Chinese espionage a prime concern for connected vehicles

On February 29, US President Joe Biden announced “unprecedented actions to ensure that cars on US roads from countries of concern like China do not undermine our national security.” He asked the Commerce Department to launch an advance notice of proposed rulemaking (ANPRM) on connected vehicles with technology from those countries and to take action to respond to the risks.

In its ANPRM, the Department’s Bureau of Industry and Security (BIS) said it is considering proposing rules prohibiting certain kinds of information and communications technology and services (ICTS) and transactions by anyone subject to the jurisdiction or direction of selected foreign governments. These governments include China, the Hong Kong Special Administrative Region (PRC), Cuba, Iran, North Korea, Russia, and Venezuela.

BIS hopes to collect information relevant to the technologies and market participants that might be appropriate for ultimate potential regulation. The ANPRM focuses on foreign governments or related parties that could pose a risk of sabotage, catastrophic events, or other undesirable outcomes that threaten US critical infrastructure or national security.

However, the ANPRM also notes that in addition to these risks, China likely represents the broadest, most active, and most persistent cyber espionage threat to the US government and private networks. Experts suggest this risk of espionage poses a more significant Chinese threat to the rapidly emerging market of connected vehicles (CVs) than outright damaging attacks.

China is likely studying CV models

The ANPRM states that “China’s legal structure also gives broad authority to the state to co-opt private companies to pursue its objectives,” given that a host of laws give the Chinese government the ability to compel companies within its borders, including automakers and their suppliers, to cooperate with its intelligence and security services.

The ANPRM states, “The combination of legal authorities and opaque CCP influence make private companies subject to the PRC’s [People’s Republic of China] jurisdiction susceptible to requests from intelligence and military officials. PRC officials can compel PRC firms to provide the PRC government with data, logical access, encryption keys, and other vital technical information, as well as to install backdoors or bugs in equipment which create security flaws easily exploitable by PRC authorities.”

The ANPRM also maintains, “According to open-source reporting, over 200 automakers that operate in the PRC are legally obligated to transmit real-time vehicle data, including geolocation information, to government monitoring centers.” It asks for comments on the degree to which components in the ICTS supply chain for CVs come from Chinese suppliers.

No current data indicates how much Chinese technology is in CVs made in the US or other Western countries. However, China has sought to dominate the world of electric vehicles (EVs) for over two decades, with Shanghai’s Gigafactory accounting for over half of Tesla’s cars produced in 2022. By the last quarter of 2023, Chinese car maker BYD even surpassed Tesla as the top EV maker in the world, with its inexpensive EVs proving popular across Europe.

With this growing dominance in the EV market, it wouldn’t be a reach to say that China is also closely studying CV models. “China wants to lead the world in electric vehicles and is producing them,” Lindsay Gorman, senior fellow for emerging technologies, Alliance for Securing Democracy at the German Marshall Fund, tells CSO. “The strategy is generally to copy the best technology and the best processes and then displace those competitors even as it provides a market environment that private companies have a very hard time saying no to because of the cheap labor, the less expensive manufacturing, and probably fewer regulations and hurdles to go through on the surface.”

Gorman thinks that despite China’s competitive advantage in industrial manufacturing, such as EV production, its well-documented expertise in intellectual property theft has likely also led it to intensely study how Western automakers who produce vehicles in China design and assemble their cars. “A lot of the German car makers, for example, have their production facilities in China, and they have sophisticated manufacturing and production processes,” she says.

“So, I wouldn’t be surprised if PRC car companies are taking note of how these international manufacturers operate and have a design on displacing the Audis and the BMWs of the world over the next 10, 20 years.” She adds, “What we’re likely to see might be many instances of China investigating the role of data and the strategic national value of data in our connected systems.”

What isn’t clear is whether China has already begun to exploit its advantages in espionage and intellectual property theft to develop a connected vehicle strategy. The Commerce Department’s rulemaking says a “host” of Chinese laws can compel companies to cooperate with intelligence and security services.

In particular, the ANPRM cites the 2021 Data Security Law of the People’s Republic of China, which interlocks with two other laws: the 2017 National Security Law of the People’s Republic of China and the 2015 National Intelligence Law. Experts maintain that, like many other Chinese laws, these intentionally vague laws signal what China intends to do.

“These laws, like the National Security Law of 2017, for example, are often best thought of as descriptors of state action more than constraints on it,” Gorman says. “I think we generally think of the laws that Congress passes as ‘this is what we can do and this is what we can’t do.’ In China, the laws signal an intent to maybe what the state is already doing or what it intends to do. I don’t view it as constraining.”

“I would go even a step beyond that to say that the actions of the government party are not to be constrained by the law,” Dakota Cary, a non-resident fellow at the Atlantic Council, tells CSO. “They’re not bumpers on the road but guideposts for the directions that government ministries or threats may take. Irrespective of what’s been written down, the government can take whatever action it chooses.” He adds, “The Chinese government was likely collecting intelligence from its own companies that were operating overseas well before there was a law written down in place that said they could do so.”

Little public evidence of China’s misuse of security, intelligence laws

Although China almost certainly forbids companies from revealing when they have received such intelligence requests, some examples point to its active role in making them. Chinese telecom tech giant Huawei, which the US government has long viewed as an extension of the Chinese government, was entangled in a major battle with the US government over the theft of T-Mobile intellectual property. “Not just intellectual property, but physical property theft against T-Mobile where employees back in China, quite probably connected to the CCP, were demanding that employees in Washington state get access to this proprietary robotic arm that T-Mobile had to test its cell phones,” Gorman says.

Before that, Huawei allegedly transmitted data from the African Union (AU) Headquarters in Addis Ababa, Ethiopia, to servers in China, which many believed was the Chinese government’s use of Huawei equipment to spy on foreign activity. In 2023, a former ByteDance engineer, Yintao Yu, alleged in a wrongful termination suit that China’s Communist Party used a “god” credential to monitor ByteDance-owned TikTok users protesting in Hong Kong.

What is certain is that China is fully aware that CVs have significant espionage capabilities. In mid-2022, authorities in the mid-coastal town of Beidaihe, China, prohibited Teslas from entering the district for two months surrounding a secretive annual summer party conclave that Xi Jinping attended. Other reports have surfaced of Tesla bans near government facilities due to data security and surveillance concerns.

“China does not allow Teslas to drive near their important political officials, including heads of the Chinese Communist Party,” Cary says. “And so, it’s very clear that China does understand conceptually that these vehicles can collect a lot of sensitive information. They also prevent their military personnel from owning Teslas.”

What will the ANPRM accomplish?

Given how little the US knows about China’s role in CVs and the absence of real-world examples of how China has wielded its opaque security and intelligence laws, it’s hard to tell what Commerce’s ANPRM will yield. Gorman thinks the development is the first in “many instances of investigating the role of data and the strategic national value of data in our connected systems. This is something we’ve been calling for a while now. We have singled out connected vehicles as one of these key applications of the internet of things where vehicles are generating massive volumes of data.”

Cary believes Biden’s action reflects that “we’re realizing that by making all of our devices smart and integrated and trying to use all that data for better products and AI and the whole rest of it, if you can’t trust your other participants in that system,” then it’s time to start creating separate systems. The bottom line, he says, is that “there’s an intense interest on the Chinese government to do espionage, and there are no limits on what kind of access it can gain from the tech companies that supply some of these central technologies that have been rapidly adopted in the US.”
