Last year, China rolled out development plans for IPv6, 5G, and the industrial internet. As more devices become connected, securing them has grown more difficult. An off-the-radar government report revealed a worrisome picture of Internet of Things (IoT) security in China, which provides added rationale for cooperation between different models of cyber governance.
On April 25, the Chinese Cybersecurity Emergency Response Team (CN-CERT) — a division recently moved to the central organ for cyber policy making known as the Cyberspace Administration of China — released an annual report that assessed the country’s cyber threat landscape and forecast emerging threats. In 2017, the Chinese National Vulnerabilities Database archived 16,000 security vulnerabilities, a 47.4 percent uptick from 2016. Smart devices gained much attention: the total number of archived IoT vulnerabilities increased by 120 percent in 2017, and 27,000 smart devices fell prey to unauthorized remote control every day.
Market failure has plagued IoT security. Small- and medium-sized vendors compete for market space and prioritize affordability and usability over security. Devices that cannot be patched, or that ship with weak default passwords, are commonplace. According to the report, weak passwords were found in nearly 40 percent of the sampled smart devices in Chongqing, a megacity of 30 million people.
These numbers show the scale of the cyber threats facing China, a scale that is not reflected in attention-grabbing high-level speeches and development plans.
Chinese lawmakers have been working to give flesh and blood — the complementary regulations and guidelines — to the skeleton of the Cybersecurity Law. A draft version of the Critical Information Infrastructure (CII) Security Protection Guideline was released in June 2017 to provide clarity on CII definitions. Information and industrial operation systems, if deemed CII, would be subject to top-down security review by an interagency group. The Guideline called out many sectors that are intertwined with the IoT, such as healthcare, transportation, energy, education, and certain industrial sectors.
The final definition of CII remains to be seen in future drafts; so does the scope of the inspection campaigns and their associated costs. On one hand, the broad scope of CII and the potential lack of transparency in the inspection process raised concerns about unfair treatment for foreign companies. On the other hand, the numbers in the CN-CERT report provided a rationale for using a “big bang” approach to overcome the market failure in securing smart devices.
An elephant in the room is the “Made in China 2025” plan that promotes indigenous innovation in key manufacturing sectors. Although the plan has clouded U.S.-China bilateral trade relations, IoT security presents an opportunity to find common ground against common threats.
The interdependent IoT supply chain endows the two countries with tremendous norm-setting power in promoting best security practices. Demand-side pressure, such as procurement by governments and upstream companies, will influence the security practices of downstream suppliers that may be located on the other side of the Pacific. For example, an IoT device updatability guideline from the U.S. National Telecommunications and Information Administration could sway American companies to prefer updatable devices. Manufacturers in China would then be compelled to focus on device updatability in order to fulfill American orders.
Besides device updatability, there are many other industry norms the two largest economies can agree on. Fail-safe measures, no hard-coded credentials, transparency on software and hardware components – the list can go on. The resulting increase in development costs could be a worthwhile contribution to defending against IoT-borne threats, which sometimes reach the scale of transnational botnets.
It is no secret that both the United States and China have given cybersecurity a prominent place. Chinese President Xi Jinping famously said that “without cybersecurity, there is no national security,” and the U.S. National Security Strategy considers cybersecurity critical to every part of national security. Beyond the headlines, however, few massive denial-of-service and ransomware attacks have been state-sponsored, with the possible exception of North Korea. Since states have already demonstrated their offensive capabilities in more sophisticated scenarios, they would have little to gain from incurring collateral damage through poorly secured IoT networks.
There exists huge potential for seeking common ground in raising cyber defense and resilience above the level of nonstate hackers. And quantitative threat assessments, such as the CN-CERT’s report, deserve more attention in analyses of Beijing’s high-level cyber policies.
Qiheng Chen does research for the Cyber Statecraft Initiative at the Atlantic Council. He is interested in cyber policy, emerging technologies, and Chinese foreign policy. You can follow him on @QihengC. Views are his own.