Putting the Chinese IoT Threat in Perspective

A new report paints a disturbing picture of how Chinese officials and the companies under their influence plan to dominate the Internet of Things (IoT). The 202-page report to Congress describes China’s aggressive pursuit of IoT for various purposes, including collecting intelligence, subversion, and market control. The report was submitted by the US-China Economic and Security Review Commission, which was created by Congress in 2000 with the mandate to investigate and monitor the security effects of trade between the US and the People’s Republic of China.

China’s “drive to become a leader in the IoT poses sobering challenges to US economic and security issues,” the report states. The report also notes how “unauthorized access to IoT devices has already resulted in physical consequences, including attacks on industrial machinery and power grids around the world.”

The Exploitation of IoT Devices Is a Global Threat

China is not alone in the exploitation of IoT devices. In July 2018, when US President Donald Trump and Russian President Vladimir Putin met in Finland, cyber attacks provided access to audio and video devices that could snoop on the high level talks, according F5 Networks, a cybersecurity firm. Normally, Finland is not a major cyber attack target. But during the event, the country experienced a spike in attack traffic originating from various countries. F5 reported that 34% of the attacks originated from China, the top attacking country, and the US followed at 12%.

Beyond countries like China or the US exploiting IoT devices, the latest IoT technologies might pose unintended security risks. Researchers at Brown University have figured out how to potentially eavesdrop on emerging 5G networks, which are expected to play an essential role as the IoT market unfolds. 5G wireless networks transmit data on higher frequencies than previous generations and higher frequency wavelengths are expected to be harder to intercept. Therefore, these networks should provide more secure communications. However, researchers at Brown conducted a series of 42 experiments that placed cylindrical objects partly within the path of the transmission beam to divert some of the signal. In 10 of the scenarios, researchers were able to successfully eavesdrop.

Beyond vulnerable network technology, industrial and military security is lacking at the most fundamental level, which does not portend well as more IoT devices and systems intersect. A recent report from the US Government Accountability Office concludes: “The US Department of Defense (DOD) faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats. This state is due to the computerized nature of weapon systems,” and “DOD’s late start in prioritizing weapon systems cybersecurity.” This cannot be taken lightly at the Pentagon. Moreover, the industrial sector faces its own challenges. A new report by CyberX says 69% of industrial control systems openly send plaintext passwords, and 40% of industrial sites have at least one direct connection to the public internet.

The Best Defense Is a Good Offense

There are reasons to be concerned about other vulnerabilities related to IoT. Hackers from anywhere are a threat and so are organizations that fail to implement basic protections. For energy market stakeholders seeking a stronger cybersecurity defense, see Guidehouse Insights’ report, Managing IoT Cybersecurity Threats in the Energy Cloud Ecosystem.

Despite the threats I tend not to be an alarmist about cybersecurity, but more of a realist. The clock cannot be turned back on technology like IoT, but stakeholders can get a better handle on the situation. And that means a diligent, ongoing approach that looks at real threats and meets those with solid tools and procedures to drastically reduce risks to an acceptable level. There is no way to eliminate all risk in an IoT world—unless you simply shut down or disconnect the devices. Short of that, we need to get much more serious about taking action.