Google’s CEO Eric Schmidt (2010): “We know where you are ... · This paper holds the emergent...

Original Title: Capturing Complexity: emergent properties and security analysis

The original paper title built upon research I had done concerning intelligence analysis. As I delved into this subject it became clear to me that as a society we were increasingly and unwittingly contributing intelligence feeds into corporate and government data-warehouses. Deciphering and decoding the complexity of these feeds and of this intelligence struck me as an underexplored area. The re-titled paper follows and is a very first draft. In the coming months it will be refined and updated in the light of new material and in particular market data and technical detail. The argumentation will also be updated, I am sure.

“Freedom, Covert Security Surveillance, and Big Data: the Internet of Things and Security Challenges”

RM DOVER (Loughborough University)

First Draft – Prepared for UK Political Studies Association Conference, 30 March – 1 April 2015, Sheffield. Please do not cite without permission. Amended draft will be posted on Loughborough University’s Institutional Repository.

Abstract: The Internet of Things, or objects that have the capacity to report data derived from sensors or usage back to a central data-hub, are becoming ubiquitous. From wearable technology, ostensibly for healthcare improvement, through to dash-cams to protect a driver from erroneous insurance claims, through to internet enabled lights, heating and entertainment centres, the quantity of information being produced by and about individuals has increased beyond the confines of our social understanding of it, and the regulation of it.

This paper holds the emergent phenomenon of the IoT up to a bifurcated analysis: 1) the potential covert security applications of the IoT and data-aggregation and analysis, and what this does to the social contract between citizen and government, and in terms of social relations between social actors (individuals) and consumers and companies and 2) how the social scientific researcher can access and make sense of the technology and the data produced (an interdisciplinary question) and the security implications of this technology and its usage. There is a substantial gap in scholarly understandings of how covert security surveillance - within the broad wrapper of network enabled devices - contributes to the use of forms of coercive violence or restrictive behaviours. Given that the commercial and marketing applications of these technologies are well known, there seems no better time to tackle this subject.

___________________________________________________________________

Google’s CEO Eric Schmidt (2010): “We know where you are. We know where you’ve been.

We can more or less know what you’re thinking about.”

The internet has changed everything: or so the popular meme goes. Along with such

thoughts follows the idea that data has become ‘democratised’, or ‘free’, and that the ordinary

citizen has become ‘empowered’. A newer variant on the internet is coming to the fore,

which extends the notion of its ubiquity and the security challenges lying behind it.

The internet of things – as it has become known – is a broad range of objects, or artefacts

which are network enabled. That is, objects which are capable of generating data from

sensors or usage, and which communicate this information across a network, typically

directly via an internet connection or at one step removed via Bluetooth to a so-called smart

phone, which in turn transmits the data to a data-hub via a mobile data or internet

connection. We see evidence of this underpinning architecture of the IoT in all sorts of

commonplace technology platforms. These include our motor vehicles – where most new

models come with data-gathering and transmission technology including for diagnosis and

repair. The onset of the smartwatch – and Apple’s grand launch of the Apple Watch in

March 2015 – may well herald a wider adoption of internet enabled devices, in addition to

the ubiquity of so-called smart-phones.

The internet of things is regarded as a disruptive set of technologies (Kellmereit &

Obodovski, 2013), that is a set of developments capable of generating paradigmatic shifts in

the way business is conducted, or in the way individuals communicate or deal with

commerce, government, or in their social relations. The term ‘Internet of Things’ was a

marketing device coined by the founder of Belkin, Kevin Ashton, in a presentation to traders

in 1998. The term has stuck presumably due to the invocation of the term internet (which

carries a particular cachet), whilst those working in this area prefer the umbrella term M2M

(machine to machine). This paper focuses on the security aspects of the IoT: not the deeply

technical forms of security that can be found in firmware and software architecture, but in

the security studies themes that apply most directly to these technologies. This paper is very

much a work in progress, indeed it is a first draft of a piece that I will seek to refine and

hone. As such the conclusions are preliminary and I would like to deepen much of the

analysis, so what is presented here is a set of indicative areas of concern.

The Management of Urban Space

Section Summary:

The Smart Cities initiatives offer officials and their suppliers the opportunity to plan more effectively

for capital spend. They do this in two ways: 1) the use of sensor data and prediction to assess the rate

of obsolescence in publicly owned objects – e.g. street lights, drainage. 2) the use of movement data

to better understand how people use cities, what time various public goods are required, when

resource can be better deployed.

The Smart Cities and open data initiatives offer a regenerative opportunity in an urban space: that is

to allow start-up companies to form making use of and applying lessons from captured data. This has

occurred mostly within what has become known as ‘hackathons’ which are competitions in which the

largest contributions to the community are attempted and which are a closely related cousin of the

ecosystem that supports the Internet of Things.

Smart Cities create opportunities to improve governance (through data-driven analysis), energy

usage, building usage, mobility, healthcare (which is a definite IoT area) and to improve the

knowledge base of the ordinary citizen.

As will be expanded on later in this piece, the ethical and regulatory dimensions required to roll these

initiatives out fully are yet to reach maturity. The citizen is – as yet – passive in the collection of their

data and in their understanding of what the analysis of this data means. The small number of pilot

projects has also been due to the commercial necessity of where providers or suppliers can reach

deals with local authorities. Many of these deals have not been a commercial success in their own

right, merely a proof of concept exercise for future deals.

There is the potential for these technologies to be used to enhance the security of urban spaces – as

the monitoring of movement has been shown to provide insights into trigger points for violence and

disorder.

Surveillance, Social Relations, Ubiquity and Data-collection

Section Summary:

There are competing interpretations of what sensor technology and IoT means for individuals, their

relationships with each other, and their relationship to sources of authority. The two competing views

essentially coalesce around the question of whether these technologies compound a power

imbalance between authority (be it public or private) and the individual or whether they allow the

individual to hold authority in check or to enable genuinely local power and influence to occur.

The clear emphasis within the extant literature is that this range of technologies allows minor

improvements in efficiencies and function for individuals whilst providing a strong advantage to

corporations in understanding the behaviour of consumers and minable data-sets that have their own

intrinsic value.

There is a misunderstanding that the primary collectors of M2M data are states; this is not the case.

There would be many potential utilities for states in collecting movement data (for example) which

would provide greater levels of prediction around violence in urban spaces, alternatives to mobile

phone led surveillance data, movement data in the home, and in resource planning and resilience in

understanding prevailing health of a community as an unrelated task. But the reality is that the

majority of this data is collected, stored and mined by the manufacturers’ back-end function and by

third parties contracted in to perform these roles. The utility for these actors is to be able to analyse

the usage of their devices, to make improvements and modifications as a result of this, and also to

find activities that follow a logical consequence of this analysis.

From a political science perspective the pace of technological change coupled with the pervasive

quality of this technology into our everyday lives has outstripped our sociological understanding of

what such leaps have done to the relationship between state and citizen, and the relationship

between consumer and supplier. Similarly, the regulatory and ethical dimensions of the use of this

technology have been outpaced by the speed at which the technology has come to market and

‘penetrated’ the market. In this respect there is much that is analogous with and to the analysis of the

leaks by Edward Snowden: those involved in the development of technologies have continued to

pursue the logical end-points of their technological advances without paying much credence to the

braking influence of formal regulation and ethical control. As such we may well find ourselves

collectively in the position of enduring a Snowden MkII moment, whilst these technologies have

become genuinely ubiquitous.

In the adult lifetime of this author, western society has become immersed in a sea of

collectable and analysable electronic data. Before I went to university in 1996,

electronic mail was the clunky preserve of a few, and the majority of those I studied law

with were introduced to email by the necessity of the university, rather than because it was

ubiquitous. Students who could afford the £1500 for a basic laptop might have one, but it

had yet to hear of this thing called ‘Wi-Fi’. Mobile phones were not smart, nor were they 3,

4, or 5G, and relatively few people owned one. Supermarkets had just begun to get serious

about their loyalty card schemes, but carrying one was more exception than the norm. And

internet shopping and banking was only done by early adopters, if at all.1 So, within a

remarkably short period of time on the human developmental scale, we have moved from

an analogue society, to a digital one. Our everyday purchases (both online and offline)

generate collectible data feeds that can be recorded, analysed, repackaged, exploited and

sold, similarly so our online activity, telephone communication (both voice and messages),

as can our everyday movements (be they motorised or on foot). And whilst it can be seen

that these changes have occurred very rapidly, it is the case that the public and political

debate around what this growth of data production and analysis means is vastly

underspecified.

These observations are equally valid for the ‘ordinary’ internet and telecommunications as

they are for the IoT. This paper focuses on the IoT for reasons of immediacy – enabled

technologies are a rapidly emerging tranche of technologies – and because the IoT advances

and embeds the essential networked qualities of the internet closely onto and sometimes

effectively into the bodies of ordinary citizens. IoT hardware is attracting a lot of media and

investment attention due to the large so-called ‘unicorn’ acquisitions of GoPro, Nest, and

FitBit amongst others, and the public accessibility of information around crowdsourcing

rounds. The IoT is, at the moment, relatively simple to research on due to the closely

defined nature of its ecosystem. The IoT creative space is very clearly geographically

delineated with key hubs in San Francisco, New York, Austin, Shenzhen, London, Hamburg,

Paris, Barcelona and Bangalore. The ecosystem is essentially underpinned and supported by

a sub-strata of Hackerspaces, FabLabs, incubators, MakerSpaces, MakerFaires, and meetup

spaces: the London IoT meetup community runs to 4712 members according to

meetup.com (accessed 12 March 2015). The IoT centres are also heavily present in cities

where there is ready availability of capital. Whilst crowdfunding platforms should allow the

making community to geographically disperse, the reality has been that ambitious makers

have continued to locate themselves near to venture and angel investors, whether they

have an immediate need for these forms of capital or not. Similarly, as makers have clustered

near to money, they have created learning and innovation communities, so there have been

intellectual reasons to cluster in the way that we can observe. That growth has had an

exponential rather than linear quality to it, however, with the industry commentator Renee

DiResta (2014) asserting that in 2008 there were 50 hacker/make spaces created per year,

rising to 200 new spaces created in 2009, 300 in 2011 and 250 per year since. The

development of manufacturing platforms (such as Hackster2) has allowed micro- or small

scale innovators the opportunity to rapidly prototype their ideas and has lowered the

barriers to market entry. Whilst this market entry is quicker and cheaper – and therefore a

positive to business – it has also allowed more experimental ideas and innovations to find

airplay, if not a market. This is because the prototyping is quicker, easier and cheaper thanks

1 I should declare that I have been an early-adopter for most electronic devices in my adult life-time. I have what the comedian Eddie Izzard describes as techno-joy, as opposed to techno-fear.
2 https://www.hackster.io/platforms, accessed 20 March 2015

to standardised platforms like Arduino, Raspberry Pi, and Spark, and the development of

additive manufacturing. For this rapidly developing area the unit cost price of these ‘3D

printers’ is continually dropping: the top end Makerbot now retails at $2899, and as

functionality decreases there is the Buccaneer at $1099, Overlord $699, Micro at $349, and

at the budget end the ibox nano at $299. The time to market has been compressed by the

hastening of prototyping, finance, manufacturing and retail offer (be it online or offline

retail options). An indication of scale in this regard comes from AngelList (an online platform

for investors to place money in Angel syndicates), who estimate that there were 3022

hardware start-ups in March 2015, around 1000 in 2014, around 800 in 2013, around 700 in

2012 and around 200 in 2011, with very few present before that date. These innovation

communities and the organic growth they have experienced, the local and national

government policies that have helped to spur inorganic growth and how the innovation

policy has spilled out into consumer electronics are all worthy of further exploration. For

this paper, however, the central question is around the impact of these technologies in the

security space.

The development, improvement and cost efficiencies found in on-board processing, in a

variety of sensor types, battery size, weight and longevity, have helped to create a wave of

devices (that have come to market in 2014/15) that are effectively ‘intelligent’ and which can

operate autonomously. Prior to this, small connected devices (watches, trackers etc) were

reliant upon piggy-backing on other forms of computing power, such as smart-phones

and/or cloud platforms. Autonomous networking capabilities are now coming to the fore

and there is some evidence for this in the investments made into M2M networking

platforms such as Helium which secured $21m and SigFox, which is a telecommunications

network for IoT devices, which secured $148m of investment capital. Whilst it is only a

proxy measurement for influence and likelihood of success, there is a strong assumed

correlation in this sector between investment capital secured and the direction of travel for

these technologies.3

3 Valuations as an indicator of success

1) Xiaomi (a wide range of wearable tech) 2) GoPro (wearable cameras) 3) Square 4) Jawbone (wearable health-tech) 5) Nest (home – thermostat, carbon monoxide) 6) Beats (home entertainment) 7) Magic Leap 8) Oculus (virtual reality) 9) Razer (virtual reality) 10) Kiva Systems 11) Makerbot (3D printing) 12) Dropcam 13) Boston Dynamics 14) PrimeSense 15) Fitbit (wearable health tech) 16) Parrot 17) SmartThings (home automation)

The current direction of travel appears towards varieties of health-related, home-related,

energy-related and mobility-related technologies. The technology causing headlines in the

early part of 2015 was all around the notion of human augmentation and technology, the

replacement of human workers with machines (but this debate seems centuries old), and

the potential for machines to displace humans more generally, as per the pessimistic

conclusion of such towering figures as Stephen Hawking. However, the ongoing human

security threats in West Africa from the Ebola virus, and from a variety of pandemic

respiratory diseases have spurred such initiatives as ‘Fever Smart’4 which was funded via the

crowd-funding platform Indiegogo, but at $125 is unlikely to break into developing world

markets. Clairity – an air quality monitor – seeks to provide information to users about the

quality of air in their vicinity.5 For those in jobs where concerted attention is vital there is a

device called Vigo which will provide alerts if it detects fatigue, but it seems a very niche

technology.6 Even more extraordinary is the Scout by Scanadu which measures a body’s vital

signs from a USB stick sized device.7 It is capable of measuring heart rate, ECG readings,

breathing flows, and body temperature. It is – essentially – like being wired up in hospital,

but without the whole hospital ‘experience’. There are emerging devices that sit in the inner

ear, or in the inner soles of shoes, all of which bring technology closer to human

augmentation. The utility of these apps to the individual is clear (for the most part) but the

data collected, particularly from those apps which draw upon sensitive data (which would

be of acute interest to the insurance markets), are both eminently marketable and

yet pose some issues and potential concerns for those who are generating the data.

Similar sorts of concerns might be found in technology that relates to the home. Not only in

the occupancy patterns of home life, but in how real people (as opposed to modelled

assumptions) move around and use their homes: this sort of data is more valuable than the

modelled assumptions for obvious reasons, and would open up all sorts of

commercialisation and economic data for energy companies, as well as advertisers. Google

is currently making a strong bid to dominate the home data space, and whilst there is an

obvious counter-play expected from Apple, for example, the rivals to Google are likely to

become acquisition targets for well capitalised large companies. NEST is the best known of

these companies and has become a tech-unicorn (essentially a billion dollar acquisition),

which focuses on domestic heating and separately on fire and carbon monoxide detection.

The thermostat platform is surprisingly open and most industry commentators assume that

18) iHealth 19) Aldebaran Robotics 20) Basis

4 http://feversmart.com/ accessed 25 March 2015.
5 http://clairity.io/index.html accessed 25 March 2015.
6 http://www.wearvigo.com/ accessed 25 March 2015.
7 https://www.scanadu.com/scout/ accessed 25 March 2015.

Google will begin to expand the range of functions that NEST can perform. The acquisition

of Revolv by NEST (and thus by Google) which is a home automation hub merely reinforces

the notion of Google making headway in this space. A similar sized venture – certainly in

scale and ambition – is Samsung’s SmartThings suite8 (currently only available in the US and

Canada) which is a home automation platform that traverses entertainment, security,

heating, lighting and motion. It aims to provide a complete home automation solution and it

is not clear whether it suffers from the same security glitches as the Samsung voice

operated televisions which Samsung themselves warned against speaking too candidly in

front of for privacy reasons.9 So, any work-place device that is voice controlled and Wi-Fi

enabled is capable of being manipulated to provide intercepted human intelligence. Control

by voice means that voice is recorded, understood and analysed (normally via cloud

services), and being Wi-Fi enabled means that the device goes via the local corporate

network into wider internet networks. So, if there are any vulnerabilities in the firmware or

in the corporate network then that device might provide sensitive human intelligence to a

third party. Security in this field is reliant upon the firmware designers (and as mentioned

elsewhere in this paper, the component manufacturer) having security at the forefront of

their design parameters. The accusations in the Snowden leaks were that the NSA – in

particular – had noted and collected security vulnerabilities but not sought to address them,

aiding their own collection efforts, but leaving ordinary users still vulnerable (Schneier,

2015, p. 38).

As part of the Snowden revelations we collectively discovered that all network enabled

devices are capable of being compromised by SIGINT and ELINT agencies to provide

intelligence. The most lurid examples located themselves around the switching on of

microphones and cameras on laptops and so on to provide details of conversations and also to

record who was using the device at the time of a particular search. The range of data that

can be captured by these devices has become part of an investigation by a committee of the

UK Parliament. In this inquiry the committee has said: “there are legitimate concerns that

certain categories of Communications Data – what we have called ‘Communications Data

Plus’ – have the potential to reveal details about a person’s private life (i.e. their habits,

preferences and lifestyle) that are more intrusive. This category of information requires

greater safeguards than the basic ‘who, when and where’ of a communication.” The report

also says that legislation should cover different levels of metadata: Communications Data,

which is restricted to basic information about a communication, rather than data, which

would reveal a person’s habits, preferences or lifestyle choices. This should be limited to

8 http://www.smartthings.com/ accessed 25 March 2015
9 (eg NEST, Ecobee, Revolv (Google), SmartThings (Samsung), Dropcam (Google), Welcome by Netatmo, protect (smoke) by net, Point – house sitter, Ring (smart doorbell), smart body analyser (by Withings), nomiku (cooking), luna (smart bed cover))

basic information such as identifiers (email address, telephone number, username, IP

address), dates, times, approximate location, and subscriber information. Communications

Data Plus would include a more detailed class of information, which could reveal private

information about a person’s habits, preferences or lifestyle choices, and websites visited.

This is far more sensitive data, and therefore should be regulated far more toughly. Such

debates were had over Passenger Name Record data that the US Department of Homeland

Security had requested from the European Parliament, which also included ‘lifestyle data’

and which caused a great deal of unrest amongst privacy campaigners and MEPs (Dover,

2010). In the event, the EU permitted the transmission of such data under the threat of

further visa restrictions being placed upon European citizens seeking to travel to the US.

The analysis of voice has been used successfully by Google to refine their ‘Translate’ product

to the point where it gives a very fair account of spoken phrases into different languages.

The voice search and Apple’s initially much-mocked Siri service also make much use of these

techniques and analysis, and provide further insights into machine-learning of the spoken

word, things that are highly prized by SIGINT and ELINT agencies.

Beyond the reasonable scope of this paper10 are cognate areas that make up the IoT

ecosystem, all of which contain security implications. Wearable cameras – disconnected

from smartphone cameras – have been one of the most visible manifestations of the IoT in

general, but also of privacy issues more generally. The discontinuation of Google Glass in early

2015 was part recognition of the prohibitive pricing of the glasses (circa $1500), and of the

issue around the augmentation of the internet through the glasses, and with the unresolved

issues around privacy – the recording of third parties without consent and of conversations

etc (Hof, 2015). But Google Glass is actually one of the more limited pieces of wearable

augmented reality available. The key political science point about augmented reality is the

discrimination of the information presented to screen and in the case of augmented

reality11 and virtual reality devices for gaming the immersive quality of the experience when

matched to particular world views or delineated choices12.

On the periphery of the IoT are productivity tools for agriculture, which covers formerly

labour intensive activities of harvesting and pruning, spraying and indeed laying seeds,

which according to market data is a sector currently worth $800m and which by 2020 is estimated

to be worth $16bn (WinterGreen Research, January 2014). Related technologies that

10 Although I will extend it in the published version of this paper.
11 For example, Magic Leap, HoloLens by Microsoft, SmartEyeGlass (Sony), and Skully which is an augmented reality bike helmet.
12 Examples of virtual reality platforms include Oculus (acquired by Facebook), Project Morpheus (Sony), Vive VR (co-owned by the smart-phone manufacturer HTC and the gaming platform Valve), OSVR (by Razer, another gaming platform), Samsung Gear VR (Oculus), iPhone VR headset (patented by Apple but not yet in production), and Google Cardboard, which is a budget device. In order to add usability to this technology there has also been developed a virtual reality keyboard to match the VR headset, allowing the user to type, virtually. This is called Leap Motion.

incorporate network enabled robotics for a domestic range of tasks – such as mowing the

lawn and vacuuming the house – extend the IoT further into the home, providing labour

saving capacity. These devices are smart – in as much as they can be controlled over the

internet – but are not particularly intelligent in the data they collect and transmit. A new

breed of so-called social robots[13] have a much higher level of ‘smart’ development, as they

are – with varying degrees of success – able to respond to facial expressions and speech,

and clearly the data that these devices are able to glean fall into the category of

Communications Data Plus, as do those aimed at children, such as the interactive Barbie Doll

(BBC Technology, 2015) and the long-standing concerns about the Furby toys’ ability to

collect sensitive data leading to it allegedly being banned from the US NSA in 1999

(Marshall, 1999).

Lastly, the increasingly prominent (and overhyped) area of self-driving cars poses an

analytical problem around whether this segment is transport, or large scale IoT devices.

Audi, BMW, Google and Tesla (of the large players) and the MEV-c by ZMP which is a car not

blessed by aesthetic beauty have made strong leaps to develop genuinely autonomous

vehicles and whilst Audi have managed to get their vehicle (based on the large A6 saloon) to

drive more quickly than a human racing driver (Knapton, 2015) there are legal, ethical and

practical issues to be resolved. In the UK there are driverless car pilots in Greenwich

(focussing on safety), Milton Keynes and Coventry (focussing on road usability), Bristol

(focussing on legal and insurance dimensions as well as how the vehicles are received by

local communities). The technology itself is very complicated, requiring a mix of radar (to

judge distance from other vehicles), video cameras (to read roadside signs, and lights, and

the positioning of static and moving objects), LIDAR (light) and ultrasonic detectors (to locate

kerbs and lines), whilst a central computer system and control planes bring this together to

actually drive the car. The benefits of these systems are said to appear in emissions control,

congestion, and safety, as well as legal compliance and planned maintenance. The

networked quality of these vehicles would again provide the sort of meta-data that would

provide Communications Data Plus, and therefore those UK pilots, particularly the Bristol

one, will need to carefully hone the ethical dimensions of this emergent technology.

All of these devices providing all of this data, which is not only capable of being harvested by

manufacturers, data warehouse firms, and governments but is harvested and analysed,

raises stark questions of usage, further transfer and end-use. The security technologist

Bruce Schneier describes all such activity as ‘surveillance’ (Schneier, 2015). Similarly,

Schneier does not discriminate between government and corporate collection, it being on

the same continuum of surveillance. His argument is – in parenthesis – that all surveillance

curtails natural behaviour, but that the ordinary consumer has both been slow to

understand the extent to which their privacy has been compromised and similarly slow to

[13] Double – Telepresence Robot by Double Robotics, and Nao and Pepper – social robot

seek out the sorts of techniques and technologies that would help them address these

vulnerabilities. Ultimately – and Schneier’s book serves as a soft manifesto – he seeks a

(perhaps small) private realm free from surveillance, as he describes it. That is where the IoT

is a significant challenge to this notion of having any private space free from data collection.

Because we all anecdotally know that we are likely to speak about a subject differently in

front of a source of authority than in the privacy of speaking to friends or when speaking

without care (even if just in tenor and tone), there is a good reason to believe that we will

self-correct in front of pervasive levels of collecting technology. But even if we do not, then

the collection of authentic thoughts carries value in a multitude of ways and the Office of

the Director of National Intelligence published a redacted report in 2015, that was originally

written in 2009 on intelligence from smart phones where it posited that all the data could

form ‘crowdsourced intelligence’ (ODNI, 2009, p. 41). A powerful corrective to this notion

comes from Robert David Steele, in private correspondence where he noted that useful

open source intelligence is not merely the aggregation of sheer weight of sources, but

quality filters are required to discern the useful from useless. The challenges in this space

are then as much for governments as they are for individuals. Ultimately, however,

individual consumers and citizens are parting with ever larger data trails – some of which

they are plain unaware of, some of which they have little understanding of, and some of

which they are just happy/content/acquiescent in providing, for an assumed positive trade

off of improved services and convenience.

The importance and (threat?) of China to the IoT ecosystem

Section Summary:

The importance of China to this broad sector is found in the harvesting of the core materials base

underpinning the manufacturing of these technologies. The Chinese government’s previous

willingness to restrict access to these base materials represents a threat and challenge not only to the

consumer electronics market, but to the defence electronics sector.

The importance of China to the manufacturing supply of consumer electronics places it as a vital

component in the supply chain, but also allows it privileged access to global intellectual property on

this and related sectors. Dovetailed with the culture and pattern of business ownership in China,

the Chinese government has a very strong oversight of technology based developments.

Data mining from M2M technologies opens up the possibility for the Chinese security state to analyse

meta- and individual level data across a wide spread of technologies (e.g. health tech, home tech, and

movement data). Such capabilities do not solely exist for China, of course.

A number of potentially disruptive businesses are based in China. Xiaomi and Huawei are the most

prominent of these in terms of hardware. Xiaomi has nearly 100 hardware lines making the most of

network connectivity and sensor technology, all of which substantially undercut western rivals. Whilst

this is not necessarily a ‘security’ threat, there is little understanding of how such disruption will

impact on R&D intensive sectors in the west.

The oft-cited cyber security threats presented by Chinese electronics manufacturers (particularly in

telecoms, and networking) seem partially misrepresented, and actually the threat posed by these

firms exists in the soft-intelligence they can potentially gather from participating in infrastructure

projects.

China holds a special place in the heart of those involved in the IoT ecosystem. Much of

China’s influence and power comes from its privileged position as the pre-eminent producer

of the world’s consumer electronics. As such, the overwhelming majority of wearable

technologies are manufactured in China, and more particularly the city of Shenzhen, which is

known as the ‘Silicon Valley of Hardware’. Those involved in technology based start-up

businesses have a fondness for China that is unmatched in other industries and sectors. Much

of this connection is due to the speed, quality and price that can be achieved manufacturing

in China. Whilst Chinese manufacturers used to be selected purely because of the prices they

could achieve, since the turn of the century, Chinese manufacturing concerns have made

much of their cash-surpluses to offer world leading manufacturing capability as well as

competitive (for which read, cheap) labour costs. For those start-ups seeking to prototype

and then rapidly scale, a trip to Shenzhen can get their product into the market quickly. A

reality of this process is – however – that an essential part of the manufacturing process is

time in Shenzhen, to adapt and design with Shenzhen’s electronics ecosystem in mind.

Components that are designed, manufactured and sold in the SEG Electronics Market provide

lower barriers to entry, and rapid turnaround times, including meeting the holy grail of

electronics manufacturers of a twenty-four hour turnaround time of printed circuit boards

(PCBs).

To describe China as a threat in this space needs some elucidation. Some aspects of the ‘threat’

come from a dominant market position, and thus could also be subsumed under economic

headings such as the west’s comparative lack of competitiveness in this manufacturing field. In

this context, the drawing of threat is commensurate with the notion that seeing vital or

important fields of economic activity disappearing from – in this case – the UK has a security

aspect to it. But it is in the connectivity of the devices in the IoT ecosystem that ‘threats’ may

be drawn (often tangentially), and indeed in the raw materials used in the manufacturing

process itself.

The tangential concerns of security professionals around the presence of Chinese computing

components in ‘interesting’ or valuable technologies really comes from a set of concerns

around the part Chinese government owned manufacturer Huawei, as expressed by largely

Anglophone security services. It is important to note that the various official reports written

about Huawei’s technology have merely suggested vulnerabilities within it, rather than

demonstrating malfeasance. Part of the concerns expressed have been that Huawei’s

ownership model is part-vested in the Chinese government and that the firm rigidly adheres

to Chinese modes of intellectual property and business ethic. But there is an important

corrective to the shrill narrative around Huawei which correlates its positioning with threat,

which is that there are very few telecommunications or computing products (be they

commercial or government) in the world that have not been touched by Chinese

manufactured components, and indeed our largest computing firms have their final assembly

operations in China (e.g. Dell, Apple, Cisco and Hewlett Packard). So, whilst a realisation that

global computing power is already at least partly Chinese does not dull a threat analysis in

absolute terms, in relative terms it does place it in context.

The most often mentioned security threats said to be presented by the Chinese computing

components are:

1) variants of malware: these include the suggestion that components can be written with a

‘kill-packet’, which essentially means that an organisation with ‘the’ coding to activate the ‘kill

packet’ could do so, rendering all affected networks instantly hobbled. But such talk rather

ignores the levels of firewalling between elements of a network, so any attacker wishing to

make use of a ‘kill-packet’ would need control of the whole network anyway. Similarly, the

notion that Chinese made components contain ‘backdoor’ points of entry, seems unlikely in

the context that the manufacturers supply their own government and consumer markets.

Intentional security weaknesses would then be open to probing by our own somewhat active

ELINT agencies.

2) Deliberate software issues: the placing of deliberately weak or vulnerable software to

enable routes into the data being generated by users is also often cited. Again, this is entirely

possible, both intentionally and unintentionally, but these vulnerabilities would be as available to

other actors as they would be Chinese state officials.

3) Prevailing Chinese business culture: An important, non-technical issue when considering

suppliers from China is the differing cultural frameworks for both competition and intellectual

property. The Chinese government and political infrastructure requires that any successful

company be intertwined with the governing Communist Party, which itself is integrated into

the government and military infrastructure of the country. This level of formal

interconnectedness is entirely normal in China, but means that Chinese manufacturers have

a higher level of alignment to the government than would be the norm (or even the outlier)

in the UK. As such, the level of trust demonstrated between those purchasing equipment and

Chinese suppliers should be qualified (as it should in all commercial relationships), but the

fact that it needs restating points to a lapse on the part of purchasers to exercise restraint

and due caution.

And finally: 4) Intelligence reporting: Former US NSA Chief Hayden gave a controversial interview with

the Australian Financial Review (July 2013) in which he asserted that the firm represented a

substantial threat to Australian and American security.[14] Hayden was unable to provide

precise detailing on why this was his judgement but it was part based on his instinct as a long-

serving intelligence officer, but mostly because of the kind of intimate knowledge an outside

contractor gets of the systems, processes, and procedures of government through building or

servicing telecommunications and computer networks. Hayden also said to his interviewer

that there was ‘hard evidence’ of Huawei spying for the Chinese government. As such he said:

"At a minimum, Huawei would have shared with the Chinese state intimate and extensive

knowledge of the foreign telecommunications systems it is involved with…As an intelligence

professional, I stand back in awe at the breadth, depth, sophistication and persistence of the

Chinese espionage campaign against the West." These comments followed an October 2012

report by the US House Intelligence Committee that noted that in their view Huawei and ZTE

posed a national security risk and that their telecommunications equipment should not be

used in critical infrastructure projects, something that both firms fiercely rejected. Contained

within these lines of contestation are several concepts that require unpacking: 1) what

constitutes ‘spying’ to echo the language used here, and 2) an allusion to competing purposes.

The Snowden revelations arguably demonstrated that the NSA has been conducting large

scale surveillance of Chinese mobile communications data, and so there is an element of

equivalence to the stance of the two countries. Similarly, both nations are said to be guilty of

intercepting, via communication cables (often under-water) wholesale communications data

and applying decryption. Based on these activities, it is difficult to decipher why Chinese

components would add any particular layer of additional vulnerability to the IoT: the mass

interception of data is seemingly blind to the component make-up of the technology

generating interceptable data.

Hayden does seem to be mostly alluding to a pattern of competitive behaviour that partly fits

within the definition of ‘hybrid warfare’ that was advanced in relation to Russia in early 2015

by NATO, and also that I have proposed as ‘hyper-competition’ in several online forums.

Within this, state acquisition of competitive advantage (that ultimately points towards

military or security advantage) can be seen in bringing very high end intellectual property to

Chinese shores, albeit in what might have traditionally been seen as a supplicant

manufacturing role. The co-production of manufacturer and designer, and sophisticated

understanding of electronics have placed China in a pre-eminent position with on-board

computing and use of sensors. Prominent western universities have also sought to build

large-scale collaborations in China and Shenzhen in particular, with Berkeley and MIT (Boston)

being the most notable examples. Whilst these sorts of collaborations clearly align with

university priorities, they are rarely refracted through the prism of national security, and

particularly not those of hyper-competition.

China also holds a very strong position as a majority producer of the rare earth elements

contained within consumer and defence electronics – in particular dysprosium (99 percent)

[14] It should be noted that the Australian parliament barred the government from contracting with the firm in May 2014.

and neodymium (95 percent), in components such as batteries, mobile telephony, GPS

systems and so on. Figures vary from 70-95% of global production. The Chinese government has

shown themselves to be very aware of the influence such a position gives them, and has been

keen to flex this influence in restricting supply of these materials, as they did between 2009-

10 by some 9%, whilst signalling they would like to restrict by up to a further 30% in the

medium term. This has caused some forward planning by western militaries (particularly the

US, Japan, South Korea and Sweden) who also rely on these rare elements for their defence

electronics. The US Congress investigated the issue in 2012 and concluded that the US should

explore exploiting their own reserves of these elements as well as striking partnerships with

allies such as Australia, whilst President Obama pursued a diplomatic track in the WTO to

force China to drop the restrictions. The main barrier to increasing US production is cost, with

the unit cost of production in China being dramatically less than in the US. The South Korean

and Japanese responses were to begin a process of stockpiling elements of interest to them

and to forge partnerships with other rare earth producers (e.g. Vietnam and India). In Sweden,

they effectively nationalised a rare earth mine, and the German government created a

lucrative partnership with mines in Mongolia.

The softly colonial mind-set of assuming China to be a reliable, enduring and essentially

supplicant partner should be revised. Whilst some of the excessively shrill discourse around

China’s supposed bid for world domination is almost certainly over-stated, there are reasons

to sensibly revise western disposition towards China in the interlinked fields of electronics,

from the very material building blocks of electronics, to the appropriation of key IP, to the

back-end data-warehousing that takes place on Chinese soil. Misunderstanding the

competitive advantage this provides China with has the potential to put western powers (and

their citizens) in a position of vulnerability in the short to medium term. However, divesting

away from or appropriately ring-fencing China poses business costs on western firms. For the

vibrant SME community that essentially makes up the heartbeat of the IoT, this will not be an

ask they heed unless legally forced to.

Conclusion

The era of the IoT is nearly upon us and from a security perspective the real issues

surrounding this group of technologies come from a set of unresolved debates around

ethics and privacy. As consumers and citizens we know precious little about (and perhaps are not

capable of understanding) the capabilities possessed in these technologies. Whilst the

research organisation Gartner suggested that 50% of users are said to lose interest in their

devices reasonably quickly this might – to some degree – turn out to be a self-limiting

problem. Similarly, CNN reports that Chinese counterfeiters (a large industry in their own

right) have begun to shun the area, implying that the area is not yet profitable enough for

their endeavours (Nylander, 2014). The IoT offers public officials and consumers some real

advantages – for cities better resource planning and purchasing is possible via the various

Smart Cities initiatives. Similarly, regeneration and the clustering of technology firms should

spin off the installation of data-producing sensors. For individuals, I struggle to see the

arguments for enhanced productivity, those rarely result from technological advances, but

in the health-tech and med-tech spaces the gamification of well-being and the body-

monitoring do offer advantages. But with the advantages currently come the attendant

disadvantages of the monetisation of the data that comes off the sensors. Without

appropriate controls – and the education that precedes the debates even occurring is yet to

be had – the unprecedented collection of intimate data will present a serious erosion of

what we understand privacy to be. The analysis that can be done by competitive or

competitor nations of this data opens our societies to vulnerabilities of greater

understanding: the competitor nation simply knows and understands us better than we

know ourselves.