Exploding Pagers: Supply Chain Vulnerability and Strategies to Reduce Risk

At a Glance

• An unknown actor’s ability to turn a pager into an explosive device highlights the potential risk to supply chains in a variety of sectors.
• There are multiple potential legal issues highlighted by the incident related to cybersecurity, the export of goods and other national security concerns.
• The federal government is already proposing bans on certain foreign-made products and components.
• Businesses can mitigate these risks to the supply chain by having a carefully considered due diligence and compliance program, and a strategy to react quickly to these types of incidents.

On September 17, 2024, electronic pagers and walkie-talkies belonging to members of Hezbollah exploded. Over the course of two days, several people were killed and wounded. This incident highlights the broad set of concerns and risks that come from supply chain vulnerability in the global marketplace. These vulnerabilities can be exploited surreptitiously in the future by domestic and foreign state and non-state actors alike who are parasitizing a wide variety of goods for their own purposes through weaponization, sabotage, eavesdropping, data gathering, and other means. Indeed, just after the pager/walkie-talkie incident, the United States Commerce Department proposed a ban on Chinese and Russian-made car parts.

At the same time, governments will continue to seek consent and/or use other legal process to access goods in a supply chain for law enforcement and other purposes. But lawful and even mandated cooperation in one jurisdiction may be unlawful and expose a business to consequences in another jurisdiction. 

Businesses should carefully consider the variety of issues that can arise from supply chain insecurities, and how to build a strategy to mitigate or respond to these risks.

Background

On the afternoon of September 17, 2024, numerous pagers in Lebanon beeped and buzzed to alert users to a message and then exploded, leading to the death of more than a dozen people and wounding many others. The pagers were believed to be used by associates of Hezbollah, an Iranian-backed militant group based in Lebanon, which is a U.S.-designated foreign terrorist organization due to its involvement in several large-scale terrorist attacks on U.S. military and diplomatic officials. The pagers contained several ounces of an explosive compound that had been built into the devices. Precisely who made the pagers remains unclear: some reports indicate that a Budapest/Hungary-based company manufactured the exploding pagers, while others point to a Sofia/Bulgaria-based company. In either case, reports suggest that the pagers were built at the direction of Israeli intelligence, and eventually disseminated to Hezbollah associates in Lebanon. Notably, the explosive pagers were branded with a Taiwanese company’s logo; that company has since claimed it was not involved in the manufacturing process and licensed their brand to the Budapest company through a regional license arrangement.

Legal Issues

This incident highlights a variety of concerns for manufacturers and distributors.

Knowledge of Counterparties

The Taiwanese company whose brand can be seen on some of the exploded pagers has stated that it was not involved in the manufacturing of these devices, and instead licensed their brand to the Budapest company through a regional license arrangement. An obvious question is, what did the Taiwanese company know about its downstream counterparties and what sort of due diligence (if any) did it perform before licensing their brand?

Lawful and Unlawful Interception and Modification of Items in the Supply Chain

If the devices were modified by Israeli intelligence, it would not be the first time that a military, intelligence or law enforcement agency has (with or without consent) conducted an operation involving the creation or modification of products. U.S.-based companies are sometimes approached by law enforcement with concerns that the products may be destined for a bad actor or for an illicit purpose. Law enforcement will request consent (or obtain judicial process) to install a tracker in the product or create a “sham” that renders the product unusable. On the other end of the spectrum, malicious actors may use supply chain vulnerabilities to gain access to a product so that it can adulterate or misuse it (for example:  inserting malicious code into a program or device that will allow for later cyber intrusion activities).

Third-Party Diversion of Goods

An ongoing concern of U.S. regulators is diversion of exported goods by third parties to end users who are sanctioned or to a location that requires an export license, and whether a U.S. company knew or should have known about the diversion. If a U.S. entity were involved in the pager incident and knew that their distributor was sending the goods to be used by Hezbollah members, they would have potential exposure to civil and criminal liability under U.S. export laws and sanctions regulations.

Foreign Agent Activity

The involvement of a foreign government in supply chain activity presents potential issues under other U.S. national security laws. If a foreign government or its intelligence agency directed a U.S. entity to provide access to items in their supply chain to engage in an intelligence operation, there is potential exposure under foreign agent laws like 18 U.S.C. § 951 (prohibiting acting at the direction of a foreign government without notice to the Attorney General). If the request related to classified or highly sensitive government information, such as might be the case with a cleared defense contractor, there might even be risk of liability under espionage laws like 18 U.S.C. § 793 (prohibiting the dissemination of national defense information).

What Companies Should Be Thinking About

There are a number of essential compliance and due diligence areas that companies can focus on to avoid supply chain issues like those described above.

First, companies need to take reasonable measures to know both their suppliers and their customers. Regarding suppliers, companies should take a hard look at their due diligence process and ensure it covers any supply chain risks. For example, relating to cybersecurity risk, the National Institute of Standards and Technology (NIST) outlines supply chain cybersecurity best practices, highlighting that companies should (a) ensure security requirements are included in every request for proposal; (b) ensure that a security team works with the vendor on-site to address any vulnerabilities and security gaps; and (c) include tack and trace programs to establish the provenance of all parts, components and systems. Additionally, businesses should appoint an employee in charge of supply chain cybersecurity and ensure that the person works with the vendor teams that work with any part of the product during its development life cycle.

With regard to customers, companies should understand that U.S. (and some foreign) regulators expect companies to take efforts to ensure that their customers are not diverting those goods to others. For example, the G7 recently issued guidance about preventing Russian sanctions evasion activity, which includes a list of “red flag” indicators and best practices for due diligence of customers. Similarly, a U.S. Senate report published in September advised that “there is no reason every semiconductor company should not immediately utilize” the Trade Integrity Project, a publicly available compilation of data about entities that have been linked to sanctions evasion activity. Given this scrutiny, a company’s compliance program should include not only regular screening of end users against denied party lists (as required by many governments’ export and sanctions agencies), but also reasonable screening for sanctioned individuals and entities and for third parties who have been known to improperly divert goods.

Second, companies should employ a systematic response to potential employee or counterparty misconduct. Businesses should ensure compliance and controls are adequate to limit the risk of misconduct through employee education and to catch misconduct if it happens. Additionally, enterprises should plan for rapid response to any potential misconduct. Timely investigation and decision-making, including the decision on whether there is a need to report to law enforcement, is one of the most significant ways to mitigate the risk of future corporate liability. For example, the decision by a life sciences and biotech company to self-report employee misconduct to the Department of Justice within weeks of learning of the illicit activity led to the first-ever corporate declination under the National Security Division’s voluntary self-disclosure program. 

Regarding cybersecurity incidents arising out of a supply chain intrusion, companies should carefully and quickly evaluate the scope of any incident notification requirements. For example, under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), covered entities involved in a “critical infrastructure sector” may have an obligation to report a cyber incident to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovery.  

Third, companies should have a well-considered plan for how to respond to requests from law enforcement and from both domestic and foreign government entities. Companies should ensure any consent to work with law enforcement that involves product changes is lawful and executed in a manner that is consistent with their values and risk tolerances — not only legal risks, but risks to reputation and to the safety of company personnel. 

If confronted with judicial process requiring access to the supply chain, businesses should ensure that the requested actions are consistent with, and not beyond the scope, of the judicial order or other legal process that has been issued. If the request or direction comes from a foreign government, companies should carefully consider whether carrying out the request creates an obligation to notify the U.S. government, or whether such notification is prudent even if not required by law.