Gallagher, Krishnamoorthi Write to FCC on Potential Risk of Chinese Internet Connectivity Modules Sabotaging Americans' Devices

WASHINGTON, DC – Chairman Mike Gallagher and Ranking Member Raja Krishnamoorthi of the House Select Committee on the Chinese Communist Party today wrote to FCC Chairwoman Jessica Rosenworcel requesting information about the threat of Chinese cellular modules infiltrating, tracking, and sabotaging American Internet of Things (IoT) devices. 'IoT devices' refers to any electronic device that could be connected to the internet, ranging from cars to refrigerators. To illustrate the impact of cellular modules in 'IoT devices', the lawmakers wrote that last year when Russian agents stole $5 million worth of John Deere tractors from a Ukrainian dealership, because the vehicles possessed cellular modules developed in the West, remote operators were able to shut down the tractors using the internet, leaving the Russian culprits stuck.

The lawmakers asked questions about potential security concerns involving cellular modules made by Chinese companies such as Quectel and Fibocom. Gallagher and Krishnamoorthi asked questions regarding the possibility that American devices like live-saving medical equipment, vehicles, and farm equipment could be accessed and controlled remotely from China if they are made with Chinese-made cellular modules.

In the letter, Chairman Gallagher and Ranking Member Krishnamoorthi wrote, "Connectivity modules are used in a wide variety of devices throughout the U.S., from consumer ‘smart devices’, to electric cars, to U.S. telecom networks regulated by the FCC. Serving as the link between the device and the internet, these modules have the capacity both to brick the device and to access the data flowing from the device to the web server that runs each device. As a result, if the CCP can control the module, it may be able to effectively exfiltrate data or shut down the IoT device. This raises particularly grave concerns in the context of critical infrastructure and any type of sensitive data."  The letter also notes that the FCC has already taken important steps to counter the nefarious influence of CCP-controlled technology in U.S. telecom networks.

The lawmakers requested the following information to assess how the FCC is addressing the threat:

• Is the FCC, or other agencies with which it collaborates on national security issues, able to track the presence of Quectel, Fibocom, and other cellular IoT modules provided by PRC-based companies in the U.S.? Can the FCC provide further information about these modules in U.S. networks?

• Does the FCC share our concerns about the presence of PRC cellular IoT modules in U.S. networks?

• We understand that the FCC is considering whether to require measures to address individual component parts. Is the FCC considering using the Covered List to tackle PRC cellular IoT modules? Could requiring certification for modules used in communications equipment be an effective means of countering PRC cellular IoT modules in U.S. networks? What other potential solutions exist in the view of the FCC?

• Does the FCC require or desire further statutory authorities to combat the threat that PRC cellular IoT modules pose?  

View a copy of the letter HERE or read below.         

-------------

Dear Chairwoman Rosenworcel,

We write to request information about the security risks posed by cellular connectivity modules provided by companies subject to the jurisdiction, direction, or control of the People’s Republic of China (PRC) or the Chinese Communist Party (CCP). Connectivity modules are components that enable Internet of Things (IoT) devices—from cars to medical equipment to tractors—to connect to the internet. Connectivity modules are typically controlled remotely and are the necessary link between the device and the internet.

Recent events demonstrate the power of these small modules. Last year, Russia stole $5 million worth of farm equipment from a John Deere dealership in Ukraine and attempted to bring it back to Russia. Luckily, that equipment was embedded with Western-made connectivity modules. Because the modules can be controlled remotely and the vehicles require internet connectivity to operate, remotely shutting down the module allows the module provider to shut the vehicle down. When Russia moved the stolen John Deere vehicles across the border into Russia, the modules were disabled—shutting down the equipment and effectively turning the vehicles into bricks. 

Connectivity modules are used in a wide variety of devices throughout the U.S., from consumer ‘smart devices’, to electric cars, to U.S. telecom networks regulated by the FCC. Serving as the link between the device and the internet, these modules have the capacity both to brick the device and to access the data flowing from the device to the web server that runs each device. As a result, if the CCP can control the module, it may be able to effectively exfiltrate data or shut down the IoT device. This raises particularly grave concerns in the context of critical infrastructure and any type of sensitive data.

Indeed, the CCP is well aware of the importance of IoT modules. It has given extensive state support to its cellular IoT industry, led by Quectel and Fibocom. Quectel provides modules to leading international firms. They are used in smart cities, drones, and U.S. first responder body cameras. Fibocom, meanwhile, targets individual collaborations with major tech players.

PRC law requires companies to comply with the Party’s commands, including requests for data whether it is stored in the PRC or elsewhere. In addition, observers have expressed concerns that both companies are closely integrated into the PRC military and state security. Fibocom even states on its website that people using Fibocom’s Platform “shall comply with…the laws of the People’s Republic of China,” which implies that Americans using a device with a Fibocom module can be surveilled pursuant to PRC law.

Under your leadership, the FCC has taken important steps to counter the nefarious influence of CCP-controlled technology in U.S. telecom networks, including adding equipment and services to the Covered List from companies such as Huawei, ZTE, and Hikvision, among others. Luckily, unlike in the Huawei case, there are still many U.S. and allied firms that compete with PRC cellular IoT module providers—such that restricting Quectel and Fibocom’s access to the U.S. market would not undermine U.S. telecommunications networks.

Tackling PRC cellular IoT modules is a natural next step for the FCC, in consultation with appropriate national security agencies. For one, Quectel and Fibocom supply companies whose equipment is already on the FCC’s Covered List. The equipment on this list poses a national security threat to the U.S. and may not receive authorization for importation or sale in the U.S. Similar scrutiny should be considered for any PRC cellular IoT modules in this equipment.

We respectfully request information on the PRC IoT threat. Please respond to the following questions by August 21, 2023.

• Is the FCC, or other agencies with which it collaborates on national security issues, able to track the presence of Quectel, Fibocom, and other cellular IoT modules provided by PRC-based companies in the U.S.? Can the FCC provide further information about these modules in U.S. networks?

• Does the FCC share our concerns about the presence of PRC cellular IoT modules in U.S. networks?

• Is the FCC considering using the Covered List to tackle PRC cellular IoT modules? Could requiring certification for modules used in communications equipment be an effective means of countering PRC cellular IoT modules in U.S. networks? What other potential solutions exist in the view of the FCC?

• Does the FCC require or desire further statutory authorities to combat the threat that PRC cellular IoT modules pose?

The House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party has broad authority to “investigate and submit policy recommendations on the status of the Chinese Communist Party’s economic, technological, and security progress and its competition with the United States” under H. Res. 11.

Thank you for your attention to this important matter and prompt reply.