Chinese-made cars may pose national security risk, US launches probe

The White House is investigating whether Chinese vehicle imports pose a national security risk due to "connected" car technologies.

Chinese connected vehicles "collect large amounts of sensitive data on their drivers and passengers (and) regularly use their cameras and sensors to record detailed information on US infrastructure," the Biden administration said Thursday, announcing the probe.

The US Commerce Department said the investigation will ultimately determine whether the White House will impose new restrictions on Chinese imports.

"China's policies could flood our market with its vehicles, posing risks to our national security," US President Joe Biden said in a statement. "I’m not going to let that happen on my watch."

US Commerce Secretary Gina Raimondo posted about the inquiry on X. "It doesn’t take a lot of imagination to think of how foreign government with access to connected vehicles could pose a serious risk to our national security and the privacy of U.S. citizens, she said.

Part of the probe will also seeks details about where automakers license software for vehicles assembled in the US.

Unexplored 'risks of on-board technology'

“Many on-board technologies in use in vehicles today lack many of the security controls that are commonplace in technologies that we are exposed to in our daily lives,” said Dr. Liz James, automotive expert and senior security consultant at cybersecurity firm NCC Group.

“For example, they often can lack authentication of important command and control messages, and typically have less than optimal and even less scrutinized cryptographic implementations for data encryption, authentication, and authorization,” she explained.

“Given the lack of understanding about the attack surface, this has been relatively unexplored and exploited until now,” James said.

Self-driving vehicles will also factor into the investigation over concerns the cars are able to be piloted or disabled remotely.

“We’ve seen countless data breaches in other industries, but vehicle-related cyber attacks are much less common to date and have typically been focused on an individual level rather across a fleet.”

Baidu autonomous vehicle
Baidu's Apollo Go driverless robotaxi in China. Image by Josh Arslan | Reuters

Concerns about how Chinese companies were handling sensitive data while testing their autonomous vehicles in the US, were triggered among US lawmakers last November.

China’s Secretary General of Passenger Car Association Cui Dongshu has said “it is unfair to target cars from a specific country and impose restrictions on them exclusively.”

James agrees that singling out China is not the answer.

Instead, James said that manufacturers should be focused on the connected features and functionality of the vehicles, performing “robust” threat assessments and adopting more security controls.

Auto-makers should also be tasked with ensuring consumers are made more aware of the data security risks associated with these features, James said.

China EV-makers set sights on North America

US lawmakers face are facing new pressures to restrict Chinese EV imports into the country from Mexico.

Chinese EV makers see Southeast Asia, the Middle East, and Europe as their largest exporting markets and there are very few Chinese-manufactured autos being imported into the US.

In contrast, the Chinese government already poses significant restrictions on US autos and other foreign autos operating in China.

Chinese auto manufacturer BYD, one of the world's highest selling EV-makers, has repeatedly said it has no plan to market its cars in the US.

But Wednesday, BYD changed course and announced on X it would begin selling its Dolphin Mini EV in Mexico at 358,800 Mexican pesos ($21,019.33), less than half the price of the cheapest Tesla.

As a result, the Biden administration is contemplating new tariffs on Chinese-made vehicles.

"Why should connected vehicles from China be allowed to operate in our country without safeguards?" Biden said.

‘Unprecedented action’ against countries of concern

Biden called the new investigation an "unprecedented action to ensure that cars on US roads from countries of concern like China do not undermine our national security."

Roger Grimes, data-driven defense evangelist at KnowBe4 said the probe is really just a “small part of a larger, valid concern of who collects information on who.”

This is a particular concern between nation states, Grimes pointed out. “It's not just cars and 5G networks in the news and of concern to the US gov't, it's also Tik-Tok… really, it's everything,” he said.

“Everyone's information...where they go, what they do, who they interact with is likely for ready sell on hundreds of sites and services and also under the ownership of multiple nation-states,” said Grimes.

Officials told reporters the US government has wide legal powers and could take action with a potentially "large impact."

The Alliance for Automotive Innovation, a trade group representing nearly all major automakers, warned that only data transactions that pose "undue risk to US economic and national security" should be on the table.

The D.C.-based lobby group said the Commerce Department should avoid “low-risk transactions” that could unintentionally impact “advanced vehicle safety technologies."

The Department will seek comments for 60 days before drafting any regulations.