Editor’s note: This post is the third of a three part series based on a paper examining Chinese use of cellular technologies (including the threat to US interests) by Charlie Parton. For the full paper see: Cellular IoT Modules- Supply Chain Security -bg
Because so little work has been done on the threat from Chinese cellular IoT modules, it is difficult to point to specific examples where data has been sent back to China to the detriment of the interests of free and open countries. But given the CCP’s record in other areas (there have recently been instances where Tik Tok and Huawei have assured that information is not sent to China, only for evidence to emerge that it is), this is not a risk which other countries should take. CCP support for Russia, its behaviour in the Taiwan Straits and the South China Sea, its repudiation of universal values in the infamous “document no 9” and demonstration of that disregard in Hong Kong and Xinjiang should convince our policy makers that if the CCP does not represent a hostile power now, it is likely to in future. Therefore, with cellular IoT modules, it is a question of identifying the vulnerabilities and taking measures to close them off.
Dependency of free and open countries on Chinese companies would give the CCP a significant lever for use against them. We have seen how during the Covid crisis, the Party was not averse to manipulating the supply of medical goods. Hostility does not need to be carried out only in traditional armed conflict.
The threat can be broken down into four areas. This section takes a brief look at them.
The national security arguments which apply to Chinese hardware and software in the telecoms, semiconductors and other sectors and upon which governments have acted apply to the IoT. This national security threat is wide ranging. Interference in CNI, or the threat thereof as a lever on policy, is at the extreme end.
The CCP could also use cellular IoT modules to harvest data and to supplement its intelligence efforts. For example, the Chinese intelligence services might not have penetration of American weapons manufacturing, but through IoT modules embedded in the supply chains and logistics system they might be able to build up a worryingly accurate picture of how many spare parts, or weapons systems have been transported and to where.
This intelligence threat could apply to attempts to recruit individuals as spies. By combining and personal and institutional data from a wide range of sources and processing it using machine learning, it would be possible to identify key government workers and their potential vulnerabilities to intelligence approaches or disruption. Chinese state hackers notoriously broke into the US Office of Personnel Management. Their aim was to access personal information to help target Americans with access to classified information. It would be unwise to give Chinese companies unfettered access to similar types of information by allowing their IoT modules into our systems.
Axon (formerly Taser) has 70 percent of the market in the US for police body cameras (as of October 2020 in 49 cities). It also supplies the US Border Patrol, US Customs, and the Drug Enforcement Agency, as well as police forces in the UK and other countries.
Quectel is in the final stages of developing a custom-built design for Axon, which is currently going through certification and is likely to be deployed in the next 2-3 months. All currently-deployed devices have Sierra Wireless (Canada) modules.
As indicated earlier, CCP industrial policy aims to ensure that Chinese companies, which must cooperate with their political masters, dominate the new technologies and industries, since this serves to advance China’s economic, and thereby geopolitical, pre-eminence. This would not only reduce liberal democracies to a dangerous dependency, but would hollow out their companies. Part of this process is what might be called “venture communism”, in which Chinese companies buy out foreign firms in the same field, whether in order to grow, to reduce competition or to obtain technology and intellectual property. There is a particular concentration on start-up companies, whose attraction is both their new technologies and the fact that, by virtue of size, they do not appear on the radar of measures such as the UK’s National Security Investment Act.
The data generated by automated logistics, manufacturing, and transport systems would allow the holder to develop an industrial pattern-of-life of any supplies chains covered. This could be invaluable as a means of ensuring that the holder’s economic interests prosper over those of a competitor. Data from the networks and systems into which these routers would be plugged would provide insights into productivity, rate and quantity of supply, and efficiency. This equates to a form of data driven insider knowledge.
Such knowledge from inside a competitor or existing infrastructure could allow a malicious actor to tune their bids for infrastructure projects or for the buyouts of competitors. It could also allow them to manage their own supply chains and market offerings in a manner which permitted them to adapt pre-emptively to the strategies and capabilities of their competitors. This would undermine the free market and the forces of supply and demand.
The systematic acquisition of western science and technology and the erosion of the ability of western companies to compete, if unchecked, would undermine prosperity, geopolitical strength and the values upon which democratic countries have based their systems. Ultimately economic prosperity melds into national security.
Farming is a critical industry. Automation helps to increase yields while decreasing labour – similar to the logic which has seen automation become the norm in the automotive industry and within large retailers like Amazon. From automated harvesters to drones for monitoring crops and watering, cellular IoT modules suit farming equipment, not least because they allow continuous connectivity in places where WiFi is inaccessible or wired networking over huge distances is impractical.
At first sight data from IoT enabled farming equipment hardly seems threatening, even in the hands of a malicious actor. But, for example, if systems extensively used Chinese modules, knowledge of current, past, and predicted trends for crop yield, the resources used on the upkeep of the land, the financial situation of the potential vendor would enable CCP backed companies to identify farming enterprises in a precarious situation and to buy them out when they are at their most vulnerable. They could be well placed in negotiations with the US on grain contracts, on buying up American expertise in farm machinery or seed technology, or in more accurately targeting sanctions on American growers for political ends.
IoT devices are becoming increasingly commonplace within people’s homes. The range of uses and the data which they collect and process are expanding, not least so that targeted marketing can be sent to their owners. Wearable technology collects health and activity data; smart kitchen appliances or multimedia devices collect information on behaviour and personal interactions; door cameras, alarm systems and security cameras equipped with machine learning monitor personal comings and goings; smart meters monitor usage of electricity and gas, which in the midst of an energy crisis brought about by state manipulation of natural resources prices for political aims is of contemporary concern.
While it may not unduly worry the average citizen if the security organs of the CCP were to be in possession of personal information, it might concern those in free and open societies who, for example, are of Uyghur extraction, have relatives in Hong Kong or might work in sensitive government positions. By collating such information and the metadata created as people interact with IoT devices, particularly of electronic payments and travel, it is possible to work out who has been meeting whom and where. This pattern-of-life information can provide deep and rich insights into our daily habits, contacts and finances. Coupled with machine learning, such data makes it possible to make predictive assessments of where a person might be or how they might act at a certain time or in a certain situation. Such a capability is a threat not just to individual liberty and freedom of choice, but to security through the increased risk of effective blackmail campaigns tailored to the very specific lifestyle of an individual target.
IoT cellular modules in vehicles are a particular worry. For example, Quectel supplies its AG525R-GL module to Tesla for the powerful ‘car computers’ in its Model S Plaid and Model X Plaid to manage the internal data processing. These modems have been designed for auto-related applications, such as fleet management, vehicle tracking, in-vehicle navigation system, vehicle remote monitoring, vehicle remote control, security monitoring and alarming, remote vehicle diagnostics, vehicle wireless routing and in-car entertainment.
The dangers of allowing vehicle data to come into the possession of hostile powers are clear. For example, it could be used to identify sensitive government employees by locating their place of work, their home and their meetings. In January 2023, the i newspaper in the UK reported that a surreptitious Chinese cellular IoT module had been discovered in UK government cars, including those used by senior government minsters. The newspaper reported, ‘A hidden Chinese tracking device was found in a UK Government car after intelligence officials stripped back vehicles in response to growing concerns over spyware, i has been told. At least one SIM card capable of transmitting location data was discovered in a sweep of Government and diplomatic vehicles which uncovered “disturbing things”, a serving security source confirmed. The geolocating device had been placed into a vehicle inside a sealed part imported from a supplier in China and installed by the vehicle manufacturer, according to the source.’ 
Quectel’s and Fibocom’s work with HikVision cameras, HiSilicon semiconductors, and Huawei 5G infrastructure is important for the functioning of “smart cities”. Often the term “smart cities” is a euphemism for the surveillance deployed by the CCP in Xinjiang, and increasingly in other parts of China, as well as abroad through export. They are attractive not least in Hong Kong, Africa and parts of Europe, because of the low initial cost, long term maintenance contracts, and potential savings and efficiency for local governments as a result of better information. Yet they are the central pillar of digital authoritarianism directed at minority groups within China. Their R&D and their supplier’s increasingly dominant position in the market is built on the back of the work given to them by the CCP in policing the minority population in Xinjiang. This is unwholesome.
Quectel’s and Fibocom’s modules transfer the data captured by the more easily noticed apparatus of surveillance back to centres for processing. Using machine learning security forces attempt to identify indicators of behaviour which are seen as a threat to the CCP.
As these companies make their way into our airports, ports, cities, and road systems under the seemingly innocuous Trojan horse of “Smart Cities”, they bring with them the same values which they present within mainland China. Cheap and useful though they may be, but by normalising their use within our societies we are normalising their darker side.
The same cameras, telecoms infrastructure, and ‘smart’ systems are increasingly being promoted to cities in free and open countries. In the UK, Milton Keynes and Bournemouth are examples. The relatively low cost of networked services and capabilities which could improve traffic, logistics, or security is attractive to cities with tight budgets. But governments need to decide – quickly – whether they are happy to import CCP values.
Countering these threats and mitigating the risks will also empower the domestic IoT industry in the US, UK and their allies, delivering a supply chain which enables growth and innovation. The fostering of a strong, globally competitive market for IoT companies will serve to drive industry and innovation in a manner which avoids the risks inherent in a supply chain dominated by CCP controlled companies. Fortunately, there remain a good number of American, European, and Asian players still in the market, as was not the case with Huawei, where the only other options were Erikson and Nokia.
Free nations have taken action in the areas of 5G and semiconductors. They need – urgently – to do the same in the field of IoT, to preserve the future of IoT manufacturers based in our countries, and to uphold national security, economic prosperity, privacy and values. The longer the delay in limiting Chinese cellular IoT modules, the more difficult and expensive it becomes to replace them. The window of opportunity is closing, but it is still open.
 See the report of what appears to be a deliberate attempt to buy into the UK company Nexperia and to starve it of funding in order to kill off competition, the Times, 6 August 2022. https://www.thetimes.co.uk/article/chinese-backed-nexperia-hobbled-newport-wafer-fab-to-buy-on-the-cheap-q859ztdrb
 As reported in the Financial Times two smart city deals with local authorities in the UK were cancelled at the very last minute after intervention by the NCSC and GCHQ: https://www.ft.com/content/46d35d62-0307-41d8-96a8-de9b52bf0ec3 .