do I understand the dimensions of my supply chain? And what steps am I taking to try to mitigate that risk?”

4-Proactive Risk Mitigation

Anticipating and preparing for potential disruptions emerged as a critical theme. Rogers emphasized the value of proactive planning and regular practice in enhancing an organization’s resilience:

“The more time you put up front in thinking through and anticipating, the better your performance in crisis,” he advised. “I can’t anticipate every scenario, but the more I train, the more I simulate, the more I practice, the more efficient and effective I’ll be in responding to disruption and generating resilience.”

5-Evolving National Security Landscape

The conversation addressed the changing nature of national security, which now encompasses economic security and digital advantage. Rogers highlighted how this shift is leading to increased government involvement in previously private sector domains.

“Governments are getting much more directive and much more broadly involved,” Rogers observed. He noted a significant shift in cybersecurity strategy: “The biggest shifts in [cybersecurity] strategy were, number one, it’s no longer the individual user to hold accountable – it’s the entities that are in the best position to achieve a broad impact.”

Interos Watchtower™: A Strategic Solution

Rogers and Little Limbago also discussed Interos Watchtower™, AI-driven technology that provides personalized risk models to defend against geopolitical threats. Rogers noted the criticality of mapping and prioritizing threats, emphasizing:

“We have got to get to prioritization. Because if we can’t prioritize, if we can’t figure out the best use of limited resources, we got real problems.”

Watchtower highlights vulnerable suppliers based on potential business impact, allowing organizations to prioritize and remediate regulatory, cyber, government intervention, and foreign ownership risks, among others.

Looking Ahead

Admiral Rogers concluded with a sobering yet hopeful outlook:

“It’s going to get worse before it gets better.” However, he noted that more businesses and senior leaders are acknowledging the challenge, stating, “You can’t solve a problem if you don’t acknowledge it.”

The conversation made clear how pervasive geopolitical impacts on supply chains have become. From trade tensions to shifting nation-state alliances, a host of changing global dynamics present new opportunities for disruption. Organizations that fail to adopt a proactive, technology-driven approach to these realities risk falling behind.

Technologies like Interos Watchtower™ are a significant advancement, offering the personalized, actionable intelligence necessary to enhance supply chain strength and security in a volatile landscape.


By Alberto Coria & Daniel Karns

Supply chain leaders are weighing the implications of a power shift affecting America’s largest trading partner. Over the weekend Mexico held its biggest election in history, electing Claudia Sheinbaum its first female president and granting her Morena party an apparent super-majority in Congress that could bring about policy changes.

Markets reacted warily in the immediate aftermath, with one global analyst noting that her victory, “opened the possibility of changes in the Constitution, which alters, or better put, deteriorates the risk balance of Mexico, causing capital to leave the country.”

Mexico surpassed China as America’s biggest trading partner last year. In addition to the political transition, the new administration faces multiple supply chain-related challenges:

Security Risks and Cargo Theft

High levels of violent crime could jeopardize the country’s supply chain stability through relatively common occurrences such as cargo truck hijackings. In 2022, the Mexican federal government reported 7,644 violent cargo truck hijackings, a 3% increase compared to 2021. However, the Transported Asset Protection Association (TAPA Americas) reported that, according to its investigation, 76,599 cargo truck hijackings occurred during President AMLO’s administration, a stark contrast to the numbers provided by the federal government.

Major companies including Ford, DJI, Danone, Wal-Mart, Pepsi, and Coca-Cola have all suffered losses due to stolen truckloads of merchandise in Mexico. The new president, Claudia Sheinbaum, is largely expected to continue AMLO’s approach of “hugs not bullets” for combatting the cartel while simultaneously empowering the military.

Energy Sector and Pemex

Mexico’s national oil company, Pemex, operates under a $102 billion USD debt burden, with the federal government reported to be considering absorbing up to $40 billion USD to assist the company in its ability to service debts. In the past, this debt has regularly affected Mexico’s oil output due to Pemex having to submit late payments to suppliers and alleged corruption within the company.

With the chronic mismanagement of Pemex affecting Mexico’s oil industry, the country’s overall oil production is now less than half of what it was in 2004, despite massive budgetary allocations from the federal government throughout various administrations. Sheinbaum has pledged to remove corruption from Mexico’s energy sector to increase oil production. Sheinbaum is expected to continue AMLO’s policies of leaning strongly on Mexico’s oil production for national revenue and is likely to continue heavily funding Pemex. Under a Sheinbaum administration, customers should not expect any major swings in Mexico’s energy policies.

Mexican Peso and Near-shoring

Mexico’s currency has risen 19% over the past twenty-four months to around 16.7 per USD, now one of the best-performing emerging market currencies due to low volatility and high interest rates. The Mexican Peso is also one of the few major currencies that have gained against the USD this year. This is largely due to the increase of foreign investment in the country through near-shoring and high levels of trade with the U.S.

Sheinbaum is seen as pro-business and is unlikely to enact any policies to deter the ongoing trend of near-shoring given its substantial boost to the Mexican economy. “Turmoil in the U.S.-China relationship has provided Mexico with a historic window to present itself as an alternative to China,” according to a statement from the U.S. Chamber of Commerce.

While the Sheinbaum administration faces significant challenges in addressing security concerns, managing the energy sector, and maintaining currency stability, the near-shoring trend is expected to continue, presenting opportunities for U.S. companies to strengthen their supply chains in Mexico.

Potential Industries at Risk 

Interos monitors supply chain lifecycle risk for some of the world’s largest public and private organizations. Our customers have extensive connections to Mexico-based suppliers, including heightened concentration risk for some sectors, such as chemical manufacturing, due to sub-tier supplier relationships.

The data below illustrates key sectors whose supply chains could be impacted by future administrative or policy shifts under Mexico’s new government.

  • In Tier 1
    • Total: 2,880
    • Top Industries
      • Merchant Wholesalers, Durable Goods
      • Transportation Equipment Manufacturing
      • Chemical Manufacturing
  • In Tier 2
    • Total: 16,251
    • Top Industries
      • Merchant Wholesalers, Durable Goods
      • Merchant Wholesalers, Nondurable Goods
      • Machinery Manufacturing
      • Chemical Manufacturing
  • In Tier 3
    • Total: 26,468
    • Top Industries
      • Merchant Wholesalers, Durable Goods
      • Merchant Wholesalers, Nondurable Goods
      • Fabricated Metal Product Manufacturing
      • Machinery Manufacturing
      • Plastics and Rubber Products Manufacturing
      • Chemical Manufacturing
      • Transportation Equipment Manufacturing

 

U.S.-China Trade Wars Reignite: White House Announcement on New Tariffs References “Supply Chains” Eleven Times

Sweeping new U.S. tariffs on Chinese clean-energy products are inflaming tensions between the world’s two dominant economies, raising the stakes for risk leaders already navigating concurrent crises in the Middle East and Europe.

The sanctions announced today by the Biden administration target $18 billion in Chinese imports, quadrupling existing levies on Chinese-made EVs, while imposing new tariffs ranging from 50% on solar panels to 25% on other essential sectors including semiconductors, aluminum, critical minerals, batteries and more.

The White House statement repeatedly references shoring up U.S. supply chains amid anti-competitive practices from China, noting “China’s forced technology transfers and intellectual property theft have contributed to its control of 70, 80, and even 90 percent of global production for the critical inputs necessary for our technologies, infrastructure, energy, and health care—creating unacceptable risks to America’s supply chains and economic security.”

The new tariffs build on existing Trump-Biden Chinese sanctions, which the global think tank Tax Foundation estimates will cut long-run GDP by 0.21%, wages by 0.14% and employment by 166,000 full-time equivalent jobs.

The Ripple Effect: How Geopolitical Events Impact Your Supply Chain

Whether fueled by trade disputes, military conflicts, or regulatory changes, political shocks can reverberate throughout global supply chains, disrupting procurement, production, and distribution.

This dynamic is exacerbated by complex and interconnected supply chains that hide multiple potential sub-tier failure points.

A U.S. Federal Reserve report reveals a heavy dependence on foreign suppliers across various industries, citing the automotive (23.7%), machinery and equipment (18.4%), basic metals (16.8%) and electrical equipment (16.5%) sectors among the top sectors relying on foreign value for exports. This globalized reality necessitates a proactive approach to supply chain risk management.

Beyond Borders: The Globalized Reality of Modern Procurement

The key to strong collaboration with supply partners includes a heavy emphasis on real-time analysis of the extended supplier base – ensuring all stakeholders are positioned for economic success amid volatility.

Here are five strategies for securing supply chain lifecycle risk for maximum adaptability:

1. Implement Real-Time Monitoring and Intelligence

Real-time extended supply chain monitoring enables organizations to quickly detect fluid risk events and gain the intelligence needed to act proactively. One leading global defense contractor used supply chain life cycle risk intelligence from Interos to identify concentration risk in a vital $5 billion weapons program, isolating and mitigating the threat in days, rather than weeks, before there was a ripple effect across the enterprise.

2. Transition to Leading Indicators

Moving from lagging to leading risk indicators ensures organizations keep pace with click-speed disruptions. Interos intelligence on another simmering political issue – China’s potential annexation of Taiwan – reveals U.S. companies have almost 70,000 direct (tier-1) relationships with Taiwanese suppliers. In the event of a Chinese attack, Bloomberg Economics estimates up to $10 trillion in potential losses, or about 10% of global GDP. Interos is the only solution to quantify and score enterprise risk to plan for a crisis at this level, enabling enterprises to tailor their risk register for threat management by exception, at scale.

3. Utilize Predictive and Prescriptive Insights

Supply chains are a big data problem built on massive data sets. By leveraging AI to consolidate and analyze trends, companies can proactively identify vulnerabilities and implement preemptive measures. For instance, a global energy company facing rising levels of ESG risk leveraged Interos’ platform to triple its supplier due diligence capacity in one year, without expanding headcount.

4. Invest in Advanced Supply Chain Mapping

AI-powered continuous supply chain mapping enables companies to proactively identify suppliers facing urgent geopolitical and other risks, at speed and scale. In the case of the Russia-Ukraine conflict, Interos’ platform enabled customers to instantly identify key sub-tier suppliers located in harm’s way for alternate sourcing.

5. Foster Collaboration and Information Sharing

Cross-enterprise teams including finance, operations, risk, procurement and sourcing play critical roles in next generation supply chain risk management. Establishing comprehensive and consistent communication channels for trusted risk intelligence is the foundation for speed and clarity in response. Interos ensures companies better understand and align against systemic threats within a single, intuitive platform.

These strategies are essential starting points in meeting the scale and scope of today’s global disruptions. By navigating multi-factor risk with foresight and innovation, organizations can secure their brand, reputation, and profitability – a win for stakeholders at every tier of the supply chain.

Read more about global supply chain threats and opportunities in Invisible Threats: Interos’ Annual Supply Chain Industry Risk survey.