Chinese military-linked companies dominate US digital supply chain

Despite growing national security concerns and government restrictions, Chinese military-linked companies remain deeply embedded in the US digital supply chain, according to Bitsight.

These organizations, many of which have been designated by the US Department of Defense as “Chinese Military Companies,” continue to provide essential digital infrastructure, exposing US businesses and critical industries to potential cybersecurity threats.

ByteDance Group (TikTok’s parent company) alone is connected to 35.4% of the US market, demonstrating how even high-profile companies facing potential bans remain widely used.

The continued reliance on these providers underscores the challenge of securing the digital supply chain against foreign government influence. Even with increased scrutiny and regulatory efforts, Chinese state-linked firms maintain a significant foothold in US industries, making it critical for organizations to assess their vendor relationships and mitigate potential risks.

Smaller software providers increase industry risks

While “big tech” companies dominate supply chain security discussions, smaller specialized software providers can also pose significant risk to sectors and industries.

Some niche providers serve only a handful of companies yet support massive market share in industries like energy, finance, and logistics. Some of the most critical software and infrastructure providers operate with fewer than 50 employees, yet their technology is embedded in Fortune 500 companies and global enterprises.

Aerospace, utilities, and financial services rely heavily on just a few specialized providers. A security failure at one of these companies could trigger cascading effects within and across industries.

Providers face rising cybersecurity challenges

Organizations that supply digital products and services—known as providers—often face far greater cybersecurity challenges than the businesses they serve. With larger attack surfaces, more complex vendor relationships, and increasing risk exposure, providers must take stronger measures to secure their own ecosystems.

Providers use 2.5x more products and have 10x more internet-facing assets than consumers, making them more exposed to cyber threats. Providers depend on multiple sub-providers, which increases their risk exposure and can make addressing them more complicated.

While providers outperform consumers in four of six security standards – including DMARC, SPF, DKIM, and DNSSEC – they lag behind in areas such as patch management, open ports, insecure systems, and botnet infections.

“Over the past year, we’ve seen several highly-visible security incidents that highlight how incidents in the digital supply chain can have a massive ripple effect across the global economy,” said Ben Edwards, Principal Research Scientist at Bitsight. “Even the most security-conscious companies are vulnerable to weaknesses in their supply chain. Organizations must continuously evaluate their third party vendors and suppliers and work proactively to close security gaps.”

The report is based on an analysis of 500,000 organizations, 40,000 products, and 12,000 providers, maps over 61 million digital supply chain relationships.