March 16, 2023

New Dutch semiconductor export controls, a global regime grows

In a March 8 letter, the Dutch Ministry of Economic and Development Cooperation and Ministry of Foreign Affairs notified the elected Parliament of its plan to implement additional export control measures for advanced semiconductor manufacturing equipment, consistent with unilateral measures implemented by the United States government October 7, 2022 targeting exports to China. Specifically, the measures are aimed at controlling the “most advanced” technologies in the semiconductor production cycle in which a Dutch firm has a unique and leading position. ASML interprets it to mean its Twinscan NXT:2000i and subsequent Deep Ultra Violet (DUV) immersion lithography systems.

Citing “technological developments and geopolitical context” without mentioning China, the Cabinet will submit a confidential proposal to the consensus-driven Wassenaar Arrangement  (unlikely to succeed given Russian membership), while simultaneously establishing a national control list through its own public ministerial regulation, and also ask its EU and bilateral partners to adopt these measures through the appropriate dual-use regulation provision. Whether or not other states actually implement or adopt the licensing restrictions is an open question.  

The measures are based on existing Dutch dual-use policy and a strategic framework outlined in a December letter to Parliament. The framework defines three additional strategic goals with (inter)national security in mind, specifically;

  1. preventing Dutch goods from contributing to unwanted end use, such as military deployment or in weapons of mass destruction;
  2. preventing undesirable long-term strategic dependencies; and
  3. maintaining Dutch technological leadership.

Decision making about what dual-use goods to control occurs on a case-by-case basis and involves risk analysis based on confidential and public sources, including state threat actor assessment and domestic and military intelligence community reports, which only highlight a global “tech race” for economic and military development, and claim knowledge and technology espionage threats from China although no evidence is cited. An inconsistency between the goal of preventing military use and the proposed controls is that military applications typically involve more mature semiconductor technology. And, as is the case in dual-use regimes, the technology being controlled here has other widespread applications, for example, the AI field.

The Dutch framework is similar to what developed in the United States over the past several years, fusing national and economic security concerns with other measures to protect certain domestic technologies. It includes an “investment test (security test law, investments, mergers and acquisitions) and knowledge security measures” and also bolstering production onshore to “maintain technological leadership” through subsidization efforts like the European Chips Act

The Dutch strategic goals suggest an overarching question in need of an answer – how are economic competitiveness and benefits affected when a globalized industry sector that produces instrumental goods is burdened with (inter)national export controls? We can possibly draw on lessons from experience, e.g., in space-related technology or strong encryption. It is unknown whether any economic analysis of the trade-offs involved and potential impacts of the untested regime was performed. 

A new cyber social contract

The Biden Administration’s long-awaited cybersecurity strategy is here, and it seems the new office of the National Cyber Director is starting to pay off. The strategy’s language suggests a giant leap forward since the previous iteration in 2018. This new document aims to “reimagine the American cybersocial contract” as acting national cyber director Kemba Walden stated.

According to the strategy, cybersecurity is still considered a market failure where stakeholders underinvest and costs are disproportionately borne by some and not others. Critical low-margin sectors like water and sanitation cannot afford to increase cybersecurity investments whereas in the finance sector, the marginal cost of improving cybersecurity is not only absorbable but also tied to their business models with increased digitization. While the strategy keeps the demarcation of stakeholder responsibility purposefully vague, it makes it clear that real cybersecurity is about the protection of critical infrastructure and protecting what is most vulnerable. With this new cyber strategy, the Biden administration is sending a strong signal that they will soon work with Congress to try to pass mandatory cybersecurity requirements for critical infrastructure operators beyond the energy sector.

This fundamental shift from industry-self regulation to mandatory cybersecurity regulations has not been attempted since the Liberman-Collins proposal back in 2012. This bill would have granted DHS significant new authority to assess and serve civil penalties on owners and operators of CI that were in noncompliance with cybersecurity regulations.

The New Cybersecurity Strategy follows Liberman-Collins in correctly identifying a systemic problem in critical infrastructure protection stating that we are “layering new functionalities and technologies onto already intricate and brittle systems.” The convergence of IT and OT which the strategy refers to as “digital operational technology” has been an ongoing security concern.

The failure of Liberman-Collins illustrated significant structural differences between the ICT and energy sectors. The energy sector is the only sector with mandatory CIP Reliability Standards for a reason. The ICT sector is incredibly more complicated and spread across different industry verticals. Platforms, telecommunications providers, and cloud services providers, were also able to lobby against those measures. While the road will be similarly long and controversial today, critical infrastructure operators would be well advised to preempt government-defined cyber requirements with better security.
The strategy’s solution to the federal government’s aging OT systems like the Hoover Dam is to modernize and apply zero trust architecture across the board, which is much easier said than done. Assuming “modern” is a euphemism for networked/smart, even Cisco which sells industrial internet of things devices admits that for some systems it’s better to just not connect them to the internet at all. 

Otherwise, the strategy came up short of proposing new solutions for the thorny issue of information sharing. Perhaps some of the suggested “interagency deconfliction” will address path-dependency problems in the DHS/CISA regime like having separate communications and information technology sectors. Finally, the software liability and safe harbor framework proposed in the cyber strategy deserves to be addressed in a standalone post.

India Cracks Downs on Smartphone Manufacturers 

In yet another move to extend its control over the communications in India, the government is contemplating obligations for smartphone manufacturers operating in India. Most smartphones come with pre-installed apps that cannot be deleted. These pre-installed apps control several critical functions like taking photos (camera), storing documents (wallets), digital payments and accessing the internet (browsers). Smartphone manufacturers also include other proprietary apps in their devices as part of monetisation agreements. According to Reuters, smartphone manufacturers in India may soon be forced to allow removal of pre-installed apps and a lab authorized by the Indian Bureau of Standards will screen devices for compliance. Apart from providing an uninstall option, device manufacturers may also have to seek approval from the government before rolling out major updates to their operating systems. 

These obligations appear to be part of the Indian government’s crackdown on Chinese companies. Following border skirmishes in 2020, India has restricted Chinese companies access to, or banned them from the Indian market. Mandating removal of apps and screening of each major update to the operating system before it is rolled out to consumers is aimed at addressing concerns about “spying and abuse of user data by foreign players”. It remains to be seen how manufacturers respond to these efforts. Representatives of Chinese companies Xiaomi and BBK Electronics which dominate the Indian smartphone market, Samsung, and Apple have met with officials at India’s Information and Technology Ministry to discuss these obligations.