Supply Chain Risk

Now that President Trump stuck a national security fork into it and ended Broadcom’s hostile bid for Qualcomm, it’s a good time to put politics aside for the moment and consider supply chain risk.

Japanese government officials mention supply chain risk from time to time: who and what country makes the components and writes the software controllers that go into our smart devices, and where the final products are assembled. How secure are all those components from all those places, and what’s the risk? More than a few people have wondered if the NSA and other security agencies knew about and exploited the Spectre and Meltdown flaws and if Intel designed them on purpose.

It’s not only the hardware side either. In light of Apple handing over iCloud keys to the Chinese government, software services also fall under supply chain risk: who holds the keys to our cloud data and digital wallet transaction records, where that data is stored, and how secure it is.

Huawei’s Jeff Wang, regional president for Japan and Korea, gave an interview to IT Media in late 2017 for the Mate 10 Pro rollout. When asked if future Huawei models would incorporate global NFC, Wang said yes but explained that Huawei needed to build up their cloud service first to “support FeliCa”. In other words, Suica and FeliCa credit card payment network support will be tied to Huawei Pay. It goes without saying that all the transaction data from Huawei Pay will be stored in China with the crypto keys held by the Chinese government. The same goes for QR Code contactless AliPay and WeChat Pay. Japanese are well aware of the risks:

Demerits of QR Code Payments

  • QR requires a good network connection
  • Slow transaction speed
  • Weak security, and Chinese QR Code payment apps (AliPay, WeChat Pay) keep transaction records in Mainland China
  • Device needs to be on and screen active
  • No ‘on the spot’ refunds

Merits of FeliCa (NFC-F) Payments

  • Works without network connection
  • Very fast transactions
  • High security and transaction records stay in Japan
  • Device can be off (Android only) or screen off (Apple Pay Suica, Mobile Suica Android)
  • On the spot refunds

AliPay, WeChat Pay and Huawei Pay will never be taken up by Japanese customers no matter how much carriers or banks extol them or competing Japanese QR payment services, but they are not aimed at Japanese customers anyway. They are about capturing Inbound Chinese business leading up to the 2020 Tokyo Olympics.

It’s a given that Apple assesses and manages supply chain risk like all risks, but you can be sure it will never be discussed in the Apple Supplier Responsibility report. Tim Cook has put far too many supply chain eggs in the mainland China basket and this carries a great risk for Apple. At some point the China basket will break and Apple’s position as a top American company might break with it.

UPDATE: Tim Cook’s Apple Legacy