9 min read

Cyber Supply Chain Regulation: Governing Dual-Use Technology, Cryptography, and the Global Cyber Supply Chain

Cyber Supply Chain Regulation: Governing Dual-Use Technology, Cryptography, and the Global Cyber Supply Chain

Introduction

Defense and technology surveillance equipment, whether embodied in software, hardware, or a combination of both, is rarely produced by a single actor. These systems are built from modular components with discrete functions that are integrated to perform a specific task [1]. A cyber weapon, for instance, may combine software with hardware components such as clipper chips, microprocessors, and peripheral logic units. Because these components can be manufactured anywhere in the world and assembled in a separate location before final sale, the resulting product passes through a genuinely global supply chain — a development made possible by international trade and investment liberalization [2].

This liberalization has been a net benefit for the growth of information and communication technology, and it has disproportionately benefited economies such as China. But the same interdependence that lowers costs and accelerates innovation also creates vulnerabilities. Cyberterrorism, malware, data theft, and advanced persistent threats are not solely the product of malicious code; they are also enabled by the tampering of people, processes, and knowledge at various points along the "cyber supply chain" [3]. This article examines how the international community has attempted to govern that supply chain — through regional security arrangements, intellectual property law, and multilateral export control regimes — and identifies the gaps that remain.

Supply Chain Cybersecurity

"Supply chain cybersecurity" refers to the set of practices aimed at securing the information technology systems, software, and networks that make up a supply chain. It rests on two basic premises: first, that security is indivisible — a weakness anywhere in the chain is a weakness in the whole system — and second, that the nature of a breach can only be understood by examining the people, processes, and knowledge flows involved, not the technology alone. Cybersecurity, in other words, is not purely a technical problem. Supply chain risk in this sense spans sourcing, vendor management, continuity planning, transportation security, and a range of other functions across an enterprise, and addressing it requires coordination across all of them [4].

That risk can, at least in part, be managed through better regulation of cyberspace. The relevant regulatory instruments — international laws, agreements, and policies — are inherently multilateral, since supply chains themselves span multiple jurisdictions and stakeholders. The remainder of this article considers three such instruments: the Shanghai Cooperation Organisation, the international patent system as applied to cryptography, and the COCOM/Wassenaar export control lineage.

Regional Governance: The Shanghai Cooperation Organisation

One of the earliest efforts to regulate cyberspace at the regional level was the Shanghai Cooperation Organisation (SCO), founded by China, Russia, and several former Soviet states [5]. India and Pakistan joined the organization in June 2017 [6]. The SCO's stated purpose is political, military, and economic cooperation, but a central and often overlooked objective is the preservation of data sovereignty in cyberspace: member states are formally obligated to respect one another's control over data within their borders [7].

In practice, that obligation has not always been honored. Reports of Chinese cyber espionage directed at Indian defense facilities suggest a clear tension between the SCO's stated principles and the conduct of at least one of its founding members [8]. The episode illustrates a broader limitation of the SCO framework: it addresses data sovereignty in principle but says little about the technical means — cryptography and encryption — that actually protect the confidentiality and integrity of sensitive data [9]. Nor does it address the export or import of cryptographic technology, the dual-use status of many cyber tools, or supply chain security more broadly. Those questions fall instead to the Wassenaar Arrangement, a regime to which India, China, and many other states are notably not party.

The Patent System as a Mechanism for Regulating Cryptography

Rising demand for sophisticated technology over the past decade has pushed corporations toward heavier investment in research and development. The rapid growth of the information and communication technology sectors in India, China, and Israel owes a great deal to multinational corporate investment of this kind. India's experience is instructive here: despite this investment, its domestic patent regime remained comparatively weak for much of this period, which limited the extent to which locally developed cryptographic and security innovations could be protected and commercialized on the same terms as innovations from jurisdictions with more mature IP systems.

Patents applied to computer programs — software patents — have become a significant vehicle for protecting innovation in this space. Some of the most consequential software patents granted by the U.S. Patent and Trademark Office fall within the field of cryptography [10]. Internationally, the World Intellectual Property Organisation administers systems of IP protection across a large number of countries, including the United States [11]. The patent system therefore functions as an indirect but meaningful regulatory lever: by shaping who controls cryptographic innovation and on what terms it can be licensed or transferred, it influences the same underlying concerns — data sovereignty, dual-use control, and technology diffusion — that the SCO and Wassenaar frameworks address more directly.

COCOM and the Wassenaar Arrangement: Regulating the Export and Import of Dual-Use Technology

After the Second World War, the Coordinating Committee on Multilateral Export Controls (COCOM) was established, headquartered in Paris, to monitor and govern the transfer of technology from developed supplier countries, with the primary objective of limiting the growth of Soviet military capability. As the Cold War ended, COCOM's rationale weakened even as the Soviet Union had, by that point, spent enormous sums developing its own arms capabilities regardless. A successor regime was needed, and this led to the establishment of the Wassenaar Arrangement.

The Wassenaar Arrangement is broader in scope than COCOM. It aims to regulate, coordinate, and harmonize policy on the export of conventional arms and dual-use goods through two lists: the Munitions List, which tracks conventional weapons, and the Dual-Use Goods and Technologies List, which covers technology usable for both peaceful and military purposes. Its founding objective was to promote regional and international security and stability by increasing transparency and responsibility in the transfer of weapons and dual-use equipment [12]. This concern with dual-use technology has deep roots: during the Cold War, both the Soviet Union and the United States invested billions of dollars in space programs that simultaneously advanced rocket technology and intercontinental ballistic missile capability, and it was this overlap that first crystallized dual-use technology as a distinct category — technology usable for both civilian and military ends [13].

Unlike COCOM, Wassenaar membership is based on specific, predefined criteria: a state must produce or export arms or associated dual-use goods and technologies, maintain a national policy restricting the sale of weapons and sensitive technologies, and adhere to the broader non-proliferation regime. Combined with the absence of any member veto over another member's export decisions, this makes Wassenaar a more inclusive form of governance than its predecessor. There is no strict, enforceable compliance mechanism; instead, members are expected to report on their transactions semi-annually through the WA Secretariat in Vienna [14].

The United States, for its part, uses both domestic and global export control tools to manage the flow of goods and to advance its broader foreign policy objectives. During the Cold War, it used these tools to deny advanced Western technology to the Soviet Union and its allies. That effort was only partially successful — the Soviet Union still acquired less sophisticated versions of the relevant technologies and invested heavily in its own research and development — but the scale of that investment is widely credited with contributing to the economic strain that preceded the Soviet collapse.

The Big Shift: Bringing ICT Into the Dual-Use Framework

Information and communication technology products sit uneasily within the dual-use category: they serve both civilian and military applications and can, in principle, contribute to the proliferation of weapons of mass destruction. Over the past decade, the exclusivity that once defined this space — with the United States and the Soviet Union as the only serious developers of advanced technology — has eroded. Export control itself has, somewhat paradoxically, encouraged many states to pursue indigenous technology development, while multinational corporations have become significant vectors for technology diffusion in their own right. These developments pushed policymakers to bring specific ICT products within the export control regime, while still weighing industry concerns about the resulting compliance burden.

The Wassenaar Arrangement first addressed secure encryption software controls in 1998, and the list was updated in 2013 to include surveillance and intelligence-gathering software [15]. That update proved controversial. "Intrusion software" is defined under the Arrangement as anything designed to avoid detection from monitoring tools or to defeat protective countermeasures, and which can modify or extract data from a system or monitor it [16]. Critics have argued that this definition is drawn too broadly: penetration-testing tools used by security professionals to identify and resolve system vulnerabilities technically fall within the same control-list category as genuinely malicious intrusion software, even though they are not, in practice, monitored under the regime with the same rigor. The gap between the letter of the definition and the practice of enforcement is itself a standing concern about the regime's effectiveness.

Within the United States, the Department of Defense and the Department of State assess the national-security dimensions of technology transfers, while the Customs Service and the Bureau of Export Administration, under the Department of Commerce, hold primary responsibility for enforcing technology transfer controls. Commerce and State, through their participation in the export control regime, also shape the underlying rules — typically toward greater stringency [17]. This division of labor raises a broader institutional question worth flagging for future work: agencies charged with this task must simultaneously manage well-understood, present-day transfer risks and adapt their frameworks to an evolving and less predictable technology landscape — a tension comparable to what organizational theorists describe as ambidexterity, the capacity to exploit existing capabilities while exploring new ones. Whether the current interagency model achieves that balance, or whether a different organizational structure would serve the same goals more effectively, is a question this article leaves open.

Conclusion and Directions for Future Research

The governance of the cyber supply chain today is fragmented across at least three distinct instruments — regional security arrangements such as the SCO, intellectual property regimes centered on cryptographic patents, and the COCOM/Wassenaar lineage of export controls — none of which was designed with the modular, globally distributed nature of modern cyber and surveillance technology fully in mind. The SCO speaks to data sovereignty but not to the technical or export dimensions of supply chain security; Wassenaar speaks to export control but excludes major cyber powers such as China and India from its membership; and the patent system shapes who controls cryptographic innovation without directly addressing proliferation risk at all. The result is a set of overlapping but incomplete regimes, each covering part of the problem and none covering all of it.

Several questions raised by this gap merit further research. First, the roles of the World Customs Organization and the World Trade Organization in classifying IT products — including cyber weapons and encryption software — remain underexamined, as does the relevance of the WTO's Information Technology Agreement to this regime. Second, India's own export-import framework for cyber and surveillance technology deserves closer study, particularly as the Digital India and Make in India initiatives have accelerated indigenous development of sophisticated surveillance and defense technology; how India monitors and regulates these capabilities, and what that implies for its international relations, is not yet well documented. Third, the potential benefits to India of deeper engagement with export control institutions such as Wassenaar warrant investigation. Fourth, a supply-chain-based taxonomy of security breaches — categorizing incidents by where in the people-process-knowledge chain they originate — could usefully inform defensive strategy. Finally, the relationship between domestic legislation such as the Digital Millennium Copyright Act and this international regulatory landscape is worth tracing in more detail. Each of these questions extends naturally from the analysis above and is left for subsequent work.


About the Author

Sanjana Rathi is the founder and CEO of The Cyberdiplomat, a cybersecurity and technology venture based in the USA and India. Her research focuses on cyberdiplomacy and critical infrastructure cybersecurity, including SCADA, OT, and other industrial control systems. She holds an M.A. in Security & Diplomacy from Tel Aviv University and an MSc in Management of Information Systems and Digital Innovation from the London School of Economics, and completed a Post-Graduate Diploma in Cyber Law and Cyber Forensics from the National Law School of India University, where her dissertation examined the legal and technical dimensions of cryptography export and import regulation. She has held research and advisory roles with INTERPOL, the Institute for National Security Studies (Tel Aviv), Technology Against Crime NGO Africa, and the Quality Council of India, and is a designated DMCA agent and IIA-certified cybersecurity auditor.

Connect: linkedin.com/in/sanjanarathi · thecyberdiplomat.com · sanjana.rathi@thecyberdiplomat.org


Notes

  1. Yoko Kubota, "Business News: Toyota Adopts More Modular Design — Decision to Adopt Production System with Shared Components Follows in Path of VW," Wall Street Journal (New York, N.Y.), Mar. 27, 2015, B.3.
  2. Ibid.
  3. Andre Mayounga et al., Cyber-Supply Chain Visibility: A Grounded Theory of Cybersecurity with Supply Chain Management (ProQuest Dissertations and Theses, 2017).
  4. Patrick Burnson, "Supply Chain Cybersecurity: A Team Effort," Supply Chain Management Review 17, no. 3 (2013): 6–7.
  5. Stephen Blank, "Making Sense of the Shanghai Cooperation Organization," Georgetown Journal of International Affairs 14, no. 2 (2013): 39–49.
  6. Michel Casey, "It's Official: India and Pakistan Join Shanghai Cooperation Organization," The Diplomat (Tokyo), June 12, 2017.
  7. Yaroslav Radziwill-Širjajev, Cyber-attacks and International Law: Imperfections of a Stagnant Legal Regime(PQDT – UK & Ireland, 2014).
  8. "India Fears Cyberspying by China," Network Security 2010, no. 5 (2010): 19–20.
  9. "Data Encryption; Encryption Key Management Leader Venafi Names Jeff Hudson as CEO," Defense & Aerospace Business (Atlanta), Nov. 17, 2010.
  10. Olena Ivus, "Does Stronger Patent Protection Increase Export Variety? Evidence from US Product-Level Data," Journal of International Business Studies 46, no. 6 (2015).
  11. "Microsoft Corporation Files Patent Application for Encryption and Data-Protection for Content on Portable Medium," Indian Patents News (New Delhi), Aug. 29, 2011.
  12. Richard T. Cupitt and Suzette R. Grillot, "COCOM Is Dead, Long Live COCOM: Persistence and Change in Multilateral Security Institutions," British Journal of Political Science 27, no. 3 (1997): 361–89.
  13. Samuel Evans, Technological Ambiguity & the Wassenaar Arrangement (PQDT – UK & Ireland, 2009).
  14. Ibid.
  15. Ibid.
  16. Jack Caporal, "Wassenaar Countries Move Toward Carveouts Aimed At Fixing 'Intrusion Software' Issue," Inside US Trade Daily Report (Arlington), Aug. 11, 2016.
  17. Hamed Alavi and Tatsiana Khamichonak, "EU and US Export Control Regimes for Dual Use Goods: An Overview of Existing Frameworks," Romanian Journal of European Affairs 17, no. 1 (2017): 59–74.