Introduction
Recently, there's been a lot of focus on the material and physical supply chains of global trade (thanks to the latest round of seemingly endless tariff escalations). As trade tensions and geopolitical realignments reshape global commerce, much attention has focused on physical supply chains – container ships, manufacturing plants, and border crossings. Yet a parallel transformation is silently unfolding in the world of digital goods, where seemingly borderless software products are increasingly constrained by the same geopolitical forces disrupting traditional industries. This convergence of digital and physical supply chains creates both unprecedented vulnerabilities and strategic opportunities for businesses. We touched on some of these ideas briefly in our CrowdStrike coverage last year, but it's time to tackle them head-on.
Understanding Supply Chains
Generally speaking, a supply chain is defined as the “network of companies and people that are involved in the production and delivery of a product or service” [1]. Another definition that might confuse you even more is “a complex logistics system that consists of facilities that convert raw materials into finished products and distribute them to end consumers or end customers” [2].
Both definitions do a pretty good job of explaining it in buzzwordy ways. In plain English, you can consider a supply chain as the people and steps involved in getting a product or service made and delivered to a customer. While most discussions center on physical goods moving across borders, digital products follow a surprisingly similar path—albeit one that's often invisible to the end user.
Let's examine the supply chain of a Ford vehicle to ground this concept:
Raw Materials (Tier 3): Production begins globally with suppliers providing steel, aluminum, rubber, and plastics [3].
Component Manufacturing (Tier 2): These materials transform into sensors, wiring harnesses, and subcomponents [3] in other countries throughout the globe.
System Integration (Tier 1): Approximately 1,400 suppliers manufacture major systems like engines and transmissions within and outside the US [4].
Assembly: After all the components are brought together, Ford models are then assembled in the United States or Mexico (which has led to recent concerns regarding tariffs) [5][6].
Distribution: Dealerships then coordinate with manufacturers on demand forecasting before selling to consumers (mostly in the US).
This linear progression from raw materials to finished product is immediately recognizable. But as we often discuss, a good portion of today’s world is digital. Digital goods are often perceived as borderless and infinitely scalable. While their marginal distribution cost approaches zero, their creation relies on a complex web of dependencies that spans both software and—crucially—hardware.
What does a supply chain look like for a digital good? For example, the digital supply chain of a mobile application built for a large retailer:
Design & Planning: The process begins with product requirements and UX design, typically involving 3-4 weeks of collaborative work between stakeholders and designers. This is the basic raw material of the application. At this point, you could argue everything is in-house.
Core Development: However, this starts to change once implementation begins. Engineers can build the foundation of the application using React Native. This open-source framework, while originally developed by Meta, now represents contributions from 2,300+ developers from all over the world [5] and is composed of other open-source building blocks and dependencies. The development team will iterate on the work of all those contributors.
Feature Integration: From this starting point, you may need to add features to this mobile application that are outside the bounds of a plain, vanilla React Native application. While you can theoretically hand-roll every piece yourself, you'd realistically need to use third-party libraries to build some of this. For example, let's say the team integrates specialized modules like payment processing (Stripe), authentication (Auth0), and product recommendation engines. Each third-party service will itself have its own set of dependencies, which then become part of your overall supply chain.
Testing & Deployment: The application undergoes testing and QA. Once tested, you'd deploy on your cloud infrastructure. This is where the digital and physical supply chains converge. Your application will run on servers powered by semiconductors manufactured through their own complex supply chain. A typical cloud provider's data center contains servers built with processors that require raw and manufactured materials sourced globally from countries including the United States, Germany, Japan, Taiwan, South Korea, and China [7]. These chips themselves go through multiple production steps across various countries before being assembled into servers, with different nations specializing in different segments of the supply chain. A cloud provider's infrastructure represents a nested physical & digital supply chain – from the Taiwan-manufactured silicon in their AMD/Intel processors to the memory chips from South Korea and storage devices with components from Japan and China.
Maintenance & Updates: After the launch, the application requires regular updates to address security patches (averaging 1-2 critical updates monthly) and feature enhancements. Each potentially touches 30-50% of the codebase's dependencies. You're also dependent on your provider's hardware refresh cycles (typically 3-5 years) and their ability to source components amid potential semiconductor shortages or tariff disruptions.
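The Feature Integration step above notes that each third-party service brings its own dependencies into your supply chain. As an added example (not part of the original article), the JavaScript below walks an npm v3 lockfile and attributes every transitive package to the direct dependency that pulls it in, also flagging packages installed in more than one version. The lockfile contents, the package names (pay-sdk, auth-sdk and so on) and the function names mapSupplyChain and resolve are constructed for illustration.

```javascript
// Constructed sample in npm's lockfile v3 layout: "packages" is keyed by install path.
// All package names and versions below are invented for illustration.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "retail-app", dependencies: { "pay-sdk": "^2.0.0", "auth-sdk": "^1.4.0" } },
    "node_modules/pay-sdk": { version: "2.1.0", dependencies: { "http-lib": "^3.0.0", "qs-lite": "^1.0.0" } },
    "node_modules/auth-sdk": { version: "1.4.2", dependencies: { "http-lib": "^2.0.0", "jwt-lite": "^4.0.0" } },
    "node_modules/http-lib": { version: "3.2.0", dependencies: { "follow-lite": "^1.0.0" } },
    "node_modules/auth-sdk/node_modules/http-lib": { version: "2.9.1" },
    "node_modules/qs-lite": { version: "1.0.3" },
    "node_modules/jwt-lite": { version: "4.0.0", dependencies: { "qs-lite": "^1.0.0" } },
    "node_modules/follow-lite": { version: "1.1.0" },
  },
};

const MARK = "node_modules/";
const nameOf = (path) => path.slice(path.lastIndexOf(MARK) + MARK.length);

// Node-style resolution: look in the requiring package's own node_modules first,
// then walk up through parent install paths until the root node_modules.
function resolve(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + MARK + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null; // declared but not installed (e.g. a skipped optional dep)
    const cut = base.lastIndexOf("/" + MARK);
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from each direct dependency of the root project.
function mapSupplyChain(lock) {
  const packages = lock.packages;
  const directPaths = new Map(); // install path -> direct dependency name
  for (const name of Object.keys(packages[""].dependencies || {})) {
    const path = resolve(packages, "", name);
    if (path) directPaths.set(path, name);
  }
  const via = Object.create(null);      // "name@version" -> direct deps that pull it in
  const versions = Object.create(null); // package name -> set of installed versions
  for (const [start, direct] of directPaths) {
    const seen = new Set([start]);
    const queue = [start];
    while (queue.length) {
      const path = queue.shift();
      const pkg = packages[path];
      if (!directPaths.has(path)) {
        const id = nameOf(path) + "@" + pkg.version;
        (via[id] = via[id] || new Set()).add(direct);
        (versions[nameOf(path)] = versions[nameOf(path)] || new Set()).add(pkg.version);
      }
      for (const dep of Object.keys({ ...pkg.dependencies, ...pkg.optionalDependencies })) {
        const next = resolve(packages, path, dep);
        if (next && !seen.has(next)) { seen.add(next); queue.push(next); }
      }
    }
  }
  const transitive = {};
  for (const id of Object.keys(via).sort()) transitive[id] = [...via[id]].sort();
  const multiVersion = {};
  for (const name of Object.keys(versions)) {
    if (versions[name].size > 1) multiVersion[name] = [...versions[name]].sort();
  }
  return { direct: [...directPaths.values()].sort(), transitive, multiVersion };
}

console.log(JSON.stringify(mapSupplyChain(sampleLock), null, 2));
```

In the constructed sample, two declared dependencies expand to five transitive packages, one of which (http-lib) is installed in two versions because the two vendors pin different major releases.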
Where Bits Meet Borders
By the time your digital product reaches customers, it has contributions from hundreds of thousands of individuals and organizations, most of whose names you will never know. Unlike physical supply chains where inventory can be stockpiled, digital ones require constant vigilance—with the average organization addressing 3-5 critical dependency updates quarterly that must be immediately implemented.
This nested dependency chain illustrates why digital goods aren't immune to supply chain constraints. When Taiwan produces 60% of the world's semiconductors and 90% of advanced chips [8][9], trade policies affecting hardware ultimately ripple through to the software layer. Your seemingly borderless digital product actually relies on a sprawling physical supply network that's every bit as vulnerable to geopolitical disruption as Ford's manufacturing line.
The ramifications of such complex interdependencies become particularly acute when we consider mission-critical systems. Just like in the world of atoms, disruptions in the digital supply chain can create material shifts in how organizations operate—only with potentially less visibility and warning.
Let’s consider how this digital supply chain was trending prior to 2025 and what it looks like today.
Evolution of the Digital Supply Chain
The Pre-2025 Landscape
Before uh the choppy macroeconomic waters of 2025, digital goods (much like physical ones) were in a bit of a post-COVID transition. As overall software adoption and usage skyrocketed, the cloud infrastructure supporting this activity was increasingly consolidating around the three main hyperscalers: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure (no cool acronym). As consolidation often does, this concentrated dominance created increased efficiencies and economies of hyper-scale. However, it also brings increased risk, as one can notice when any of these providers has an outage and a good chunk of our day-to-day consumer and business services go down accordingly. There is an element of fragility in this consolidation. The other perspective is the classic framing of issues of consolidation: pricing power. As these providers increase their grasp of the market, their ability to raise prices without naturally reducing demand for their services goes beyond what a market might consider fair [10].
Another major theme of this supply chain was the increasing reliance on a diverse and almost exponentially increasing set of open source technologies. This reliance led to eye-popping estimates, like IBM’s figure that the average enterprise application contains 500+ external dependencies [12], or as cyber security firm Black Duck reported, “86% of commercial codebases evaluated contained open source software vulnerabilities and 81% contained high- or critical-risk vulnerabilities” [13]. As this reporting indicates, the expanding set of open source components that comprise this supply chain has immense benefits, but at the same time, introduces a new series of risks and potential frailty that isn’t often considered when a junior backend developer innocently runs pip install ITs-greatest-nightmare and years later an entire division is paying for their sins.
Finally, the digital supply chain is not wholly separate from the physical, as the hardware layer is heavily impacted by movements there, even as software is abstracted away. This brings us back to what we hinted at earlier. Leading up to 2025, the hardware conversation was still around tariffs and policy, but in a much more….uh…measured manner. The industrial policy attitude and strategic tariffs on certain components like specialized chips were a major driver in how the supply chain was formed and molded.
The 2025 Reality
So, those were the major trends going into 2025. What are we looking at today?
Well, some things have accelerated. The industrial policy and tariff tactics have been broadened to target inputs and goods across all sectors and countries, which has certainly changed how consumers and firms are thinking about digital goods. Organizations like hyperscalers (and regular scalers) are facing sourcing costs that change almost every day and are unable to make long-term capital allocation decisions. While their decision making has been slowed, the mitigation strategy looks to be passing off costs to customers (classic), which implies increased costs across the slew of services they provide including hosting, storage, networking and niche products like CDNs, ML models, and even GPU-based servers [11].
The other acceleration has come less from real economy impacts, and more from shifting geopolitical postures. The digital world has always been more fragmented than most care to discuss, but as long-held alliances and partnerships have begun to appear more flexible than ever before, this fragmentation only looks to continue growing. Different regulatory agencies and countries are approaching technology in vastly different ways, and things like data & privacy compliance, competing app stores (or their equivalent), and national technology champions are changing how it is approached [14][15]. This translates to increased risk around linchpins of these digital supply chains like ASML in Europe, TSMC in Taiwan, and the new AI juggernauts in the United States (as well as their counterparts in other regions of the world). The other risk comes from the dependencies that now underpin major commercial and public systems. All these third party components introduce new attack vectors for hostile actors across all scales. These risks are only increasing as friendly faces start retreating from the table.
It’s worth mentioning what is decelerating in 2025 as well. While efforts in the past were consistently framed around increasing connectivity and free exchange of [information, trade, etc.], we’re seeing this slow down [14][15]. Instead, those trends are inverting. Companies like Meta used to tout increased connections, more communication between people, and their growth strategies were accordingly focused on things like getting more users on the internet (so they could uh then go on Facebook). But now, they don’t even care to keep expanding in that manner. Human connection is dead, gen AI content is here to stay and they’re not afraid to say it out loud! [16]. Why bother increasing connectivity between people when you can connect them to…..shrimp jesus!

People are entrenching, nations are retreating, and these supply chains are fragmenting [15]. This goes from the digital to the physical.
Conclusion
So, what comes next and how can we maneuver it?
Truth be told, I don’t know for sure.
I’m not sure anyone does. After all, the macro conditions are changing almost every day. But, organizations can't always afford to wait for clarity before acting. With that in mind, here are some potential strategies to think about that I’ve been reflecting on:
Resiliency Through Deliberate Redundancy:
The concept of redundancy has evolved from a technical best practice to a business imperative. In today's environment, resiliency requires more than just multi-region deployment within a single cloud provider—it demands true multi-cloud architecture by default. This shift comes at a pivotal moment: the era of infinitely decreasing cloud costs is officially dead. Hyperscalers now face a double squeeze of tariffs on critical hardware inputs and constraints on infrastructure supply chains. The resulting cost increases are cascading through the ecosystem, forcing technology companies into uncomfortable trade-offs between margins and capabilities [17].
This supply shock is accelerating market bifurcation. Premium players with strong unit economics can absorb increased costs, while smaller providers must pass these costs to increasingly price-sensitive customers. The middle ground—where most companies currently operate—is rapidly evaporating.
When analyzing the architecture of this new supply chain paradigm, the framing is no longer as simple as “which combination of AWS, GCP, or Azure do I string together?”. Decisions must be made through the perspective of technical capabilities, macro-economic conditions, and hedges against geographic and scale lock-in. Instead of relying on major providers across the board, organizations need to be able to shift between large hyperscalers, smaller niche providers, and even on-premise. That's right, as the pendulum swings in the eternal cloud vs on-prem debate, there are emerging signs of players revisiting the supposedly outdated practice of running their own metal for core workloads. This isn't a wholesale return to on-prem, but rather a sophisticated rebalancing that acknowledges the new risk calculus of digital dependency. There are new dimensions to consider now.
Dependency Management as a Core Business Function:
The second strategic imperative represents a fundamental organizational shift: technical dependencies can no longer remain strictly within engineering's domain. These decisions now warrant the same scrutiny as major vendor relationships or capital expenditures.
Basically, technical dependencies are not just a developer’s concern, or even just IT’s. They should be finance and risk management’s concerns as well. Vulnerability scanning isn't merely a security exercise—it's effectively a financial audit that should inform strategic planning. The ripple effects of seemingly minor technical choices now extend far beyond system architecture to encompass business continuity, regulatory compliance, and even geopolitical exposure.
The days of leaving critical dependency decisions to whoever happened to build the original prototype are over. The accumulation of these decisions, made without systematic oversight, has created brittle digital supply chains for many organizations. Given how extensively these dependencies shape an organization's resilience and options in this new landscape, such decisions require a governance framework commensurate with their impact.
In this fragmented digital world, organizations that can systematically map, monitor, and manage their full dependency graph—from physical hardware through infrastructure services to application libraries—will maintain strategic flexibility as others find their options increasingly constrained by decisions made years ago with entirely different assumptions about the world.
The parallels between digital and physical supply chains have never been more evident or consequential. Just as manufacturers learned to diversify suppliers and maintain strategic reserves of critical components, technology organizations must now apply similar thinking to their digital ingredients. Those that do will convert today's disruption into tomorrow's competitive advantage.
Again, it’s tough for me to peer too far into the future. However, it’s quite clear that 2025 and the new era it has kick-started is dramatically different than the preceding period. The accelerated fragmentation we’re seeing is forcing a seismic shift in the industry, with digital economics increasingly resembling traditional manufacturing - complete with inventory management (dependencies), sourcing strategy (cloud diversification), and supply chain risk (geographic concentration). On the other hand, the deceleration of the free exchange of information (and..trade?) is highlighting the risks that arise where the physical and digital supply chains intertwine, including our exponentially increasing reliance on software dependencies, shifting geopolitical postures in regions with key technical competencies, and the shift from more connections to…well, more slop. In the end, this new era has really shown us that the digital supply chain was never truly “weightless” - it’s always been anchored to physical infrastructure and geopolitical realities that software companies were able to conveniently ignore during the previous era. Continuing to ignore them in this new era is no longer a viable choice.
References
[1] Investopedia. (2023). "Supply Chain Definition." Investopedia. https://www.investopedia.com/terms/s/supplychain.asp
[2] Wikipedia. (2024). "Supply Chain." Wikipedia. https://en.wikipedia.org/wiki/Supply_chain
[3] Kiyokuni. (2023). "Automotive Supply Tiers Explained." Kiyokuni UK. https://www.kiyokuni.co.uk/automotive-supply-tiers-explained/
[4] Thomas. (2024). "Ford Supply Chain Analysis." Thomas Insights. https://www.thomasnet.com/insights/ford-supply-chain/
[5] Meta Open Source. (2024). "React Native GitHub Repository." GitHub. https://github.com/facebook/react-native
[6] Morningstar. (2024). "Canada-Mexico Tariffs Are Major Problem for GM, Ford Suppliers If They Persist." Morningstar. https://www.morningstar.com/stocks/canada-mexico-tariffs-are-major-problem-gm-ford-suppliers-if-they-persist
[7] Center for Strategic and International Studies. (2023). "Mapping the Semiconductor Supply Chain: Critical Role of the Indo-Pacific Region." CSIS. https://www.csis.org/analysis/mapping-semiconductor-supply-chain-critical-role-indo-pacific-region
[8] Council on Foreign Relations. (2024). "Will China's Reliance on Taiwanese Chips Prevent War?" CFR. https://www.cfr.org/blog/will-chinas-reliance-taiwanese-chips-prevent-war
[9] Financial Times. (2024). "Taiwan's Central Role in Global Semiconductor Production." Financial Times. https://www.ft.com/content/05206915-fd73-4a3a-92a5-6760ce965bd9
[10] MSP Channel. (2024). "Costs Risen by Up to 25% for the Majority of Hyperscaler Users." MSP Channel. https://msp-channel.com/news/67078/costs-risen-by-up-to-25-for-the-majority-of-hyperscaler-users
[11] Computer Weekly. (2024). "Massive Hyperscaler GenAI Spend Raises Questions on Costs." Computer Weekly. https://www.computerweekly.com/news/366593857/Massive-hyperscaler-GenAI-spend-raises-questions-on-costs
[12] IBM. (2024). "5 Best Practices for Managing Application Growth." IBM Think Insights. https://www.ibm.com/think/insights/5-best-practices-managing-application-growth
[13] Black Duck. (2025). "New Black Duck Report: 86% of Commercial Codebases Contain Vulnerable Open Source, Exposing Organizations to Security Risks." Black Duck News. https://news.blackduck.com/2025-02-25-New-Black-Duck-Report-86-of-Commercial-Codebases-Contain-Vulnerable-Open-Source,-Exposing-Organizations-to-Security-Risks
[14] Future of Privacy Forum. (2025). "Geopolitical Fragmentation, the AI Race and Global Data Flows: The New Reality." FPF Blog. https://fpf.org/blog/geopolitical-fragmentation-the-ai-race-and-global-data-flows-the-new-reality/
[15] Next IAS. (2025). "Economic Survey 2024-25: Shift from Globalization to Geo-Economic Fragmentation." Next IAS Current Affairs. https://www.nextias.com/ca/current-affairs/01-02-2025/economic-survey-2024-25-shift-from-globalization-to-geo-economic-fragmentation
[16] The New Yorker. (2025). "Mark Zuckerberg Says Social Media Is Over." The New Yorker - Infinite Scroll. https://www.newyorker.com/culture/infinite-scroll/mark-zuckerberg-says-social-media-is-over
[17] VBeyond Digital. (2025). "Data Centers in the Crosshairs: Understanding Tariff Implications for Cloud Computing Expansion." VBeyond Digital Blog. https://www.vbeyonddigital.com/blog/data-centers-in-the-crosshairs-understanding-tariff-implications-for-cloud-computing-expansion/