Editor’s note: This post is the third of a three part series based on a paper examining Chinese use of cellular technologies (including the threat to US interests) by Charlie Parton. For the full paper see: Cellular IoT Modules- Supply Chain Security -bg

Because so little work has been done on the threat from Chinese cellular IoT modules, it is difficult to point to specific examples where data has been sent back to China to the detriment of the interests of free and open countries. But given the CCP’s record in other areas (there have recently been instances where Tik Tok and Huawei have assured that information is not sent to China, only for evidence to emerge that it is[1]), this is not a risk which other countries should take. CCP support for Russia, its behaviour in the Taiwan Straits and the South China Sea, its repudiation of universal values in the infamous “document no 9” and demonstration of that disregard in Hong Kong and Xinjiang should convince our policy makers that if the CCP does not represent a hostile power now, it is likely to in future. Therefore, with cellular IoT modules, it is a question of identifying the vulnerabilities and taking measures to close them off.

Dependency of free and open countries on Chinese companies would give the CCP a significant lever for use against them. We have seen how during the Covid crisis, the Party was not averse to manipulating the supply of medical goods. Hostility does not need to be carried out only in traditional armed conflict.

The threat can be broken down into four areas. This section takes a brief look at them.

National security threat

The national security arguments which apply to Chinese hardware and software in the telecoms, semiconductors and other sectors and upon which governments have acted apply to the IoT. This national security threat is wide ranging. Interference in CNI, or the threat thereof as a lever on policy, is at the extreme end.

The CCP could also use cellular IoT modules to harvest data and to supplement its intelligence efforts. For example, the Chinese intelligence services might not have penetration of American weapons manufacturing, but through IoT modules embedded in the supply chains and logistics system they might be able to build up a worryingly accurate picture of how many spare parts, or weapons systems have been transported and to where.

This intelligence threat could apply to attempts to recruit individuals as spies. By combining and personal and institutional data from a wide range of sources and processing it using machine learning, it would be possible to identify key government workers and their potential vulnerabilities to intelligence approaches or disruption. Chinese state hackers notoriously broke into the US Office of Personnel Management.[2] Their aim was to access personal information to help target Americans with access to classified information. It would be unwise to give Chinese companies unfettered access to similar types of information by allowing their IoT modules into our systems.

Axon (formerly Taser) has 70 percent of the market in the US for police body cameras (as of October 2020 in 49 cities). It also supplies the US Border Patrol, US Customs, and the Drug Enforcement Agency, as well as police forces in the UK and other countries.[3]

Quectel is in the final stages of developing a custom-built design for Axon, which is currently going through certification and is likely to be deployed in the next 2-3 months. All currently-deployed devices have Sierra Wireless (Canada) modules.

Economic prosperity threat

As indicated earlier, CCP industrial policy aims to ensure that Chinese companies, which must cooperate with their political masters, dominate the new technologies and industries, since this serves to advance China’s economic, and thereby geopolitical, pre-eminence. This would not only reduce liberal democracies to a dangerous dependency, but would hollow out their companies. Part of this process is what might be called “venture communism”, in which Chinese companies buy out foreign firms in the same field, whether in order to grow, to reduce competition[4] or to obtain technology and intellectual property. There is a particular concentration on start-up companies, whose attraction is both their new technologies and the fact that, by virtue of size, they do not appear on the radar of measures such as the UK’s National Security Investment Act.

The data generated by automated logistics, manufacturing, and transport systems would allow the holder to develop an industrial pattern-of-life of any supplies chains covered. This could be invaluable as a means of ensuring that the holder’s economic interests prosper over those of a competitor. Data from the networks and systems into which these routers would be plugged would provide insights into productivity, rate and quantity of supply, and efficiency. This equates to a form of data driven insider knowledge.

Such knowledge from inside a competitor or existing infrastructure could allow a malicious actor to tune their bids for infrastructure projects or for the buyouts of competitors. It could also allow them to manage their own supply chains and market offerings in a manner which permitted them to adapt pre-emptively to the strategies and capabilities of their competitors. This would undermine the free market and the forces of supply and demand.

The systematic acquisition of western science and technology and the erosion of the ability of western companies to compete, if unchecked, would undermine prosperity, geopolitical strength and the values upon which democratic countries have based their systems. Ultimately economic prosperity melds into national security.

Farming is a critical industry. Automation helps to increase yields while decreasing labour – similar to the logic which has seen automation become the norm in the automotive industry and within large retailers like Amazon. From automated harvesters to drones for monitoring crops and watering, cellular IoT modules suit farming equipment, not least because they allow continuous connectivity in places where WiFi is inaccessible or wired networking over huge distances is impractical.

At first sight data from IoT enabled farming equipment hardly seems threatening, even in the hands of a malicious actor. But, for example, if systems extensively used Chinese modules, knowledge of current, past, and predicted trends for crop yield, the resources used on the upkeep of the land, the financial situation of the potential vendor would enable CCP backed companies to identify farming enterprises in a precarious situation and to buy them out when they are at their most vulnerable. They could be well placed in negotiations with the US on grain contracts, on buying up American expertise in farm machinery or seed technology, or in more accurately targeting sanctions on American growers for political ends.

Data privacy threat

IoT devices are becoming increasingly commonplace within people’s homes. The range of uses and the data which they collect and process are expanding, not least so that targeted marketing can be sent to their owners. Wearable technology collects health and activity data; smart kitchen appliances or multimedia devices collect information on behaviour and personal interactions; door cameras, alarm systems and security cameras equipped with machine learning monitor personal comings and goings; smart meters monitor usage of electricity and gas, which in the midst of an energy crisis brought about by state manipulation of natural resources prices for political aims is of contemporary concern.

While it may not unduly worry the average citizen if the security organs of the CCP were to be in possession of personal information, it might concern those in free and open societies who, for example, are of Uyghur extraction, have relatives in Hong Kong or might work in sensitive government positions. By collating such information and the metadata created as people interact with IoT devices, particularly of electronic payments and travel, it is possible to work out who has been meeting whom and where. This pattern-of-life information can provide deep and rich insights into our daily habits, contacts and finances. Coupled with machine learning, such data makes it possible to make predictive assessments of where a person might be or how they might act at a certain time or in a certain situation. Such a capability is a threat not just to individual liberty and freedom of choice, but to security through the increased risk of effective blackmail campaigns tailored to the very specific lifestyle of an individual target.

READ MORE HERE