CLS Blue Sky Blog

Why Corporate Lawyers Should Care About Supply Chain Resiliency in Emerging Technologies

On September 2, 2025, U.S. Representative Zachary Nunn sent a letter to the chair of the Committee on Foreign Investment in the United States (CFIUS) highlighting concerns over ownership transparency of certain bitcoin mining firms and suppliers connected to China. The national security attention on bitcoin mining supply chains reveals why corporate boards and their attorneys should care about supply chain resilience in emerging technologies. Using bitcoin mining as a case study, we reveal in a new article an important but, to date, overlooked reality: Corporate governance plays an important role in national security.

The U.S. has identified several critical and emerging technologies (C&ET) as vital to national security, including blockchain technology, artificial intelligence, and quantum computing. All are hybrid technologies that rely on two distinct supply chains to operate: analogue supply chains for physical components and data supply chains for software inputs and computational operations.

The resilience of these supply chains is of paramount importance to the firms that rely on them. But their resilience is also vital to the economic and national security priorities of the U.S., which relies on the goods produced through these supply chains. For example, in 2025, a series of executive orders classified distributed ledger technology, including the Bitcoin protocol and bitcoin itself, as a C&ET central to U.S. national security. The maintenance, management, and governance of the cryptocurrency known as bitcoin relies on software known as the bitcoin protocol. The bitcoin protocol is maintained by a process known as “bitcoin mining,” which involves solving cryptographic proofs through a computationally intensive process. Bitcoin mining requires specialized hardware referred to as ASICs (application-specific integrated circuits). Even as a U.S.-based bitcoin mining industry is taking root and growing in places like Texas, most of the ASICs they rely on are produced by Chinese manufacturers.

Against this backdrop, the federal government outlined ambitious plans for C&ET, including creating a national bitcoin strategic reserve and stockpiling other cryptocurrencies, with several states adopting similar strategies. The result is that the supply chain resilience of these C&ET is itself a national security concern.

But the day-to-day burden of achieving resilience falls mainly on private firms. This reality demands a bi-directional perspective: National security priorities shape how firms perceive and manage supply chain risks, including tariffs and import and export regulations. In turn, the success or failure of firms’ supply chain strategies determines the security of the nation.

This places contract design, corporate governance, and supply chain management at the center of national security conversations. Contract design, supply chain transparency, incentive alignment, and software governance become the levers through which market actors can meet national security goals. In short, securing national advantages in critical technologies requires combining public law priorities with private law tools that make complex, hybrid supply chains more resilient.

In our article, we provide a framework for both public and private sector actors to navigate these challenges. Our framework empowers corporate managers to improve their oversight of their hybrid supply chains.

First, managers must determine if their critical and emerging technologies rely on analogue and data supply chains. Many critical and emerging technologies combine tangible hardware with intangible software and should be understood as socio-technical systems: technology that exists within, is designed in relation to, and engages with certain social contexts, needs, and values. In such systems, technical components face analogue risks tied to physical production and logistics, and data risks tied to software development, computational infrastructure, and software governance. Because many C&ETs combine hardware and software, firms must simultaneously manage analogue and data supply chain risk, tailored to the social context in which their systems operate.

Second, managers should identify the types of risks and segments of risks that can compromise either or both of these supply chains. In an analogue supply chain, types of risk include environmental risk from natural disasters and power disruptions; economic risk from inflation or currency volatility; geopolitical risk ranging from interstate conflict to trade wars and sanctions; operational risk from failures in internal processes, labor, or systems; and reputational risk from publicized labor or environmental abuses in the supply base. Data supply chains involve actors that create inputs, computation, and outputs for software.

As with physical chains, data supply chain risks fall into familiar categories but manifest differently. Environmental risks include disasters that knock out power or damage fiber. Shifting weather patterns matter because many data-heavy systems require cool environments and reliable electricity. Economic risks include the cost and terms for acquiring data from subjects or partners and the price and availability of power. Geopolitical risks include internet segmentation, government blocking of services, and export controls or sanctions that restrict software distribution. Operational risks arise from buggy code, weak data protection practices, and cybersecurity lapses. Reputational risks stem from governance failures in the software’s stewarding organization – the foundation or company responsible for managing updates and availability of the software – that undermine trust in data acquisition or model integrity.

In contrast, segments of risk identify where disruptions occur along the chain, independent of geography. Companies face direct risks in analogue supply chains from their immediate suppliers and multi-tier risks from upstream suppliers several steps removed. Unlike analogue chains organized by tiers of suppliers, data chains are best analyzed by software subsystems. Direct subsystem risks come from components built or operated by contributors with whom the organization has a direct relationship. Multi-tier subsystem risks arise from dependencies on other socio-technical systems or from end-user behavior. Cloud outages can interrupt critical data access, making services appear “down.” Surges in user activity can overwhelm capacity, degrading performance across a networked system. Exploited flaws in smart contracts can drain pooled funds and fracture confidence, showing how failures in one subsystem propagate through the broader ecosystem.

Third, managers should examine whether these risks are present within their analogue and data supply chains and evaluate the resilience of these supply chains based on the framework for supply chain resilience provided by the Office of the United States Trade Representative (USTR). USTR frames resilience around four factors: sustainability, security, diversity, and transparency. Sustainability focuses on labor rights and environmental protections to build durable partnerships and to counter “artificial cost advantages” that rely on exploited labor or degraded environments. Security is pursued by using goods produced domestically or by companies located in friendly and nearby nations. Diversity mitigates the fragility of concentrated supplier bases, which the pandemic showed can paralyze production when a single node fails; concentration risks persist even in domestic chains and are not solved by proximity alone. Transparency requires information about the organization and actors within supply chains so that firms can spot shortages, bottlenecks, and other vulnerabilities.

What does this mean for Corporate Managers?

Applying the USTR’s four factors to risks of analogue and data supply chains for hybrid C&ET offers lessons for managers on risk disclosures, corporate governance, and contract design. To build transparency into analogue and data supply chains of C&ET, corporate managers should consider disclosing direct and multi-tier risks in their reporting.

But it is not enough to disclose these risks to investors. Corporate boards must also manage these risks as part of their oversight obligations. Risk management may include ensuring that one or more of its committees is charged with supply chain oversight and the implementation of systems designed to detect and mitigate supply chain disruption early. Corporate managers and other executives might also use contract design to mitigate the impact of supply chain disruptions by including contract provisions that provide some control or governance rights regarding downstream supply chains – the supply chains of the firm’s suppliers. This requires careful and creative contracting and is aimed at mitigating the multi-tier risks that often catch firms by surprise.

These are just some of the lessons learned by applying our framework for global supply chain resiliency to one arena of C&ET – bitcoin mining. The framework, however, can be used to manage supply chain resiliency for any emerging hybrid technology. Supply chain resiliency for the digital economy requires attention to direct and multi-tier risks in both analogue and data supply chains. Corporate law principles and national security priorities demand that corporate managers take note.

This post comes to us from Kish Parella, James P. Morefield Professor of Law at Washington & Lee University School of Law, and Carla L. Reyes, associate professor of law at SMU Dedman School of Law. It is based on their recent article, “Global Supply Chain Resilience in Emerging Technologies: A Case Study of Bitcoin Mining,” forthcoming in the Seattle University Law Review and available here.
