National security threat posed by China and the Internet of Things is an urgent issue for Scottish Government – Stewart McDonald

In large part, simply because it can and because firms are trying to find new uses for new technologies. My toothbrush, like at least one piece of electronic equipment you likely use daily, is part of the so-called Internet of Things: objects made with sensors, software and connectivity which allows them to collect data and communicate with each other. The Internet of Things is one of those concepts that has rumbled quietly in the background, always on the cusp, its advocates tell us, of changing the world. We are watching that promise come true with AI. I think it’s the Internet of Things’ turn next.

The radio components of these smart devices – the conduit on which information is transferred to and from a device – is called a cellular IoT module, or CIM. These are already ubiquitous. At the end of 2022, there were almost 20 billion in use worldwide. By the end of next year, there are expected to be over 30 billion, across all sectors of society, from personal IT devices and cars to power systems and agriculture. They have genuine transformative potential, from allowing cities to save power by dimming streetlights, when the light doesn’t sense anyone near, to automatically tracking and re-ordering goods for hospitals or supermarkets.

Get our weekly opinion newsletter for expert analysis from The Scotsman’s team of columnists

As great as this is, it also presents a critical national security issue in our age of renewed geopolitical competition. This technology is not only already present in homes and businesses across the country, but across government too. Early last year, the UK Government conducted a forensic sweep of its official vehicles, used to transport government ministers, and found a CIM in a part that had been imported from China and which could collect and transmit location data – just like my toothbrush, your car or your smart speaker.

A profound weakness

There is no published evidence that the Chinese Communist Party has been extracting data via CIMs, but it does have the capability. Under Chinese national security laws, companies can be compelled to share that data – useful when Chinese companies have 60 per cent of the global market. And we know that the CCP has a track record of exploiting the weaknesses in targets’ defences and stealing the data of foreign governments, defence systems, commercial companies, and individuals. Chinese-built CIMs in private and government devices across the country are a profound weakness that is ripe for exploitation. They exist right across the public sector, in transport, health, agriculture, energy and much more, making this an urgent area of interest for all layers of government across the UK.

For much of modern history, critical national infrastructure was what you think it is: power stations, transport hubs, telecommunications systems. But now, as a recently published paper from the Council on Geostrategy and Coalition for Secure Technology argues, we are now entering a new age – with artificial intelligence, quantum computing and the Internet of Things – in which almost every piece of digital technology could be classed as critical national infrastructure. We have seen, in China’s Confucius Institutes, their willingness to use apolitical, non-military sectors as sites of geopolitical competition, while the 2017 Cambridge Analytica scandal laid bare the transformation of political and economic aggregated data.

This is not necessarily a cause for panic, but it should spur governments in Edinburgh and London into a sense of urgent action. It’s simply another manifestation of an argument I have made several times in these pages: that we are entering a new age where geopolitical competition touches every citizen and home. So, what is government to do?

New age of global insecurity

As I have lamented here before, there is an issue with defence and security policy in the UK. To call it a lacuna would be too polite. There is a gaping chasm caused by the Scottish Government’s lack of resources in this area, matched only by the UK Government’s “out of sight, out of mind” mentality when it comes to security policy and devolution. Edinburgh too often outsources much security policy work to the UK Government, while Whitehall is blind to anything that doesn’t fall within an outdated, 20th-century definition of national security. This artificial binary not only makes no sense in our new age of global insecurity and hybrid threats. It makes us all less safe. This situation has long been untenable, with security issues found in a whole suite of devolved policy areas.

So, on this issue, it’s time for government to invest in research and awareness-raising, building our understanding and capability in economic security across all parts of government. The threat posed by CIMs and the urgent need to address it requires the Scottish Government to act now and forge a strong working relationship with the UK Government on this pivotal security issue, underpinned by mutual trust and an acknowledgement of our shared interest in getting this right.

This means both governments must up their game, investing money and resources in tackling modern security challenges in a devolved context, and show some creative initiative. Indeed, the Scottish Government should take the lead on the issue of CIMs and establish a cross-government unit to conduct a comprehensive audit of critical national infrastructure in Scotland to identify and remove any Chinese-made CIMs, starting with our NHS. But we should also work with likeminded partners on more long-term solution to this problem, sharing best practice on legislation, research and planning. The urgency of the threat demands no less.

Stewart McDonald is SNP MP for Glasgow South