Cybersecurity risks in a possible US manufacturing resurgence

When factories, notably in China, shuttered during the COVID-19 pandemic, products the US relied on were impacted. Here's how experts see a return to "Made in America" and the incumbent risks.

Made in China

Image: Getty Images/iStockphoto

When COVID-19 began to gain momentum worldwide, Chinese factories were shut down, some at the end of December 2019, but most by January 2020, and the closures called attention to the stall of iPhone production, wedding gowns, L.O.L Surprise! Dolls, and many other high-profile products sold to American consumers. 

TechRepublic spoke to executives and experts to see if the US could avoid such supply chain issues by ramping up manufacturing to return to "Made in America" glory. Few thought it was likely to shift all or most production from China and elsewhere back to the US.

"The U.S. cannot manufacture everything it needs or wants, even if isolationism proves to be the only way to survive a global pandemic," said Jerry Ray, COO of SecureAge.

SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)

Serious security issues

If this massive manufacturing change were to take place, what are the implications for cybersecurity concerns?

"Manufacturing was consistently a top-targeted sector throughout the three-month [pandemic] period," noted Matthew Gardiner, cybersecurity strategist at Mimecast.

Joseph Neumann, director, offensive security at Coalfire, expressed concern about stolen intellectual property and products being compromised, and warned, "Making the shift to onshore production will lower security risk in the end but have a short term risk due to bringing everything back into the US."

SEE: Life after lockdown: Your office job will never be the same--here's what to expect (cover story PDF) (TechRepublic)

Made in USA, with USA Map. 3D Illustration

Image: Getty Images/iStockphoto

"US manufacturers face the challenge of quickly switching to domestic suppliers without incurring risk to their business,  said Danny Thompson, senior vice president market and product strategy at apexanalytix.
 
There are other elements at play when making such a big shift. "Two key areas to consider when making large-scale transitions are data transfers and privacy localization requirements around the globe," said Dan Clarke, president of IntraEdge.

Vulnerabilities

"The US has been the richest target of cyberattacks from abroad aimed at capturing that knowledge to accelerate development of goods–both tangible and intangible–without having to pay the rents that have funded the US economy for decades of dwindling manufacturing," Ray of SecureAge said. 
 
"Even if the US somehow found a domestic market devout and large enough to finance a return of manufacturing of US-designed goods, those foreign actors will not only still target American IP to reduce their development costs, but will now also have a larger attack surface: the manufacturing equipment, materials, and logistics reliant on robots, AI, and data," he said.
 
Tim Danks, vice president, risk management and partner relations at Huawei Technologies, said, "There's been grandiose talk of big manufacturing moves to the US, but the results to date find most of these are greatly lagging, very limited in scope and scale or not even coming to fruition at all."

There's a pill for that

China, for example, manufactures 90% of US antibiotics, Vitamin C and Hydrocortisone, 70% of acetaminophen, 70% of pharmaceutical ingredients and up to 45% of Heparin. Nearly all ibuprofen sold in the US was made in China. Some studies suggest up to 80% of the basic ingredients in US drugs come from the PRC (People's Republic of China). The FDA (Federal Drug Administration) reported that the PRC is the second-largest exporter of biologics and the primary source of medical devices.

US consumers may be able to survive without electric blankets and telescoping umbrellas (99% and 98%, respectively, made in China), but trying to do so without needed and even life-saving medication is going to be a rather big problem.

There are actually a few reasons drug companies might consider making a dramatic change and bringing the manufacturing of medical drugs back to the US. Aside from the obvious health and lifestyle needs, tensions have risen between the US and China, and range from high tariffs to implications, by even the US president, of China being the starting point/cause of the COVID-19 crisis. 

SEE: COVID-19: A guide and checklist for restarting your business (TechRepublic Premium)

"Due to inexpensive labor, more lax manufacturing processes and lower environmental standards, it hit home that the large bulk of critical items such as N95 masks, food, and medicines were being manufactured in China," said Erich Kron, security awareness advocate at KnowBe4.

Paying the price

Vulnerability is always a risk "when you make big changes," said Tony Howlett, CISO at SecureLink. "Speed also lessens security and if production is ramped up too quickly, infrastructure could be inadequately secured. Legislation and regulation also take time, many years in some cases, so it will likely lag behind the actual risk."

While China is singled out here (it is, after all, the country that provides the most products for US companies), the 1994 North American Free Trade Agreement moved even more factories out of the US and into Mexico and Central America. 

Medications—even by those covered by insurance—are already pricey, and with patients having to absorb the decidedly higher cost of US production, are likely to be more affordable.

 "Those Americans willing to pay higher prices for virtually every tangible item to be made in the U.S.A. will be tested early and often enough to prevent any meaningful shift away from foreign dependency on manufacturing to ever happen," Ray said.

By nature, drug manufacturing (and the funds the black market would bring) could cause security breaches. 

Mind the data breaches

"Manufacturing is one of the most targeted industries for cyberattacks and data breaches," said Art Sturdevant, senior director, solutions engineering at Censys. "As the industry adopts more and more IoT, cloud computation and automation, there are increased opportunities for a data breach with unsecured wireless networks, servers with weak passwords, and malware infections."
 
Sturdevant added: "Manufacturing is largely about how quickly you can turn out widgets. While most US manufacturers have excellent IP to manufacture products, very few companies have sufficient security measures and programs in place to protect their most valuable assets against threats and vulnerabilities."
 
"Manufacturing will have to up their game considerably in terms of protection from DDOS, ransomware, ICS, IoT, and IIoT attacks," Howlett said. "The government will probably also regulate manufacturing more, especially those areas considered strategic or national security related." 

SEE: Top 100+ tips for telecommuters and managers (free PDF) (TechRepublic)

"In any scenario by which the U.S. relinquishes its massive net importer-status to become a self-reliant manufacturing hub, the digital systems and data running all of it would be even more vulnerable than the digitally stored IP that it currently produces," Ray said. 

"Autonomous farm equipment or welding machines can be hacked and attacked from anywhere on the planet in a way a human laborer cannot. But with a labor force both too expensive and paltry compared to those in countries like China and India, the US will have to rely on machines to manufacture a quantity and variety big enough to satisfy the demand that Americans are uniquely known for throughout the world."

Also see