The Alan Turing Institute

Mitigating Supply Chain Threats: Building resilience through AI-enabled early warning systems

Expert Analysis

Nii Simmonds, Alice Lynch

Introduction

Critical technologies that keep the public safe and which are the foundation of much international trade are dependent on intricate and globally integrated supply chains.

Nearly all public and private-sector organisations rely upon suppliers to deliver essential products, systems and services. These supply chains can be vast and complex, involving a multitude of suppliers and often crossing national borders. While many of these supply chains underpin the economies and national security of most countries, their complexity makes it difficult to guarantee their security. Vulnerabilities can be inherent, or can be introduced and exploited at any point in the supply chain.

Given the interconnectedness of global supply chains, disruption at one point in the system is likely to have a cascading impact throughout the chain. This can have potentially catastrophic consequences for national security. For example, the supply chains of critical technologies could be susceptible to disruption through factors such as political unrest, cyberattacks, environmental hazards or geopolitical crises, which could in turn prevent countries from accessing critical technologies that are essential to safeguard their national security. This challenge is particularly pertinent to semiconductor supply chains, which have been subject to increased security concerns in recent years. The COVID-19 pandemic brought the vulnerability of semiconductor supply chains into sharp relief for global consumers and businesses. The Russian invasion of Ukraine, growing tensions in the Taiwan Strait, and the lingering effects of the COVID-19 pandemic have all contributed to continued supply chain security concerns.

This article explores the potential applications of AI-enabled early warning systems for national security supply chain resilience, using semiconductor supply chains as a lens through which to examine their feasibility. 

Semiconductor supply chains are particularly relevant for national security, because semiconductors underpin national economies and enable technologies critical to UK prosperity, security and global competitiveness. Semiconductor chips are an essential component of electronic devices, powering everything from smartphones and transportation to electric vehicles and military systems. National economies rely on semiconductor-based platforms for their daily operations, including critical national infrastructure.

Therefore, the national security consequences of semiconductor supply chain disruption are twofold: they threaten economies and the technologies that underpin our daily lives; and directly impact the critical national infrastructure that safeguards the UK’s security and prosperity. 

Challenges to Supply Chain Risk Management

Given their size and complexity, not to mention their dynamic nature, it is extremely difficult to achieve a comprehensive picture of semiconductor supply chains. This, in turn, makes it hard to understand all points where vulnerabilities exist or might be introduced, or to anticipate what the second, third or fourth-order effects of disruption might be.

The production of semiconductors involves a series of steps from design to front-end fabrication, back-end assembly, testing, packaging and transport. These functions are carried out by firms in different countries that have developed specialisms in specific nodes of the supply chain. For example, many high-end chip designers such as Arm, Nvidia and Intel are based in the US and Europe. Yet most of the fabrication facilities that manufacture the chips designed by these firms are controlled by South Korea and Taiwan. Most notably, Taiwan Semiconductor Manufacturing Company (TSMC) manufactures approximately 90 percent of the world’s advanced chips. Meanwhile, labour-intensive back-end production is mostly concentrated in Malaysia, Vietnam, and the Philippines. These globally dispersed capabilities mean that no one country has end-to-end control or oversight of semiconductor chip production. 

Brookings nonresident senior fellow Chris Thomas has noted that, due to the hyper-specialisation of different points in the supply chain, “the top one or two players in any given niche […] earn all the economic profits in that niche due to scale, learning efficiencies, and high switching costs to customers.” These regional specialisms also create critical points of failure, meaning that disruption at any of these nodes can have an enormous impact on global semiconductor supplies.

Many core nodes of the semiconductor supply chain are based in locations subject to high geopolitical risk, most notably Taiwan. Should China’s People’s Liberation Army (PLA) invade Taiwan or impose a blockade on the Taiwan Strait, the manufacturing of semiconductors relied upon across the world would likely grind to a halt. Elsewhere in the supply chain, the Russia-Ukraine conflict is already impeding access to some critical materials needed for semiconductor production. For instance, palladium and neon, two critical elements used in semiconductor production, are being stockpiled in record numbers due to the conflict

In addition to their vulnerability to geopolitical shocks, there are significant risks associated with investment in vendors in the semiconductor supply chain by state-owned enterprises (SOEs) of UK competitors. The resulting regulations designed to mitigate these risks are also presenting challenges for vendors looking to operate across national borders. The Chinese Communist Party (CCP) has explicitly stated its intention to gain technological supremacy over the West, with semiconductors being one of the main priority areas. In July 2022, MI5 Director General Ken McCallum stated that Chinese state-backed actors are seeking to gain technological advantage over the UK and its allies by “making investments and creating partnerships that position their proxies to steal valuable technologies.” 

As a result of growing awareness of this strategy, governments around the world are introducing investment screening and export control measures to regulate investment by Chinese-owned companies in semiconductor firms. This includes new US export controls on semiconductor technologies. Introduced in October 2022, these controls aim to slow China’s technological and military advances by prohibiting the sale of semiconductor chips to China, as well as the advanced equipment needed to make them and the exchange of knowledge from any US citizens, residents, or green card holders. These measures effectively prohibit suppliers anywhere in the world from dealing with China (or any entity with a Chinese company present in their supply chain) if there are also US companies present anywhere in their supply chains. These latest measures are one example of the challenges faced by suppliers who must navigate an increasingly complex regulatory environment.

Given their centrality to national security, combined with their vulnerability to economic and geopolitical disruption, there is a strong case for exploring the potential applications of AI technologies to an early warning system (EWS) for semiconductor supply chains. This is particularly pressing in the context of ongoing global crises such as the COVID-19 pandemic, Russia-Ukraine war, and wider geopolitical instability.

As the COVID-19 pandemic wreaked havoc and caused many shortages to key medical, automotive and consumer product supplies, it also brought the vulnerability of the UK defence and security industry supply chains into sharp focus – significantly slowing productivity on several major defence programmes, and forcing UK defence and security to rethink traditional industrial ways of working. Beyond COVID, cyberattacks such as the 2020 SolarWinds attack have shown how quickly data breaches can happen on crucial digital networks and supply chains, which the US and UK governments, NATO, Microsoft, and other companies assumed to be secure. SolarWinds was regarded as the most devastating cyberattack ever due to the nature of the attack and how long it went undetected — reports of eight to nine months in which hackers had access to crucial public and private networks. Besides physical supply chains, this incident highlighted the critical vulnerabilities inherent in the security of global digital supply chains. In response to the attack, the US Cybersecurity and Infrastructure Security Agency (CISA) created a directive and incident response programme and supply chain guidance was issued by the National Security Agency (NSA), CISA, and Office of the Director of National Intelligence (ODNI).

Opportunities in AI-enabled Early Warning Systems 

How could an AI-enabled early warning system be used to identify and classify a challenge to a supply chain, locate a threat, or safeguard a mission-critical system? Fortunately, given that the need to forecast disruption is a common challenge across many sectors, there are some existing frameworks, guidelines, and promising practices from the public and private sectors that the defence and security community can draw upon.

In the US, the non-profit research group MITRE has created the System of Trust Framework for understanding supply chain risks and evaluating suppliers and providers. Furthermore, CISA has developed a website that tracks significant cyber incidents in real time affecting enterprise networks across US federal, state, and local governments, as well as critical infrastructure entities and other private sector organisations: Supply Chain Compromise. Similarly, the Australian government has produced Critical Technology Supply Chain Principles that highlight core pillars to understand supply chain security risks and to set requirements for suppliers involved in critical national technologies. Existing frameworks and guidelines such as those listed above could be leveraged by the UK and US governments as a basis for developing AI-enabled agile early warning systems to ensure that our supply chains and vital systems are resilient to future attacks.

AI-enabled early warning systems are already beginning to emerge in the commercial sector. For instance, the technology company Infosys has created an early warning system powered by machine learning, predictive analytics and prescriptive analytics to forecast potential disruption and mitigative actions for the shipping and transport sector. Similarly, in the automotive sector, Audi applies ML to rapidly review publicly available sources for potential supply chain risks such as environmental pollutants and human rights violations at an early stage. Other models are also already being used in financial and credit risk early warning, and disaster risk early warning. The national security community should identify lessons learned and best practice from these existing commercial examples which could inform the development of future AI-based EWS for critical supply chains.

Building Supply Chain Resilience

One challenge of developing AI-enabled early warning systems is the significant management and maintenance they would require. The US and UK governments have significant technical capabilities to develop, build and maintain these systems with the assistance of defence contractors. In order to service the Pentagon and other US government agencies, Google, Microsoft, Amazon, Oracle, and IBM have all scaled up their public sector government entities for cloud products. However, what about smaller nations with limited resources, which lack the budget required to cultivate a flourishing supplier ecosystem to help develop AI-enabled early warning systems? The costs required to develop, build and maintain these systems can rapidly add up. More importantly, a nation must also develop its own internal staff and technical abilities to operate these systems.

As supply chains become more complex, they must become agile and more resilient. To guarantee that a good or service can reach a customer, many supply chains now incorporate sensors and other emerging technologies to strengthen their resilience. Due to financial incentives, businesses like Amazon, FedEx, DHL, and UPS, for example, have all deployed emerging technologies to ensure that shipments reach their customers. What private sector use-cases may be implemented to enhance the resilience of semiconductor supply chains? And how can possible failures be reduced by identifying weak links or crucial points of failure?

The pandemic highlighted the brittleness of the “just-in-time” model for global manufacturing and distribution processes. Some blame globalisation as a culprit, and the movement of production to lower-cost producers of goods for labour arbitrage. As firms removed excess capacity in favour of “just-in-time” logistics,  supply chains have become less resilient due to not having buffer stocks or extra reserves. For consumer supply chains, this helps with lowering costs and increasing market competitiveness. But for the essential minerals and resources required to produce critical technologies like semiconductors, a different approach is needed to ensure resilience and contingency throughout the supply chain – given the significant impact that disruption can have for countries’ national security.

US efforts to re-shore semiconductor manufacturing may also yield lessons for safeguarding the resilience of critical technology supply chains more broadly. The recent US Chips Act represents a turning point in legislative efforts to address supply chain resilience, competitiveness and vulnerability mitigation. The Chips Act provides financial incentives for domestic semiconductor manufacturing, and led to subsequent announcements from Intel, TSMC, Samsung and others to build more semiconductor fabrication plants in the US. Additionally, due to global semiconductor shortages and ongoing geopolitical tensions between China and Taiwan, more companies have expressed a desire to re-shore or build US chip manufacturing capacity. Recent analysis from Georgetown University’s Center for Security and Emerging Technology (CSET) has assessed the potential impact of chip-reshoring and concluded that this is likely to assist with building resilience and supporting US chip capacity and competitiveness. Nevertheless, it is likely to be several years until the proposed new fabrication plants are fully operational.

Conclusion

There are no ‘golden bullets’ in securing critical technology supply chains. A combination of measures is required to address the complexity of critical supply chain risk management, focused on identifying and protecting specific vulnerabilities identified at each point in the chain – whether physical or digital. AI-enabled early warning systems are one emerging tool that could prove instrumental in this regard. Drawing on promising practice from other nations and sectors, AI-enabled early warning systems could be complemented by (i) efforts to support commercialisation in the domestic critical technology supplier base; (ii) stockpiling of key raw materials for critical technologies such as semiconductors; and (iii) re-shoring initiatives for key critical technology suppliers, including through legislative change. The UK and US governments should jointly explore the potential of AI-enabled early warning systems for identifying, classifying and responding to emerging supply chain threats, and assess the resources required to implement them in practice. 
 

The views expressed in this article are those of the authors, and do not necessarily represent the views of The Alan Turing Institute or any other organisation.

Citation information

Nii Simmonds and Alice Lynch, "Mitigating Supply Chain Threats: Building resilience through AI-enabled early warning systems," CETaS Expert Analysis (January 2023).