When guys like Brandon Wales talk, the rest of us listen.
The head of the US Cybersecurity and Infrastructure Security Agency (CISA) was in Australia a few weeks back for meetings with Australian security officials.
They had a lot to talk about. All of the usual topics were covered - the growing prevalence of cyber attacks, the need for better coordination among Five Eyes partners, the vulnerabilities of our critical infrastructure, and the importance of naming and shaming malicious cyber actors.
Wales talked about the so-called “axis of autocracy", the loose collection of nations that includes China, Russia, Iran, and North Korea, and which share a common desire to undermine the liberal international order. This can take a number of forms - from political support to the selling of weapons or drones, or, in the case of Russia and China, joint military exercises.
Interestingly, Wales played down the degree of cooperation in cyberspace.
“These are countries that are generally untrustworthy, and there are going to be limits to the degree of collaboration that they will undertake," he told The Australian Financial Review. “They don’t have things like Five Eyes alliances. They are not dependable partners."
Wales also talked about cars.
The rapid take-up of EVs has clearly rattled the national security community. It’s not hard to see why. Global EV sales in 2022 topped 10.2 million. (In 2010 that figure was just 7,600). In Norway around 80 percent of all new cars sold are electric. In the US, where the take-up rate has been slower, the figure is around 7.6 percent.
In China EV sales are growing at a rate of nearly 20 percent a year, accounting for the lion’s share of global sales. China has also become a major exporter of EV technology, partly owing to a decision taken years ago to invest heavily in what was then seen (correctly as it turns out) as an emerging strategic capability. As a consequence of that decision, and by virtue of the economies of scale China can bring to bear on any kind of high-end manufacturing, China is poised to dominate the global EV market.
That’s the bit that worries Wales. Like all IoT devices, EVs are a point of entry to a wider network. They’re also a treasure trove of sensitive data. One component part in particular worries the security guys. The “cellular IoT module” or CIM links physical objects to networks. According to the UK’s Council on Global Strategy, the CCP is intent on acquiring a monopoly on all CIM production. So far things are going according to plan. In 2023 five companies accounted for 61 percent of of all CIM sales. Four of them were Chinese.
Wales thinks EVs should be subject to a higher level of scrutiny and security, partly because the networked nature of the technology makes them more susceptible to attack, but mostly because the majority of them are made in a country that engages in industrial-scale data collection.
“Any time that you are purchasing technology from a country that has, as its stated purpose, to burrow into US critical infrastructure and hold it at risk, that technology is going to be inherently suspect," Wales said. “It should and deserves a higher level of scrutiny."
A couple of things are at play here. The rapid take-up of EVs, China’s emerging market dominance, and the highly networked nature of the technology have given rise to serious national security concerns among guys like Wales.
At the heart of those concerns is data. EVs are basically iPhones on wheels. They generate huge quantities of sensitive data, from biometric information to location data. No wonder US President Joe Biden has announced an investigation into Chinese-made smart cars.
His Commerce Secretary Gina Raimondo pointed out there were other risks as well.
“Imagine if there were thousands or hundreds of thousands of Chinese-connected vehicles on American roads that could be immediately and simultaneously disabled by somebody in Beijing," Raimondo said. “So it’s scary to contemplate the cyber risks, espionage risks that these pose."
All of this is true as far as it goes.
But EVs are really just the tip of the iceberg. Globally the IoT market is projected to be worth just shy of US$1.4 billion in 2024. The number of devices connected to the internet is expected to go from about 15 billion in 2020 to around 29 billion in 2030. Every one of those devices is a potential attack vector. How secure are they? Not very. According to China Telecom the overwhelming majority - around 95 percent - are made in China.
The issue is not necessarily the intentions of the Chinese government. Yes, China’s National Intelligence Law obliges every citizen and corporate entity to place itself at the service of the state, should the need arise. But the problem has as much to do with standards as it is with PLA spies using the baby monitor to hack into your network.
Most of the junk coming out of China comes with no security standards built in. Default passcodes are often generic, firmware updates are not mandatory meaning vulnerabilities are not patched, and consumers have no way of gauging how vulnerable a product is. Unless programmed not to, CIMs will send data back to their manufacturers.
However, it would be a profound mistake to lay the entirety of the blame for this problem at the feet of the Chinese Communist Party. Most sophisticated state-sponsored cyber espionage exploits are in US products made by US companies, a fact Wales acknowledged.
“It’s not enough to focus just on Chinese cranes and other technology that’s coming directly from China," - Brandon Wales
Instead, the emphasis must be on making all technology, regardless of its provenance, secure by design.
“(That is) the mechanism by which they are getting into our networks today," Wales said.
