Date: 2024-02-07
Cybersecurity
Prakash Sangam: Can IoT Devices Become Ticking Time Bombs?
Internet-of-Things devices may be making our infrastructure more vulnerable to national security threats.
The millions of IoT devices we use knowingly or unknowingly make our modern societies function. These include utility meters and traffic lights, and they even connect to the national grid. 5G is elevating their use to even higher levels and making them an integral part of the country’s critical infrastructure.
But that is also making that infrastructure more vulnerable to security threats. Reps. Mike Gallagher and Raja Krishnamoorthi of the U.S. House Select Committee on China understand this threat and are rightly sounding alarm bells. It’s fascinating how these seemingly benign and almost invisible IoT devices can be such a grave threat.
IoT devices are an integral part of the national critical infrastructure
The U.S. IoT market is massive, estimated to be $199B in 2024, according to Statista. IoT technology is found in almost any connected device for individual or industrial use. Since IoT devices manage and control the country’s critical assets, including power, water, natural gas, and many industries, even more with 5G IoT, they are part of national critical infrastructure.
Imagine the havoc the sudden collapse of the national grid or large-scale disruption of utilities can create. Such catastrophes can bring the country to a screeching halt, threaten lives, and cause lasting damage.
Despite its critical role, IoT security hasn’t gotten the attention it deserves from regulators and governments. It was considered a “business risk” to be managed by the industry. Fortunately, that is starting to change. The recent letters from the congressmen to the FCC, the Department of Defense, and the Treasury Department regarding cellular connectivity modules used in IoT devices indicate that lawmakers are now treating this as a national security issue.
Vulnerabilities of IoT devices
When it comes to cellular IoT devices, the biggest threat is the security of the connectivity module (aka IoT module) on which they are built. This module is the gatekeeper, which controls all the data going in and out of the device. If the module is compromised, the whole device, and in many cases all the systems it connects to, are compromised.
Note: For more details on IoT device security, please check out my article series here.
Connectivity modules could have many vulnerabilities. There could be backdoors built into the hardware or the software when modules are shipped from the factory (called “Zero Day” attacks) or introduced during the numerous upgrades modules receive over a lifespan of more than ten years. These upgrades are similar to the ones our smartphones receive but are usually executed automatically.
Because of prohibitive costs, operators can’t examine and verify all the devices and their firmware updates. No matter who creates these vulnerabilities or how, they can be exploited by bad actors. If those bad actors are state-sponsored, the risk is even higher.
As FBI Director Christopher Wray mentioned in his recent testimony, “Hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities.”
The attackers can stay dormant for a long time and attack at a time of their choosing. Hence, it wouldn’t be wrong to say that any device with such vulnerabilities can become a ticking national security timebomb.
IoT security: A tragedy of the commons
IoT is a largely low-margin, low-revenue (per subscription) business with a highly cost-competitive market. Most operators manage security as a business risk. They invest just enough to protect against fraud and liability. National security probably never makes it to their priority list.
Considering the complexity, cost, and potential risks involved, the responsibility of ensuring the security of IoT devices, from a national security perspective, rests squarely on the regulators and the government. The simple and highly reliable approach to achieve that seems to be establishing a fully trusted supply chain comprising local players and players from trusted national partners.
This is where things get complicated. According to Counterpoint Research, almost a quarter of the US cellular connectivity module market is controlled by one Chinese company, Quectel. More alarmingly, a large portion of the IoT modules used in FirstNet, the cellular network used by first responders, are also Chinese.
And that’s precisely why these congressmen are concerned and asking relevant US departments to intervene. As opined by many legal experts, Chinese laws require all Chinese companies “to support, provide assistance, and cooperate in national intelligence work.”
So, then the question arises: Is the Huawei-like approach of totally banning these companies the right strategy? If not, are there any other remedies available? What are the pitfalls? All these questions need to be addressed before taking any substantive action. Look out for my next article for details on them and possible answers.
Prakash Sangam is the founder and principal at Tantra Analyst, a leading boutique research and advisory firm covering 5G, AI, Wi-Fi, Cloud, and IoT. He is a 3GPP/ETSI member and has more than 20 years of hands-on tech experience working for Qualcomm, Ericsson, and AT&T. He hosts Tantra’s Mantra podcast, a newsletter, and is often quoted in international media, and on the speaking circuit for leading industry events. This Expert Opinion is exclusive to Broadband Breakfast.
Broadband Breakfast accepts commentary from informed observers of the broadband scene. Please send pieces to commentary@breakfast.media. The views expressed in Expert Opinion pieces do not necessarily reflect the views of Broadband Breakfast and Breakfast Media LLC.
Cybersecurity
Industry Groups Urge Fixes to FCC’s Cybersecurity Labeling at House Hearing
The Connectivity Standards Alliance suggested that the program remain voluntary and that the FCC not mandate the label.
WASHINGTON, January 17, 2024 – The Federal Communications Commission should make alterations to its proposed new cybersecurity labeling system by making the label optional and increasing accessibility for consumers and the private sector, witnesses told a House subcommittee hearing on Thursday.
In August, the FCC unveiled its proposed Cyber Trust Mark, a labeling program which would help consumers identify secure technologies that protect their privacy. The FCC touted the cyber trust mark as a voluntary labeling program for connected smart devices, with a QR code providing updates on whether the product meets current cybersecurity standards.
Despite broadly supporting the agency’s proposed program, Tobin Richardson, CEO of Connectivity Standards Alliance – a constellation of companies that promote universal standards for the Internet of Things – suggested that the “FCC structure the program to allow it to be strong enough to meaningfully address IoT security, be flexible enough to incentivize private sector adoption, and be informative enough for consumers when they purchase new products.”
He also suggested that the program remain voluntary and that the FCC not mandate the label.
Alan Butler, executive director of consumer privacy group Electronic Privacy Information Center, said that a website on the safety of technologies could serve as an additional layer of protection. This would allow the FCC to limit the amount of information on the label and avoid confusing consumers. Consumers expect to understand if their devices could pose potential threats, he said.
Clete Johnson, senior fellow of Center for Strategic and International Studies, urged the FCC to “establish the mark as an opt-in program.”
Committee members and witnesses also discussed how generative artificial intelligence “lowers the barrier to entry” for cybercriminals to attack victims.
The hearing also touched on the significant expenses organizations incur when trying to hire personnel necessary to protect themselves from cyberattacks. The witnesses also mentioned the necessity of “adaptive” technologies, which can be “upgraded” to address evolving threats.
The United States has been exposed to various cyberattacks in recent years, causing lawmakers to scramble for solutions to potential cybersecurity vulnerabilities. In June 2023, several U.S. governmental agencies, including the Department of Energy, were victims of Russian cyberattacks.
In July 2023, the Biden Administration issued a statement voicing support for the proposed Cyber Trust Mark, citing the urgency of providing “tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes.”
In December 2023, it was revealed that Chinese hacking groups infiltrated critical governmental sectors including water, utilities, and gas pipelines.
Broadband's Impact
CES 2024: Biden Administration Announces Deal with EU on Cyber Trust Mark
The White House is looking to get the mark on products “by next year.”
LAS VEGAS, January 11, 2024 – The United States has entered an agreement with the European Union on a “joint roadmap” for standardized cybersecurity labels, a Biden Administration official announced at CES on Thursday.
“We want companies to know when they test their product once to meet the cybersecurity standards, they can sell anywhere,” said Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technologies. “They can sell in Paris, Texas, or Paris, France.”
Neuberger said the White House is aiming to get its U.S. Cyber Trust Mark, a voluntary certification for internet of things devices, on consumer products by the end of the year. The effort to mark products like routers, baby monitors, and thermostats as safe from hacking was first announced in October 2022.
The Federal Communications Commission voted in August to seek comment on how to implement various parts of the program, including how to develop and ensure compliance with its cybersecurity standards.
What exactly those standards will be is not yet decided, but the Commission has said it will base the program on criteria developed by the National Institute of Standards and Technology. Those include encrypting both stored and communicated data and the ability to receive software updates.
The measure is not on the FCC’s tentative January meeting agenda, but Neuberger said the agency is “working toward next steps.”
Cybersecurity
Cybersecurity Requirements in BEAD Could Shape Internet Security Regulation More Widely
The Broadband Equity, Access and Deployment program requires ISPs and states to submit comprehensive cybersecurity plans.
WASHINGTON, November 2, 2023 – How states implement cybersecurity rules in the $42.5 billion Broadband Equity, Access and Deployment program could shape internet security regulations more widely, experts said during a virtual panel Wednesday.
The BEAD program, which will provide federal grants to states to disperse for broadband projects, requires providers to submit comprehensive cybersecurity plans based on standards from the National Institute of Standards and Technology. Panelists said flexibility in the plans allows customization but also establishes baseline expectations as critical infrastructure relies more on connected technology.
“I think the way that states and entities interpret these BEAD cybersecurity and supply chain requirements is really going to have a ripple effect across the whole community,” said Savannah Schaefer, an attorney at Wilkinson Barker Knauer, who advises clients on cybersecurity.
Federal Communications Commission rules are beginning to include similar mandates, meaning how states implement BEAD’s requirements could influence cybersecurity regulations more broadly, Schaefer said.
Melissa Newman, vice president of government affairs at the Telecommunications Industry Association, said BEAD’s cybersecurity stipulations cite lengthy federal guidance documents providers must wade through. Her trade group developed a checklist to help companies understand the rules.
“You cannot be confident in the security of your networks and products without consideration of both cyber and supply chain security,” said Newman, TIA’s vice president of government affairs.
Supply chain management, knowing who provides equipment and software, is critical because cybersecurity threats can be embedded throughout a product’s lifecycle, she said.
Evan Rice, senior vice president of Guide Star, a division of CCI Systems, said providers should start by documenting current cyber practices, identifying gaps and making plans to address them. Cybersecurity must be incorporated holistically, from network construction to long-term operation, he said.
“Everyone understands that piece. The cybersecurity is the same. Once you build it, you have to operate it,” said Rice. Schaefer encouraged viewing BEAD as part of an ongoing process of shaping cybersecurity requirements.
Wednesday, November 1, 2023 – Cybersecurity and BEAD
To qualify for funding under the Broadband Equity, Access and Deployment program, network operators must submit a comprehensive cybersecurity strategy in line with the National Institute of Standards and Technology’s cybersecurity framework. What impacts do these requirements have on broadband deployers, and what steps can they take to ensure compliance? How can operators strike the right balance between expanding their networks and safeguarding them against cyber threats?
Panelists
- Evan Rice, Senior Vice President, Guide Star
- Savannah Schaefer, Wilkinson Barker Knauer LLP
- Melissa Newman, Vice President of Government Affairs, Telecommunications Industry Association
- Drew Clark (moderator), Editor and Publisher, Broadband Breakfast
Evan Rice is an experienced IT executive with a focus on cyber security and operational excellence. Evan currently serves as the Senior Vice President of Guide Star, a division of CCI Systems. Evan has been with CCI Systems since 2012, starting as a Data Services Professional then moving to the Vice President of Information Technology role prior to his current position at Guide Star.
As an Associate at Wilkinson Barker Knauer LLP, Savannah Schaefer advises clients on a range of issues pertaining to cybersecurity, supply chain risk management, and emerging technology. Prior to joining the firm, Savannah represented companies in the information and communications technology sector at two trade associations where she led development and advocacy of the associations’ cybersecurity and supply chain legal and policy positions. She has also served in leadership roles in the IT and Communications Sector Coordinating Councils and on the Department of Homeland Security’s ICT Supply Chain Risk Management Task Force.
Melissa Newman has over 25 years’ experience in government affairs for the telecommunications sector. Prior to Melissa joining TIA as Vice President of Government Affairs, she worked at Transit Wireless heading the Legal and External Affairs departments; Wilkinson Barker Knauer, a premier telecommunications law firm in Washington, DC; CenturyLink (now Lumen) as Vice President, Federal Policy and Regulatory Affairs; and as Deputy Division Chief of the Policy Division in the Common Carrier Bureau of the FCC.
Breakfast Media LLC CEO Drew Clark has led the Broadband Breakfast community since 2008. An early proponent of better broadband, better lives, he initially founded the Broadband Census crowdsourcing campaign for broadband data. As Editor and Publisher, Clark presides over the leading media company advocating for higher-capacity internet everywhere through topical, timely and intelligent coverage. Clark also served as head of the Partnership for a Connected Illinois, a state broadband initiative.