Much modern technology relies on American inventions: The internet sprang from a Department of Defense (DoD) project, microprocessors from Intel researchers, and operating systems Windows and macOS from the founders of Microsoft and Apple, respectively. These early developments allowed the United States to dominate the technology market for decades. However, this long-held technology primacy is coming to an end. Countries worldwide are developing their own high-tech sectors and are beginning to compete with U.S. companies in international markets.
Some of these high-tech products are from adversary countries, causing espionage and surveillance concerns. However, while the United States has focused on Huawei’s links to foreign espionage operations, for example, this is only part of the problem. The decline of U.S. primacy in technology poses another, less explored threat: More international products in consumer markets will likely become a detriment to the United States’ ability to conduct vulnerability research at scale to enable its own offensive and defensive computer network operations.
It is, simply put, a complexity problem. While many foreign technologies may be similar to or based on U.S. products, they are unique systems with their own sets of code and potential vulnerabilities.
The intelligence community seeks to exploit the vulnerabilities in technology to develop offensive capabilities, collect intelligence, or remain persistent within a network. To do this, researchers first must obtain the target technology. More international products in consumer markets, therefore, will be a detriment, not just because of the number of products to be analyzed, but also because of the efforts of some countries to ensure their products are not acquired or analyzed.
Companies headquartered in adversary countries can be tightly linked to their nation’s intelligence community, because of either their technology’s dual-use applications or their country’s laws and norms. These firms have a vested interest in ensuring their products do not fall into the hands of vulnerability researchers (in the U.S. government or otherwise), to ensure the security of both their company and their related intelligence organizations.
Native Chinese applications, for example, are often difficult to obtain overseas, even by Chinese citizens living abroad. Obtaining a copy of North Korea’s Red Star OS is even more difficult; most publicly available versions originated either from online leaks or copies of a version purchased in North Korea.
In addition, vulnerability research is incredibly difficult to scale. The proliferation of foreign technology suggests the United States will have to go through the process of obtaining foreign products more frequently. Then it will have to conduct vulnerability research against all the acquired products to develop defensive and offensive capabilities, a notoriously difficult, expensive, and laborious process. While access to source code reduces the cost and effort required, the likelihood of obtaining access to foreign software, let alone its source code, is slim. Growing vulnerability research requirements will require significantly more funding and manpower than the United States currently invests.
While the decline of U.S. technological primacy might seem inevitable, there are steps the country can take to mitigate its fall. Increased collaboration and partnership between the private and public sectors could allow DoD to remain at the forefront of technological breakthroughs. The nonprofit venture capital firm In-Q-Tel continues to invest in cutting edge technology companies, while federally funded research and development centers such as MITRE and MIT Lincoln Laboratory have projects in which civilians assist with proof-of-concept development.
Programs to speed foreign acquisitions approvals also must be developed. Groups such as the Defense Innovation Unit and the National Security Innovation Network are pioneering new ways to speed the acquisition process for cyber projects. Encouraging new and existing avenues for collaboration between private and public sectors for vulnerability testing and foreign technology analysis, or automating such analysis through initiatives such as the Defense Advanced Research Projects Agency Cyber Grand Challenge, also can provide inroads into scaling vulnerability research for emerging technologies. With enough effort, the United States can stay secure within this rapidly evolving technological landscape.