House committee asks FCC for more action on IoT device security

The House Select Committee on the Chinese Communist Party wants to learn more about the U.S. security risks within the increasingly interconnected world of the internet of things, particularly surrounding the security of connectivity modules.

In a letter issued to the Federal Communications Commission on Monday, the Select Committee Chairman Mike Gallagher, R-Wisc., and Ranking Member. Raja Krishnamoorthi, D-Ill., inquired about the security of connectivity module devices that are manufactured by China-based companies Quectel and Fibocom.

These modules — which transmit data between machines and networks  — are used in a bevy of critical U.S. operations, notably the “smart devices” that make up the wireless internet of things, as well as drones and body cameras used by first responders.

Given the sensitive nature of the data being transmitted through these modules, lawmakers asked FCC Chairwoman Jessica Rosenworcel how the agency is reconciling potential U.S. data collection with the usage of Chinese-linked modules.

Ultimately, the lawmakers suggested investigation and potential bans on Chinese-made cellular modules.

“Tackling PRC cellular IoT modules is a natural next step for the FCC, in consultation with appropriate national security agencies,” the letter reads. “For one, Quectel and Fibocom supply companies whose equipment is already on the FCC’s Covered List. The equipment on this list poses a national security threat to the U.S. and may not receive authorization for importation or sale in the U.S.”

Specific questions House committee members asked Rosenworcel center on FCC or other federal agencies’ actions related to the national security issues presented by the sale of Quectel and Fibocom devices in the U.S.

“If the CCP can control the module, it may be able to effectively exfiltrate data or shut down the IoT device,” the lawmakers said in the letter. “This raises particularly grave concerns in the context of critical infrastructure and any type of sensitive data.”

There are recent precedents for Gallgher and Krishnamoorthi’s request. The FCC and other agencies have policed other IoT device and software companies with ties to China, most notably Huawei, and other brands like Hikvision and ZTE.

“We will closely review the committee’s letter," an FCC spokesperson told Nextgov/FCW. "We take very seriously the security of U.S. networks and equipment. We have taken strong actions on a bipartisan basis to remove untrustworthy equipment and network operators from U.S. networks, published the first-ever Covered List of communications and services that pose an unacceptable risk to national security and revoked the section 214 operating authorities of Chinese state-owned carriers who were providing service in the United States.” 

Past the threat of illicit U.S. data collection from Chinese-made technology, the FCC is taking action on the overall cybersecurity risk posed by IoT devices and systems. On Thursday, the agency issued a proposed voluntary cybersecurity labeling program for IoT devices, part of the Biden administration’s previously proposed Cyber Trust Mark.

“With more than 25 billion connected IoT devices predicted to be in operation by 2030, consumers need tools that allow them to understand the relative security risk that an IoT device or product may pose, to compare IoT devices and to have a level of confidence whether the IoT devices they ultimately purchase meet certain cybersecurity standards,” the notice reads. 

While the rule does not address the threat of Chinese surveillance via IoT hardware or software, it does propose to exclude any brand or device listed on the federal Covered List from benefiting from the cyber trust labeling program.

“This proposal builds on good work already done by government and industry because we will rely on the [National Institute of Standards and Technology]-recommended criteria for cybersecurity to set the Cyber Trust Mark program up,” Rosenworcel said in an accompanying statement. “That means we will use criteria device manufacturers already know, and, when they choose to meet these standards, they will be able to showcase privacy and security in the marketplace by displaying this mark.”