Commentary
The National Interest

The Internet of Things: Friend or Foe?

Is your robot vacuum cleaner poised to become your mortal enemy?

The Mi Smart Clock, a smart clock by Xiaomi that works as an artificial intelligence assistant with Google Assistant, as a speaker, and as a security device together with the Xiaomi Smart Camera c400, is being exhibited in the Xiaomi smart home display during the Mobile World Congress 2023 on March 2, 2023, in Barcelona, Spain. (Photo by Joan Cros/NurPhoto via Getty Images)

Israel’s pager exploit, targeting nearly 3000 Hezbollah operatives via their electronic devices, was undoubtedly a brilliant counterintelligence move. But it also serves as a grim reminder that a world built on connectivity can be a threat as well as a blessing—not only to our privacy but also our safety and, one can even argue, our national security.

Pagers and cell phones are only one part of the coming Internet of Things (IoT), the universe of interconnected “smart” devices that include refrigerators and air conditioners, as well as industrial sensors that monitor the power grid. It includes the GPS software in our automobiles, traffic surveillance cameras, and commercial drones. Overall, the IoT brings new risks that we have only begun to understand—let alone take steps to deter and prevent.

As Rep. Mike Gallagher (R-WI) and others have urged, taking stock of China’s role in manufacturing the IoT and limiting the number of these devices that originate in China is a sensible step in the right direction. But it’s only a step. The truth is that no national cyber strategy can be complete unless it addresses the overall threat and examines the new technologies that can mitigate that threat. A credible estimate is that there will be over 32.1 billion IoT devices worldwide by 2030.

Businesses have learned to use interconnected devices to track goods moving from inventory to customers. Factories use them to monitor production, and farmers use them to automate irrigation and check on livestock. They’ve become a daily part of our lives, from “smart” heating and air conditioning and Peloton workout gear to robot vacuum cleaners—not to mention commercially made drones.

The fact that a Chinese commercial company, DJI, makes the majority of those drones prompted the House of Representatives to pass a ban on DJI drones in June. Recent concerns about Chinese surveillance equipment operating in U.S. shipyards have only elevated awareness of how China has positioned itself as a major supplier of IoT. That includes concerns about lithium-ion batteries for EVs manufactured in China: in fact, Congresswoman Carol Miller (R-WV) has introduced a bill to ban Chinese components for EVs. 

The concern isn’t just here in the United States. A new report by the China Strategic Risks Institute (CSRI) and the Coalition on Secure Technology in Britain warns that “suppliers suspected of having ties to China’s military-industrial complex pose a key risk due to the potential for built-in wireless components to be ‘weaponised,’ including causing gridlock in British streets.”

Until now, the concern about Chinese-made components, like those in drones, has been whether they could be used for snooping and gathering information and data. Now, the question has to arise whether interconnected devices like iPhones that rely on components made by America’s most formidable foe could be used for more lethal—even explosive—purposes. 

The recent Hezbollah pager explosions suggest this scenario is not so farfetched. A new administration and the private sector need to address three priorities to deal with this new frontier in security risks posed by IoT. 

The first is assessing where a device is made and where its key components came from—and not only in China. This is another reason why reshoring American electronic manufacturing, or at least “strategic reshoring” (i.e., buying from trusted allies like South Korea or Japan), is not just a good idea economically but a national security imperative. 

Even more important, however, is developing a strong IoT cybersecurity strategy. Today’s IoT devices come with no built-in security. To correct this, an IoT cybersecurity strategy will center first on defending the networks on which those devices depend. Cybersecurity measures will need to protect against data breaches, side-channel attacks (when an attacker is able to gather information by observing the effects of a program’s execution on its hardware or other systems), or simple failures to update encryption for security and privacy. However, given the explosive growth of the IoT market, it’s unlikely that even a sophisticated network-based cybersecurity plan will be able to keep track of every threat to every device scattered across the country or even across the globe. Even moving the network to the Cloud won’t defeat an adversary determined to use our smartphones or automobile GPS to create havoc or worse.

Another approach is looking to the Distributed Ledger Technology (DLT) encryption cryptocurrencies use to insulate individual users from any attack on the network as a whole. The problem is that the size of DLT encryption used by a cryptocurrency approaches hundreds of GBs. Most IoT nodes simply don’t have the storage needed to support DLT-based cybersecurity.

Instead, the best answer may be to turn to the new kinds of cybersecurity offered by the advent of quantum technology.

One solution is post-quantum cryptography. The algorithms just approved by the National Institute of Standards and Technology (NIST) will help combat future quantum computer hackers, and they are also very effective at defeating present-day hacking.

Another is using quantum-based cryptography to create unhackable communication links between devices and their operators. This has the advantage of relying on a physical component, a quantum random number generator small enough to fit into any electronic device. Through this, the network can send a constantly changing quantum key for encrypted communication. (Samsung, for example, installed such a device in its 5G smartphones in 2021.)

Any number of commercial companies in the United States, Canada, and Australia have proved that using quantum mechanics to send or receive messages is 100 percent unhackable and secure. China is also taking this approach to protect its data and networks—a significant warning the United States needs to start heeding.

The fact is, there is no single solution to dealing with the future security risks associated with IoT. Instead, government and industry will require a multi-layered approach, from conventional cybersecurity to DLT and quantum cryptography, in order to avoid having the IoT universe become a cyber nightmare.

Connectivity in the age of the Internet is a blessing, but it’s also a risk—a risk we don’t want, like the Hezbollah pagers, to blow up in our faces.

Read in The National Interest.
