John Hultquist, vice president of intelligence analysis at Google-owned cybersecurity firm Mandiant, likens his job to studying criminal minds through a soda straw. He monitors cyberthreat groups in real time on the dark web, watching what amounts to a free market of criminal innovation ebb and flow.
Groups buy and sell services, and one hot idea — a business model for a crime — can take off quickly when people realize that it works to do damage or to get people to pay. Last year, it was ransomware, as criminal hacking groups figured out how to shut down servers through what’s called directed denial of service attacks. But 2022, say experts, may have marked an inflection point due to the rapid proliferation of IoT (Internet of Things) devices.
Attacks are evolving from those that shut down computers or stole data, to include those that could more directly wreak havoc on everyday life. IoT devices can be the entry points for attacks on parts of countries’ critical infrastructure, like electrical grids or pipelines, or they can be the specific targets of criminals, as in the case of cars or medical devices that contain software.
“What I wish is that the vulnerabilities of cybersecurity could never negatively affect human life and infrastructure,” says Meredith Schnur, cyber brokerage leader for US & Canada at Marsh & McLennan, which insures large companies against cyberattacks. “Everything else is just business.”
For the past decade, manufacturers, software companies and consumers have been rushing to the promise of Internet of Things devices. Now there are an estimated 17 billion in the world, from printers to garage door openers, each one packed with software (some of it open-source software) that can be easily hacked. In a conversation Dec. 26 with The Financial Times, Mario Greco, the group CEO of giant insurer Zurich Insurance Group, said cyberattacks could pose a larger threat to insurers than pandemics and climate change, if hackers aim to disrupt lives, rather than merely spying or stealing data.
IoT devices are a key entry point for many attacks, according to Microsoft’s Digital Defense Report 2022. “While the security of IT hardware and software has strengthened in recent years, the security of Internet of Things (IoT) … has not kept pace,” according to the report.
A rash of attacks that reached the physical world through the cyber world in the past year show the rising stakes. Last February, Toyota stopped operations at one of its plants because of a cyberattack. In April, Ukraine’s power grid was targeted. In May, the Port of London was hit with a cyberattack. That followed up on a 2021 that included to major attacks on critical infrastructure in the U.S., taking down energy and food supply operations of Colonial Pipeline and the JBS meatpacking conglomerate.
What many experts are anticipating is the day enterprising criminals or hackers affiliated with a nation-state figure out an easy-to-replicate scheme using IoT devices at scale. A group of criminals, perhaps connected to a foreign government, could figure out how to take control of many things at once – like cars, or medical devices. “We have already seen large-scale attacks using IoT, in the form of IoT botnets. In that case, actors leveraging unpatched vulnerabilities in IoT devices used control of those devices to carry out denial of service attacks against many targets. Those vulnerabilities are found regularly in ubiquitous products that are rarely updated.”
In other words, the possibility already exists. It’s only a question of when a criminal or a nation decides to act in a way that targets the physical world at a large scale. “It’s not always the art of the possible. It’s a market-driven thing,” Hultquist said. “Somebody figures out a scheme that is successful at making money.”
Aside from responding rapidly to attacks, the only answer to the “cat-and-mouse game” is constant innovation, says Shlomo Kramer, an early investor in Palo Alto Networks and currently one of the top cyber security investors worldwide.
There are a handful of companies, new regulatory approaches, a growing focus on cars as a particularly important area, and a new movement within the software engineering world to do a better job of incorporating cybersecurity from the beginning.
Internet of Things has a big update problem
The cybersecurity industry is upping its game. Companies including ForeScout and Phosphorus focus on Internet of Things security, which has a heavy emphasis on constant inventory of “endpoints” – where new devices connect to a network.
But one of the key problems in Internet of Things security is that there isn’t a good process for updating devices with patches, as new vulnerabilities, hacks or attacks are discovered, says Greg Clark, former CEO of Symantec, currently the chairman of Forescout. Many users are accustomed to downloading updates and patches to computers and phones; and even in those cases, a significant number of users don’t bother to do the updates.
The problem is much worse in the IoT: For instance, who bothers to update their garage-door opener? “Not many of the IoT devices have a system to update the code,” says Clark. “It becomes a serious problem to remediate the vulnerabilities in the IoT.”
He said one focus for cybersecurity companies has become putting controls around the devices so they can only do a specific set of things. That way, the devices can’t be weaponized to launch attacks on other networks. “There are a lot of hammers swinging,” Clark said, on products that make the IoT more secure).
Medical devices, which are seen as particularly important and particularly vulnerable, are one focus. Last month, Palo Alto Networks announced a new product aimed at medical device makers.
IoT device makers are not regulated enough
Because the challenges are new, and cut across industries, the U.S. guidelines and regulations remain patchwork. That has left a lot of IoT cybersecurity up to consumers and companies across sectors, rather than the many manufacturers making IoT devices.
“I’m hopeful there will be some new standards, and newer regulations that will force the vendors to do more,” says Randy Trzeciak, director of the science information and security policy & management program at Carnegie Mellon University. “There should be a national discussion around insuring device security, and where the manufacturer needs to take some ownership and responsibility.”
Clark said CISA and the National Institutes of Standards and Technology are working together, issuing guidelines for the thousands of manufacturers that make IoT devices covering such things as ensuring that IoT devices identify themselves to networks as they are added to them. In 2020, the U.S. Congress turned the guidelines into a law, but only for companies that supply the U.S. government with IoT devices. A spokesman for the National Institutes of Standards and Technology says this is the only national law the agency knows of. Some state-specific and industry-specific laws also exist: For instance, data in medical devices would be covered by HIPAA, and the National Highway Traffic Safety Administration has some jurisdiction over cars.
Some investors and executives cautiously welcome the increasing involvement of regulators. “It’s simply too complex,” Kramer said. “There’s not enough qualified and experienced security people.”
How cars are being targeted
As more criminal hackers aim attacks at the physical sphere, cars are a target. That includes theft, with attackers exploiting the keyless entry systems, but also attacks on sensitive information now being stored in cars, such as maps and credit card data.
Led by the European Union, countries around the world are rapidly adopting cybersecurity regulations for cars, with the EU’s coming into effect in July of last year.
The transition to electric vehicles has created an opportunity for regulators to get ahead of the criminals. As the new technology lowered the barriers to entry, more car companies entered the market. In turn, that has created an opportunity for regulators to work with industry groups that want to protect their home-grown industries.
The concerns about cars are nothing new. In one landmark experiment in 2015, two hackers attacked a Jeep Cherokee. “They shut down the engine on the highway – the brakes didn’t respond. This is not a pleasant situation,” said David Barzilai, CEO of a six-year-old Israeli company called Karamba Security, which helps car companies make their IoT devices more secure.
Barzilai says that in the past 12 months, there were dozens of attacks, both by serious criminal gangs and teen-agers. “When we started six years ago, the attacks were by states, mostly China,” he says. “Within the last 12 months, there’s a democratization” in car attacks, he said, pointing to the case in January 2022 of the teen who figured out how to access the control systems of a few dozen Teslas at once, last January — have already done.
Connected cars usually have SIM cards, that hackers can attack via cellular networks, he said. “All cars of the same vehicle model use the same software,” he said. “Once hackers identify a vulnerability, and a way to exploit it remotely, they can replicate the attack on other vehicles.”
Cybersecurity grew as an industry mostly as an after-the-fact attempt to fix software and hardware that was long since on the market, as criminals and foreign governments discovered vulnerabilities in the systems that they could exploit. One study by IBM‘s System Science’s Institute found it costs six times more to fix a cybersecurity vulnerability while software is being implemented than when it is under development. The IoT is still relatively new as an industry, giving security-minded developers a chance to get ahead of the cat-and-mouse game, says Trzeciak, and there’s a growing movement of researchers and developers working on this, including Carnegie Mellon’s Software Engineering Institute’s DevSecOps initiative, which aims to add security into earlier phases of software development. That process-based innovation could make all kinds of software, including that in cars and medical devices, more secure — and therefore, the devices safer.
Tesla CEO Elon Musk wears a ‘Trump Was Right About Everything!’ hat while attending a cabinet meeting at the White House, in Washington, D.C., U.S., March 24, 2025.
Carlos Barria | Reuters
Tesla shares slumped on Thursday, reversing course a day after the electric vehicle maker had its biggest gain on the market since 2013.
The stock dropped 7.3% to close at $252.40 and is now down 38% for the year, by far the biggest decline among tech’s megacap companies. That’s true even after the shares soared 23% on Wednesday, their second-sharpest rally on record.
President Donald Trump sent stocks up on Wednesday after announcing he would pause steep tariffs for many U.S. trading partners for 90 days to allow for negotiations. He set a minimum tariff rate of 10% while negotiations take place, but increased the tariff on China.
The whole market has whipsawed on President Trump’s changing plans, but Tesla has been particularly volatile, rising or falling by at least 5% on 19 different occasions this year.
The slump on Thursday came after the White House clarified that China’s tariff rate now stood at 145%. Beijing announced a reciprocal 84% tariff rate on U.S. goods, effective April 10. And the EU said it approved reciprocal tariffs on U.S. imports.
As questions swirled about the type of deals the U.S. might strike, analysts at UBS, Goldman Sachs and Mizuho cut their price targets on Tesla, with all three citing margin impacts of Trump’s auto tariffs.
“We expect Tesla shares to be volatile but downward sloping considering the rich valuation (especially compared to the other Mag7 stocks) in a skittish market,” UBS wrote. The firm, which has a sell rating and price target of $190, said it also sees “demand concerns.”
Tesla has experienced brand deterioration, declining deliveries and has been hit with protests along with some criminal acts targeting its facilities and vehicles. CEO Elon Musk, one of President Trump’s top advisers, has drawn heat to Tesla for his work in the White House, where he has slashed government spending and the federal workforce. In Europe, he has faced opposition after endorsing Germany’s far-right AfD party.
Tesla sales declined across Europe in the first quarter, according to data from European Automobile Manufacturers’ Association (ACEA) and others.
The uncertainty and threat of new tariffs has been troubling for Tesla’s margin outlook. The company sources many parts and materials from suppliers in China, Mexico and elsewhere.
Sales growth for Tesla previously hinged on the company’s ability to manufacture and sell a high volume of its cars and battery energy storage systems throughout Europe and Asia. EV competition has ramped up on both continents recently, and now the company has to contend with highest costs imposed by levies.
Musk has taken his anger out on Trump’s top trade adviser Peter Navarro, calling him a “moron” and “dumber than a sack of bricks” in social media posts earlier this week. However, Musk has shown his approval of the administration’s hard line against China, sharing a clip on X of U.S. Treasury Secretary Scott Bessent discussing the matter.
“China’s business model is predicated on this incredible imbalanced economy, and exporting low-cost goods – and subsidized goods – to the rest of the world,” Bessent said in the clip.
Thursday’s selloff provided some relief to Tesla short sellers, who got hammered in the prior day’s rally. According to S3 Partners, Tesla short interest stood around 80.5 million shares, with a 2.8% float as of Thursday. It’s one of the top four equity shorts in terms of notional value, at $17.9 billion. Short sellers bet on the decline in a stock and lose money when it goes up.
Many sellers on Amazon count on China for manufacturing and assembly due to lower costs and established infrastructure – up to 70% of goods on Amazon come from China, according to Wedbush Securities. With nearly all imports from China being taxed a staggering 145% under the latest tariffs, Amazon sellers are having to decide whether to raise prices or absorb the vastly increased cost of importing their goods.
Amazon CEO Andy Jassy on Thursday told CNBC that its vast network of third-party sellers will likely “pass the cost on” to consumers. He added that Amazon has done some “strategic forward inventory buys” and looked to renegotiate terms on some purchase orders to keep prices low.
Although Trump temporarily lowered tariffs on most countries to 10% on Wednesday, he doubled down on the huge tariffs on goods from China. Before the pause, average tariff rates under Trump were at the highest level since the Great Depression. The “reciprocal tariffs” were far steeper in regions like Southeast Asia. Tariffs also hit U.S. allies at unusual rates, including 20% on the European Union and previously announced 25% tariffs on Mexico and Canada.
Josianne Boisvert of Canadian-based Portable Winch Co. said she “was in a state of shock” when the tariffs were announced. For 20 years, the company has driven its products an hour to the U.S. border for duty-free shipping to American customers.
“We are questioning ourselves if we just move our focus to Europe,” Boisvert said.
CNBC talked to several Amazon sellers to find out how the new tariffs are having an impact on their decisions about prices and where to manufacture.
Price hikes
In a small warehouse in San Rafael, California, Dusty Kenney showed CNBC hundreds of boxes filled with her PrimaStella brand baby spoons, bento boxes and other kids products. Most of them arrived by sea from China before tariffs went into effect. Paying the added tariffs could put her out of business if they continue, she said.
“I will hold my prices for as long as I can and just absorb those tariffs because I’m already competing against those Chinese sellers that are undercutting me,” Kenney said. Although tariffs will also impact her Chinese-based competitors, the cost of doing business in the U.S. is far higher than in China.
“The administration would like people to think that this is a China problem, and that this is only hurting Chinese-based businesses and helping U.S.-based businesses. But I am a U.S.-based business, let’s be clear,” Kenney said. “Everything’s warehoused here, designed here, photographed here. All the income that comes from that stays here.”
Several sellers said they are considering raising prices if Trump’s tariffs stick around.
The vast majority of products on Amazon are sold by third-parties, but tariffs will also impact the company’s first-party brands.
That includes Amazon Basics-branded batteries, which compete against the likes of Duracell and Energizer by retailing at lower prices, said Jason Goldberg of the Publicis Groupe.
If Amazon has to raise the price of its own batteries, he said, “consumers are likely to have a preference for that well-known, familiar brand.”
The Seattle-based tech company is likely to wait at least six months before passing the tariff costs on to consumers, said Dan Ives of Wedbush Securities.
“The last thing they want to do is right away just pass it to the consumer, because you don’t know how transitory this is,” said Ives, adding that Amazon likely got “well ahead of this” by diversifying its supply chain outside of China.
That’s a strategy many Amazon sellers are also trying.
Amazon did not immediately respond to a request for comment.
Reviving U.S. manufacturing?
Some categories, like toys, have a long history of being manufactured in China and have thus far been exempt from tariffs. Jay Foreman started his career at a toy factory in Brooklyn, New York, about 40 years ago.
Manufacturing migrated to China more than 30 years ago because of, “not only a tremendous workforce, but they’ve invested in the infrastructure to create a toy manufacturing supply chain,” said Foreman, CEO of Basic Fun, which makes popular toys like Tonka Trucks, Care Bears, Lincoln Logs, Tinker Toys, and Lite-Brite.
“Whether you’re making a Tonka Truck in China or an Apple iPhone, they figured it out. They’re making quality product there and it’s tough to replicate elsewhere,” Foreman said.
Workers making Care Bears at a factory in Ankang, China.
CNBC
A lot of toy manufacturing moved to Vietnam, Mexico and India in the last five years because of China tariffs during Trump’s first term, Foreman said. But many of the toy factories there are also owned by Chinese companies, he said.
“So you’re sort of not escaping doing business with the Chinese,” Foreman said.
Other product categories, like teas, can’t easily be grown in the U.S. because of the climate.
“You need high humidity. Usually you need to be at a very high altitude. And those things only come together in certain parts of the world, ” said James Fayal, who runs high-energy tea brand Zest. With its green tea grown in coastal China and black tea in India, Fayal said he’ll have to pass the cost on to consumers because he doesn’t have a U.S. option.
For the brands that do manufacture in the U.S., the tariffs are creating a competitive advantage, those companies said.
“Put our products side by side to a competitor’s that is getting it overseas and it’s a night and day difference,” said Dayne Rusch of Vyper Industrial.
Vyper’s American-made stools and other shop equipment range in price from $350 to $650 while foreign-made alternatives can sell for less than $40, Rusch said.
At the National Hardware Show in March, Rusch said he was approached by many vendors asking if Vyper would consider manufacturing their products.
“There’s a huge opportunity for OEM manufacturers to start taking on more work from these people that were purchasing overseas and start making it here in the United States,” Rusch said.
The other sells that spoke to CNBC said it’s not financially feasible to relocate manufacturing to the U.S., even though it would allow them to avoid tariffs.
Some, like William Su, are moving manufacturing completely out of China, but staying overseas. Su set up a factory for his Teamson brand in Vietnam in reaction to China tariffs during Trump’s first term. He’s now in talks to manufacture in India. Trump hit both countries with significant tariffs last week, although they’re temporarily on hold.
Surrounded by her colorful baby products in California, Kenney told CNBC she considered opening her own manufacturing site.
“But that’s way over my head and out of my budget,” she said. “I would love to be able to manufacture in the U.S., but the truth is that the infrastructure is not there.”
With fewer factories in the U.S. than in China, Kenney said the cost to make her products domestically would be double or triple what she pays now.
“The people in China are hungry for the work,” she said. “They’ll get back to you right away. They make sure you get your shipments right away. They’re on it.”
Ending ‘de minimis’
There is one tariff announcement Trump made that’s a boon for U.S-based sellers like Kenney: closing the loophole known as “de minimis.”
This exemption allowed orders under $800 to avoid paying duties and taxes, and it’s what made absurdly low prices possible on direct-from-China sites like Temu, Alibaba and Shein. U.S. Customs and Border Protection said it processed more than 1.3 billion de minimis shipments in 2024, up from over 1 billion shipments in 2023.
Chinese sellers send small orders directly to U.S. customers to keep shipments under the $800 limit. U.S. sellers like Kenney don’t often qualify for de minimis because they ship in large quantities by the pallet, bringing products to their warehouses for quality checks instead of shipping straight to customers from Chinese factories.
Kenney used to sell her most popular product, a set of six silicone baby spoons, for $9.99 on Amazon. She’s reduced the price to $7.99 to compete with knockoffs that sell for as low as $3 on Temu.
“I’ve even had them rip off all of my photos and content that I’ve created and use it to sell their knockoff products,” Kenney said.
Dusty Kenney showed CNBC some of her PrimaStella brand kids feeding products she sells on Amazon, at her warehouse in San Rafael, California, on March 25, 2025.
Katie tarasov
Trump briefly put de minimis on hold in February. Days later, he temporarily reinstated the loophole because huge numbers of Chinese packages started piling up at U.S. post offices and customs offices ill-equipped to collect duties at such a fast pace.
The president on April 2 again announced that he was ending de minimis, effective May 2.
The White House said “adequate systems” are now in place to collect tariffs. It added that the loophole is being closed to target “deceptive” Chinese-based shippers who “hide illicit substances, including synthetic opioids, in low-value packages to exploit the de minimis exemption.”
Foreman of Basic Fun said his Tonka Truck goes through many layers of inspection before landing on Amazon.
“Anything that comes in on de minimis is not going through that safety scrutiny at all,” Foreman said. “Small packets that might have included a dress or some kind of tchotchke might have been stuffed with illegal drugs or things like that, might be counterfeit, might be bootlegs or knockoffs.”
Some Amazon sellers were benefiting from de minimis, particularly on its separate direct-from-China site Amazon Haul, which launched in November to compete with Temu. But killing de minimis will be a net positive for Amazon because it will hurt competitors like Temu, said Ives at Wedbush Securities.
De minimis is a “loophole that’s been tugging at Amazon really for the last 18 months,” Ives said.
What remains to be seen is how Trump’s tariffs will shift in coming weeks and what tariffs other countries will impose on U.S. goods. Those pose a risk for Amazon and its U.S. merchants that sell to foreign customers.
“It just has a cascading impact across the entire economy,” Goldberg of Publicis Groupe said. “Uncertainty is really bad for business, regardless of who wins or loses on any specific tariff.”
The technology giant, down 13% so far this month and down 23% since the start of 2025, surged more than 15% Wednesday after President Donald Trump announced a 90-day pause on some tariffs and dropped the tariff on most countries to 10% to allow negotiations.
Semiconductor stocks reliant on production and manufacturing outside the U.S. also slumped, with the VanEck Semiconductor ETF shedding nearly 5% after a 17% gain and its best session ever. While the sector has been excluded from the recent tariffs, chipmakers have sold off on fears that tariffs will eat away at demand and hurt the economy. Targeted tariffs also remain on the horizon.
