A House of Representatives panel focused on national security issues between the U.S. and Beijing is putting Chinese-made light sensing modules and internet of things components in its crosshairs amid concerns the equipment is laying groundwork for enhanced intelligence-gathering and cyberattacks on critical infrastructure.
The Select Committee on the Chinese Communist Party is seeing growing Chinese market dominance in light detection and ranging technologies — known as LiDAR — and has assessed that the dynamic poses security risks to several U.S. critical infrastructure sectors, according to a committee aide with direct knowledge of the matter.
In parallel, IoT devices — which include everyday household appliances that connect to the internet — are a more immediate national security concern because billions of devices in the U.S. have a Chinese-made IoT module installed that may be accessible to Chinese cyber operatives, said the aide, who spoke on the condition of anonymity to be candid about the committee’s thinking.
A potential cyberattack could involve a coordinated digital offensive that would overwhelm areas of the U.S. power grid by remotely turning on troves of IoT devices at the same time, they said, citing past research on cyberattacks that aim to manipulate electronics’ wattage output.
Details on efforts to curtail use of the tech components were not immediately available, though the committee may choose to draft legislation that would restrict their acquisition. An amendment that prohibits the Department of Defense from procuring LiDAR hardware made by foreign adversaries has already been slotted into a must-pass defense policy package due by year's end.
Chinese-made LiDAR modules give Beijing an added leg-up in intelligence gathering, said Nathan Picarsic, a senior fellow at the Foundation for Defense of Democracies focusing on China’s military strategy.
The technology — designed to map out terrain by rapidly bouncing light off of objects to image their shape and dimensions — is already used in autonomous vehicles, geographic information systems and various other distance measuring applications.
“It’s a much more rich feed of information. And it gives you a much richer target set and attack surface,” Picarsic said.
National security officials are already grappling with a pervasive Chinese hacking collective dubbed Volt Typhoon that’s said to be burrowing into troves of U.S. critical infrastructure in preparation for potential U.S. military conflict with China. Light-ranging technology likely helps those efforts further, he added.
“[LiDAR systems] are connected into the broader network of whatever the thing they’re working with is, which means that there’s the intelligence piece where they’re collecting and transmitting information, but it also can be a backdoor to execute vulnerabilities,” he said.
Cybersecurity experts in December detected a slew of new attack vectors where a hacker could disrupt the sensory systems of autonomous vehicles, which rely heavily on LiDAR to operate. Transportation Secretary Pete Buttigieg last year said he has national security concerns about China-linked AV technology and that the U.S. needs to better understand its AV tech suppliers.
Chinese firm Hesai dominates much of the LiDAR sensor market. There’s concern the company’s influence within much of the supply chain will stop the U.S. from standing up a domestic LiDAR competitor in the next few years and force American customers to shop for potentially exploitable equipment, said the House aide.
The Department of Defense in February listed Hesai and several other firms on a roster that accused the companies of working on behalf of Beijing’s military, following bipartisan concerns from the House China panel on why the company was not placed on any restriction lists. Hesai responded by filing a lawsuit against the U.S. last month in federal district court on grounds that the accusations were false.
China’s national security laws and its state-centered economy enable its government to compel tech companies to act on behalf of intelligence interests, though no recent public evidence has specifically linked Hesai to such activities.
Though China’s prevalence in the LiDAR market presents targeted security concerns, IoT security risks span a much larger attack surface because the devices are used in both common consumer household appliances and several critical infrastructure sectors, said Nick Nilan, a former Verizon public sector executive who managed the telecom giant’s IoT portfolio.
Mapping out the entire U.S. IoT asset inventory would be a gargantuan undertaking, spanning smart meters, monitoring devices and building management systems, said Nilan, now CRO at Fortress Information Security, a firm focused on supply chain and critical infrastructure cybersecurity.