China is eyeing dominance of the Internet of Things (IoT) market and may use vulnerabilities in these technologies as the next front in its ongoing cyberwar with the United States, a move that demands a response from U.S. policymakers to counter the threat, according to a new report. Over the last seven years China has done substantial research into the security vulnerabilities of the IoT, not only to advance its own technology interests but also as a way to conduct cyber-espionage and exploit other nations’ IoT systems, according to the report, “China’s Internet of Things,” which was sponsored by the U.S.-China Economic and Security Review Commission.
“Beijing’s strong rhetorical emphasis on IoT security is unsurprising given its attention to network security as a function of national security, but China’s extensive research into IoT vulnerabilities could also enable intelligence collection and cyberwarfare capabilities based upon unauthorized access,” according to the report, which was prepared by security services firm SOS International LLC. “In fact, evidence strongly suggests that China’s coercive apparatus supervises and directs the collection and release of vulnerabilities.”
To combat this potential threat, the report recommends that the United States take definitive policy action, including clarifying data-privacy laws for both U.S. and foreign companies and requiring full transparency for any foreign IoT products brought into the country that may have connections to the Chinese government.
Indeed, it’s no secret that the IoT is not only a huge financial opportunity for stakeholders in the United States, but also that IoT devices are full of security holes, flaws that manufacturers aren’t fixing fast enough to keep up with adoption. Numerous reports have come out over the last several years describing just how catastrophic it could be for consumers, the enterprise and even critical infrastructure if these vulnerabilities are exploited at scale.
History of vulnerability collection
China seems determined to do just that. The government hit the ground running on examining IoT vulnerabilities as early as 2011, when the Ministry of Industry and Information Technology’s (MIIT’s) China Academy of Telecommunication Research identified security as one of the core IoT development challenges needing further government study and consideration in its “IoT White Paper,” published that year, according to the report.
The paper called for a full assessment of the security threats, data-leakage vulnerabilities and privacy threats facing IoT systems, and recommended the creation of systems for layered IoT protection, security evaluation and risk assessment. Not long after, China released a five-year development plan for the IoT which identified “strengthening information security” as one of its main IoT tasks, with a specific focus on research and development to shore up privacy protection, access control, key management, secure routing and intrusion detection, the report found.
China’s apparent head start in the exploration of IoT vulnerabilities is especially worrying for the security of these systems, not just in the United States but across the world, because there is already precedent for China exploiting its knowledge of vulnerabilities in its own offensive cyber operations. Reports from Recorded Future released earlier this year found evidence that China delayed publication of known vulnerabilities in its national vulnerability database so it could evaluate how they might be used in cyberwarfare before making others aware of them, and then attempted to cover up this behavior by backdating the entries.
The commission’s report also found evidence of China’s intention to hide its vulnerability research from the rest of the world so it can use it for the nation’s own gain. Researchers found that “anecdotal evidence” supports the claim that China’s MIIT discourages Chinese security vendors from participating in international hacking competitions, so that the government can “stockpile” vulnerabilities that the vendors might otherwise share with the international community.
“It is likely that this practice of stockpiling vulnerabilities for exploitation extends to IoT products sold in U.S. markets,” the report found.
How to protect U.S. IoT interests
While IoT stakeholders in the United States appear to be dragging their feet on making IoT devices and networks more secure, there are steps the U.S. government can take to protect U.S. IoT interests and networks from the impending Chinese threat, according to the report.
Recommendations focus on enacting new data-privacy and data-collection policies, including a tiered disclosure regime for IoT products broad enough to cover multiple aspects of authorized IoT data collection, and mandating data expiration and de-identification of data where appropriate, in line with existing principles of data minimization, especially for information resellers.
Researchers also recommend creating a single, comprehensive federal law governing data privacy that consolidates existing U.S. data regulations, as well as passing, as soon as possible, a unified federal data-privacy statute applicable to both foreign and domestic IoT companies.
Transparency and a tighter leash on foreign access to data are also ways the U.S. government can help protect the IoT from Chinese cyberattack. The report recommends that lawmakers enact policy requiring vendors of foreign IoT products to disclose affiliations with foreign entities that may pose a significant risk of harmful but authorized access to U.S. data.
Researchers also suggest that corporate-level attempts to transfer U.S. data to foreign entities be referred to the Committee on Foreign Investment in the United States (CFIUS) for approval before the transfer takes place.