US homes and infrastructure are increasingly outfitted with Web-connected “smart” devices that can be vulnerable to hackers, and lawmakers say beefed-up security standards will be vital to address growing threats from criminals and hostile governments alike.
Public fears about cybersecurity were stoked by ransomware attacks on the Colonial Pipeline and meat producer JBS in 2021, in addition to federal warnings of foreign attacks on the US power grid. Closer to home, hackers have used Ring cameras to spy on kids and even lure them into creepy conversations.
Rep. Mike Gallagher (R-Wis.), chairman of the House Select Committee on China, is among a growing group of policymakers focused on so-called “Internet of Things,” or IoT, devices, which generally are understood as non-computer devices with an online connection.
Examples range from smart TVs, wearable fitness trackers, doorbell cameras, and thermostats to control systems for factories and power plants. A key cause for worry, according to the congressman, is the fast-growing use of Chinese-made cellular modules that allow smart devices to connect to the internet.
It sounds like science fiction, but with widespread control of those modules, China could steal US data or remotely shut down critical infrastructure in a conflict scenario, according to concerned lawmakers. Hackers could crank up AC units en masse to cause power brownouts, or take control of self-driving cars and even medical devices like pacemakers – as former Vice President Dick Cheney once feared.
In a statement to The Post, Gallagher said “modules sourced from [People’s Republic of China] corporations like Quectel pose a security risk in any US technology, but especially in government hardware, critical infrastructure, and life-saving first response systems.
“Using these modules may create a backdoor for malign Chinese government actors to access and potentially cripple our devices,” Gallagher added. “It’s just common sense: American critical infrastructure must not be dependent upon CCP technology.”
In August, Gallagher and the committee’s top Democrat, Rep. Raja Krishnamoorthi, asked FCC Chairwoman Jessica Rosenworcel to look at the use of Chinese-made cellular modules.
The lawmakers’ letter said the Chinese Communist Party has “given extensive state support” to the industry and singled out two Chinese firms, Quectel and Fibocom, as major producers of modules widely used in US products ranging from smart cities and drones to US first responder body cameras.
The lawmakers cited Russia’s recent theft of $5 million in farm equipment from a John Deere dealership in Ukraine – only for the vehicles to be rendered useless after their modules were remotely disabled.
Last month, Rosenworcel followed up on the lawmakers’ request by asking the Justice Department, the FBI and other federal agencies to consider whether the use of components made by Quectel and Fibocom poses a national security threat.
A Quectel spokesperson said the company’s “IoT modules don’t pose any risk to national security or privacy” and noted that it has “proactively engaged with regulators, government agencies, and industry stakeholders to handle any concerns they may have.”
“Quectel is an independent public company and makes its own business decisions,” the spokesperson said. “It is neither owned nor controlled by the Chinese government. Quectel doesn’t and has not shared, transferred, or publicly disclosed data with the Chinese government. The Chinese government has never requested any data from Quectel.”
Fibocom didn’t immediately return a request for comment.
FCC Commissioner Nathan Simington, a Republican, said the threat of a state-sponsored attack on key infrastructure such as industrial installations, public utilities or law enforcement needs to be taken “totally seriously.”
Any company or operator potentially in danger needs to be “engaged with its regulators on an ongoing basis and should develop more of an accountability plan,” he added.
“In rather a lot of ways, we’re lucky that rather a lot of the hacks to this point have just been criminal activity,” Simington said. “At the end of the day, criminals are way less resourced than the Chinese NSA or the Russian NSA.”
For consumers, Simington is backing the FCC’s current push for a “US Cyber Trust Mark” label for smart devices that voluntarily adhere to “widely accepted cybersecurity standards,” including regular software updates over a disclosed period of time after the device is released.
In an August statement in support of the FCC’s labeling effort, Simington warned that “attacks on unpatched devices have gotten more frequent and more dangerous” and cited the risk of “botnets,” or networks of hijacked devices used in major cyberattacks.
Simington, who last month took the unusual step of soliciting feedback on the popular “Hacker News” forum, said the label set to debut next year isn’t an answer, but rather a first step to help businesses without creating a costly, plodding bureaucracy.
“There are lots of Americans buying devices every single day – we’re talking thousands and thousands of units a year – they’re buying them on the expectation that those devices are secure,” Simington told The Post.
“If those expectations are violated, the American people are going to have some pretty legitimate questions on what exactly we were doing in DC all that time.”