Reshoring U.S. Manufacturing, Security Researcher Protections, and Open Source Security Topics of May 2022 OODA Network Member Meeting

To help members optimize opportunities and reduce risk, OODA hosts a monthly video call to discuss items of common interest to our membership. These highly collaborative sessions are always a great way for our members to meet and interact with each other while talking about topics like global risks, emerging technologies, cybersecurity, and current or future events impacting their organizations. We also use these sessions to help better focus our research and better understand member needs.

To encourage openness of discussion, these sessions take place with Chatham House rules, where participants are free to use the information in the meeting but are asked not to directly quote or identify other participants (we also keep privacy in mind when preparing summaries of these sessions, like the one that follows).

The May call was held on Friday, May 20th.  Topics of discussion on the May monthly call were:

  • Reshoring Manufacturing back to the U.S.
    • Multinational Industrial Network with Key Select Allies
    • Building Open Societies will provide Manufacturing Opportunities
    • A Billion People between the Rio Grande River and Tierra Del Fuego
    • Reshoring does not always equal job creation
    • Splitting Hardware and Software
    • Apply Information Security Models to Supply Chain Security
    • We Need to Adopt the Same Dual-Use Vendor and Contracting System as the Chinese
    • Modular, dual-use defense technologies can also be used to address food security, water security, and climate change
    • Do we have the architecture and network capabilities for modular reusability?
    • There is a lack of conscious thought about operational models
    • Will digital transformation now include supply chain and manufacturing concerns as a priority?
    • What Role 3D Printing?
    • The Ecosystem for 3D Printing Maintenance and Support Does not exist yet
    • Is This a Classic Technology Scalability Problem?
    • Russian Supply Chain Issues In Ukraine are a Cautionary Tale
    • In the Nirvana of real-time visibility, there are a lot of structural and human incentives
    • A Drawback from China?
    • State Department Regional Innovation Hubs
    • US Manufacturing Base Public/Private Partnership and USG Career Track Opportunities
    • Improve Cybersecurity in Massive Reshoring Efforts
    • Supply Chain Innovation will be as much about Business Model Innovation as Technology Itself
  • Department of Justice will not Prosecute Security Researchers
  • White House Effort to Improve the Security of Open Source Software
  • Are Zero-Covid Policy and Recent Lockdowns Destroying the Chinese Industrial Base?

Reshoring Manufacturing back to the U.S.

Multinational Industrial Network with Key Select Allies:  The numbers tell the story:  trying to do everything within a country of 330 million relative to an adversary of 1.4 billion?  They are catching up in the number of PhDs and in terms of capabilities.  We know how this story ends. We need to think about both reshoring and how we do a multinational industrial base with key select allies.  How do we involve the Five Eyes, but also Germany and Japan (and possibly India?) in this reshoring effort as well – for what used to be called the industrial base and what now needs to be the industrial network?

Building Open Societies will provide Manufacturing Opportunities:  The more open societies have success, the more this is a competitive advantage for this future industrial network.

A Billion People between the Rio Grande River and Tierra Del Fuego:  We need to start thinking about leveraging our own hemisphere.  Why aren’t we thinking about how to start working with those countries, cultures, and societies – giving them unprecedented opportunities to date?  If done correctly, it could be structured to help solve our immigration problem. As one network member noted:  “If people had a chance to have a good career, a good future, good economic prospects in their own town, region, state and country, whatever. There has been a lot of benign neglect, but maybe there are a lot of smart people in that area that have just been underserved and undereducated.”

Reshoring does not always equal job creation:  A new plant here in the US will include a lot of automation. That’s great. You get some jobs in that area, but it’s nowhere near the job creation that plant used to provide.  Modernization is good, but it’s not always a net benefit to jobs, at least on a plant-by-plant basis.

Splitting Hardware and Software:  A member offered the following perspective:  “Obviously moving hardware manufacturing from China back to the United States or the Five Eyes, between Canada and the United States and the UK and Australia with massive capabilities is the right thing to do. But as we do that – software can be done more quickly.  And if you think about a lot of the vulnerabilities in our hardware systems, they are from the software side. So moving from an open-source code base to a trusted source code base is something that we can do at a much quicker pace, which aligns with our national security goals.”

Apply Information Security Models to Supply Chain Security:  It is interesting to apply some of the models that we have in information security to supply chain security.  If we take even the CIA Triad (Confidentiality, Integrity, and Availability), are all of those equally important?  Does it require a whole reshoring?  Or can the concept of failover production capacity, like we would use in preserving availability, work?  This would allow for both a low-cost production center that is less availability-assured, but then the ability to fail over and quickly scale up in onshore production centers.  Can we apply the burstable capacity concept as we have in cloud computing?  Is there a concept of burstable manufacturing capacity that could be shared and available so that when individual centers are disrupted, for whatever reason, you can quickly spin up a “warm site” for physical production in the same way that we have warm sites for servers and software?

We Need to Adopt the Same Dual-Use Vendor and Contracting System as the Chinese:  How prepared is our defense industrial base to contract sufficient private sector investment?  China has a solution for this:  their private sector is their government, but the other solution is that they do dual use: when they are not doing defense, they’re building cruise ships. We haven’t adopted a strategy that makes it attractive enough for our private sector to invest in defense because we right now believe that defense should not be dual-use. That is a fundamental weakness of our current system versus China, which is that we don’t have the ability to attract our private sector into sustained investments in defense.

Modular, dual-use defense technologies can also be used to address food security, water security, and climate change:  Trying to find something to attract the private sector to have sustained investments in the defense industry, what would be the first step on dual-use? I would say food security.  Food security is boiling up now thanks to Ukraine and Russia.  And then the other thing is also insisting on modular. We need to break away from a single vendor versus modular and reusable.  The goal of what DoD should be doing is the idea that you can modernize in place versus tossing something away for the next generation.

Do we have the architecture and network capabilities for modular reusability?  The idea that you can modernize in place, with different components that come from different vendors – that of course requires foresight:  do you have the architecture and network capabilities for reusability for hardware or software?

There is a lack of conscious thought about operational models:  A member framed the issues at hand in the following manner:  “If you pick a big company and ask them “what is the operational model of the company?” And I would be willing to bet that more than 50% of the Fortune 100 would have a hard time answering that in a succinct way. And so the problem is:  until you have an operational model, and you can identify what your core capabilities are for modularizing, those become incredibly prohibitive. We have this strategic deficit that we have known about in cybersecurity for a long time.  Some of it goes back to basic management theory  – and the DoD dysfunction about dual-use in some ways is directly connected to that. Because if you have a clearer understanding of what your capabilities are, then you should be able to create those distinctions to figure out which ones might not be or might be ‘pets versus cattle’ to use a software term.”

Will digital transformation now include supply chain and manufacturing concerns as a priority?   What is your actual operating model?  What is your core competency? Do you need to do this? Are you trying to do a replication model or unification model or coordination model? This stuff is not new, but it has now been reframed in the context of digital transformation efforts. So in some ways, it might be a good time to inject these realizations about supply chains and manufacturing reshoring into these digital transformation efforts.

What Role 3D Printing?  Doesn’t 3D printing (additive manufacturing) preclude a lot of these issues and/or shorten the supply chain considerably, i.e. for consumer goods?  It hasn’t quite hit the vertical part of the adoption curve, but it will at some point.  When it does, will it transform what we understand “manufacturing” to be?  Another member mentioned that “at the industrial scale, there is a company called Hadrian that builds a factory that builds factories – they are doing this in the aerospace industry and for companies like SpaceX and others, but they’re aiming to do it for like the F16 program, which is now such an old program they are having a hard time getting spare parts because most of the supply chain for even these advanced aeronautics systems are smaller companies where the owners are now in their sixties and are just kind of leaving the market. And it’s hard to get these supplies. So Hadrian is building automation to create these things, not quite a printer in everybody’s garage, it’s industrial strength stuff, but I think that’s going to be part of the answer, at least for aerospace. Now we need that same kind of approach for all the other industries.”

The Ecosystem for 3D Printing Maintenance and Support Does not exist yet:  There is a lot of maintenance required in 3D Printing and the infrastructure to support the additive manufacturing ecosystem does not exist yet, especially in that last mile.  When we see an adoption that is high enough, then we will start to see that infrastructure emerge as a valid business opportunity.  Also, 3D Printer repair in the industrial domain differs from the individual consumer space.

Is This a Classic Technology Scalability Problem?  Part of this is a classic scalability question.  There is a cliff when you are trying to scale technology beyond a certain point.  Then the investment of resources is so dramatically different that it is prohibitive for entry.  And I think we are starting to see that in software – the number of companies that will have the resources to train AI models may be a lot smaller than we think because it is so expensive. What is interesting is that we are seeing parity between software and hardware adoption curves in a way that maybe we never have before.

The opposite perspective was also discussed based on this metric: “We are starting to see AI that is multi-use multi-problem – some of the DeepMind stuff, even over the past week, it is the first time since they’ve been tracking general AI, that it ticked down under 10 years.”  A network member also offered this entrepreneurial experience:  “With training AI models the entirety of our business, I emphatically disagree with that. If anything, AI models have become somewhat democratized. It is quite possible for a small to medium-sized company to produce models that are more appropriate to what our customers do than any other competitor. There are competitors I worry about – but none of the big barriers to entry type companies worry me in the least. I spent a lot of my time easily out-competing them.”

Russian Supply Chain Issues In Ukraine are a Cautionary Tale:   What we are seeing in Russia with their supply chain  – maintaining it and replacing parts as they wear out  – is a bit of a cautionary tale.  From the analysis that we have seen, it’s not the mechanical parts that are the most difficult to replace, it is the electronics. And those are the ones that have the deepest supply chain. And I think we are a lot further away from having the ability to print your own chips in a  garage than we are from being able to print the mechanical components.  Even if rare earth minerals are not that rare, processing them is hard and expensive and takes time, and requires manufacturing plants that are a key part of the supply chain. We cannot just instantly fix that.

In the Nirvana of real-time visibility, there are a lot of structural and human incentives:  There is a powerful corporate and institutional resistance – and the resistance in part comes from all these disruptions – whether it is the pandemic or the war in Ukraine – and the notion that they are temporary, that this is not a permanent change in the situation.  It is hard to get them to focus on something that is going to be disruptive and accepted as a permanent change.  And they will come through on the other side and we will return to doing business as usual.  That is a powerful filter in how people in general and corporations perceive the world.  Second, these corporations are huge and politically powerful.  Sometimes some of these corporations behave like Pharaohs in ancient Egypt, just by sheer will:  “We don’t have to change.  We can sort this out in another way. And since it’s complex and disruptive, let’s look at the things that we know how to do. We know how to lobby; we know how to change the rules; we know how to crush new challenges that are preferable to making fundamental changes.”  This leads us to the question: is reshoring going to take place because major organizations decide to reshore?  Or is it going to take place in a more insidious guerrilla warfare fashion – in which more nimble smaller organizations will get it sooner?

A Drawback from China:  With regards to China now, over multiple administrations of both parties, we are seeing a drawback from China for a lot of reasons – strategic and national security issues, etc. In the nineties we made decisions collectively to outsource pollution and dangerous jobs to China – that was all conscious.  But if there is a strategic imperative and a market force and a market-clearing price, then that will become more competitive. There are several issues that we may be seeing at an inflection point – there seem to be some forces that are working right now that are changing attitudes, and the corporations are going to have to start adjusting.

State Department Regional Innovation Hubs:  A network member mentioned “hubs in which the State Department will remove any obstacles to you doing business in one of their regional innovation hubs.  Right now they’re focusing on the Pacific, but they’re going to offer it in the Middle East and everywhere else after that. So if you are looking to offshore and you’re having challenges with Malaysia, because, for example, they do not have certain standards for food export that the U.S. has, the State Department would work with them so that their standards for Malaysia are harmonized with the U.S.  So I would say, point companies to the State Department for solutions.  There are signs of life there.  It is not sufficient: there is more that needs to be done.”

US Manufacturing Base Public/Private Partnership and USG Career Track Opportunities:  Reshoring will really require a public-private partnership between the United States government and our manufacturing base.  We will need to clean up procurement in the United States, on the government side, to buy American.  Unfortunately, this is an extremely nuanced process. There is not a career track in the government for very technical people to stay in the government.  Very technical people get frustrated and leave.  So we need to fix this issue by creating a career path for technical people who want to serve America to stay in the government and get strong; then you have someone that can partner with private business, because the private business will respect the technical acumen of the government workforce.

Improve Cybersecurity in Massive Reshoring Efforts:  To bring it back to the practitioner who needs to help companies that want to reshore manufacturing:  these companies are going to need help with strategy and vision guidance, but also execution. And that includes data analytics, understanding their data, using good data in their plans – and cybersecurity.  I think all of us are going to have an opportunity to contribute thoughts on how to ensure and improve cybersecurity in massive reshoring efforts.

Supply Chain Innovation will be as much about Business Model Innovation as Technology Itself:  It is not just the technology, but also the business models. There are companies like Rapid Robotics where you can basically hire a robot as a factory worker. It is a subscription-based model which is quite different from what ABB and other companies are doing. But if you want to rapidly build up capacity, this is interesting and portends the type of business model innovation we will start seeing – which is independent of a traditional working definition of a linear ‘supply chain’ and an innovation that has to map to that supply chain or value chain.

Department of Justice will not Prosecute Security Researchers

The membership discussed the following announcement from the DoJ, “Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act”:

“The Department of Justice today announced the revision of its policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA).

The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.  ‘Computer security research is a key driver of improved cybersecurity,’ said Deputy Attorney General Lisa O. Monaco. ‘The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.’”

OODA Network members agreed this decision was “a big win –  it’s a good decision in the right direction, but who knows how it’ll play out? So one small step that has been worthwhile after the past 20 years of bad policies.  It is much needed. We’ve clearly seen the value demonstrated by the security research community and we’ve come a long way with regards to responsible disclosure and how that stuff is managed. So it’s good to see the ecosystem supported from a legal perspective.”

One network member spoke from recent experience:  “One thing that comes up when interacting with the DoJ or FBI is that if they did not have discretion on whether to prosecute or not, they were not going to get the insights and the intel that they needed to combat ransomware; instead, people were just not going to report anything. And so part of the goal of DOJ is by relaxing this policy, they hope to get more intel on ransomware.”

White House Effort to Improve the Security of Open Source Software

The White House is now supporting a special effort to try to improve the security of open source software (“Global CISOs, White House agree 10 point OSS Security Mobilisation Plan”), with the White House supporting tech companies like Amazon and Google and Microsoft who are pledging to contribute money to improve the security of open source projects (“Tech giants pledge $30M to boost open-source software security”).  OODA Loop also offered a recent analysis of Open Source “Protestware”: Sabotaging Open-Source Code as a Form of Hacktivism.

The membership discussed these issues on the call briefly:

“Since Log4J, basically the White House has said that if open source doesn’t get its act together, it just has too many pain points and they’re not going to be as favorable towards open source. And so Microsoft is putting a lot of money towards it, as are Google and others.  Because otherwise, that ecosystem will dry up.”

“According to this article, they are supporting the Linux foundation and the Open-Source Software Security Foundation. That sounds extremely virtuous.  But they’re not the only open-source projects out there.  Is this also connected to the Apache ecosystem, for example?”

“A lot of this, when it touches the USG, falls under the rubric of software bill of materials (SBOM).  If you are searching for things, look for SBOM and that is where you’ll find a lot of this work. IEEE did a panel session on the 23rd (video archive here) with Allan Friedman and Gene Camp and some other folks. I think this group will probably give the most realistic assessment of the state of the world, but this is largely driven by Allan Friedman’s work around software bill of materials.”

“Google has been arguably kind of doing this with projects. They’ve been putting money behind auditing other people’s software since they created Project Zero. So it is not entirely new. But the government’s acknowledgment of it, some of that is new. But my experience has been if you look for things under open-source, it’s hard to find, but if you look under SBOM, you’ll literally find all of this whole history of meetings and relationships and sponsorships that have been going on pretty aggressively for about five to seven years.”

Are Zero-Covid Policy and Recent Lockdowns Destroying the Chinese Industrial Base?

“One thing is it sends a clear message of what is important to them  – and what is important is communist party rule for forever. And they’ll do anything to ensure that.  A lot of uncertainty right now in China.”

“They want to change the Zero Covid policy, but they are having the challenge of “how do you change it without looking like you were wrong.”  So they know it’s wrong, but are looking for a glide path is what they’re trying to find out.”

“According to the WSJ, party leaders are being asked to discourage Western assets, real estate, and others to minimize the opportunity for Western sanctions to have an effect.  What are they really trying to do? Stay in power.  What are they willing to do?  What kind of backchannels are being leveraged to talk about that glide path?”

A network member also shared their involvement in private sector back-channel negotiations on the topic of changing the Zero Covid policy.

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.