Since 2019, COVID-19 has been followed by a series of events with worldwide reverberations that disrupted supply chains, awakening the US and its allies to the fragility of the manufacturing ecosystem and its dependence on foreign producers. On November 27, 2023, the White House announced the inaugural meeting of the White House Council on Supply Chain Resilience—a whole-of-government approach to addressing global supply chain challenges. As this council begins its work, it will have to deal with several major global challenges, opportunities, and trends, including influencing how the US understands, monitors, and manages its supply chain risk.
Increased tensions between the US and China, as they compete for regional power and influence, have led the US to rethink its supply chain coupling to China. The US is now actively pursuing “friend-shoring,” “nearshoring,” and other techniques to reduce its dependence on China. Major initiatives, such as the Indo-Pacific Economic Framework for Prosperity, are intended in part to solidify a group of partners with common interests to both counter Chinese global influence and strengthen the resilience of US allies and trade partners to reinforce supply chains.
Similarly, we’ve seen a series of disruptions as the US and its allies have responded to Russia’s invasion of Ukraine. The US response, which has included sanctions and seizure of assets, has impacted Moscow’s military and economic power, including reducing its percentage of global trade. In turn, Russia has sought to disrupt global energy disrupt global energy and food supply chains. As a result, Ukraine-supplied natural gas, crude oil, technology (e.g., microprocessors), grains, and sunflower oils have decreased significantly. Russia has also increased its partnerships with Iran, China, North Korea, and other anti-Western actors, including, in some cases, to increase supply chain, cyber, and other covert capabilities against the West. Evidence of Russian’s efforts to enhance these partnerships include the September 2023, meeting between Russian President Vladimir Putin and North Korean leader Kim Jong Un and Russian Foreign Minister Sergey Lavrov’s meeting with Iran President Ebrahim Raisi shortly after the October 7 attacks by Hamas terrorists in Israel.
The terrorist attack by Hamas in Israel has exacerbated instability in the region and beyond. This unprecedented attack by one of Iran’s proxies—in addition to those proxy forces in Lebanon, Yemen, Syria, and Iraq—has already set the stage for military battles now occurring across the region, and with additional actions expected.
Iran’s proxies have a history of conducting cyberattacks against the US and its allies, including against critical infrastructure targets. Iran and its allies also have used non-explosive kinetic weapons to strike critical infrastructure, such as oil refineries in Saudi Arabia and ships in the Persian Gulf. These attacks are not only meant to damage the targets but also to send a message about the ability to upset world trade and normal business, with the potential to adversely impact the US and its allies’ critical supply chains and various vital infrastructure sectors.
This volatile threat environment is a significant threat to the health and protection of our vital supply chains and critical infrastructure sectors. The US and its allies were already facing shortages of things like baby formula, chemotherapy drugs, antibiotics, and fuel. Add port backups, semiconductor problems, and dozens of other supply chain obstructions, and our way of life, economic prosperity, stability, and safety and security are obviously under siege.
IMPACT ON CRITICAL INFRASTRUCTURE AND SUPPLY CHAIN
Given ongoing actions and past behavior by US adversaries, it is possible to assume at least five critical infrastructure sectors may be targeted to one extent or another: Energy, Critical Manufacturing, IT, the Government Facilities Sector, and Water and Wastewater Treatment. There are specific elements of these sectors that may be especially attractive to our foes or otherwise are more at risk:
Critical Trade Routes
The location of the current Middle East conflict—separate from the fighting in Ukraine and the tension playing out in the Taiwan Strait on any given day—as well as the fact that Iran and its proxies are situated in a region that is one of the most important in the world in terms of energy supplies, means they can potentially pose a significant risk to the Energy and Critical Manufacturing Sectors.
Specifically, heightened vigilance for increased risks to vessels transiting the Persian Gulf and three important choke points—the Strait of Hormuz, the Bab-el-Mandeb Strait, and the Suez Canal, which account for approximately 17% of global oil trade, by volume—is crucial. Bad actors interested in asserting their influence have been targeting these assets and supply routes. Since November 19, dozens of cargo and oil vessels have been attacked, seized, and hijacked. These incidents carried out by Iran directly or its proxy Houthi Rebels in parts of Yemen, reflect the fragility of US interests and other global trade passing through the region. These actions have already resulted in negative trade impacts including rerouting of shipping routes, the need for US and allied military escorts, delays in transportation of goods and services, disruption in production facility operations, and reduced availability of critical goods that support critical infrastructure. The US and its allies have subsequently launched military operations on Houthi military targets to impede the ability to conduct such attacks.
As I wrote in the 2024 Homeland Security Today Threat forecast, these events are not occurring in a vacuum. They compound the logistical and security challenges already faced by maritime shipping, such as Russian harassment and stoppages in the Black Sea, and drought conditions impacting water levels in the Panama Canal, limiting the volume of trade able to transit this vital shortcut between the Pacific and Atlantic Oceans.
Cyberattacks
Over the past decade, Iran has executed, directly and indirectly, cyberattacks against the US and its allies. This includes critical infrastructure providers, government agencies and data systems, and healthcare and water systems. Some had the potential—should they have been more successful from the attacker’s perspective—to have catastrophic impacts on civilian populations. On November 2, FBI Director Christopher Wray stated before the Senate Homeland Security and Governmental Affairs Committee that the cyber targeting of US interests and critical infrastructure we have seen conducted by Iran and nonstate actors is likely to get worse. In fact, on November 26, there was an Iran-linked cyberattack on a public water system near Aliquippa, Pennsylvania. The FBI, Cybersecurity, and Infrastructure Security Agency (CISA), the National Security Agency, and the Israel National Cyber Directorate issued a joint cyber advisory on December 2 focused on Iran-backed hackers targeting specific Israeli-produced control systems related, in particular, to water systems and storage facilities, and offered recommendations for the steps that the owners of such critical infrastructure facilities should take to avert attacks. Other critical infrastructure has been attacked using cyber methods.
The FBI and CISA have identified and are proactively addressing such cyber threats. However, the high volume of attacks across diverse and potentially vulnerable targets warrants heightened attention to possible critical infrastructure sector attacks, particularly given our interrelated supply chains.
RECOMMENDATIONS
While the adverse impacts on US supply chains and critical infrastructure described above are pronounced, we also believe this level of volatility and threat provides opportunities.
This “new normal” underscores the importance of having the capability to understand, monitor, mitigate, and respond to supply chain and critical infrastructure challenges. To meet this opportunity, we recommend that U.S. government and private sector entities:
- Critically examine and analyze the parties in key supply chains, the risks they potentially present, their interdependencies, the tradeoffs, alternatives, and mitigations that can be identified, and the cascading effects of seemingly regional and isolated disruptions and their potential second- and third-order impacts.
- Invest in and incentivize the use of methodologies and technology to enable holistic supply chain risk management, including the ability for real-time monitoring and the ability to forecast cascading impacts.
- Use interagency and government-private sector governance and information-sharing mechanisms to collaborate on assessments, investments, and scenario planning. These entities can also be leveraged to inform dynamic decision-making in response to changes in the threat environment.
The newly created Department of Homeland Security (DHS) Supply Chain Resilience Center (SCRC) offers the potential to bring such supply chain risk management elements together, using the SCRC’s interagency US government team for more effective risk management and strategic decision-making.
According to recent announcements by DHS and the White House, the SCRC will be charged with analyzing vulnerabilities and conducting scenario planning with private sector stakeholders to help mitigate supply chain disruptions, ensure reliable and efficient deliveries of goods and services, and lower supply chain costs.
Fulfilling these responsibilities given today’s supply chain challenges will be no easy task, but the SCRC is in a position to coordinate the various departments and agencies, private sector and other entities, to create relevant data, technology and monitoring systems, supply chain protection playbooks, and enhanced safeguard mechanisms for critical infrastructure.
Given the interrelated elements of US supply chains, it is critical that the homeland security community continues and amplifies its collective work across the supply chain and critical infrastructure ecosystem to enhance US national security and economic prosperity. We anticipate the SCRC to be a foundational part of that augmentation and reinforcement.
