China’s Internet of Things

John Chen, Emily Walz, Brian Lafferty, Joe McReynolds, Kieran Green, Jonathan Ray, and James Mulvenon

Research Report Prepared on Behalf of the U.S.-China Economic and Security Review Commission

October 2018

Disclaimer: This research report was prepared at the request of the U.S.-China Economic and Security Review Commission to support its deliberations. Posting of the report to the Commission's website is intended to promote greater public understanding of the issues addressed by the Commission in its ongoing assessment of U.S.-China economic relations and their implications for U.S. security, as mandated by Public Law 106-398 and Public Law 113-291. However, it does not necessarily imply an endorsement by the Commission or any individual Commissioner of the views or conclusions expressed in this commissioned research report.

About the SOSi Special Programs Division

This project was conducted within SOSi’s Special Programs Division (SPD), the premier open source and cultural intelligence exploitation cell for the U.S. intelligence community. Staffed by an experienced team of cleared analysts with advanced language skills, SPD’s mission is to provide cutting-edge, open source and cultural intelligence support to the collection, analytical, and operational activities of the U.S. intelligence community, with the goal of achieving national strategic objectives. SPD accomplishes its mission through the conduct of objective, independent, and relevant research and analysis, under strict quality guidelines.

Comments may be sent to the General Manager of the Special Programs Division, Dr. James Mulvenon.

Dr. James Mulvenon
General Manager
Special Programs Division
SOS International
2650 Park Tower Drive, Suite 300
Vienna, VA 22180
TEL: 571-421-8359
Email: James.Mulvenon@sosi.com

Table of Contents

About the SOSi Special Programs Division . i
Acronym List . v
Executive Summary . 1
  China’s Approach to IoT Development . 2
  China’s Race to Set International Technical Standards . 3
  Unauthorized Access to IoT Devices and Chinese Exploitation Efforts . 4
  Authorized Access to IoT Data and Privacy Concerns . 5
  Conclusions . 6
Introduction and Methodology . 7
Chapter 1: Overview of China’s IoT Development . 9
  China’s IoT Development Strategy . 10
    Defining and Describing the IoT Ecosystem . 10
    Competing for Primacy: Chinese Views on IoT Development . 14
    Scientific and Technological Innovation in the Context of Chinese Grand Strategy . 16
    Government Support for IoT Development . 18
    Financial Support for the IoT Industry . 25
  The Current State of China’s IoT Development . 30
    Problems with IoT Development . 33
  Implications for the United States . 36
    Restrictions on Foreign Investment . 37
    Selective Enforcement of Chinese Laws in Favor of Domestic Companies . 38
    The Prospect of Technology Transfer . 40
  Recommendations . 41
Chapter 2: The Standards Race . 43
  Setting IoT Standards . 45
    A Fractured Standards-Setting Environment . 46
    Major International Standards Bodies . 49
  United States IoT Standardization Efforts . 52
    U.S. Standardization Efforts Abroad . 53
  China’s Push to Set IoT Standards . 60
    Domestic Standardization: More than Tech Specs . 61
    China’s Role in International Standardization Efforts . 69
  Key Points of Contention . 97
    Multi-Stakeholder Model of Internet Governance . 97
    5G Frequency . 97
    Digital Object Architecture . 98
  Implications for the United States . 99
  Recommendations . 101
Chapter 3: Unauthorized Access and Chinese Research into IoT Security Vulnerabilities . 103
  Existing Security Vulnerabilities in the IoT: A Primer . 104
    Known Vulnerabilities in Chinese IoT Devices . 106
  Chinese Research into IoT Security Vulnerabilities . 108
    Overview of Chinese IoT Security Research . 110
    China’s Burgeoning IoT Research Ecosystem . 111
    The Civil-Military Overlap . 115
    Operational Applications for IoT Vulnerability Research: Beyond Securing the IoT . 118
  Implications for the United States . 122
  Recommendations . 124
    Improving Overall IoT Security . 124
    Risks of Chinese Exploitation of IoT Security Vulnerabilities . 125
Chapter 4: Authorized Access and Privacy Risks to U.S. Citizens from Chinese Data Access . 126
  Chinese Access to U.S. IoT Data . 127
    An Assessment of Authorized Data Access Methods . 128
  Impact on the United States . 144
    Existing Protections for U.S. Data . 145
    U.S. Data Protections: An Inadequate Approach . 148
  Recommendations . 149
    Authorized Data Access in IoT . 149
    Specific Risks Posed by Authorized Data Access by Chinese Actors . 151
Conclusions and Areas for Further Research . 152
Appendix A: Comparison of Application Permissions for Home Management IoT Devices . 154
Appendix B: Selected Portions of Chinese Laws That Could Enable Data Access . 158
Appendix C: Full Text of Selected IoT Company Privacy Policies . 163
  Huawei . 163
    Huawei Consumer Business Privacy Statement . 163
  Xiaomi . 173
    Privacy Policy . 173
  Google . 188
    Privacy Policy . 188
  Apple . 195
    Privacy Policy . 195

Acronym List

2G: Second Generation
3G: Third Generation
3GPP: Third-Generation Partnership Project
3PLA: General Staff Department 3rd Department
4G: Fourth Generation
4PLA: General Staff Department 4th Department
5G: Fifth Generation
5G NR: Fifth Generation New Radio
5GAA: Fifth Generation Automobile Association
ACR: Automated Content Recognition
AFNOR: Association Française de Normalisation
AI: Artificial Intelligence
AIOTI: Alliance for the Internet of Things Innovation
ANSI: American National Standards Institute
APEC: Asia Pacific Economic Cooperation
API: Application Programming Interface
APT: Advanced Persistent Threat
AQSIQ: General Administration of Quality Supervision, Inspection and Quarantine
AVIC: Aviation Industry Corporation of China
AWS: Amazon Web Services
BRI: Belt and Road Initiative
C4ISR: Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance
CAC: Cyberspace Administration of China
CAGR: Compound Annual Growth Rate
CAICT: China Academy of Information and Communications Technology
CAIH: China Aerospace Investment Holdings Ltd.
CAN-SPAM: Controlling the Assault of Non-Solicited Pornography and Marketing Act
CAS: Chinese Academy of Sciences
CAS IIE: Chinese Academy of Sciences’ Institute of Information Engineering
CASC: China Aerospace Science and Technology Corporation
CASIC: China Aerospace Science and Industry Corporation
CBPR: Cross-Border Privacy Rules
CCC: China Compulsory Certification
CCP: Chinese Communist Party
CDI: Content Digital Innovation Technology Co., Ltd
CEO: Chief Executive Office
CETC: China Electronics Technology Group Corporation
CFIUS: Committee on Foreign Investment in the United States
CIA: Confidentiality, Integrity, and Availability
CMI: Civil-Military Integration
CMS: China Merchants Securities
CNITSEC: China Information Technology Evaluation Center Security Testing Center
CNKI: China National Knowledge Infrastructure
CNVD: China National Vulnerability Database
CNO: Computer Network Operations
COPPA: Children’s Online Privacy Protection Rule
CPE: Customer Premises Equipment
CPU: Central Processing Unit
CSIC: China Shipbuilding Industry Corporation
DAS: Data Acquisition Systems
DDoS: Distributed Denial of Service
DO: Digital Object
DOA: Digital Object Architecture
DoD: Department of Defense
DPIA: Data Protection Impact Assessment
DPO: Data Protection Officer
Environmental Characteristics Value
EEA: European Economic Area
EEPROM: Electrically Erasable Programmable Read-Only Memory
eMBB: Enhanced Mobile Broadband
Electronic Technology Information Research Institute
ETSI: European Telecommunications Standards Institute
EU: European Union
EULA: End User License Agreement
FCRA: Fair Credit Reporting Act
FDA: Food and Drug Administration
FIRRMA: Foreign Investment Risk Review Modernization Act
FTC: Federal Trade Commission
FTC Act: Federal Trade Commission Act
GDPR: General Data Protection Regulation
GLBA: Gramm-Leach-Bliley Act
GPS: Global Positioning System
GSMA: Global System for Mobile Communications Association
GTI: Global TD-LTE Initiative
HIPAA: Health Insurance Portability and Accountability Act
IANA: Internet Assigned Numbers Authority
ICANN: Internet Corporation for Assigned Names and Numbers
ICT: Information and Communication Technology
IEC: International Electrotechnical Commission
IEEE: Institute of Electrical and Electronics Engineers
IETF: Internet Engineering Task Force
IMEI: International Mobile Equipment Identity
IoT: Internet of Things
IoV: Internet of Vehicles
IP: Intellectual Property
IP: Internet Protocol
IPR: Intellectual Property Rights
ISO: International Standards Organization
ISP: Internet Service Provider
IT: Information Technology
ITR: International Telecommunication Regulations
ITU: International Telecommunications Union
LAN: Local Area Network
LLC: Limited Liability Corporation
LPWAN: Low-Power Wide Area Networks
LSO: Local Storage Objects
LTE: Long-Term Evolution
M2M: Machine-to-Machine
MAC: Media Access Control
MANET: Mobile Ad-Hoc Network
MEC: Mobile Edge Computing / Multi-Access Edge Computing
MEMS: Microelectromechanical Systems
MIIT: Ministry of Industry and Information Technology
MIMO: Multiple-Input Multiple-Output
MLPS: Multi-Level Protection Scheme
MOST: Ministry of Science and Technology
MPS: Ministry of Public Security
MSS: Ministry of State Security
N/A: Not Applicable
NB-IoT: Narrowband IoT
NDA: Non-Disclosure Agreement
NDRC: National Development and Reform Commission
NGMN Alliance: Next Generation Mobile Networks Alliance
NGO: Non-Governmental Organization
NIST: U.S. National Institute of Standards and Technology
NORINCO: China North Industries Group Corporation
NR: New Radio
NUPT: Nanjing University of Posts & Telecommunications
NWU: Northwest University
OBOR: One Belt One Road
OECD: Organisation for Economic Co-operation and Development
OS: Operating System
PLA: People’s Liberation Army
PLMN: Public Land Mobile Network
PRC: People’s Republic of China
QR: Quick Response
R&D: Research and Development
RAN: Radio Access Network
RD&A: Research, Development, and Acquisition
RFID: Radio-Frequency Identification
RI: Research Institute
RMB: Renminbi
S&T: Science and Technology
SAC: Standardization Administration of the People’s Republic of China
SAIC: State Administration for Industry and Commerce
SASTIND: State Administration for Science and Technology for National Defense
SDK: Software Development Kit
State Encryption Management Bureau
SEP: Standard-Essential Patent
SIM: Subscriber Identity Module
SIMIT: Shanghai Institute of Microsystem and Information Technology
SKLOIS: State Key Laboratory of Information Security
SMS: Short Message Service
Special Project Action Plan for Standards Formulation
State Secrecy Bureau
SSL: Secure Sockets Layer
TC: Technical Committees
TCP/IP: Transmission Control Protocol/Internet Protocol
TD-LTE: Time Division Long-Term Evolution
TD-SCDMA: Time Division Synchronous Code Division Multiple Access
TLS: Transport Layer Security
TRB: Technical Reconnaissance Bureau
TV: Television
UAV: Unmanned Aerial Vehicle
UN: United Nations
US: United States
URL: Uniform Resource Locator
USA: United States of America
USB: Universal Serial Bus
USCBC: U.S.-China Business Council
USD: United States Dollar
USTR: United States Trade Representative
UUV: Unmanned Underwater Vehicle
V2X: Vehicle-to-Everything
W3C: World Wide Web Consortium
WAPI: WLAN Authentication and Privacy Infrastructure
WIC: World Internet Conference
WLAN: Wireless Local Area Network
WSC: World Standards Cooperation
WTO: World Trade Organization

Executive Summary

The Internet of Things (IoT)—the interconnection of physical and virtual things via information and communication technologies—is emerging as the next front in global network infrastructure, with potentially transformative benefits across a range of applications and services. Due to its potential adoption in essentially all economic sectors, analysts expect the IoT to expand exponentially over the next few years, ultimately involving billions of connected devices and dozens or more vertical markets around the world. However, pressing questions about the IoT’s operation, safety, and security have yet to be answered. What international standards will guide the development of IoT technologies and supporting infrastructure like 5G networks? How secure is the IoT, and what are the risks of its vulnerabilities? How will U.S. consumer data be used and protected here and abroad?

China features prominently in all of these issues, and its drive to become a leader in the IoT poses sobering challenges to U.S. economic and security interests. This report examines how China’s development of the IoT—bolstered by the Chinese government’s efforts to harness national resources for its promotion—has put China in a position to credibly compete against the United States and other leaders in the emerging IoT industry. China’s pursuit of IoT dominance constitutes a significant challenge to U.S. economic and national security interests. Its robust participation in international standards committees has given Beijing greater opportunities to dictate the rules of the road. Its research into IoT security vulnerabilities and its growing civil-military cooperation raise concerns about gaining unauthorized access to IoT devices and sensitive data. Its authorized access to the IoT data of U.S. consumers will only grow as Chinese IoT companies leverage their advantages in production and cost to gain market share in the United States.

For now, China’s large market size, production capacity, and government support offer some significant advantages, but China is still behind leading international levels in many IoT technologies. Therefore, U.S. companies and the U.S. government still have time to maintain a technological edge and influence future IoT development, standards, and roll-out. By comparison, the world is on the cusp of 5G, with commercial rollouts beginning in 2018. The countries with the largest and most reliable 5G networks will have a head start in developing the technologies that 5G enables, first among them the IoT. China has laid a solid groundwork for a comprehensive rollout, relying on a whole-of-country approach that has created an entire ecosystem for domestically manufactured 5G technologies and furthered their inclusion in international technical standards. With ten times the 5G sites per person as in the United States, China appears likely to lead early 5G deployment.[1]

Chinese dominance in the IoT will likely come at considerable cost to U.S. companies and consumers, hurting both U.S. economic and national security interests. China sees technology development as a decisive strategic resource and believes other countries’ control of key technologies is a significant strategic liability. Its determination to lead in IoT development is grounded in these considerations, as well as a high sensitivity to the cost of ceding dominance in next-generation technologies to other powers. As such, China’s IoT development strategy to date has been designed to narrowly serve Chinese interests. The Chinese government is unlikely to show much consideration for the protection of U.S. consumers, let alone U.S. companies competing in the IoT space.

[1] Dan Littmann, Phil Wilson, Craig Wigginton et al., “5G: The Chance to Lead for a Decade” (London: Deloitte, 2018), t-5g-deployment-imperative.pdf?mod article inline.

China’s Approach to IoT Development

As this report describes, China’s commitment to becoming a leader in IoT development is predicated on the belief that its security requires it to become a technological power, particularly in emerging technologies that the country considers strategically vital. The potential effect of the IoT on the global economy led Chinese leaders to designate it as a priority area for development in 2009. China subsequently took steps to catalyze domestic IoT research and development (R&D) and infrastructure development through robust planning initiatives and extensive financial support. After years of this support, the Chinese IoT market has grown rapidly, passing 1 trillion RMB (approx. $154 billion) in value in 2017, with expectations that it will reach 1.8 trillion RMB (approx. $264 billion) in value by 2020. Global IoT industry growth trends have been similarly robust: by way of comparison, some experts believe that IoT infrastructure investment is expected to reach $421 billion in the United States and $274 billion in Europe by 2021.[2] Chinese experts anticipate that an “Internet of Everything” era will arrive once IoT is adopted widely in developed countries, and some assess that China has already developed a relatively complete IoT supply chain, including chips, components, devices, software, systems integration, operators, and applied services.

China’s top leaders have long viewed technological advancement as a bellwether of national strength and security and are keen to avoid falling behind other international competitors in technological advancement. Driven by this sense of urgency, China’s policies to promote IoT development have included the creation of IoT industrial clusters and demonstration bases, extensive financial support for IoT R&D, restrictions on foreign investment, selective enforcement of Chinese laws to hinder the operation of foreign IoT firms in China, and the ever-looming prospect of technology transfer.

These policies pose serious challenges for U.S. firms competing with Chinese firms in the IoT industry, who must be aware that the Chinese government considers them to be strategic rivals, if not outright threats. China is likely to engage in protectionist and unfair trade practices to favor its own IoT companies over foreign competitors, creating an austere and tacitly hostile market environment for foreign firms. In response, this report recommends that the U.S. government:

- Commission a blue-ribbon panel with a mandate to assess the ability of the United States to compete in emerging commercial information and communications technologies;
- Publish a list of federal guidelines laying out “best practices” for IoT firms seeking to operate within China;
- Continue to seek legal redress against coercive Chinese trade practices through international institutions; and
- Collaborate with partner nations to counter coercive Chinese trade practices and expand existing trade partnerships in the Asia-Pacific region to build a larger shared market that could act as a counterweight to China’s economic power.

[2] “Worldwide Semiannual Internet of Things Spending Guide,” IDC, accessed September 5, 2018, https://www.idc.com/getdoc.jsp?containerId IDC P2947522

China’s Race to Set International Technical Standards

The Chinese government is actively attempting to influence international technical standards for the IoT in ways that would benefit Chinese companies at the expense of U.S. and other foreign counterparts. As information technology (IT) industry precedents have shown, the competition over technical standards touches on a larger contest about intellectual property ownership, market advantage, international prestige, and approaches to privacy, security, and control of data. Once a global standard is established and accepted, it can put pressure on countries or companies developing other standards to conform to the existing norm, ceding these important benefits to whichever nation’s preferences manage to be adopted as the international standard. This advantage is magnified from a security viewpoint, as the originator of a standard technology has an intimate understanding of how it operates inside and out. China’s increased effort to influence and set international IoT standards is a critical part of China’s ambitious state-directed plan to achieve dominance in the IoT. These efforts may lock in Chinese preferences for standards in IoT and supporting infrastructure sooner rather than later, as nascent IoT and 5G standards exist in a fragmented and complex standards-setting environment rife with incompatible proprietary solutions and an alphabet soup of standards-setting bodies.

China is currently leveraging a more coordinated and comprehensive strategy than the United States to influence relevant standards for the IoT, and U.S. entities are often absent from key international standardization processes. Consequently, some international standards have been developed with reduced U.S. input. In contrast, China’s international standardization efforts are increasing, following a centralized plan to effect change at both the high and the ground level. On the high level, China has increased its participation in international standards institutions, where it shows a preference for multilateral (one country, one vote) standards institutions over U.S.-backed multi-stakeholder institutions. Chinese nominees leading these organizations work in tandem with national Chinese standards development efforts and push China’s agenda from their official platforms. On the ground level, China is leveraging the country’s sizable economy, state investment in new technologies, and state-subsidized foreign policy initiatives like the Belt and Road Initiative (BRI) to encourage other countries to adopt its technology, and with it, its standards. China is explicit in its support for “standardization work” and will likely continue emphasizing this work and strategy for the IoT and other new and emerging technologies.

To address China’s aggressive pursuit of international technical standards and ensure U.S. leadership and advantages in the IoT and other related industries, the U.S. government should:

- Conduct additional open source reporting and research on China’s international standards efforts;
- Encourage more U.S. participation in international standards committees through additional funding and incentives;
- Where acceptable, adopt proposals and processes agreed upon by multi-stakeholder international standardization bodies, while continuing to counter Chinese attempts to redefine internet governance as a matter of national sovereignty that requires the devolution of control to nation-states; and
- Create a government-industry advisory body charged with studying corporate foreign interactions in the interest of national security.

Unauthorized Access to IoT Devices and Chinese Exploitation Efforts

The IoT is inherently vulnerable to attack as billions of devices are added and connected to networks. These products, from industrial controls to smart watches, can become attack surfaces through their internet connections. Worse, market demands for lower costs paired with low barriers to entry in the IoT market mean there is currently little incentive to build more secure IoT devices. Unauthorized access to IoT devices has already resulted in physical consequences, including attacks on industrial machinery and power grids around the world. Future unauthorized access is likely to open a Pandora’s box of negative consequences as IoT devices are deployed in greater numbers around the world.

Because of its market size, China has the potential to wield an outsize impact on the security of IoT devices against unauthorized access (i.e., technical compromise). Chinese-manufactured IoT devices have already become common targets for unauthorized access, thanks in part to insecure device configurations that have resulted in surreptitious data collection and the commandeering of devices for use in botnets. The widespread usage of Chinese IoT devices and components suggests that the aggregate negative consequences of unauthorized access to Chinese devices may be proportionally larger than for devices from other countries.

China is also actively researching IoT vulnerabilities, both for security purposes and almost certainly to collect intelligence, conduct network reconnaissance for cyberattacks, and enhance its domestic surveillance powers. Chinese IoT security research exhibits a familiarity with exploitation methods that could lead to unauthorized access and is already leveraging machine learning and algorithmic techniques to accelerate the pace of research and develop adaptable malicious code that could affect multiple types of IoT devices. China’s IoT security research entities are also part of a broader and increasingly fused civil-military research ecosystem that increases the chances that PRC intelligence and military actors will have access to any breakthroughs in IoT vulnerability research.

The combination of widespread adoption of IoT products and Chinese research into exploits raises the threat of unauthorized access to U.S.-based IoT devices and the networks they connect to. To counter potential Chinese exploitation of IoT vulnerabilities and safeguard U.S.-based devices against state and non-state threats, the U.S. government should:

- Encourage adoption of security best practices for IoT products in the form of an
