Internet-of-Things devices may be making our infrastructure more vulnerable to national security threats.
The millions of IoT devices we use knowingly or unknowingly make our modern societies function. These include utility meters and traffic lights, and they even connect to the national grid. 5G is elevating their use to even higher levels and making them an integral part of the country’s critical infrastructure.
But that also is making that infrastructure more vulnerable to security threats. Reps. Mike Gallagher and Raja Krishnamoorthi of the U.S. House Select Committee on China understand this threat and are rightly sounding alarm bells. It’s fascinating how these seemingly benign and almost invisible IoT devices can be such a grave threat.
The U.S. IoT market is massive, estimated to be $199B in 2024, according to Statista. IoT technology is found in almost any connected device for individual or industrial use. Since IoT devices manage and control the country’s critical assets, including power, water, natural gas, and many industries, and even more so with 5G IoT, they are part of the national critical infrastructure.
Imagine the havoc the sudden collapse of the national grid or large-scale disruption of utilities can create. Such catastrophes can bring the country to a screeching halt, threaten lives, and cause lasting damage.
Despite its critical role, IoT security hasn’t gotten the attention of regulators and governments it deserves. It was considered a “business risk” to be managed by the industry. Fortunately, that is starting to change. The recent letters from the congressmen to the FCC, the Department of Defense, and the Treasury Department regarding cellular connectivity modules used in IoT devices indicate that lawmakers are now treating this as a national security issue.
When it comes to cellular IoT devices, the biggest threat is the security of the connectivity module (aka IoT module) on which they are built. This module is the gatekeeper, which controls all the data going in and out of the device. If the module is compromised, the whole device, and in many cases all the systems it connects to, are compromised.
Note: For more details on IoT device security, please check out my article series here.
Connectivity modules could have many vulnerabilities. There could be backdoors built into the hardware or the software when modules are shipped from the factory (called “Zero Day” attacks) or introduced during the numerous upgrades modules receive over their lifespan of more than ten years. These upgrades are similar to the ones our smartphones receive but are usually executed automatically.
Because of prohibitive costs, operators can’t examine and verify all the devices and their firmware updates. No matter who creates these vulnerabilities or how, they can be exploited by bad actors. If those bad actors are state-sponsored, the risk is even higher.
As FBI Director Christopher Wray mentioned in his recent testimony, “Hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities.”
The attackers can stay dormant for a long time and attack at a time of their choosing. Hence, it wouldn’t be wrong to say that any device with such vulnerabilities can become a ticking national security timebomb.
IoT is a largely low-margin, low-revenue (per subscription) business with a highly cost-competitive market. Most operators manage security as a business risk. They invest just enough to protect against fraud and liability. National security probably never makes it to their priority list.
Considering the complexity, cost, and potential risks involved, the responsibility of ensuring the security of IoT devices, from a national security perspective, rests squarely on the regulators and the government. The simple and highly reliable approach to achieve that seems to be establishing a fully trusted supply chain comprising local players and players from trusted national partners.
This is where things get complicated. According to Counterpoint Research, almost a quarter of the US cellular connectivity module market is controlled by one Chinese company, Quectel. More alarmingly, a large portion of the IoT modules used in FirstNet, the cellular network used by first responders, are also Chinese.
And that’s precisely why these congressmen are concerned and asking relevant US departments to intervene. As opined by many law experts, Chinese laws require all Chinese companies “to support, provide assistance, and cooperate in national intelligence work.”
So, then the question arises: Is the Huawei-like approach of totally banning these companies the right strategy? If not, are there any other remedies available? What are the pitfalls? All these questions need to be addressed before taking any substantive action. Look out for my next article for details on them and possible answers.
Prakash Sangam is the founder and principal at Tantra Analyst, a leading boutique research and advisory firm covering 5G, AI, Wi-Fi, Cloud, and IoT. He is a 3GPP/ETSI member and has more than 20 years of hands-on tech experience working for Qualcomm, Ericsson, and AT&T. He hosts Tantra’s Mantra podcast, a newsletter, and is often quoted in international media, and on the speaking circuit for leading industry events. This Expert Opinion is exclusive to Broadband Breakfast.
Broadband Breakfast accepts commentary from informed observers of the broadband scene. Please send pieces to commentary@breakfast.media. The views expressed in Expert Opinion pieces do not necessarily reflect the views of Broadband Breakfast and Breakfast Media LLC.
Industry Groups Urge Fixes to FCC’s Cybersecurity Labeling at House Hearing
The Connectivity Standards Alliance suggested that the program remain voluntary and that the FCC not mandate the label.
WASHINGTON, January 17, 2024 – The Federal Communications Commission should make alterations to its proposed new cybersecurity labeling system by making the label optional and increasing accessibility for consumers and the private sector, witnesses told a House subcommittee hearing on Thursday.
In August, the FCC unveiled its proposed Cyber Trust Mark, a labeling program which would help consumers identify secure technologies that protect their privacy. The FCC touted the cyber trust mark as a voluntary labeling program for connected smart devices, with a QR code providing updates on whether the product meets current cybersecurity standards.
Despite broadly supporting the agency’s proposed program, Tobin Richardson, CEO of Connectivity Standards Alliance – a constellation of companies that promote universal standards for the Internet of Things – suggested that the “FCC structure the program to allow it to be strong enough to meaningfully address IoT security, be flexible enough to incentivize private sector adoption, and be informative enough for consumers when they purchase new products.”
He also suggested that the program remain voluntary and that the FCC not mandate the label.
Alan Butler, executive director of consumer privacy group Electronic Privacy Information Center, said that a website on the safety of technologies could serve as an additional layer of protection. This would allow the FCC to limit the amount of information on the label and avoid confusing consumers. Consumers expect to understand if their devices could pose potential threats, he said.
Clete Johnson, senior fellow of Center for Strategic and International Studies, urged the FCC to “establish the mark as an opt-in program.”
Committee members and witnesses also discussed how generative artificial intelligence “lowers the barrier to entry” for cybercriminals to attack victims.
The hearing also touched on the significant expenses organizations incur when trying to hire personnel necessary to protect themselves from cyberattacks. The witnesses also mentioned the necessity of “adaptive” technologies, which can be “upgraded” to address evolving threats.
The United States has been exposed to various cyberattacks in recent years, causing lawmakers to scramble for solutions to potential cybersecurity vulnerabilities. In June 2023, several U.S. governmental agencies, including the Department of Energy, were victims of Russian cyberattacks.
In July 2023, the Biden Administration issued a statement voicing support for the proposed Cyber Trust Mark, citing the urgency of providing “tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes.”
In December 2023, it was revealed that Chinese hacking groups infiltrated critical governmental sectors including water, utilities, and gas pipelines.
The White House is looking to get the mark on products “by next year.”
LAS VEGAS, January 11, 2024 – The United States has entered an agreement with the European Union on a “joint roadmap” for standardized cybersecurity labels, a Biden Administration official announced at CES on Thursday.
“We want companies to know when they test their product once to meet the cybersecurity standards, they can sell anywhere,” said Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technologies. “They can sell in Paris, Texas, or Paris, France.”
Neuberger said the White House is aiming to get its U.S. Cyber Trust Mark, a voluntary certification for internet of things devices, on consumer products by the end of the year. The effort to mark products like routers, baby monitors, and thermostats as safe from hacking was first announced in October 2022.
The Federal Communications Commission voted in August to seek comment on how to implement various parts of the program, including how to develop and ensure compliance with its cybersecurity standards.
What exactly those standards will be is not yet decided, but the Commission has said it will base the program on criteria developed by the National Institute of Standards and Technology. Those include encrypting both stored and communicated data and the ability to receive software updates.
The measure is not on the FCC’s tentative January meeting agenda, but Neuberger said the agency is “working toward next steps.”
The Broadband Equity, Access and Deployment program requires ISPs and states to submit comprehensive cybersecurity plans.
WASHINGTON, November 2, 2023 – How states implement cybersecurity rules in the $42.5 billion Broadband Equity, Access and Deployment program could shape internet security regulations more widely, experts said during a virtual panel Wednesday.
The BEAD program, which will provide federal grants to states to disperse for broadband projects, requires providers to submit comprehensive cybersecurity plans based on standards from the National Institute of Standards and Technology. Panelists said flexibility in the plans allows customization but also establishes baseline expectations as critical infrastructure relies more on connected technology.
“I think the way that states and entities interpret these BEAD cybersecurity and supply chain requirements is really going to have a ripple effect across the whole community,” said Savannah Schaefer, an attorney at Wilkinson Barker Knauer, who advises clients on cybersecurity.
Federal Communications Commission rules are beginning to include similar mandates, meaning how states implement BEAD’s requirements could influence cybersecurity regulations more broadly, Schaefer said.
Melissa Newman, vice president of government affairs at the Telecommunications Industry Association, said BEAD’s cybersecurity stipulations cite lengthy federal guidance documents providers must wade through. Her trade group developed a checklist to help companies understand the rules.
“You cannot be confident in the security of your networks and products without consideration of both cyber and supply chain security,” said Newman, TIA’s vice president of government affairs.
Supply chain management, knowing who provides equipment and software, is critical because cybersecurity threats can be embedded throughout a product’s lifecycle, she said.
Evan Rice, senior vice president of Guide Star, a division of CCI Systems, said providers should start by documenting current cyber practices, identifying gaps and making plans to address them. Cybersecurity must be incorporated holistically, from network construction to long-term operation, he said.
“Everyone understands that piece. The cybersecurity is the same. Once you build it, you have to operate it,” said Rice. Schaefer encouraged viewing BEAD as part of an ongoing process of shaping cybersecurity requirements.
Wednesday, November 1, 2023 – Cybersecurity and BEAD
To qualify for funding under the Broadband Equity, Access and Deployment program, network operators must submit a comprehensive cybersecurity strategy in line with the National Institute of Standards and Technology’s cybersecurity framework. What impacts do these requirements have on broadband deployers, and what steps can they take to ensure compliance? How can operators strike the right balance between expanding their networks and safeguarding them against cyber threats?
Panelists
Evan Rice is an experienced IT executive with a focus on cyber security and operational excellence. Evan currently serves as the Senior Vice President of Guide Star, a division of CCI Systems. Evan has been with CCI Systems since 2012, starting as a Data Services Professional then moving to the Vice President of Information Technology role prior to his current position at Guide Star.
As an Associate at Wilkinson Barker Knauer LLP, Savannah Schaefer advises clients on a range of issues pertaining to cybersecurity, supply chain risk management, and emerging technology. Prior to joining the firm, Savannah represented companies in the information and communications technology sector at two trade associations where she led development and advocacy of the associations’ cybersecurity and supply chain legal and policy positions. She has also served in leadership roles in the IT and Communications Sector Coordinating Councils and on the Department of Homeland Security’s ICT Supply Chain Risk Management Task Force.
Melissa Newman has over 25 years’ experience in government affairs for the telecommunications sector. Prior to Melissa joining TIA as Vice President of Government Affairs, she worked at Transit Wireless heading the Legal and External Affairs departments; Wilkinson Barker Knauer, a premier telecommunications law firm in Washington, DC; CenturyLink (now Lumen) as Vice President, Federal Policy and Regulatory Affairs; and as Deputy Division Chief of the Policy Division in the Common Carrier Bureau of the FCC.
Breakfast Media LLC CEO Drew Clark has led the Broadband Breakfast community since 2008. An early proponent of better broadband, better lives, he initially founded the Broadband Census crowdsourcing campaign for broadband data. As Editor and Publisher, Clark presides over the leading media company advocating for higher-capacity internet everywhere through topical, timely and intelligent coverage. Clark also served as head of the Partnership for a Connected Illinois, a state broadband initiative.