Global supply chains are at an inflection point. While the COVID-19 pandemic shifted the focus from efficiency (just in time) to resilience (just in case), two developments in September 2024 indicate that another shift is underway in how supply chains are envisioned and operationalised — this time towards security (just to be secure).

Moves by the U.S. and Israel’s pager attack

On September 23, the United States Department of Commerce proposed rules which, if accepted, “would prohibit the import or sale of certain connected vehicle systems designed, developed, manufactured, or supplied by entities with a sufficient nexus to the PRC or Russia”. The proposed rules target both the software and hardware associated with vehicle connectivity systems as well as automated driving systems. While the 100% tariffs on Chinese EVs announced by the U.S. earlier this year stemmed from competition concerns aimed at reducing their sale in the domestic market, the newly proposed rules, which stem from national security concerns, would effectively ban their sale in the U.S.

The U.S. case against Chinese connected car tech is that both hardware and software components in cars employing some form of external communication capabilities can be potentially misused. The idea is that cars with connected car tech are essentially mobile listening posts, and that malicious actors can use their cameras and sensors for espionage purposes. Worse, these cars may even be disabled or hijacked — especially those level 3 and above on the Society of Automotive Engineers’ levels of driving automation. For security hawks, handing over such control to a state with which you may be in a future conflict simply carries overwhelming risks.

If there was any strand of thought moderating the hawkish focus on supply chain security, that evaporated as the world came to terms with the Israeli supply chain attack, on September 17-18, targeting pagers and walkie-talkies used by Hezbollah in Lebanon. More than 30 people, including children, were killed while thousands were injured. The fallout was felt far and wide, leaving everyone wondering about the state of advanced technologies used or embedded in products across industries when even basic old-fashioned devices could be made to explode.

While the U.S. proposed rules and the Israeli pager attack have reignited and amplified the supply chain security debate, it arguably began a few years ago when the U.S., Australia, Japan and even India effectively banned Huawei and other Chinese telecom players from participating in the 5G rollout for security considerations. The motivating fear was that China could install backdoors in the telecom infrastructure giving it the capability to surveil or sabotage the same. Since then, supply chain security concerns have spread to other tech industries such as semiconductors.

From efficiency to resilience to security

During the heyday of globalisation, especially from the 1980s till the 2010s, supply chains were configured to ensure maximum efficiency; that is, weaving a complex supply chain for each product or service in a way that components were procured and assembled at various locations across the world based on cost and other considerations. These “just in time” supply chains were to some extent immune from great power politics. China established itself as a central supply node in this arrangement. A combination of various factors in the late 2010s and early 2020s, such as the U.S.-China rivalry and resultant technology decoupling and the COVID-19 pandemic, shifted the focus away from “just in time” to “just in case”.

That is, there was a recognition in the U.S., Europe, India and elsewhere that supply chains had become too dependent on Chinese exports. Supply chain resilience, as a result, became all the rage. But, almost simultaneously, security considerations around Chinese involvement in telecom infrastructure also led to another shift — from resilience to security. This shift has only solidified in the wake of Israel’s supply chain attack.

India and supply chain security

How can India ensure that its supply chains are secure? Extreme measures such as outright banning import of a range of tech products and services would not work. Neither would fully subscribing to the “just in case” strategy that focuses on supply chain resilience.

What can work is a two-pronged approach involving both “just to be secure” and “just in case” strategies. The “just to be secure” strategy can be put in motion through “trust but verify” and “zero trust.” Certain tech products and services (say those used in communications, transport or critical infrastructure broadly defined) can be subjected to trust but verify, which entails methods such as periodic audits, on-site inspections, and establishment of a mechanism that ensures compliance with national and international security standards. But a more narrowly defined set of technologies that are most critical (say those used by Indian military, intelligence agencies, or for cutting edge research and development) should be subjected to zero trust. Zero trust, which assumes by default that all tech products and services are compromised and applies to friends and foes alike, would entail developing the most stringent checks during procurement as well as continuous monitoring and verification. For all the remaining, less critical technologies, the “just in case” strategy involving diversification of vendors and friendshoring would suffice in taking care of larger supply chain concerns about cascading fallouts due to single points of vulnerability and failure.

Lokendra Sharma is a research analyst with the Takshashila Institution’s High-Tech Geopolitics Programme, Bengaluru. Pranay Kotasthane is Deputy Director of the Takshashila Institution and chairs the High-Tech Geopolitics Programme.

