Dealing with the threat of Chinese cellular (IoT) modules

Chinese cellular (IoT) modules are the next Russian oil – but with more devastating consequences. Most people have recognised the threat from Huawei, TikTok, DJI, and Hikvision to the security, economic prosperity, values and data of free and open countries. Yet the threat from Chinese cellular modules is far greater and more systemic than a danger posed by an individual company or sector. Removing that threat would be a bigger contribution to protecting the future than measures against individual Chinese companies.

What are cellular modules?

Cellular modules are small components embedded within equipment or devices. They include software processing, geolocation capability, e-sims and other peripheral components. In the manner of regular cell phones they establish internet connections across mobile networks in order to transmit, receive and process vast amounts of data about their environments.

What role do cellular modules play?

Cellular modules are crucial to a modern economy. They are used in a vast array of industrial applications including energy, logistics, manufacturing, transport, health, security, and payment processing. At home, they feature in cars, smart metres, computers, electric vehicle chargers and white goods. They monitor and control complex systems remotely. To ensure that such systems run efficiently, they collect huge amounts of data and metadata for analysis, processing, and response management. They also deliver software updates to improve functionality. 

What is the Chinese strategy for cellular modules?

As with 5G telecommunications and Huawei/ZTE, the Chinese Communist Party (CCP) aims to establish a monopoly of these vital components through its companies in the sector, of which QUECTEL and FIBOCOM have the greatest global market share. Through well-used tactics of subsidy, access to cheap finance, shared technology and other state support, the aim is to drive other nations’ suppliers out of business by offering impossibly low prices, and to establish a systemic dependency upon Chinese suppliers and equipment.

How does that translate into threat?

QUECTEL, FIBOCOM, SUNSEA, NEOWAY and MEIG are nominally private companies. However, the People’s Republic of China’s (PRC) national security laws require all organisations and individuals to accede to requests from the security authorities. 

By late 2022, Chinese companies held 64% of the global market (including the PRC) by sales, and 75% by connectivity. If they achieve their aim of destroying other nations’ capability and securing a Chinese monopoly, free and open countries will face a triple threat:

• Dependency. The parallels with reliance upon Russian oil are disturbing. Knowing that supplies of cellular modules could be turned on and off (as happened with Covid-19 related supplies), countries would be pressured into adopting policies favourable to the CCP.
• Degradation or destruction of capabilities. By sending covert software instructions to cellular modules, the CCP could destroy or threaten critical national infrastructure or – a more subtle policy – degrade it.
• Data egress. ‘Data is the new oil’ (there is a reason for clichés). Vast amounts of government, company and individuals’ data will end up in the hands of the CCP.

Some worrying examples

Beyond the dangers of dependency, attaining a monopoly over these ubiquitous cellular modules would allow the CCP wide-ranging opportunities to interfere in free countries. By sending instructions covertly in software updates, which are too numerous and frequent to monitor individually over the decade-plus lifetime of cellular modules, the CCP could take hostile action at a time of tension by:

• Bringing down all or selected parts of the power grid through smart metres;
• Grinding to a halt cities such as New York, Washington or London by disabling traffic control systems;
• Rendering inactive a new United States (US) satellite/cellular communication system currently under development;
• Having full oversight over and ability to disrupt First Net, the US civil emergency system under Department of Defence;
• Interfering with health provision, whether generally or for a particular individual;
• Building pattern of life pictures of individuals, including of senior government officials or those in sensitive jobs, such as Central Intelligence Agency or National Security Agency officers, at a level of detail many, many times worse than the Office of Personnel Management cyber attacks in 2014;
• Giving Chinese companies buying up foreign companies, agricultural produce or land a more accurate picture of their acquisition target than the target might have itself, thus disadvantaging the non-Chinese entity;
• Accessing data collected by cameras in sensitive government and defence establishments, for example via a contract with Axon, which has 75% of the US market for police cameras (and contracts in the United Kingdom (UK)); and,
• Collecting telecoms data – despite excluding Huawei from 5G masts and base stations – if the processing units for 5G signals in offices and homes contain QUECTEL cellular modules.

How to deal with the threat 

Four differences with past technological threats from the CCP are important, namely: 

• Cellular modules are components and not finished systems like Huawei’s 5G or a DJI drones. They often come embedded in another company’s sealed input into a machine or system;
• They are not exports, but imports, so traditional tools to limit exports are not effective;
• They are not generally high-tech, although with the spread of edge-computing, there are exceptions; and,
• The good news: unlike 5G and Huawei, there are a variety of non-Chinese companies from the US, Europe, and East Asia which produce cellular modules. The bad news is that some are struggling as the Chinese strive to strangle them out of contention.

Most officials have not heard of cellular modules. Far greater awareness of the threat is needed. Governments should be doing more to acquaint themselves with the risks and to publicise them with their people and companies. 

Because cellular modules are already deeply embedded in so many systems, wholesale ‘rip and replace’ is not a realistic option, except in a limited number of sensitive defence and security fields. However, speedy action is required to prevent greater penetration and thereby risk, as well as greater cost of replacement in sensitive areas. 

Ensuring that QUECTEL and other Chinese companies cannot be treated as trusted suppliers in government procurement or critical infrastructure contracts would send a powerful message to US or UK companies to consider the potential consequences of continued reliance on Chinese cellular modules beyond near-term cost advantage (some are proceeding with contracts despite having been made aware of the national security risks).

Measures also need to be devised to counter the tactic of Chinese companies setting up ‘American’ or other local companies, so that they can assert that they are not to be treated as Chinese companies controlled by the CCP. QUECTEL has already set up IKOTEK in the US, which will design full model products (for example, vehicle trackers) and which will include QUECTEL’s own cellular modules.

Conclusion

Understandably, the CCP wishes to avoid war. But it seeks pre-eminence, even dominance. To that end, its main weapon is to use new technologies to create dependency and leverage, to acquire vast amounts of data, and to be able to weaponise the destruction or degrading of critical infrastructure at a time of high tension, such as over Taiwan. It is not too late for governments of free and open countries to take action. Time is short. But first they need to wake up.

Charles Parton is a James Cook Associate Fellow in Indo-Pacific Geopolitics at the Council on Geostrategy. He spent 22 years of his 37-year diplomatic career in the British Diplomatic Service working in or on China, Hong Kong and Taiwan.