Join War on the Rocks and gain access to content trusted by policymakers, military leaders, and strategic thinkers worldwide.
In 2017, the world’s largest shipping company, Maersk, went dark. A state-sponsored cyber attack known as NotPetya spread from Ukraine into global networks, paralyzing terminals from Los Angeles to New Jersey. Cargo piled up, factories waited on missing parts, and workers resorted to moving containers with Post-it notes and WhatsApp messages. The White House later attributed the attack to Russia’s military intelligence agency, calling it “the most destructive and costly cyber attack in history.” The disruption cost Maersk hundreds of millions of dollars and showed how a single supply chain shock can ripple across economies. Yet nearly a decade later, the United States still treats supply chains as a subset of other sectors rather than the critical infrastructure they plainly are.
In February 2025, the Senate Commerce Committee finally decided to act and warned that “one supply chain shock can disrupt the entire system, driving shortages and raising costs.” That warning was paired with action: the Promoting Resilient Supply Chains Act, which passed the Senate unanimously in June but now sits “held at the desk” in the House of Representatives.
That legislative stalling highlights a structural problem. Supply chains are not secondary concerns: they are the connective tissue that keeps every other sector humming. Yet current policy still treats them as small pieces inside existing industries. To correct that, supply chains should be recognized as their own critical infrastructure sector with clear leadership, resources, and accountability.
Why Past Efforts Fell Short
When faced with crises, the United States has relied on familiar but limited tools. The Strategic National Stockpile was overwhelmed during the COVID-19 pandemic, even as hospitals and state governments competed desperately for masks, ventilators, and protective equipment.
The Defense Production Act has been invoked for ventilators, baby formula, and semiconductors. Yet it remains a surge mechanism, useful only after disruptions occur, not before.
The Creating Helpful Incentives to Produce Semiconductors and Science Act of 2022 poured tens of billions into domestic semiconductor manufacturing, a meaningful step but one that touches only a single chain.
Federal agencies have also issued guidance on managing supply chain risks. The National Institute of Standards and Technology, for example, published Special Publication 800-161, Revision 1, outlining cyber security practices for systems and organizations. The Department of Defense built on this foundation with its own Supply Chain Risk Management Guidebook.
Presidents have also tried to fill the gaps through executive orders. In 2021, President Biden issued Executive Order 14017, which required agencies to review supply chains for semiconductors, pharmaceuticals, critical minerals, and batteries. Those reviews revealed vulnerabilities but scattered responsibility across departments, with no clear steward. Later that year, Executive Order 14028 mandated new cyber security rules for software vendors, but only in the information technology space. In August 2025, the White House ordered creation of a Strategic Active Pharmaceutical Ingredients Reserve, a narrow initiative to cushion the drug supply but not a cross-sector reform.
These efforts share two flaws. First, they are vertical: Each one focuses on an individual sector or material, leaving interdependence untouched. Second, they are reactive: designed to respond after a crisis has begun rather than embedding resilience from the start.
What Makes This Bill Different
The Promoting Resilient Supply Chains Act takes a new approach. It directs the Department of Commerce to lead a government-wide working group, continuously map and model critical supply chains, and publish a national strategy. By doing so, it would in effect make Commerce the lead manager for supply chains, a role that does not exist today.
This bill is not about stockpiling or temporary intervention. Rather, it is about making resilience part of daily governance. But the way it is bogged down in the House shows how entrenched habits and bureaucratic boundaries continue to block reform.
The advantages are clear. A dedicated lead would replace today’s patchwork of overlapping authorities with a single steward responsible for mapping vulnerabilities, coordinating responses, and driving long-term planning. Continuous modeling could spot weak points before crises hit and a national strategy would give industry and government a shared framework for investment.
At the same time, the challenges are real. Concentrating authority in the Department of Commerce could trigger resistance from agencies that already oversee supply chains in their own sectors, from energy to health care. Industry groups may worry about added reporting burdens or perceived government overreach. And unless Congress provides resources and enforcement tools, the bill risks creating yet another coordinating body without the power to compel action.
Why It Is Stalled in the House
Although it sailed through the Senate, the bill is stalled in the House of Representatives. Its “held at the desk” status means that leadership has not chosen to bring it to the floor.
First, floor time is scarce. In a crowded calendar filled with appropriations bills, defense authorizations, and foreign aid packages, resilience legislation can look optional.
Second, and more importantly, institutional resistance is real. Agencies that already manage supply chains want to hold onto that authority. The Department of Energy has formed a supply chain task team focused on transformers and has publicly identified transformer availability as a major constraint. The Department of Health and Human Services has established both a supply chain “control tower” and a supply chain resilience and shortage coordinator to manage pharmaceutical and health supply lines. Perhaps the biggest opponent to reform is the Cybersecurity and Infrastructure Security Agency — designated by the 2024 National Security Memorandum-22 as the national coordinator for critical infrastructure security and resilience — which is charged with coordinating across the existing 16 critical infrastructure sectors. That agency is protective of its jurisdiction. Its leaders argued to my office at the National Security Council before the bill was put to a vote that this law would make the Department of Commerce the de facto sector risk management agency for supply chains, undercutting all other agencies’ authority over the supply chains tied to their own industries.
Another hesitation is scope. Expanding Commerce’s role means greater federal oversight of markets that have largely run themselves. Advocates see this as necessary for security, while critics fear it could add costs and stifle competition.
Taken together, these dynamics give House leaders reason to delay. Jurisdictional battles are easier to tolerate if supply chains are seen as economic. They are harder to justify if supply chains are understood as matters of national security.
The National Security Stakes
America’s rivals already view supply chains as battlefields. One observer writing in these pages described “supply chain interdiction” — the deliberate delaying, diverting, or destroying of an adversary’s supply lines — as a way to win without firing a shot. Another analysis put it bluntly: “The Pentagon’s arsenal is built on materials that China can turn off like a light switch.”
The risks are real. In 2022, explosions ruptured the Nord Stream pipelines in the Baltic Sea, showing how easily physical sabotage can sever lifelines. In 2017, the NotPetya cyber attack spread worldwide, paralyzing Maersk’s shipping systems, snarling port operations, and even halting vaccine production at Merck. In 2021, the Colonial Pipeline ransomware attack, enabled by a single compromised password, cut off 45 percent of the U.S. East Coast’s fuel supply and triggered panic buying.
These events show why supply chains are not an abstract economic problem. They are national security vulnerabilities. And they reveal the true measure of resilience: not whether failures can be prevented, but how quickly systems can absorb shocks, reroute, and recover.
What a Supply Chain Sector Would Enable
Designating supply chains as their own sector would embed resilience in national policy. It would institutionalize continuous mapping of bottlenecks, single-source suppliers, and fragile nodes, and it would mandate buffers such as alternate suppliers, rotating reserves, and fallback routes. This wades into a risky gray area: Government involvement in private supply chain relationships can improve security, but also risks distorting markets. Even federal agencies struggle to enforce their own supply chain rules, which raises doubts about how far such oversight can extend into the broader economy. The federal government could run stress tests, much like blackout drills for the electric grid, to simulate port shutdowns, rail stoppages, or cyber compromise of logistics software.
Designating supply chains as their own sector would scale reserve models across industries, including pharmaceuticals, semiconductors, rare earths, and specialty chemicals, treating reserves as flexible buffers instead of static warehouses. In effect, such a designation would likely broaden the Strategic National Stockpile. The key is to reserve only what is scarce, irreplaceable, and vital to defense or health. Otherwise, stockpiles risk becoming political wish lists. The new sector would integrate cyber security and operational risk, since supply chain disruptions today often begin in software systems that control logistics and production. And the sector would formalize cross-industry councils, giving ports, railroads, trucking firms, manufacturers, distributors, and software providers a platform to coordinate responses.
Most importantly, a supply chain sector would align civilian and defense planning. Vulnerabilities in commercial systems, such as rare earth processing, also endanger military readiness. A dedicated sector would bridge that gap.
Momentum and the Road Ahead
The Senate has already spoken. The Promoting Resilient Supply Chains Act has bipartisan support and strong industry backing. But the House has not moved, in part because of competing legislative priorities and in part because of resistance from existing agencies.
Even if the House passes the bill, a larger step remains to be taken — formal designation of supply chains as a critical infrastructure sector. The White House’s 2024 National Security Memorandum-22 updated priorities but declined to add new sectors, clinging to a structure created more than a decade ago. That decision reflected institutional inertia rather than strategic foresight.
The next step requires a shift in framing. Supply chains should be understood not as narrow economic issues but as essential to national security and resilience. Only then will policymakers overcome bureaucratic turf wars and act decisively.
From Recognition to Strength
The U.S. government has reorganized swiftly when threats have demanded it — after the 9/11 attacks to improve homeland security, and more recently to confront cyber operations. Those reforms were imperfect, often trading security gains for new concerns about surveillance and civil liberties, but they show Washington’s capacity to act decisively when stakes are high. Supply chains are the next test. Adversaries already treat them as pressure points, probing for vulnerabilities. Americans have lived through shocks to Maersk, Colonial Pipeline, and Nord Stream. Each case shows that prosperity, security, and even the ability to fight wars depend on lifelines that can be severed in an instant.
The Senate has taken the first step by passing the supply chain bill. The House should not wait. As soon as the current government shutdown ends, this legislation should be at the top of the agenda. And the White House should go further, elevating supply chains into the list of critical infrastructure sectors. Only then will resilience become a standing priority rather than a scramble after the fact.
Jesse R. Humpal is an active duty U.S. Air Force officer whose work focuses on the policy implications of national security spending, with an emphasis on critical infrastructure resilience. He can be followed @jessehumpal on X. The views expressed are his own.
**Please note, as a matter of house style, War on the Rocks will not use a different name for the U.S. Department of Defense until and unless the name is changed by statute by the U.S. Congress.
Image: Midjourney
