China’s Internet of Things


John Chen, Emily Walz, Brian Lafferty, Joe McReynolds, Kieran Green, Jonathan Ray, and James Mulvenon

Research Report Prepared on Behalf of the U.S.-China Economic and Security Review Commission October 2018

Disclaimer: This research report was prepared at the request of the U.S.-China Economic and Security Review Commission to support its deliberations. Posting of the report to the Commission's website is intended to promote greater public understanding of the issues addressed by the Commission in its ongoing assessment of U.S.-China economic relations and their implications for U.S. security, as mandated by Public Law 106-398 and Public Law 113-291. However, it does not necessarily imply an endorsement by the Commission or any individual Commissioner of the views or conclusions expressed in this commissioned research report.

About the SOSi Special Programs Division

This project was conducted within SOSi's Special Programs Division (SPD), the premier open source and cultural intelligence exploitation cell for the U.S. intelligence community. Staffed by an experienced team of cleared analysts with advanced language skills, SPD's mission is to provide cutting-edge, open source and cultural intelligence support to the collection, analytical, and operational activities of the U.S. intelligence community, with the goal of achieving national strategic objectives. SPD accomplishes its mission through the conduct of objective, independent, and relevant research and analysis, under strict quality guidelines. Comments may be sent to the General Manager of the Special Programs Division, Dr. James Mulvenon.

Dr. James Mulvenon
General Manager, Special Programs Division
SOS International
2650 Park Tower Drive, Suite 300
Vienna, VA 22180
TEL: 571-421-8359
Email: James.Mulvenon@


Table of Contents

About the SOSi Special Programs Division ..... i
Acronym List ..... v
Executive Summary ..... 1
  China's Approach to IoT Development ..... 2
  China's Race to Set International Technical Standards ..... 3
  Unauthorized Access to IoT Devices and Chinese Exploitation Efforts ..... 4
  Authorized Access to IoT Data and Privacy Concerns ..... 5
  Conclusions ..... 6
Introduction and Methodology ..... 7
Chapter 1: Overview of China's IoT Development ..... 9
  China's IoT Development Strategy ..... 10
    Defining and Describing the IoT Ecosystem ..... 10
    Competing for Primacy: Chinese Views on IoT Development ..... 14
    Scientific and Technological Innovation in the Context of Chinese Grand Strategy ..... 16
  Government Support for IoT Development ..... 18
    Financial Support for the IoT Industry ..... 25
  The Current State of China's IoT Development ..... 30
    Problems with IoT Development ..... 33
  Implications for the United States ..... 36
    Restrictions on Foreign Investment ..... 37
    Selective Enforcement of Chinese Laws in Favor of Domestic Companies ..... 38
    The Prospect of Technology Transfer ..... 40
  Recommendations ..... 41
Chapter 2: The Standards Race ..... 43
  Setting IoT Standards ..... 45
    A Fractured Standards-Setting Environment ..... 46
    Major International Standards Bodies ..... 49
  United States IoT Standardization Efforts ..... 52
    U.S. Standardization Efforts Abroad ..... 53
  China's Push to Set IoT Standards ..... 60
    Domestic Standardization: More than Tech Specs ..... 61


    China's Role in International Standardization Efforts ..... 69
  Key Points of Contention ..... 97
    Multi-Stakeholder Model of Internet Governance ..... 97
    5G Frequency ..... 97
    Digital Object Architecture ..... 98
  Implications for the United States ..... 99
  Recommendations ..... 101
Chapter 3: Unauthorized Access and Chinese Research into IoT Security Vulnerabilities ..... 103
  Existing Security Vulnerabilities in the IoT: A Primer ..... 104
    Known Vulnerabilities in Chinese IoT Devices ..... 106
  Chinese Research into IoT Security Vulnerabilities ..... 108
    Overview of Chinese IoT Security Research ..... 110
    China's Burgeoning IoT Research Ecosystem ..... 111
    The Civil-Military Overlap ..... 115
    Operational Applications for IoT Vulnerability Research: Beyond Securing the IoT ..... 118
  Implications for the United States ..... 122
  Recommendations ..... 124
    Improving Overall IoT Security ..... 124
    Risks of Chinese Exploitation of IoT Security Vulnerabilities ..... 125
Chapter 4: Authorized Access and Privacy Risks to U.S. Citizens from Chinese Data Access ..... 126
  Chinese Access to U.S. IoT Data ..... 127
    An Assessment of Authorized Data Access Methods ..... 128
    Impact on the United States ..... 144
  Existing Protections for U.S. Data ..... 145
    U.S. Data Protections: An Inadequate Approach ..... 148
  Recommendations ..... 149
    Authorized Data Access in IoT: ..... 149
    Specific Risks Posed by Authorized Data Access by Chinese Actors: ..... 151
Conclusions and Areas for Further Research ..... 152
Appendix A: Comparison of Application Permissions for Home Management IoT Devices ..... 154
Appendix B: Selected Portions of Chinese Laws That Could Enable Data Access ..... 158
Appendix C: Full Text of Selected IoT Company Privacy Policies ..... 163


  Huawei ..... 163
    Huawei Consumer Business Privacy Statement ..... 163
  Xiaomi ..... 173
    Privacy Policy ..... 173
  Google ..... 188
    Privacy Policy ..... 188
  Apple ..... 195
    Privacy Policy ..... 195


Acronym List

2G: Second Generation
3G: Third Generation
3GPP: Third-Generation Partnership Project
3PLA: General Staff Department 3rd Department
4G: Fourth Generation
4PLA: General Staff Department 4th Department
5G: Fifth Generation
5G NR: Fifth Generation New Radio
5GAA: Fifth Generation Automobile Association
ACR: Automated Content Recognition
AFNOR: Association Française de Normalisation
AI: Artificial Intelligence
AIOTI: Alliance for the Internet of Things Innovation
ANSI: American National Standards Institute
APEC: Asia Pacific Economic Cooperation
API: Application Programming Interface
APT: Advanced Persistent Threat
AQSIQ: General Administration of Quality Supervision, Inspection and Quarantine
AVIC: Aviation Industry Corporation of China
AWS: Amazon Web Services
BRI: Belt and Road Initiative
C4ISR: Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance
CAC: Cyberspace Administration of China
CAGR: Compound Annual Growth Rate
CAICT: China Academy of Information and Communications Technology
CAIH: China Aerospace Investment Holdings Ltd.
CAN-SPAM: Controlling the Assault of Non-Solicited Pornography and Marketing Act
CAS: Chinese Academy of Sciences
CAS IIE: Chinese Academy of Sciences' Institute of Information Engineering
CASC: China Aerospace Science and Technology Corporation
CASIC: China Aerospace Science and Industry Corporation
CBPR: Cross-Border Privacy Rules
CCC: China Compulsory Certification
CCP: Chinese Communist Party
CDI: Content Digital Innovation Technology Co., Ltd


CEO: Chief Executive Officer
CETC: China Electronics Technology Group Corporation
CFIUS: Committee on Foreign Investment in the United States
CIA: Confidentiality, Integrity, and Availability
CMI: Civil-Military Integration
CMS: China Merchants Securities
CNITSEC: China Information Technology Evaluation Center Security Testing Center
CNKI: China National Knowledge Infrastructure
CNNVD: China National Vulnerability Database
CNO: Computer Network Operations
COPPA: Children's Online Privacy Protection Rule
CPE: Customer Premises Equipment
CPU: Central Processing Unit
CSIC: China Shipbuilding Industry Corporation
DAS: Data Acquisition Systems
DDoS: Distributed Denial of Service
DO: Digital Object
DOA: Digital Object Architecture
DoD: Department of Defense
DPIA: Data Protection Impact Assessment
DPO: Data Protection Officer
ECV: Environmental Characteristics Value
EEA: European Economic Area
EEPROM: Electrically Erasable Programmable Read-Only Memory
eMBB: Enhanced Mobile Broadband
ETIRI: Electronic Technology Information Research Institute
ETSI: European Telecommunications Standards Institute
EU: European Union
EULA: End User License Agreement
FCRA: Fair Credit Reporting Act
FDA: Food and Drug Administration
FIRRMA: Foreign Investment Risk Review Modernization Act
FTC: Federal Trade Commission
FTCA: Federal Trade Commission Act
GDPR: General Data Protection Regulation
GLBA: Gramm-Leach-Bliley Act
GPS: Global Positioning System
GSMA: Global System for Mobile Communications Association
GTI: Global TD-LTE Initiative


HIPAA: Health Insurance Portability and Accountability Act
IANA: Internet Assigned Numbers Authority
ICANN: Internet Corporation for Assigned Names and Numbers
ICT: Information and Communication Technology
ID: Identification/Identity/Identifier
IEC: International Electrotechnical Commission
IEEE: Institute of Electrical and Electronics Engineers
IETF: Internet Engineering Task Force
IMEI: International Mobile Equipment Identity
IoT: Internet of Things
IoV: Internet of Vehicles
IP: Intellectual Property
IP: Internet Protocol
IPR: Intellectual Property Rights
ISO: International Standards Organization
ISP: Internet Service Provider
IT: Information Technology
ITR: International Telecommunication Regulations
ITU: International Telecommunications Union
LAN: Local Area Network
LLC: Limited Liability Corporation
LPWAN: Low-Power Wide Area Networks
LSO: Local Storage Objects
LTE: Long-Term Evolution
M2M: Machine-to-Machine
MAC: Media Access Control
MANET: Mobile Ad-Hoc Network
MEC: Mobile Edge Computing / Multi-Access Edge Computing
MEMS: Microelectromechanical Systems
MIIT: Ministry of Industry and Information Technology
MIMO: Multiple-Input Multiple-Output
MLPS: Multi-Level Protection Scheme
MOST: Ministry of Science and Technology
MPS: Ministry of Public Security
MSS: Ministry of State Security
N/A: Not Applicable
NB-IoT: Narrowband IoT
NDA: Non-Disclosure Agreement
NDRC: National Development and Reform Commission

