Where is 'domestic and national' in cybersecurity?

Debates about the reliability of technology products and supply chain security have been reignited around the world after Israel infiltrated the supply chain and detonated thousands of pagers and radios in Lebanon, causing many deaths and injuries. While one part of the technology world praised this as a 'targeted and skilful attack', another part emphasised the danger of accepting this type of attack as normal or reasonable. In Turkey, the main part of the debate on this issue is the praise of Baykar, Aselsan, etc., accompanied by cries of 'domestic and national technology'.

Before moving on to the question of 'to what extent can 'domestic and national technology', which is presented as the saviour, save us from supply chain incidents', it would be useful to make a few reminders:

• "The use of booby traps or other devices in the form of apparently innocuous portable objects specially designed and constructed to contain explosives" is prohibited by the "Convention on Certain Conventional Weapons", to which 107 countries, including Israel, are signatories. The operation praised by a certain segment of the technological world is an international offence.
• The effort to develop national technology is not meaningless or unimportant. However, within capitalism, except in a few exceptional cases, this effort has taken a form that can be reduced to the question of "which capitalist to prefer", with national capitalists and their international partners, if any, on one side and international capitalists on the other.

To answer the question of whether domestic production of technology can save us, we must first discuss the feasibility of such production. The problem is not whether we have the ideas and intelligence to do it, but the logistics of production. If you look at modern electronic devices, you are faced with an extraordinary complexity when you get down to the most basic components of these devices. A vast tangle of supply chains, often spanning dozens of countries. The arms of many suppliers, some providing natural resources, some making the chassis of the device, some making a circuit board, some developing the software, are linked together to create the final product. For all these processes to take place within the borders of a single country, they depend on various parameters, such as the availability of sufficient natural resources and the existence of qualified staff and facilities capable of carrying out the relevant work. Moreover, the conditions of capitalism imply that these parameters should be more profitable than outsourcing.

The production of machines designed to produce electronic devices above a certain level of complexity is also part of the same debate. For example, if you want to use extreme ultraviolet lithography in chip production, you have to queue at the door of ASML, the only company that makes the production tools, along with giants such as Intel, Samsung and TSMC. Again, in terms of software, unless you want to write everything from scratch, you have to use various open or closed source libraries and software. Any of this software and libraries can be the target of supply chain attacks, as happened with the XZ earlier this year.

Attacks on supply chains identify the point or points in all these production processes where they can infiltrate most efficiently. This could be through the adulteration of raw materials with a material that is not easily detectable in tests, but which could have an impact on the final product, as in the STUXNET example, where malware is infiltrated into a production device on a closed network via a USB stick sold in a nearby shop. Or, as shown in the documents leaked by Edward Snowden, the mechanisms for this type of attack can be established during the transport of devices.

Of course, various security controls are designed and implemented for all these production stages. However, in such complex processes, a well-disguised attack preparation can go unnoticed for months. In the US, the Solarwinds supply chain attack, which resulted in the infiltration of numerous government agencies, including the Departments of Treasury, Commerce and the Interior, the Department of Homeland Security and the National Nuclear Security Administration, was uncovered after nine months of activity.

Technical and logistical feasibility aside, the examples of supply chain attacks to date suggest that whether the technology is produced domestically or multinationally has little impact on protection. In this case, the thesis that 'domestic and national technology will protect us from supply chain attacks' is just 'domestic and national' propaganda that lines someone's pockets.

Supply chain attacks are a serious threat to both the security of citizens and national security. However, supply chain attacks would remain a serious threat even if the interdependencies that permeate all production processes from the raw material stage, and which are mostly impossible to liquidate, could be completely eliminated. The pro-government media, referring to the increasing cyber security threats and highlighting this latest attack, announce the creation of a Cyber Security Directorate (SGB) under the Presidency. According to the written and drawn behind-the-scenes information, the tasks of the SGB will range from 'introducing a cyber security standard and supervision for state institutions' to 'protecting e-government data', from 'bringing together cyber security groups in different institutions' to 'activating a proactive defence network'. Of course, no one will object to the introduction of cyber security standards and audits in public institutions, better protection of our data, etc., but it would be naive to think that a government that has politicised all public institutions for its own interests would establish such an institution just to ensure our cyber security.