He has more than 25 years of experience in the information and communications technology industry. and has spent more than seven years in the UK government, where he was Her Majesty's government CIO and CISO. John Suffolk, Senior Vice President and Global Cyber Security Officer, Huawei Technologies Co., Ltd.

Every smartphone, tablet, personal computer, television, or even consumer white good has a global supply chain within it. Taiwan, for instance, produces a notebook computer every 0.35 seconds, a PDA every 8.54 seconds, and a desktop computer every 0.68 seconds. In the United States, a Government Accountability Office (GAO) Report published in March 2012 warned that the global supply chain of IT products could be putting national security at risk. According to the report, federal agencies rely extensively on computerized information systems and electronic data to carry out their operations. The exploitation of information technology (IT) products and services through the global supply chain is an emerging threat that could degrade the confidentiality, integrity, and availability of critical and sensitive agency networks and data.

According to the report, officials at the Departments of Energy, Homeland Security, Justice and Defence told investigators from the GAO that they did not know the extent to which their telecommunications networks contained foreign-developed equipment, software, or services. The Departments of Energy and Homeland Security had not defined supply chain protection measures. The Justice Department had defined protection measures, but had not implemented them or developed procedures for monitoring compliance with measures.

There appears to be no definition of what is meant by foreign-developed. While the report may have focused on telecommunications networks, it really needs to consider all technology from all vendors.

The reality is a single piece of equipment, such as laptop, can include components across the world from Canada, Ireland, Poland, Italy, the Czech Republic, the Slovak Republic all the way to China, Israel, Japan, Malaysia, the Philippines, Singapore, South Korea, Taiwan, Thailand, Vietnam, and many others.

The Chinese city of chengdu has 16,000 companies registered and 820 of them are foreign-invested companies. Of these, 189 are fortune 500 companies. Household brand names such as Intel, Microsoft, SAP, Cisco, Oracle, BAE, Ericsson, Nokia, Boeing, IBM, and Alcatel-Lucent are all located there to name but a few. Should what these companies do be considered foreign-developed?

Cisco has a huge presence in China, with R&D centers in six major cities. Over 25 percent of all Cisco products are produced by Chinese partners, and the company announced a USD 16 billion investment in China that includes training 100,000 network engineers and the opening of 300 centers at vocational colleges to train students in networking technologies. Cisco CEO, John Chamber, stated, "What we are trying to do is outline an entire strategy of becoming a Chinese company. Does this constitute foreign-developed?"

According to company reports, every major telecommunications equipment provider has a substantial base in China. Alcatel-Lucent has one-third of its global manufacturing done by Shanghai Bell, and Ericsson's joint-venture Nanjing Ericsson Panda Communication Co. has become the largest supply chain of Ericsson in the world in 2011. Nokia Siemens Networks had 10 manufacturing facilities worldwide - five in china (Beijing, Shanghai, Tianjin, Hanghzou, and Suzhou), and two in India.

In India, a mature professional set of international company and support services has been created over the last 20 years, providing technology on-shoring and off-shoring for the global enterprise community. In purely financial terms, total exports from the Indian IT sector were at USD 59 billion during FY11. The industry has seen strong growth at a CAGR of 16.4 percent during FY 2007-11 despite weak global economic growth, and India has generated world-class IT players, such as TATA, Wipro, Infosys, and HCL Technologies. World-class companies, like those mentioned above plus the likes of Siemens, HP, Philips, ABB, Flextronics, and AT&T have all established operations there. Cisco has over 8000 employees in India including R&D, sales, and business support staff. There is extensive support system for customers with 18 logistics centers. The Cisco global development center is in Bangalore and is the largest one outside of the United States. Cisco also established joint development centers with Wipro Technologies and Infosys Technologies in Bangalore, HCL Technologies in Chennai, and Zensar Technologies in Pune.

The concept of foreign developed in today's globally intertwined world is meaningless just as the notion that companies or products from one part of the globe can be trusted more than companies or products from another part of the globe. It has been speculated that whether this thinking is anything more than trade protectionism masquerading as national security. In today's globalized world, any policy toward cyber security that is based solely upon the nationality of the provider or upon where the provider's headquarters are located is bound to be ineffective. Any approach to cyber security that simply singles out companies on the basis of their national origin is not local. Such an approach is inherently discriminatory and violates most-favored-nation treatment.

A Microsoft paper entitled, cyber supply chain risk management toward a global vision of transparency and trust fully endorsed by Huawei highlights that vendors have a significant economic incentive to resist the efforts of national governments to taint the supply chain for a very simple reason. There is significant risk that back doors or other intentional defects will be discovered and made public, and such revelation will lead to loss of public trust, and, ultimately, market share. Indeed, it is likely that a company engaging deliberately in such activities may be forced out of business, especially if one appreciates that the loss of trust would be global; that is, even people in the vendor's home country are likely to reject a product with secret backdoors, even if they were inserted primarily so that the local government could obtain advantage against foreign adversaries. In many countries, there is concern not just about foreign surveillance, but domestic surveillance as well.

While government concerns are understandable, it is important that government responses do not threaten the vitality of the global ICT sector, stifling both innovation and competition.

When devices from multiple suppliers are connected to the technology infrastructure, the equipment and software are likely to be designed, developed, and manufactured via tens, if not hundreds, of companies from around the world.

The global ICT supply chain issue was summed up by Richard Clarke, who served as chair of the counter-terrorism security group and as a member of the National Security Council under President George H W Bush, and who also served under President Clinton. In 2002-03, Clarke served as a special advisor to President Bush on cyber security and chaired the President's critical infrastructure protection board that helped draft the United States National Strategy to secure cyberspace that was released by President Bush in February 2003. Clarke said, "Whether it comes from New York state or Shanghai, it probably has the same risk in software. There are people in the United States who can be bribed, too."