Chinese Spies Don't Have to Hack Us. They're Already Here
It may sound paranoid to think any product made in China might be hiding a device to spy on you. But it's not paranoid. It's actually true. In fact, it's the law. Specifically, China's 2017 National Intelligence Law requires Chinese companies to cooperate with Chinese intelligence services when requested.
This is why two U.S. government officials recently took apart a Chinese-made power converter that was installed in the United States. They were checking for security issues, making sure it wasn't rigged with spy equipment. It was one of many converters purchased to connect solar panels to the electrical grid.
The product's documents mention the converter can connect to the internet. So officials expected to find electronics inside meant to share data. This allows the converters to be updated and maintained remotely. Comes in handy when the power converters are distributed with the solar panels in the field. But the solar panel company had a firewall set up. The data would not make it back to China, and certainly there was no path where China could send instructions back.
Except they could.
When officials opened the converter, they discovered rogue communication equipment, not explained in the product specs. The power converter was set to give the Chinese government complete control of any electrical grid it was linked to. These same converters are widely used in solar panels and wind turbines across the country. The Chinese could potentially shut down the grid, or create high voltage conditions that could turn into disasters.
Of course, these solar power converters were disabled. Exactly how many was never revealed. But shutting down all Chinese-made converters would mean shutting down 44% of the solar and wind power operating in the U.S. Turns out, China dominates this market. Chinese companies such as Huawei, Sungrow, and Ginlong Solis are leading global suppliers of power converters, their products widely utilized in U.S. renewable energy.
So for now the Department of Energy examines these devices for security threats, hoping to catch them before the Chinese have a chance to take advantage.
Why don't we just ban them? Well, turns out, we did. In 2019, an Executive Order was written to ban foreign equipment for use in U.S. power systems. This happened after a similar power transformer was intercepted and found to contain remote hardware hidden inside.
But only a couple of years later, the ban was lifted. Turns out, the Executive Order was too broadly written. Utility companies and manufacturers were confused about what qualified as foreign equipment, and how exactly they were meant to evaluate and replace all the existing equipment. The well-intentioned effort was bogged down in logistics and red tape. Grid modernization projects and renewable energy efforts were stopped in their tracks -- simply put, they relied on foreign components that just aren't made in the United States, not yet anyway. Some things can't suddenly be banned.
Instead, the Department of Energy focused on high risk vendors, certain Chinese manufacturers known to hide rogue electronics in their shipments.
Based on this recent discovery, the Chinese continue their brazen efforts to get their hooks in power grids. And U.S. officials continue to uncover these attempts.
Of course, cybersecurity efforts from the Department of Energy are focused on large scale power systems. City-wide power grids. Substations and transformers. As you'd expect, these are the systems we are most concerned might come under foreign control.
But there is a blind spot.
Home-based energy resources don't get searched. Small scale systems get shipped from China and installed on a regular basis with no cybersecurity official taking a look "under the hood". There is no federal requirement for cybersecurity certification of home inverters, batteries, or EV chargers.
When you charge your Tesla using off-the-shelf equipment, it is most likely made in China. And it likely has built-in communication modules, the ability to connect to Wi-Fi or cell networks. It probably has smart batteries that connect to cloud-based data servers.
If enough of these devices make it into residential neighborhoods across the nation, it's easy to imagine someone in China flipping a switch and compromising millions of homes, disrupting voltage stability, causing power surges and blackouts, and even finding paths into the larger power grids that are the focus of national cybersecurity teams.
Those same Chinese firms dominate the residential market.
Let's hope they never flip off that switch.
