Into the Breach: Countering Chinese Digital Espionage in Routers

April 8, 2024 Topic: Espionage Region: World Blog Brand: Techland Tags: EspionageChinaCCPInternetTechnology

Into the Breach: Countering Chinese Digital Espionage in Routers

The ROUTERS Act is a meaningful step toward quantifying the risks posed by vulnerabilities within these technologies.

For anyone following the Chinese Communist Party’s (CCP) actions related to digital technology, the specter that Chinese companies could be leveraged to conduct intelligence activities has been ever-present. National security officials and researchers have highlighted how Chinese laws require domestic firms to assist the CCP in national security or counter-espionage operations, with no limit on what that cooperation can entail. These laws empower the CCP to turn any domestic firm’s product into a trojan horse for its malign operations.

The threat of domestic Chinese technology companies bolstering the CCP’s military and intelligence capabilities has prompted congressional responses on several occasions. The first instance involved Huawei and ZTE, Chinese telecommunications firms with ties to the CCP’s military apparatus, leading to laws preventing the purchase or use of their equipment within U.S. telecommunications networks. Vulnerabilities and potential backdoors into technology used by government agencies, including the Department of Defense, were uncovered in drones manufactured by DJI, a Chinese company, leading to their addition to the Bureau of Industry and Security Entity List. Similar concerns about cybersecurity vulnerabilities have been raised around ZPMC, a Chinese state-owned crane manufacturer, prompting an investigation into the firm. Most recently, the House of Representatives passed H.R. 7521 to mitigate potential security threats posed by TikTok, the popular social media platform owned by Chinese firm ByteDance. Now, another link in the chain that sustains internet connectivity is drawing attention: routers.

Recent reporting and government disclosures have highlighted how CCP digital espionage operations are targeting vulnerabilities in routers in Europe and the United States. Routers are devices that serve as hubs for directing data traffic within and between networks. When you connect to a wireless network at home, work, or school, that connection is facilitated and managed by a router. Insecurities within routers can allow hackers to install malware within networks that can go undetected for years, allowing for remote access, information gathering, and other forms of cyber espionage.

Research has found that CCP-supported hacker groups could exploit a firmware implant within routers designed and manufactured by the Chinese company TP-Link in Europe. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has logged hundreds of reports of technical vulnerabilities within TP-Link products in its National Vulnerabilities Database. These vulnerabilities allowed CCP-sponsored hacker groups to control the infected devices and access compromised networks undetected. Even with NIST’s documented security risks, TP-Link routers are widely available at major retailers such as Walmart and Amazon and have been purchased by federal agencies such as the Department of Defense, the National Aeronautics and Space Administration, and the General Services Administration.

In addition to weaponizing domestic Chinese firms’ products, CCP-sponsored hackers have expanded their operations to non-Chinese routers to target critical infrastructure in the United States. The U.S. Treasury Department recently sanctioned CCP-sponsored hackers who used a domestic Chinese firm to disguise their operations. This follows disclosures by the Intelligence Community in January that state-affiliated hacker groups had breached routers connected to U.S. communications, energy, transportation, and water infrastructure by exploiting outdated Cisco and NetGear routers. These instances illustrate that CCP cyber espionage teams are equal opportunists when it comes to manipulating vulnerable routers. Government officials, businesses, and consumers need to understand where they may be vulnerable and address such insecurities before they are exploited.

Congress has responded to similar threats elsewhere in digital supply chains, and routers are the next link needing repair. The House Energy and Commerce Committee has kicked off the mending process by unanimously passing the bipartisan ROUTERS Act out of committee. The ROUTERS Act would require the Department of Commerce to study the national security risks posed by consumer routers, modems, and devices with analogous capabilities that are designed, developed, or manufactured by an entity owned or controlled by a covered country. The definition of covered countries relies on the exact definition of the recent TikTok divestiture bill, applying to China, Russia, Iran, and North Korea.

Complementing the legislation in Congress, the Federal Communications Commission (FCC) has recently opened a request for comment to inform cybersecurity labeling of Internet of Things devices. FCC Commissioner Nathan Simington has raised concerns about insecurities related to connected devices and the importance of mitigation throughout his time at the agency. Such labels would allow hardware manufacturers to signal that their product has been vetted for vulnerabilities and consumers’ data is secure. Paired together, the study commissioned by the ROUTERS Act can provide expertise to guide future congressional action, while FCC labels can begin addressing threats posed by Chinese-made devices as well as vulnerable domestic devices by guiding consumers, business owners, and government agencies about different vulnerabilities within routers and connected devices. 

This legislation is a meaningful step toward quantifying the risks posed by vulnerabilities within these technologies. It can provide further insight into how Congress should deal with risks posed by Chinese technology firms. Cyber threats continue to grow, and lawmakers and government officials must have up-to-date information on potential threats to America’s digital infrastructure. The ROUTERS Act is an important first step toward mitigating such threats.

Joshua Levine is the Manager of Technology Policy at the Foundation for American Innovation. Follow him on X: @JoshuaTLevine