Smart City and IoT: The “Trojan Horses” in China's liminal war
- Gabriele Iuvinale
- 1 giorno fa
- Tempo di lettura: 10 min
Smart Cities and the Internet of Things (IoT) offer immense advantages but also represent a "Trojan horse" in liminal warfare, with serious implications for national security. China, in particular, has adopted an aggressive strategy, deeply integrating informatization into every aspect of society and the state to enhance its global power.
This vision leads to the massive collection of big data for internal surveillance, and through the export of technologies from giants like Huawei, Hikvision, and ZTE, it creates potential vulnerabilities in critical global infrastructures. Several countries, including the United States with its recent investigation into Chinese-made "connected vehicles" (initiated by the Biden administration in 2024), and the "Five Eyes" alliance members, have already imposed severe restrictions on these companies.
IoT, by its nature, is vulnerable, and China's "dual-use" research in this field, supported by the government, fuels both protection and attack capabilities. For Italy, this means risks to critical infrastructures, digital sovereignty, and dependence on external suppliers. A proactive approach is crucial, ensuring "security by design," rigorous supply chain vigilance, and robust regulations to safeguard national security.
The concept of "smart cities" and the pervasive integration of the Internet of Things (IoT) represent a profound transformation of the urban and social fabric globally. However, as the metaphor of the "Trojan horse" suggests, while these technologies offer countless benefits, they also introduce significant vulnerabilities that can be exploited in the context of "liminal warfare" (grey-zone warfare), with a direct and substantial impact on national security. This is especially true given the People's Republic of China's (PRC) strategic approach and dominant influence in this critical technological domain.
China's Vision: Informatization, Surveillance, and Global Power
China has preemptively recognized and strategically promoted the development of Smart Cities and the Internet of Things (IoT), seeing them as fundamental pillars of its national and global power vision. As early as 2009, Chinese leaders identified IoT as one of five "strategic emerging industries," supporting its development with substantial economic and political backing. For the Chinese Communist Party (CCP), urban internet, cloud computing, and big data infrastructure are considered as important as roads and bridges for urban planning—essential elements for building a national and global power system.
In the Chinese understanding, a smart city is generally defined as the drive to integrate information technology into every aspect of the state and society, aiming to build China's national and global power system. Chinese ideological and strategic documents often describe the era of informatization as the successor to mechanization (the "fourth industrial revolution"). "New smart cities" are a constant theme in these writings, with the idea that informatization processes in military and civilian spheres must reinforce each other. Consequently, China's civilian informatization policies are designed to both account for national security interests and enhance its military power whenever possible. As President Xi Jinping stated, "there can be no national security without cybersecurity," a principle that guides China's technological expansion.
This strategic vision has generated global concerns, particularly regarding the potential use of the vast big data collected for population surveillance. China's mass surveillance program is one of the largest on Earth and is expanding rapidly. In 2017, China had 176 million surveillance cameras, a number that surged to 200 million by July 2018. Chinese policymakers view the construction of smart cities as a vital component of the Belt and Road Initiative (BRI), extending China's technological and infrastructural influence globally.
The Digital Trojan Horse: Smart City and IoT – Vulnerabilities and Liminal Warfare
Smart cities are complex ecosystems of physical, informational, social, and commercial infrastructures interconnected by next-generation information technologies like the IoT, cloud computing, and decision-making optimization. This interconnection generates a continuous flow of data on the movement, location, and conditions of urban objects, creating "unprecedented knowledge" of the urban environment.
The IoT, in particular, outlines a future where virtually every everyday object acquires a digital identity and can exchange information. Cars, streetlights, traffic lights, home automation devices, smart meters, industrial IoT systems, and smart agriculture are just a few examples of "smart" objects that, supported by artificial intelligence (AI), cloud computing, and fifth-generation (5G) wireless technology, are evolving into mature technological ecosystems.
However, the very pervasiveness of these technologies introduces enormous attack surfaces. IoT devices, often manufactured with insufficient attention to security ("security by design"), can be easily exploited weak points. Vulnerabilities extend from the IoT networks themselves—easily compromised by unprotected devices and outdated software—to data privacy risks. Without robust privacy protections, sensitive information (e.g., traffic flows, energy consumption, citizen movements) could be accessed, stolen, or misused. Even Artificial Intelligence (AI), a cornerstone of smart cities, can be manipulated by hackers, leading to erroneous decisions or even endangering public safety. Furthermore, supply chain attacks can compromise the integrity of hardware and software before they are even deployed.
In this context, "liminal warfare" (or grey-zone warfare) finds fertile ground. This concept describes conflicts that occur below the threshold of conventional warfare, often in ambiguous areas, using non-kinetic tools such as disinformation, psychological manipulation, cyberattacks, and the disruption of critical infrastructure. Smart cities and IoT become extremely effective tools for:
Sabotage and service disruption: A successful attack on smart traffic light systems, power grids, water systems, or public transport could cause chaos, panic, and severe economic damage. For example, a Denial-of-Service (DDoS) attack on a smart city charging station or a public transport network could disable entire sections of a city.
Espionage and surveillance: The vast network of sensors and cameras in smart cities, if compromised, can be used for intelligence gathering, monitoring citizens' movements, and even identifying sensitive targets.
Ransomware attacks: Ransomware, by blocking access to vital data or systems, can paralyze essential services like emergency response systems or public transport, leading to significant financial losses and widespread disruption.
Propaganda and information manipulation: The ability to manipulate data and information flowing through smart city systems can be used to spread disinformation, create confusion, or influence public opinion.
Social instability: The compromise of essential services, violations of privacy, and the perception of insecurity can lead to a loss of trust in institutions and generate social instability.
The Export of Chinese Technology and Its National Security Implications
Hikvision, Huawei, Dahua, and ZTE are major Chinese exporters of smart city and IoT products and services. Their technologies, which include public and private surveillance networks, 3G/4G/5G/LTE infrastructure, big data collection systems in cloud networks, data centers, servers, fintech applications, smart meters, integrated emergency management platforms, safe city solutions, call centers, command centers, and municipal services (such as smart parking, bus systems, smart streetlights, or intelligent waste management), have been acquired by public and private entities in almost every country worldwide. This prolific export has direct and profound implications for the national security of recipient countries.
Chinese legislation explicitly allows the regime to requisition all data deemed necessary to protect its national security, and Chinese companies are encouraged to acquire as much data as possible through IoT. This raises serious privacy and human rights concerns domestically and, when exported, national and international security issues.
Several countries have already acted to limit or ban the use of Chinese technologies considered a risk:
In November 2021, President Biden enacted the Secure Equipment Act, prohibiting the FCC (Federal Communications Commission) from granting licenses for network equipment to companies posing a national security threat, directly impacting Huawei and ZTE.
Section 889 of the John S. McCain National Defense Authorization Act forbids government contractors from providing the federal government with telecommunications or video surveillance equipment, systems, or services (or essential components thereof) or other products from five specific Chinese companies: Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company. Separately, Section 889 also prohibits government contractors from using these items or specific services, regardless of whether they are used in federal contract performance.
In May 2022, Canada also excluded Huawei and ZTE from its 5G networks. The government stated that the use of new 5G equipment and managed services from Huawei and ZTE would be prohibited, and existing 5G equipment must be removed by June 28, 2024. Ottawa's decision aligns with those taken by the United States, Australia, Great Britain, New Zealand, Japan, and Sweden, which have already blocked or severely restricted the use of Huawei technologies. Along with the UK, New Zealand, and Australia, Canada is among the first Western countries to follow suit. All four, together with the United States, form the "Five Eyes," an intelligence-sharing alliance on telecommunications security.
Recent U.S. Measures and the "Connected Vehicle" Threat
The strategic concerns surrounding Chinese technology in critical infrastructure have recently extended to the automotive sector. In a significant move in February 2024, the Biden administration initiated an investigation into Chinese-made "connected vehicles," citing national security risks. While this occurred during Biden's presidency, it echoes and expands upon the assertive stance taken by his predecessor. The probe specifically targets vehicles that collect sensitive data and could be remotely controlled or accessed by foreign adversaries. This action highlights a growing understanding in the U.S. that even seemingly benign consumer products, when highly interconnected, can become vectors for espionage or disruption. The administration is exploring imposing new regulations, tariffs, or even outright bans on such vehicles, reflecting a bipartisan concern about the pervasive reach of Chinese technology into everyday life and its potential implications for national security. This initiative builds on previous measures, like those enacted during the Trump administration, to restrict Chinese telecommunications and surveillance equipment, underscoring a continuous effort to safeguard critical data and infrastructure from potential foreign interference.
IoT Vulnerabilities and Dual-Use Chinese Research
The IoT is particularly vulnerable to technical compromise because almost every component is a potential target. Many IoT devices are also vulnerable due to their small size and high mobility, lacking the space to accommodate printed circuit boards for more complex security and authentication protocols. Unauthorized virtual access to industrial control systems has already led to destructive effects in the physical world, and the current destructive potential of unauthorized access to IoT devices seems unlimited.
In China, technical research into IoT security vulnerabilities has become a top priority for both public and private organizations, drawing support from government research programs and funding. While IoT vulnerability research is often undertaken with the primary goal of improving Chinese information security, it should be considered "dual-use" because such knowledge can directly fuel efforts to gain unauthorized access to IoT devices. Sophisticated technical knowledge of hardware or software vulnerabilities in an IoT device, or supporting elements like cloud storage systems, can be used just as easily to attack these systems as to protect them. Moreover, the high degree of collaboration among academic and civilian government research organizations, private sector companies, and military and defense industry organizations in Chinese IoT security research suggests a strong government interest in exploiting the capability to gain unauthorized access to IoT devices and networks.
Programs like the National High-Tech R&D Program (863 Program) fund crucial scientific and technological development projects with direct relevance to long-term national security. Furthermore, the Action Plan for Special Projects stipulates that "superior IoT industry" projects should be brought into an ecosystem to yield military benefits. As Chinese military researchers have stated, the IoT has increasing relevance for battlefield operations and must be understood in the context of promoting links between civilian technical development and military end-users, often referred to as "civil-military integration (CMI)." Chinese research also examines the role of IoT in implementing the PLA's (People's Liberation Army) upcoming "space-air-ground integrated information network."
Consumers regularly use IoT devices designed or manufactured in China, entrusting them with access to potentially sensitive networks and data. However, as in other areas of network security, the Chinese government has explicitly enshrined in law the principle that the national security implications of emerging information technologies like IoT require granting the Chinese government, military, and intelligence agencies the power to inspect information systems and data at will. The Chinese government has given itself almost unchecked legal powers to exploit the data and supply chains of Chinese civilian companies for uses ranging from espionage to offensive operations.
Impact on Italian National Security
For Italy, as for other countries, the widespread adoption of smart cities and IoT, especially with the integration of technologies from at-risk suppliers, poses significant challenges for national security:
Critical Infrastructure: Smart cities are intrinsically linked to critical infrastructure (energy, transport, communications). A cyberattack targeting IoT vulnerabilities could cause cascading disruptions at the national level, compromising the supply of essential goods and services, mobility, and emergency response capabilities. Italy, in particular, is increasing its focus on protecting its critical infrastructure, deemed vital for national and European security, including gas pipelines, submarine cables, and electricity grids, but IoT integration expands their attack surface.
Dependence on External Suppliers: Relying on external suppliers, some of whom are non-European, for IoT technology raises concerns about supply chain security and the possibility of backdoors or intentional vulnerabilities that could be exploited by state actors. Indeed, China often imposes numerous indirect requirements on foreign entities, particularly those operating in sectors Beijing deems strategically vital, including forced technology transfer.
Digital Sovereignty: The massive collection and processing of data by foreign or unregulated entities jeopardize digital sovereignty and control over critical information, including data related to citizens and national infrastructure.
Widespread Vulnerabilities: Studies on Italian smart cities have already highlighted the presence of potentially vulnerable devices at various technological levels (network, sensors, platforms, applications), compromising the security and privacy of services.
Countermeasures and Solutions for National Security
To mitigate these risks and prevent smart cities and IoT from becoming actual "Trojan horses" in liminal warfare, several actions are necessary:
Security by Design and Privacy by Design: Integrate security and privacy into every phase of the design, development, and implementation of IoT devices and smart city infrastructures.
Supply Chain Vigilance: Conduct rigorous security assessments of suppliers and components, prioritizing solutions from trusted vendors and diversifying sources to reduce reliance on potentially compromised technologies.
Regular Updates and Patching: Keep software and firmware consistently updated to address known vulnerabilities.
Robust Authentication and Encryption: Implement strong authentication mechanisms and end-to-end encryption to protect data in transit and at rest.
Continuous Monitoring and Threat Detection: Adopt advanced real-time monitoring systems and artificial intelligence to detect and respond rapidly to attack attempts.
Strategic Collaboration: Foster strong partnerships among governments, industries, academia, and citizens to share threat intelligence and develop joint security solutions.
Robust Regulatory Framework: Develop and enforce clear regulations and standards for cybersecurity and data protection in smart cities, in line with European directives such as NIS 2.
Awareness and Training: Increase cybersecurity awareness and provide training for all citizens and smart city operators.
Resilience and Business Continuity: Design systems to withstand attacks and recover quickly in case of disruption, implementing comprehensive Disaster Recovery and Business Continuity plans.
Comments