A congressional advisory panel says the purchase of internet-linked devices manufactured in China leaves the United States vulnerable to security breaches that could put critical infrastructure at risk.
In its annual report on Wednesday, the U.S.-China Economic and Security Review Commission warns of dangers to the U.S. government and private sector from a reliance on global supply chains linked to China, which is the world’s largest manufacturer of information technology equipment.
China’s push to dominate in the high-tech industry by 2025 already is a sore point with Washington and a contributing factor in trade tensions that have seen the world’s two largest economies slap billions of dollars in punitive tariffs on each other’s products this year.
The U.S. also has had long-running concerns about state-backed cyber theft of corporate secrets, something that China agreed to stop in 2015. But the bipartisan commission highlights the potential security risks to the United States by China’s pre-eminence in the so-called internet of things, or IoT, which refers to the proliferation of physical devices that have sensors that collect and share data and connect to the internet. Such devices could be everything from household appliances like refrigerators and air conditioners to warehouse delivery systems, smart traffic signs and aerial drones.
“The scale of Chinese state support for the IoT, the close supply chain integration between the United States and China, and China’s role as an economic and military competitor to the United States creates enormous economic, security, supply chain, and data privacy risks for the United States,” the report says.
The commission, which does not set policy but can make recommendations to Congress and the U.S. administration, is warning that the potential impact of malicious cyberattacks through such systems will intensify with the adoption of ultra-fast 5G networks that could quicken data speeds by up to 100 times.
“The lax security protections and universal connectivity of IoT devices creates numerous points of vulnerability that hackers or malicious state actors can exploit to hold U.S. critical infrastructure, businesses, and individuals at risk,” the report says.
The United States has already taken some steps to restrict the use of Chinese-made high technology. For example, it has restricted government procurement from Chinese tech giants Huawei and ZTE, which deny their products are used for spying by China’s authoritarian government.
In June, the Defense Department suspended the purchase of all commercial, off-the-shelf drones until a cybersecurity risk assessment strategy was established. In 2017, U.S. customs authorities alleged that drones produced by Chinese company DJI, which has dominated the U.S. and Canadian drone markets, likely provided China with access to U.S. critical infrastructure and law enforcement data. DJI denied the allegation.
The commission is calling for Congress to push for assessments by U.S. government agencies on their supply chain vulnerabilities. It says the U.S. government depends on commercial, off-the-shelf products, many of them made in China, for more than 95 percent of its electronics components and information technology systems.
Large U.S. telecommunications providers also rely on global supply chains dominated by Chinese manufacturers. Although they do not source directly from Huawei and ZTE, major U.S. telecommunications providers rely on other foreign 5G network equipment suppliers that incorporate Chinese manufacturing in their supply chains, the report says.
Related: DUST Identity Emerges From Stealth to Protect Device Supply Chain
Related: Watch Cisco’s Edna Conway Talk Supply Chain Security With Microsoft Cybersecurity Field CTO Diana Kelley (Video)