The Surprising and Dangerous Fifth Column Hiding Within the Internet of Things

By: Alan Zeichick

I can’t trust the Internet of Things. Neither can you. There are too many players and too many suppliers of the technology that can introduce vulnerabilities in our homes, our networks – or elsewhere. It’s dangerous, my friends. Quite dangerous. In fact, it can be thought of as a sort of Fifth Column, but not in the way many of us expected.

Merriam-Webster defines a Fifth Column as “a group of secret sympathizers or supporters of an enemy that engage in espionage or sabotage within defense lines or national borders.” In today’s politics, there’s lot of talk about secret sympathizers sneaking across national borders, such as terrorists posing as students or refugees. Such “bad actors” are generally part of an organization, recruited by state actors, and embedded into enemy countries for long-term penetration of society.

There have been many real-life Fifth Column activists in recent global history. Think about Kim Philby and Anthony Blunt, part of the “Cambridge Five” who worked for spy agencies in the United Kingdom in post-World War II era; but who themselves turned out to be double agents working for the Soviet Union. Fiction too, is replete with Fifth Column spies. They’re everywhere in James Bond movies and John le Carré novels.

Let’s bring our paranoia (or at least, my paranoia) to the Internet of Things, but start by way of the late 1990s and early 2000s. I remember quite clearly the introduction of telco and network routers by Huawei, and concerns that the Chinese government may have embedded software into those routers in order to surreptitiously listen to telecom networks and network traffic, to steal intellectual property, or to do other mischief like disable networks in the event of a conflict. (This was before the term “cyberwarfare” was widely used.)

Recall that Huawei was founded by a former engineer in the Chinese People’s Liberation Army, and was heavily supported by Beijing. Also there were lawsuits alleging that Huawei infringed on Cisco’s intellectual property – i.e., stole its source code. Thus, there was lots of concern surrounding the company and its products.

Those concerns continued for decades. Even as late as 2014, publications like IEEE Spectrum wrote articles that continued exploring this topic, such as “U.S. Suspicions of China's Huawei Based Partly on NSA's Own Spy Tricks.” Based on those concerns, many government agencies refused to purchase routers and other critical network equipment from non-U.S. companies – and many enterprises followed suit.

Of course, this is multilateral. I’m sure that foreign governments are convinced that U.S. enterprise-grade hardware and software is capable of spying on them, or might contain a shut-down switch in the event of cyberwar. If you were in charge of IT within a country currently in conflict with the United States or NATO, would you want your critical networks controlled by Cisco or Juniper, your servers running on Microsoft, your phones controlled by Apple, your firewalls powered by Palo Alto? Probably not. In fact, you might even be suspicious of any device labeled “Intel Inside.”