Abstract
In the current era of deep global digital interconnection, software supply chains have shifted from serving as bridges of international digital cooperation to becoming pivotal arenas of international strategic competition, where their weaponization has emerged as a primary offensive instrument in hybrid interstate rivalry. The essence of this weaponization lies in exploiting the cross-national and multi-node architecture of software production and supply to manipulate trust relations along the chain. This enables state actors to execute tactics such as panoramic surveillance, malicious poisoning, and structural containment and disruption, thereby achieving strategic goals including the exfiltration of critical data, the sabotage of software functions, and the severance of software supplies. The strategic calculus behind the weaponization of software supply chains is primarily dictated by two factors: national strategic objectives and the degree of software substitutability. National strategic objectives are bifurcated into long-term and short-term goals, while the degree of software substitutability is assessed as either high or low. The intersections of these two variables constitute the basic analytical framework for state-led strategic weaponization choices, which invariably revolves around the dual dynamics of exploiting and eroding trust within the chain. Looking across historical cases, panoramic surveillance, epitomized by the SolarWinds supply chain hijacking, leverages in-chain trust for infiltration; poisoning and sabotage, exemplified by the NotPetya virus, exploits trust in critical software to embed malicious code; containment and disruption, typified by EDA software supply cuts, shatters global expectations of supply chain reliability; and hybrid actions such as Microsoft's suspension of services to Russia and the Stuxnet attack on Iran systematically undermine the trust architecture from multiple dimensions. In short, the weaponization of software supply chains in international competition is continuously eroding the bedrock of trust within the digital ecosystem, posing existential threats to national security across political, economic and industrial domains. Consequently, it is of the utmost urgency to comprehensively strengthen the security governance of global software supply chains.
Author
刘文龙
LIU Wenlong(College of National Security,People's Public Security University of China,Beijing,100038)
Source
Journal of International Security Studies (《国际安全研究》), a Peking University core journal
2026, No. 2, pp. 97-119 and 169 (24 pages in total)
Funding
Interim result of the Fundamental Research Funds for the Central Universities project of the People's Public Security University of China, "Research on U.S. Technological Containment of China in the Trump 2.0 Era and China's Countermeasures" (Project No. 2025JKF02SK18).
Keywords
software supply chain
weaponization
digital trust
national security
international competition