Become a Creator today!Start creating today - Share your story with the world!
Start for free
00:00:00
00:00:01
How to Sabotage a Supply Chain
3.5k Plays11 months ago
In this episode, we speak to Theresa Campobasso about the threats facing supply chains across the world.
Theresa Campobasso is Senior Vice President of Strategy at Exiger, a Supply Chain Security software company, where her operational and technical strategies drive success for both federal government organisations and private industry. She has spent over 15 years in supply chain security, and prior to her time with Exiger, she led the Critical Asset Protection program at KPMG, where she developed a microelectronics supply chain software solution that was selected as a winner in the U.S. Air Force’s 2019 AFWERX Challenge. In addition to her private sector experience, she served as a Marine Corps Intelligence Officer and, after leaving active duty, provided counterintelligence support to DIA’s Office of Counterintelligence, where her CI work included Research, Development, and Acquisition CI and helping establish DIA’s first Acquisition Risk Task Force. She completed her graduate studies at the Georgetown Security Studies Program, where she focused on Technology and National Security. She’s a former Rumsfeld Foundation Fellowship Recipient and a current member of the foundation’s Alumni Board. She was recently named as a "Top Supply Chain Executive to Watch in 2023" by Washington Executive Magazine.
Recommended
Transcript
Introduction to Podcast and Hosts
00:00:02
Speaker
Welcome to How to Get on a Watchlist, the new podcast series from Encyclopedia Geopolitica. In each episode, we'll sit down with leading experts to discuss dangerous activities. From assassinations and airliner shootdowns through to kidnappings and coups, we'll examine each of these threats through the lenses of both the Dangerous Act to seeking to conduct these operations and the agencies around the world seeking to stop them. In the interest of operational security, certain tactical details will be omitted from these discussions.
00:00:34
Speaker
However, the cases and threats which we discuss here are very real.
00:01:05
Speaker
I'm Louis H. Prisant, the founder and co-editor of Encyclopedia Geopolitica. I'm a researcher in the field of intelligence and espionage with a PhD in intelligence studies from Loughborough University. I'm an adjunct professor in intelligence at Science Pro Paris and in my day job I provide geopolitical analysis and security focused intelligence to private sector corporations.
00:01:26
Speaker
My name is Colin Reed. I am a former US intelligence professional now working in the private sector to bring geopolitical insights and risk analysis to business leaders.
Teresa Campo-Basso's Career and Experience
00:01:35
Speaker
So in today's episode, we're discussing how to sabotage a supply chain. And joining us for this is Teresa Campo-Basso. Teresa is a senior vice president of strategy at Exeter and a supply chain security software company, where her operational and technical strategies drive success for both federal government organizations and private industry.
00:01:56
Speaker
She spent over 15 years in supply chain security and prior to her time with Exager, she led the Critical Asset Protection Program at KPMG, where she developed a microelectronic supply chain software solution that was selected as a winner in the US Air Force's 2019 AFworkz Challenge.
00:02:13
Speaker
In addition to her private sector experience, she served as a Marine Corps Intelligence Officer, and after leaving active duty, provided counterintelligence support to the DIA's Office of Counterintelligence, where her counterintelligence work included research, development, and acquisition, CI, and helping to establish the DIA's first acquisition risk task force.
00:02:36
Speaker
She completed her graduate studies at the Georgetown Security Studies Program, where she focused on technology and national security. She's a former Rumsfeld Foundation Fellowship recipient and a current member of the Foundation's Alumni Board. She was recently named as a top supply chain executive to watch in 2023 by Washington Executive Magazine. So Teresa, thank you very much for being here and welcome to the show. Thank you so much for having me. I am a big fan of this podcast and excited to get to talk to you all today.
00:03:03
Speaker
That's always great to hear. Well, that's a hell of a career there. So the question we always like to ask for interesting folks, such as yourself, is how did you get into your line of work for kind of young graduates listening to this who are thinking about their careers ahead of them? You know, what sort of advice would you give them and how did you end up where you are today? Sure, absolutely. Well, I know when most people think about national security career, the supply chain may not be the first thing that they necessarily think of. And I was certainly in that boat as well.
00:03:31
Speaker
I knew that I wanted to get into public service, national security. And so as you had heard in my bio, I did start my career in the Marine Corps. And I was thinking I was going to do intelligence analysis. I was going to work in the government or work in the military my entire career. And what I found was that when I actually got out to Japan, I was originally attached to a Marine Air Group. It was MAG-12 out in Japan. And a lot of my job was not just focused on kind of the big national security elements of supporting the Marine Corps.
00:04:01
Speaker
But it was learning a lot about military technological superiority. My undergraduate work was actually in English. I mean, I was always really into writing and analysis and technology was never something I was originally drawn to. But once I actually got into it, I discovered that there was so much opportunity and so many interesting different things to learn and to start planning for and a lot of really significant opportunities.
00:04:27
Speaker
for both national security improvements and also national security vulnerabilities. And so it was something where as soon as I really got involved in it, I was just hooked. So from then I kind of got more and more, you know, I kind of stayed in the general technology arena, but I got more and more drawn into kind of the defensive aspects of military technological superiority through specifically securing the supply chain.
00:04:52
Speaker
So a couple of different iterations within my job or my professional background around especially the microelectronics piece, right? That's a big challenge that people have been trying to solve. And I realized that you didn't necessarily have to have a hard sciences background or proficiency to be able to really intelligently parse and talk and understand the implications of some of these technological considerations. And so,
00:05:20
Speaker
actually not having undergraduate work in engineering necessarily helped me kind of maybe translate some of those concerns to a non-technical audience and be able to have better outreach. So a little bit of an unexpected career path for me, but really, really enjoy it.
What is the Modern Supply Chain?
00:05:36
Speaker
So Teresa, I want to stay on that theme because there's this statement, right? That amateurs talk strategy and professionals talk logistics. So that statement kind of implies to what you're saying, right? That logistics and supply chains, they're far from these sort of anodized and boring topics that I think a lot of casual people might think that they are. They're actually sort of encompassing almost everything that modern militaries or governments or corporations do. Can you give us a little bit of a breakdown of how you define supply chains? What does that mean to you and why do you get excited about that?
00:06:05
Speaker
Absolutely. This is such a good question to start with, I feel like, because the answer has changed so much, especially in the recent past as far as what we understand to be part of a supply chain. Originally, this term came from around the 1900s around manufacturing, right? The earliest supply chains were really three families of third parties. You had your raw material suppliers, then you had your producers or your manufacturers of some kind.
00:06:31
Speaker
Then finally, the consumers and that was really the initial supply chain, pretty simple. Then as manufacturing gets more and more complex or maybe more globalized, got different types of third parties. Now we start seeing organizations like transportation and logistics companies, warehouses, distribution centers, shipping companies, research and development labs, mining and ore refineries, things like that. But again,
00:06:57
Speaker
the family of third parties is still pretty focused on the creation of physical, tangible goods. So for many, many, many years, supply chains were really just focused on that physical production ecosystem of relationships. But more recently with the rise of cyber attacks, digital compromise, the term supply chain has now really come to refer to a network of relationships also related to intangible or digital products. And I'm sure we'll kind of get into some of the cyber implications later on,
00:07:27
Speaker
But I know that the US recently published this executive order, it's 14028, Improving the Nation's Cybersecurity. And that specifically calls out a software supply chain and a software bill of materials. And that's fairly recent. And I would say the last thing would be people. So people are now understood to be key elements of supply chain. So it's not just about the security of the companies that you're working with or the products that are being created, be they're tangible and tangible, but also the individuals that make up those organizations.
00:07:56
Speaker
So that's really part of the reason that I get so excited about it is it's just changed. And it's just this incredible opportunity for national security by establishing the transparency within that ecosystem. All of a sudden you have the ability to address vulnerabilities, to make decisions that are going to result in an increase to safeguarding these technologies that are critical for national security.
00:08:20
Speaker
So I think that that's what's really exciting to me, just the changing and evolving concept of supply chain risk management, right? We've moved from just when we talk about supply chain risk from really business continuity, customer service, things, you know, focused on more efficiency, right? The risk of an inefficient or a costly supply chain for a business to now looking at, you know, security, integrity, authenticity of components.
00:08:46
Speaker
establishing trust with your network and your relationships and using that to kind of increase the integrity of the overall system. So I think that that's really exciting.
00:08:56
Speaker
Let's stay on this theme of national security. That first category, that physical things part of the supply chain, the semiconductors, the oil, the ball bearings, what's the benefit of an adversary targeting these things as a mean to disrupt their adversary versus, say, just targeting the finished product, the finished tank, the finished armaments and so on?
Why Target Supply Chain Components?
00:09:19
Speaker
I think you can think about this in a similar way to a traditional kinetic attack. If you're going after a hardened target, a center of gravity for your opposing force, that's overwhelmingly, frequently going to be more difficult. It's much more difficult to target. It's less likely to succeed, perhaps. Certainly going to be more expensive in terms of the resources or the time required to pull off a really successful effective attack. And at the same time,
00:09:47
Speaker
Both countries and organizations are really good at identifying their mission critical assets or crown jewels and protecting them. We've got a lot of nations investing so much into physical security, cybersecurity, these really expensive, professionalized, multi-layered programs to protect those finished products and those critical assets. So it's going to be a lot harder to target them.
00:10:14
Speaker
Nations don't typically adopt the same security first, really targeted approach, defensive mindset when it comes to the production and the assembly of every single component or subcomponent or down to the individual part level that goes into that finished weapon system. And there's a couple of reasons for this. The first reason could be the obfuscation that happens with a lot of supply chains, right? I mean, most organizations can't even tell you who is in their supplier ecosystem. And I think
00:10:45
Speaker
There was a recent statistic that came out, and I'll check where this actually came from, but it was a study that had been done, I think it was the Ponemon Institute, and they said that only 2% of organizations could articulate their own supply chain relationships beyond the second tier. And supplier networks, especially for very complex products or software products, have so many different tiers down to that raw material level or down to that code level.
00:11:12
Speaker
So that lack of transparency makes it very difficult to secure every node in that supply chain because we don't really know who's in our supply chains. But then the other driver for the failure to adopt that really strong security posture is that supply chain ecosystems kind of expand exponentially the further down into the tiers that you get. And it's very cost prohibitive for a lot of organizations to
00:11:39
Speaker
try to secure every single node in that sub-tier supplier ecosystem to the same degree that they would safeguard that finished critical component, especially when it comes to things like non-logic bearing components. I think you'd mentioned ball bearings. I think that the risks are understood to some degree when it gets to logic bearing components like microelectronic components. People have seen a lot of different types of compromise. They generally know
00:12:04
Speaker
that this is a vulnerability if there isn't some kind of establishment of trust and integrity in those components. But really, even with the non-logic bearing components, there's still that risk of compromise in kind of two ways, I think. One is going to be that the compromised or defective hardware perhaps intentionally being inserted into a supply chain. And again, that's going to be a lot easier to do at the point of entry as opposed to once the assembly is finished, a finished tank, right?
00:12:34
Speaker
But then oftentimes when manufacturers are awarded a contract in any country, especially with government customers, they are provided with something that's called the next highest assembly information. So that is typically going to be some kind of a schematic of that equipment inside of which that supplier's part or component needs to fit. So if that next highest assembly information, even if it's not the full finished weapon system,
00:13:01
Speaker
if it's proprietary technology or if it's dual-use technology, and the company receiving it doesn't really employ that strong physical or cybersecurity or even personnel vetting, then it's much easier for a bad actor or an adversary to steal that information from the manufacturer than from either the large technology company that's the reseller or the government organization. So there's that vulnerability as well. So I think it's just so much easier
00:13:30
Speaker
to target that larger base of smaller organizations that typically don't have that defensive mindset. So Teresa, you also mentioned a few minutes ago that the understanding of what the supply chain is, is expanded, right? Beyond those physical things, those components that go into production, but also now including things like software, like data, like the workers. Why is that happening? Why is that definition expanding? Are these softer targets for disruption? I would agree that they are.
00:13:59
Speaker
I think if you were to ask most people today who work in logistics or supply chain in some way, even just acquisitions community, do you consider individuals a key part of your supply chain? I think a lot of people would be very confused as to why you were asking them that. When we look at personnel risk, most people kind of, it tends to fall into either, oh, background investigations to establish trust in an employee, or perhaps an insider threat program to maintain
00:14:28
Speaker
trust in an employee. But people don't think about individuals as potential vectors for supply chain threat, right? But we see that all the time, especially in things like research and development communities or the university environment, right? A lot of dual use research is happening in universities. And that is how a lot of intellectual property theft or supply chain compromise can happen because the culture of academia
00:14:58
Speaker
is not... We talked a little bit previously about the defensive mindset, having maybe a threat-based perspective about supply chain as opposed to just that legacy, business continuity, optimizing for efficiency. And I think universities, again, are an environment where typically, despite the fact that a lot of government-sponsored or big organization-sponsored research happens, dual-use research happens,
00:15:23
Speaker
there is this culture of collaboration that in some ways I think is at odds with the responsibility to protect that dual use research. And I mean, this is publicly available information, right? So people know when a government organization funds academic research, like there's certain organizations within the university of the academic environment that have that dual use research term in their name. So you would easily be able to figure that out and
00:15:49
Speaker
an example would be the MIT Institute of Soldier Nanotechnology. That one's pretty evident. Unfortunately, they have good defensive mindset in that program. But it's certainly easier to get at intellectual property and perhaps exfiltrate it or try to engineer some kind of response to it or countermeasures to it before it gets into production and the defensive
00:16:16
Speaker
posture around that technology changes. So, I mean, I think there's all sorts of examples we can go into for the university environment and kind of the supply chain, you know, threats around universities and do use especially military technology development that, you know, talent recruitment programs, foreign research collaborations, foreign organizations sponsoring research alongside a domestic government organization, you know, in some research environments that gives them
00:16:47
Speaker
physical access to labs where that gives them rights to the intellectual property themselves. Obviously, talent recruitment programs, you're having a foreign government organization bring perhaps either a US scientist or a scientist within that country into working to benefit other nations.
00:17:09
Speaker
Maybe even from a resilience standpoint, a supply chain resilience standpoint, a large percentage, at least in the United States, of advanced degree students in STEM fields are from overseas. How is that going to impact the future workforce and the future skill set of the US technology economy? Because we're losing that skill set and knowledge base if all of those students are returning to their home countries at the end of their studies.
00:17:38
Speaker
I think there's a lot of different things that you can explore in that regard. I know I'd mentioned MIT. I think in 2021, there was that big case around the professor of mechanical engineering, Gong Chen, and a couple of these things, the talent recruitment, the affiliation with another foreign university, the technology transfer of taking that dual use research. Actually, it was from the MIT Institute of Soldier Nanotechnology.
00:18:06
Speaker
and using that to benefit a foreign university or foreign organization, what's the quantitative impact on US national security? So I think there are a lot of different examples of that type of technology transfer in the university environment for sure. I think my own experience as an academia, we just really enjoy talking about our work as well. So getting academics not to talk openly about this stuff is really challenging.
00:18:35
Speaker
Oh, I absolutely agree. And I mean, I think that there's a benefit in that international collaboration, right? I mean, if we don't have those avenues of approach for people to be able to collaborate internationally where the whole world really loses the benefit of that innovation, so how can you balance those things?
00:18:50
Speaker
Let's just come back to this idea of disruption. When you talk about disrupting a supply chain, immediately I'm thinking about bombing a factory, sinking a tanker ship.
Historical Examples of Supply Chain Disruptions
00:19:00
Speaker
The creators of this podcast, we tend to have pretty dangerous thoughts in that direction.
00:19:06
Speaker
Does disruption always imply destroying something? Or are there other ways to do this disruption without physical destruction? You talked about the tech transfer element, but what if my goal is purely to stop an adversary from producing something? That's a great question. I think that there are so many different historical examples of disrupting a supply chain where
00:19:31
Speaker
really nothing was destroyed. And I think in World War II, a lot of the work around the railroads supply chain challenges, right? Some of my favorite stories are where the railroad infrastructure actually wasn't destroyed. I know in other areas against the German resistance there, they would actually dismantle or physically disrupt the rails themselves and kind of deny the enemy the ability to use them. But I think my favorite examples are where they would just misroute the trains
00:20:02
Speaker
People would just get lost. The supplies would be sent somewhere totally different, or the workers would be confused or told something that was counter to what the truth was. And so they would lose supplies. It was misdirection, a lot of obfuscation. So it was really denying the enemy the ability to effectively use that infrastructure, but it really didn't destroy anything. Now, of course, there were many other examples where physical infrastructure was destroyed.
00:20:31
Speaker
But I mean, they would cause minor accidents, there would be schedule delays, misdirecting trains. And I just feel like that's something that you wouldn't necessarily think of when you think about a supply chain sabotage or a supply chain attack, but it was really effective. And I know there were other World War II examples where misdirection and kind of misrouting shipments was really effective.
00:20:53
Speaker
It's funny that you mentioned that because there's a sort of apocryphal poster that I've seen around which, you know, this is common in sort of tech meeting rooms and tongue in cheek discussions, right, where it's this page from the SOE sabotage manual for agents in occupied Europe in World War Two. And there's this whole page that's basically like if you want to really slow down your enemy,
00:21:12
Speaker
You need to make sure that their meetings are really long, that they never come to a conclusion, and that everybody talks, and there's no real outcome from the meeting. That's the best way to slow down the enemy. So I've seen this tongue-in-cheek sighted in corporate management culture today. I love it. There's some truth in that.
00:21:30
Speaker
Teresa, we've buried the lead long enough.
Taiwan and Microelectronics
00:21:34
Speaker
You've mentioned the microelectronics, the semiconductor supply chain thing a few times. Let's talk about that elephant in the room. Give us your two-minute brief on the Taiwan situation. Are the vulnerabilities exaggerated? Are they underplayed? What are their angles to this that people are maybe not considering? This is a tough one because there's a lot of different implications. The
00:21:55
Speaker
Taiwan situation around microelectronic production specifically kind of has a couple of different aspects in it. I think the first is around not just microelectronics in general, but specifically about advanced microelectronics. I mean, there are a lot of different kind of semiconductor fabs that exist in the world that basic microelectronic components can be created, right? Basic semiconductors can be created. But when it comes to components on a chipset that are below a certain
00:22:26
Speaker
It's a certain nanometer dimension. There are really only a few different places where those can be made. And so that does present a challenge. And what we see is people trying to account for this by creating products that no longer rely on advanced microelectronics.
00:22:48
Speaker
which is not a great solution because these products are missing out on the advantages. I mean, that's why the advanced chipsets and microelectronics were developed, right? To be able to have these capabilities that they have. And so trying to weed those out of the supply chain because we think that we're going to future, you know, lose access to that market, that really disadvantages the technology and the capabilities. So I don't know that that's the right answer either.
00:23:16
Speaker
I do think there's all sorts of different thoughts on the future states and the economic competition with China, Chinese likelihood of invasion of Taiwan, what would the United States do, what would the global community do, and how that would affect semiconductors and the availability. I think we would see extreme shortages. I think we would see a lot of immediate, pretty serious ramifications. I don't know that that's a surprise to either of you all, but there have been some
00:23:47
Speaker
I mean, we see like a lot of investment in the United States around things like the CHIPS Act, right? Trying to reassure a lot of that capability to what extent that's going to be possible. We'll have to see, right? Because there's a lot of concurrent investment that needs to be made in things like, I mean, we already just talked about the workforce, right? The skillset, the academic background of a lot of the students who are engaging in this type of study in the US, right? So sure, maybe we bring a lot of the capability
00:24:15
Speaker
into the United States, but how are we supporting that with some of the individuals, the skill sets, the S&T environment, the R&D environment in the United States? And then also, if we're throwing all this money at semiconductors, this current state, how are we missing a potential opportunity to invest in more capable alternatives? I feel like
00:24:39
Speaker
The CHIPS Act is so focused on just semiconductors that we're really missing a lot of opportunities there as well. There's so many different tangential topics that really touch on the Taiwan situation. I'm sure there are much more eloquent answers out there than the one I just gave you, but that's my stream of consciousness, like what I most immediately think of when I'm discussing this kind of problem.
00:25:04
Speaker
I've seen reference to Taiwan as kind of Arrakis from June for the sci-fi nerds listing. This idea of this kind of one location that's so central to the economy because of this kind of magical substance that's created there. And I just want to kind of revisit that last point you made there then. So if we kind of say, okay, the semiconductor is the thing that's drawing everyone's attention here,
00:25:30
Speaker
What is the next semiconductor?
Future Risks in Supply Chains
00:25:32
Speaker
What do you think are the next emerging risk items, products in the supply chain risk field? I think that resilience, I mean, I know we've talked a lot about security and integrity through our conversation thus far today, but I feel like a lot of resilience challenges are going to be on the horizon. And that's maybe the next big technology shortage, especially around critical elements, critical minerals.
00:25:59
Speaker
I know we've already seen a lot of disruption and a lot of shortages in availability of critical elements like lithium that has a lot of implications for electric vehicles and different kind of production and technology, but also alternatives to PFAS, especially for CBR and D uses, right? I mean, we've got this carcinogenic chemical, polyfluoroalkyl substances, PFAS, PFAS,
00:26:25
Speaker
And the compliance environment around this chemical has really changed pretty dramatically in the recent past. We've got the largest manufacturer, a company called 3M, no longer going to be making this. And globally, the PFAS alternatives are going to be required. And I think for some use cases, like the basic consumer goods, that's no problem. There are plenty of alternatives, but for some
00:26:52
Speaker
specialized use cases where you need perhaps a flexible, impermeable fabric for counter CBR&D purposes. There isn't an alternative that exists, right? There's been a big push in the S&T community to try to come up with something. But I just feel like there are a lot of either shortages or resilience issues that are going to
00:27:17
Speaker
become more and more significant, not just access to advanced microelectronics like we just discussed. And CBR&D, can you just quickly tell us what that means? Oh, yes, I'm sorry. It's chemical, biological, radiological, and nuclear substances, CPR. We've been listening to How to Sabotage a Supply Chain with Teresa Campobasso. After the break, we'll talk a little bit about how to protect supply chains.
00:27:50
Speaker
You have been listening to How to Get on a Watchlist, the podcast series from Encyclopedia Geopolitica. If you like this show, don't forget to check out our other content at Encyclopedia Geopolitica, which you can find at howtogettontawatchlist.com, where you can find our analysis on various geopolitical issues, as well as reading lists covering topics like those discussed in the podcast.
00:28:15
Speaker
Please also consider subscribing to the podcast on your streaming platform of choice, giving us a rating and joining our Patreon.
00:28:28
Speaker
So Teresa, supply chain risk seems to exist at every level from whole of government efforts to secure vaccines to small businesses trying to find eggs to bake cakes with. Are there organizational principles that you use when you're helping clients map where on that risk spectrum they sit?
Mitigating Supply Chain Risks with Maturity Models
00:28:43
Speaker
And how do you help them conceptualize how they begin mitigating these supply chain risks? I think as we kind of talked about earlier, because the supply chain ecosystems have gotten so complicated,
00:28:56
Speaker
it can be really, really difficult for organizations even to understand where to get started. And, you know, for, for my own work with my customers that I work with on this problem set, we use kind of a maturity model where you've got kind of different stages of awareness and maturity. And, you know, you're trying to move your organization up that curve to transform from really a reactive model where you're kind of just responding to a crisis that arises.
00:29:22
Speaker
to more of a proactive model where you're anticipating different kinds of risks or disruptions or challenges, and you're able to take some kind of action before something becomes a problem, which is obviously better for national security, my favorite topic, but it's also better for these businesses, right? At the same time, you want to be secure, but you don't want your business to cease operations. You don't want to not be able to provide something to your customers. So when we're talking about moving an organization along a maturity curve to become more aware and more proactive,
00:29:52
Speaker
The first thing that I would urge every organization to do, every business to at least think about, business, government organization, whatever it is, from that small bakery use case that you mentioned to a large multinational corporation, is countering that first big problem that we talked about when I was telling you what excites me about the supply chain. That obfuscation, that challenge in mapping out and establishing that transparency, that is the most
00:30:22
Speaker
effective thing that an organization can do because if you don't know who's in your supply chain, you don't know what risks you should even be considering, right? And maybe you're a small bakery and you don't think, you know, like I think what was your example trying, somebody trying to get eggs, right? Maybe you have been getting all of your eggs from a small business in your hometown and then all of a sudden they decide they're going to retire or they have a, some kind of a, I mean, I'm trying to think what
00:30:51
Speaker
the host of supply chain challenges would even be for an egg provider, a poultry influenza outbreak, something where the one supplier, the single node of your critical egg supply totally disrupted. You have no resilience built into your supply chain. You have no alternatives, no backups. All of a sudden, you're not going to be able to, you better start making some egg-free baked goods because you don't have any alternatives.
00:31:20
Speaker
You never want to be in that situation as a business, right? Or as a government, just nobody wants to be in that situation. So how can you set up a program to be proactive and predictive from the ground up? How can you kind of purpose build a program to be able to anticipate these things and respond to them before they become a problem? So fortunately these days, yes, our supply chains are more complex. Yes, our supply chain challenges are much more broad.
00:31:47
Speaker
than what we may have had to deal with in the 80s. But we also have a lot more access to data. We also have a lot of emerging technology. AI is something we could definitely talk about that is going to help us solve a lot of these problems and establish that transparency. Mapping out the current state is number one, and there's a couple different ways you can do that. Identifying from your first-tier suppliers, who are they doing business with?
00:32:14
Speaker
There's open source information you can use to put some of this together. A lot of people employ third-party risk management programs where they will actually work with the suppliers and have them report who they're sourcing their own materials from, and you can work down your supply chain that way in partnership with your suppliers, which helps establish trust. Mapping, getting that transparency, and then you can make an informed decision about, okay, where do I need to increase my resilience? I don't have that single source of egg failure.
00:32:44
Speaker
Or where do I need to maybe stop doing business with someone if I find that they are high risk? They are presenting a risk to my organization that I don't want to accept. How can I go elsewhere? How can I find an alternative supplier that is of lower risk? Maybe they're based in a different country that I have a better relationship with.
Complex Global Security and Supply Chains
00:33:02
Speaker
Maybe they have a better compliance environment, whatever it is. But you can start making those decisions and then measuring the impact on your program. That's how you move along that maturity curve.
00:33:12
Speaker
probably the biggest thing that I would tell everyone to do. So what about next steps beyond that? Because you've spoken a lot about how the organizations are getting more complex, how the supply chain inputs are more complex. But also, we're seeing, as we've discussed during this episode, the environment itself is getting more complex. It's a point that I make a lot in my work is that the post-Cold War environment
00:33:39
Speaker
Western-based businesses, any business basically had the ability to spin the globe, point their finger and say, let's go build a factory there. It's all about maximizing efficiency, as you talked about before, that just-in-time fulfillment. And now what we're suddenly seeing is a bunch of conflicts popping up across the globe. We're seeing new kind of blockification of the global economy, and it's suddenly getting less reliable. It's not as simple as just, we buy from this country because it's the cheapest, it's the most efficient. You've also got to think about geopolitics.
00:34:08
Speaker
So, as we see that environment change, this more complex global security environment, what are the next mandatory steps you think corporations would need to start thinking about when it comes to optimizing their supply chains to build that resilience that you've touched on? That's such a good question. Because when everyone talks about optimizing, what are they all talking about? Lean Six Sigma, smart warehouses, digital transformation, we're optimizing for
00:34:35
Speaker
We're not optimizing for resilience, and we're certainly not optimizing for security. But inherent in your question, you bring up this great point about the increasing number of both internal and external challenges around supply chain, geopolitical tensions certainly being chief among the external. But we've also got a rising rate of things like catastrophic weather events. If you've got a manufacturing facility on the coast of Japan, how do you plan for increasing rates of tsunamis or things like that where it's a physical
00:35:05
Speaker
physical security issue, the rates of climate variability and rising sea levels. What impact is that going to have on the physical elements of a supply chain? The long way around to answering your question, looking at some of those external and internal challenges, I think there's four things I would tell an organization to really be mindful of. But when we're looking at the external challenges, the additional ones that I really see, and when I say external, I really just mean a supply chain challenge
00:35:31
Speaker
that an organization doesn't necessarily have control over, right? Like an imposed challenge. So like geopolitical tensions, maybe the international compliance environment. I know there's a lot of pressure for organizations to comply with things like net zero or ESG and ESG is, oh my goodness, what is ESG? I believe it's environmental sustainability and governance, but I won't make a note to Chuck. But the ESG compliance,
00:36:01
Speaker
And then rising rates of counterfeits, rising rates of cyber attacks, so kind of intentional issues, availability of parts. We saw a lot of issues with long lead times during COVID-19 delays in organizations getting things that they had been able to order, access to raw materials. And then we talked a little bit about kind of the challenges around maintaining a skilled workforce and also diminishing manufacturers, right? A lot of specialized production methodologies are
00:36:30
Speaker
being reduced. People are going out of business. They're changing their factories. They're trying to follow where the high rates of production are. And so they'll change over a factory and kind of do away with a previous specialized manufacturing skill set and equipment. And so how do you maintain those things that you still need to update? So that's when we talk about external challenges, a lot of those are inherent in a program that would be optimized for resilience, but not necessarily all of them. Organizations are typically thinking about
00:37:00
Speaker
cost, schedule, performance, and maybe not planning in for some of these other kind of external imposed considerations. And then at the same time, organizations are struggling with internal considerations or internal challenges. What I mean by that would be either a lack of data, a lack of transparency. We already talked about the challenges in mapping out the supply chain and just establishing that visibility. Number one, budgets are always tight. There's always a lot of competition internally for funding.
00:37:30
Speaker
if there isn't stakeholder buy-in or kind of championship and leadership from an organization, then it's very difficult to get any kind of investment to establish a threat-based supply chain program like we would want, right? So this organizational culture around having that kind of a threat-based, security-optimized, resilience-optimized program. So when I kind of boil all this down for folks that I'm working with, I kind of give them four guiding principles
00:38:00
Speaker
I would consider these mandates for an effective supply chain program, but we'll say guiding principles is a little softer perhaps. I would say first and foremost, when we talked a little bit about this earlier, the challenge around some of the legacy definitions and the legacy understandings of concepts like logistics or supply chain, right? It was very Lean Six Sigma, and a lot of people who go through academic programs around supply chain
00:38:25
Speaker
they really focus on a lot of those elements, right? I mentioned smart warehouses kind of off the cuff earlier, and that is really an important thing, right? We want those skill sets to be included in our supply chain programs and our logistics programs. However, oftentimes today we find that supply chain programs within an organization tend to be pretty siloed. They're not really well organized or integrated with other security elements of a company like a cybersecurity program.
00:38:52
Speaker
or an insider threat program perhaps, or kind of a physical security program. So the first kind of guiding principle I would say would be integration with other roles and missions within your organization. The more collaborative you can have your supply chain program be, the more likely they will, the individuals working there and the design of that program, the more likely that will be to be more
00:39:18
Speaker
predictive, more proactive, because they'll have a broader definition of what supply chain is and what are all the factors that could impact a supply chain adversely. So that's kind of the first one. The second is very similar, and that would be kind of casting the widest net when we talk about supply chain risk.
Guiding Principles for Supply Chain Programs
00:39:34
Speaker
So we went through some of the internal and external challenges a minute ago, but just being able to show not just that you're focused on risks to cost schedule and performance in your acquisitions,
00:39:47
Speaker
but also that you're looking at things like cybersecurity or operational risk or the compliance environment, ESG, whatever it is. We talked about catastrophic weather, all of those different things. If you are including them in your program, even if the likelihood is very small, but the impact is very large, if you don't include it in your program, you're never going to be able to proactively address it. And if anything were to happen, you'll always be caught off guard.
00:40:13
Speaker
being able to look at the widest set of risks and incorporate that into your program is going to set you up for success, whether you're a government or business. Transparency is kind of my third guiding principle. I would say that we've talked a little bit about that to this extent. I think we've established why it's important to be able to map out who is in your supply chain so that then you can make decisions about whether you want to keep them in your supply chain or not. And then the last one would be
00:40:39
Speaker
to implement some kind of a continuous monitoring. And this is just the way we do for insider threat programs today, right? Where you've got, you establish trust upfront, and then you are using an insider threat program to continue to establish trust for an individual while they work in your company. So same with having a supplier in your supply chain. You want to vet them and make sure that you want to do business with them when you're first doing your acquisition.
00:41:05
Speaker
that they're not going to present unnecessary risk to your organization or to your product that you're creating. But then you also want to continue to vet them through continuous monitoring and make sure that they are continuing to act in a way that merits your trust and continuing to foster that business relationship with them. So those would be the four, I would say, guiding principles, I guess, that I would think most effective programs are going to be able to incorporate.
00:41:32
Speaker
Teresa, I want to stay on this theme of moving from compliance to a threat-based mindset here. I think it's environmental, social governance, or whatever it was that you said. I think you're not alone in struggling to remember what
00:41:48
Speaker
What do those things mean? What do those terms mean? What are we trying to accomplish when we talk about ESG goals for a corporation? And there's been tons of headlines this year. Is ESG past its prime? Is this still a useful thing for corporations to think about when they're trying to approach sustainable and resilient operations? And I think really a big part of that challenge is that people are still operating with ESG as a compliance mindset. It's something that your board mandates that you do. And here's the bare minimum metrics that you need to hit in order to be compliant. And then you're done with that. And you can move on to making money.
00:42:18
Speaker
So I want to come back to this theme that you've kind of pulled out for us here, which is that when you move away from that compliance mindset towards something that's more proactive and threat-based or you could say opportunity-based, right? How does that change how your business operates? Are there sort of early wins or success stories you've seen in your work with clients that you can point us towards that maybe corporations can start undertaking as the first steps in this culture change? I think that
00:42:45
Speaker
Compliance is a very good place to start. People implement these compliance mechanisms because they are generally effective at helping organizations understand how to start wrapping their hands around a thread or a vulnerability that's out there. But I think there's also a challenge if that's your only guiding principle. Something that we just talked about was casting that really wide net. If you're just teaching to the test or going down the checklist or only
00:43:13
Speaker
creating your program set up for the letter of the law, you're always going to be leaving yourself open to the unknowns, right? If you're only looking at what's already been mapped out and what's already required, the compliance environment is not known necessarily for being dynamic or proactive. And I don't mean that as a hit on any compliance professionals. I think compliance is very important and it has this really critical role at organizations. That being said,
00:43:43
Speaker
Compliance environment can also be very bureaucratic. It can also be very reactive. And compliance environments are only, you know, and compliance checklists are only created to address known threats. And frequently what you find is the threats that have been around long enough to have gone through a bureaucratic compliance process, have a standard published about them, have best practices and guidelines kind of pushed out to, you know, businesses or whoever. I mean, by the time you set up your program to comply with those standards,
00:44:14
Speaker
I mean, the nature and the dynamic evolution of threats is far outpacing how quickly the compliance environment can adapt. And that's just the nature of it. It's not a negative or a positive. It's just kind of the fact. So compliance is very important. It's a great place to start. The compliance guidelines that are out there are, you mentioned ESG.
00:44:40
Speaker
You're absolutely right. The S is social. Don't tell anyone I forgot that. ESG, if you're setting it up and you're saying, okay, well, I need to check every company that I do business with and make sure that they're not on this human rights watch list, that's a great start. That's definitely something that you should be doing.
00:45:04
Speaker
What do you want to do that kind of goes beyond that? If you're really looking at, we'll take forced labor as an example. If you're looking at combating the threat of having a company employing forced labor in your supply chain, yes, as a compliance mechanism, you should check that the name of the company is not on the list. But companies are probably not going to be advertising if they're employing forced labor. So what other data sources can you pull in? What other kind of analytics can you apply to your acquisitions program
00:45:33
Speaker
to really make sure that you don't have companies that are secretly, covertly employing forced labor. Maybe you look at the types of goods that they're producing. Maybe you look at their physical footprint. Maybe you look at where their IP addresses are coming from if you don't think that their physical footprint and their actual labor force are, you know, if they're not being honest about that. You know, how are you going to be able to measure open source indicators of data to prove or disprove that a company is acting in the way that they say they are? How can you trust but verify?
00:46:02
Speaker
That mindset is going to lead you to take a wider variety of activities than what may be required by the compliance environment. And it's going to give you better insight into the true drivers of vulnerability and the true drivers of threat in your supply chain. So that's kind of how I think about it when I talk about kind of a compliance-based mindset versus really a dynamic threat-based mindset and being able to keep that proactive approach.
00:46:30
Speaker
I just want to come back to a point you made earlier. You introduced this idea of AI and emerging technology helping with this challenge.
AI and Climate Change in Supply Chains
00:46:37
Speaker
Can you talk a little bit more about this? It seems almost tailor-made for if you're faced with such a complex problem set like supply chain risk, it feels like AI is going to be the solution you need. Is that right? I love this question. I think that there's so much that AI can do that makes solving elements of this problem
00:47:00
Speaker
possible in a way that they weren't previously. We talked a lot about the complexity and the challenges around mapping and establishing transparency of the supplier ecosystem. AI is really, really effective at discovering trends that you don't necessarily know that you need to be looking for. So when we're talking about all the data that's available to us, sometimes that creates a lot of noise. Sometimes that makes analytics more difficult for a supply chain program. And so AI is really great at taking large data sets
00:47:30
Speaker
coordinating, maybe discovering critical nodes, maybe surfacing hidden trends, proactively flagging indicators of a particular risk if you can set up a risk framework. And you know, even assessing and predicting like likelihoods of events and contingencies, we talked about kind of catastrophic weather events as a good example, right? There are indicators that maybe a hurricane is going to hit at a certain location, right? Or, I mean, all sorts of different kinds of indicators of geopolitical things like civil unrest.
00:47:58
Speaker
or pandemics, things like that, right? How can we use AI to measure indicators through open source data that can give us a head start so we can make a decision? That's a great thing that AI is really well designed and well suited to do. Now, there are other kind of, when we look at some of the internal challenges that we talked about earlier, on one of them, you know, kind of making sense out of a large disparate data sets, AI is very well suited for that. But when it comes to things like implementation and really
00:48:27
Speaker
You know, one of the truest drivers of success of a supply chain risk management program is that kind of organizational culture and that key stakeholder buy-in. And AI is not going to help you with that. I mean, you can have the greatest, most risk-informed, best risk framework, you know, phenomenal data sets. But if you don't have an organization that wants to do anything with that information and that wants to be proactive and that wants to shift that legacy mindset of thinking about supply chain as primarily a logistics and an acquisition kind of legacy problem set,
00:48:57
Speaker
and really look at it as more of a security problem set. AI is not necessarily going to give you a lot of gains there if you don't have some of those other kind of organizational culture implementation things kind of aligned.
00:49:09
Speaker
Teresa, you mentioned the catastrophic weather. I think that's a supply chain risk that people maybe don't think that much about, but probably is the one that causes the most disruption on a yearly basis. I want to talk about climate change. Is climate change helping this transition? Is it harming this transition? What's the complicating factor there? Can it be managed in the same way as other risks, or is there a different set of calculations that go into that? Climate change, climate variability is definitely
00:49:38
Speaker
climate security, that's what I'll call it. The climate security environment, certainly on the forefront more frequently of discussions now than it was even two or three years ago, I feel like it's becoming a bigger and bigger consideration. I think that there's a lot more information also about the potential impacts of climate security that
00:50:06
Speaker
people are understanding, oh, this is much more prevalent than just, oh, we're going to have to change our compliance environment. We're going to have to be able to show investors that we're not polluting. We're a green company. I think it was something that people tended to brush off or maybe overly politicized. But I think there are a lot of real physical impacts to supply chains as a result of climate security. And rising sea levels is a big one for any coastal
00:50:34
Speaker
there are different kind of, I mean, going back to the AI topic that we discussed a minute ago, there are a lot of models out there that you can predict what is going to be the physical impact to certain coastlines, coastal areas of rising sea level. And you can kind of run those models and project that over time. And so also for things that require, you know, maybe cold storage or certain temperature controls, like how is that going to be
00:51:01
Speaker
either less feasible in the future or much more expensive in the future. And you can run those models as well. I think that because the likely impacts are much better understood now, people are taking a really a lot more of a serious stance when it comes to planning this around as part of a supply chain program. I think a lot of those risks are knowable. They are measurable. They are a little bit predictable, unfortunately, without a lot of mitigating effort, right?
00:51:29
Speaker
as far as combating the climate security issues. But I think being able, we can plan for those impacts much more effectively now than we could previously. I think they're gonna continue to become really important in the physical security aspects of supply chain. All right, so it's time for our final question. And I know for a fact you have some diabolical thoughts that we've talked about in the past, but what keeps you up at night? What's the scenario that you're really concerned about?
00:51:58
Speaker
I think there are some really disruptive technologies out there that we may not be really kind of planning for necessarily. I think we understand a lot of the challenge around things like semiconductors, loss of critical materials. I think that even competing challenges around data, but I feel like the untapped
00:52:25
Speaker
innovative area around synthetic biology. That's something where I feel like there are so many possibilities that maybe haven't been built into our plans. I think governments and organizations have so many current day competing challenges. They're really good at focusing on what in the Marine Corps we would call the closest alligator to the boat. But we don't have necessarily a lot of, hey, in 30 years from now, what's going to be the biggest supply chain challenge?
00:52:54
Speaker
And I think that lack of strategic planning is probably what keeps me up at night. Well, Teresa, thank you very much for joining us. Thank you so much for having me. It was a great conversation. I appreciate it. Well, that was Teresa Campo Basso discussing how to sabotage supply chain with us. Our producer for this episode was Edwin Tran. Our researchers were also your hosts, Colin Reed and me, Louis H.Epson, as well as Edwin Tran and other unnamed members of the Encyclopedia Geopolitical team. To our audience, as always, thank you very much for joining us.
00:53:24
Speaker
If you enjoyed this show, please consider checking out our other content at Encyclopedia Geopolitica. We'd also appreciate it if you could subscribe to the podcast, leave a review, or support us on Patreon. Thanks for listening.