an image that incorporates the theme of repurposing the Country of Origin (COO) concept for cybersecurity risks in digital products.
///

The war in Ukraine: Why knowing the country of origin of tech components is vital?

Is it possible to repurpose the Country of Origin (COO) concept to address cybersecurity risks in digital products?

The war in Ukraine has demonstrated the significance of knowing the Country of Origin (COO) of technology product components. For example, a single Iranian drone was found to contain parts made by more than a dozen US and Western companies. Moreover, digital products can contain hardware components, software elements, embedded systems, and data from various countries and computing environments. Considering this, several questions present themselves: How can this conundrum best be addressed to support national security? How can the end consumer be better informed about the origin of the digital products he/she is buying? And what are the implications for these products’ sustainability and recyclability?

Digital Products and Cybersecurity Risk

Even before the Russian invasion of Ukraine, the director of the UK National Cyber Security Centre, Ciaran Martin, warned that  “Russian-made anti-virus software should not be used in systems containing information that would harm national security if it was accessed by the Russian government”. This reference to the Kaspersky anti-virus software product, which is readily available and deployed in the West, highlighted the risks such products pose when their true origin, purpose and function are unclear. Similarly, Google decided to withdraw the licence for using the Android mobile operating system in Huawei products because of the potential threat of information leakage to the Chinese government. Additionally,  just this month, the US government was moving to ban the Chinese social media product TikTok, with the Republican committee chair, Michael McCaul, describing the product as a “spy balloon in your phone”. In short, unless every component of a digital product can be identified and its origin and purpose can be verified, the product as a whole may constitute a cybersecurity risk.

Repurposing the COO Concept

Recent research in Turkey has highlighted how the COO concept could be redefined and repurposed to provide a framework that might contribute to addressing such cybersecurity risks. Through a series of workshops and face-to-face interviews with public officials and private sector professionals working on digital products, an initial list of 37 parameters pertaining to digital products was identified. After discussing with the interviewees and conducting an online survey of professionals from various public sector departments involved in digital projects, the parameters were refined. These were then reduced to a final list of 18, classified into four main categories or “influences”: hardware, software, platforms deployed, and producer of the final product (see Table 1).

Final parameter list for digital product COO evaluation
Table 1. Final parameter list for digital product COO evaluation

An important consideration is that some products, despite appearing to be made in one country, are not entirely produced within that country. This fact is not reflected in the current COO assessment. Today, the most commonly used parameters for COO determination are, in general terms, production place, headquarters location and/or domestic capital deployment. This is replicated in many COO regulations, predominantly used in various countries to assess tariff calculations rather than determine products’ true domesticity. This means that the “Made in…” labelling may be misleading at best and, at worst, plainly wrong.

The Xiaomi Smartphone Example

In Turkey, three main parameters are used for assessing digital product domesticity – production place, content rate and certification of the manufacturer in the Turkish Industrial Registry. If a product satisfies two of these conditions, it is classified as Turkish. For example, Xiaomi Corporation, a Chinese company that designs and manufactures consumer electronics and software, has a factory in Turkey that employs 2000 people to produce smartphones. Although all the component parts are imported through Xiaomi’s international subsidiaries, the production place of the smartphone is in Turkey. Despite the negative content rate due to this fact, Xiaomi has obtained an industry registry certificate that enables it to engage in legal transactions in Turkey. Therefore, the smartphone is considered a Turkish product because it satisfies two of the three criteria.

Table 2. COO Evaluation of Xiaomi mobile phone using a proposed parameter list

However, an assessment of the same smartphone using the proposed COO parameters would show that most are negative (Table 2), which would almost certainly preclude a “Made in Turkey” labelling.  Using such a scale for COO assessment could therefore lessen import dependency. At the same time, governments could also introduce subsidies and incentives for domestic companies to develop products with a certain threshold of domesticity to compete more effectively with global technology manufacturers.

Security and Sustainability Aspects

Moreover, a repurposed COO assessment would allow for greater scrutiny of the security considerations alluded to above. If the storage of data produced from an imported product is managed in the cloud via an unvetted third party, there is an obvious risk that the data may be leaked or hacked. If the COO assessment confirms this to be the case, then organizations and governments that wish to store strategic data safely would be reluctant to use such products.  Given the spiralling costs of data security breaches, these data-related security considerations may also affect a product’s value and potential use. The COO parameters put forward here, therefore, allow a fuller assessment of related data security issues.

There are also implications for the sustainability of the digital supply chain, i.e., the consideration of the circular economy. Clarifying the origin and makeup of different digital technology components could facilitate an assessment of their sustainability and recyclability.  Reuter noted that “metallurgy is a key enabler of a circular economy; its digitalization is the metallurgical Internet of Things. In short: metallurgy is at the heart of a circular economy, as metals all have strong intrinsic recycling potentials”. This demands a consideration of a wide range of measures and systems to assess the resource efficiency and reusability of digital product parts. This, in turn, requires clarity on the origin of the component parts and software elements contained in digital products; an accurate and realistic COO assessment could be a step towards this end. 

Conclusions

A new and more realistic COO assessment could provide the basis for implementing policies to exclude or impose higher levies on non-domestic digital products. At the same time, this would support the development of home-grown technology companies. Moreover, digital products from companies or countries considered a threat to security could be more effectively screened through such a revised set of COO parameters. Further research could refine and adapt the parameters put forward here, and additional criteria and formulas should be explored, not least in identifying recyclable or non-recyclable materials. Finally, linkages to other research, notably concerning circular economy product assessment, could be explored to combine security and sustainability concerns in a revamped COO assessment of digital products.

🔬🧫🧪🔍🤓👩‍🔬🦠🔭📚

Journal Reference

Ozdemir, S., Wynn, M., and Metin, B. (2023) Cybersecurity and Country of Origin: Towards a New Framework for Assessing Digital Product Domesticity. Sustainability, 15(1). https://doi.org/10.3390/su15010087

Serkan Ozdemir is a Research Assistant in the Information Systems Department at the Institute of Informatics, Middle East Technical University, Ankara, Turkey. He obtained his Master's degree from Bogazici University, Istanbul, Turkey. His current PhD studies focus on time series prediction using artificial intelligence models.

Bilgin Metin is the head of the Management Information Systems Department and the Cybersecurity Centre at Bogazici University. After receiving his Ph.D. degree from Bogazici University in 2007, he was appointed as an assistant professor in the Management Information Systems Department, where he became an Associate Professor in 2014 and a Professor in 2021. His research interests span multiple disciplines, including cybersecurity, information technology and privacy governance, and electronic design for information and communication systems. He has published over 100 papers in international journals and conferences. He also holds qualifications such as OSCP (Offensive Security Certified Security Professional), CISA (Certified Information Systems Auditor), CDPSE (Certified Data Privacy Solution Engineer), and ISO 27001 Lead Auditor.

Martin Wynn is Associate Professor in Information Technology in the School of Business, Computing and Social Sciences at the University of Gloucestershire and holds a PhD from Nottingham Trent University. He was appointed Research Fellow at East London University, and he spent 20 years in industry at Glaxo Pharmaceuticals and HP Bulmer Drinks. His research interests include digitalisation, information systems, sustainability, project management, and urban planning. His latest book, Handbook of Research on Digital Transformation, Industry Use Cases, and the Impact of Disruptive Technologies, was published in 2022.