The Trump Administration blacklisted companies it viewed as security threats, barring their products from being sold in the US, preventing American tech suppliers from selling to them, and sometimes doing both. Chinese companies that utilize and are developing important AI technologies such Huawei, Xiaomi, and TikTok, were targeted to varying degrees. The logic was that, by working through “trusted” suppliers, the U.S. would benefit from a “clean network” impervious to cyberattack.
But last December, hackers working for Russian intelligence infected the software of SolarWinds, a Texas-based IT firm (and “trusted supplier”) whose customers included the U.S. Departments of Treasury, Defense, Justice, State, Commerce, and Energy, plus governments and companies in at least seven other countries.
“Blacklisting Chinese companies was a politically appealing yet wholly ineffective approach to network security. We need a holistic strategy that guards against threats from any country, through any channel, while still allowing for the proliferation of crucial technologies such as AI,” says Scott Klososky, Founding Partner at Future Point of View, and the author of “Blacklisting Our Future” a recent whitepaper on this topic.
SolarWinds confirmed what cyber security experts had said in mid-2019: that barring particular technology providers is not an effective strategy for making American networks more secure. Moreover, Klososky explains, “digital bans or blacklists will produce unintended consequences that actually degrade America’s ability to create innovative technology, especially in the competitive and fast-moving space of artificial intelligence.”
First, blacklists create new competitors to U.S. businesses. For example, cutting off Huawei’s supply of U.S.-made semiconductors, as the Trump Administration did in May 2020 by modifying the Foreign Direct Product Rule, was intended to hobble the company in the short term. But the longer-term effect will be to push Huawei – and other Chinese companies – toward greater self-reliance. As of November 2020, Chinese chip-makers had raised about $38 billion through public offerings, private placements, and asset sales. At the same time, the number of Chinese semiconductor companies quadrupled.
Preventing other countries from buying American technology forces them to create their own. It may take years before Chinese companies can make the most advanced chips, but eventually they will get there. When they do, they will never buy U.S. chips again. And these faster processors will only become more and more in-demand as the proliferation of artificial intelligence in industries requires exponentially faster processing speeds.
This could lead to a second unintended consequence: Reducing market share and causing significant revenue losses that force U.S. companies to cut R&D investment and capital expenditures. Such cuts will likely degrade their innovation capacity, eventually allowing international competitors to capture markets in computing and AI that the U.S. could have led.
Noting that “a strong semiconductor industry is critical to U.S. global competitiveness and national security,” the Boston Consulting Group (BCG) projected that American companies could see a 37% drop in revenue over the next three to five years if Washington bans U.S. chipmakers from selling to Chinese customers. Naturally, a drop of that magnitude would hurt U.S. technology jobs.
Rather than banning or blacklisting particular companies, one alternative would be to require certain international technology providers to build their products and applications inside the United States.
“This would allow much closer scrutiny, such as the hiring of auditors who could score products based on criteria such as whether the technology was used in critical national infrastructure (e.g., the power grid, or the banking system),” says Klososky. Companies that scored below a certain threshold would flunk the test, leading either to remedial action or, potentially, a ban.
Another alternative would be to legislate global penalties against companies that deliver unsecure products, including AI software. This is analogous to the GDPR, the 2018 privacy law which applies to every company that does business in the European Union, or handles the data of EU citizens. The EU could simply have banned companies it felt were a risk; instead, it put in place rules and penalties to assure good behavior in their countries. In response, many companies have adjusted their data management processes to comply with GDPR.
A third alternative to blacklisting would be a non-proliferation treaty of the type that has successfully limited expansion of nuclear stockpiles.
“The U.S. could be the world leader in developing this kind of peace treaty,” Klososky states, “which would protect signatories from cyber aggression and allow them to invest resources into more productive tasks than defending themselves.”
He continues, “Certifications could be made by third-party inspectors, in the same way that the International Atomic Energy Agency oversees the world’s nuclear facilities.”
President Joseph Biden has said he wants to build coalitions of “shared interests and shared values.” The new President has an historic opportunity to strengthen network defenses by enacting transparent rules that hold all companies accountable, while protecting all citizens.
Political leaders can partner with the private sector to find new paths forward – options that will address real threats to network security without segregating the U.S. economy from the rest of the world, and according to Klososky, “allow AI to develop at the speed of our collective, global imagination – unlimited by ineffective and unnecessary bans.”