The Data Security Risks Inherent in Chinese Auto Imports

Modern vehicles are essentially surveillance platforms, experts tell China Commission at a recent hearing.

A high-end electric sports car made by Lynk & Co., a division of Chinese automaker Geely, at the Beijing International Auto Exhibition in April 2026. | Getty Images

A recent U.S.-China Economic and Security Review Commission hearing delved into the topic of Chinese data acquisition. Panelists discussed the ways in which the Chinese government is using cyber techniques to obtain data abroad – in areas such as biotechnology, military infrastructure, artificial intelligence and more – in support of its economic and national security objectives, often illegally.

It’s a pressing issue that should be taken seriously. But the panelists spoke specifically about an issue the Alliance for American Manufacturing has talked a lot about lately: The spread of “connected” Chinese vehicles into international auto markets, and the national security impact of their potential introduction here.

It can be hard to imagine how a car could potentially be collecting data. Today’s automobiles, however, are a lot different than they used to be. They’re full of high-tech components that can connect to the Internet; a modern car can film the surrounding area and listen to what a driver is saying. And the rise in popularity of electric vehicles has made many car batteries even more complex.

“We should see modern automobiles not just as forms of transportation but as sensor platforms that are gathering a wide variety of data, storing it, and transmitting it in ways that create risks, both of espionage but also of sabotage,” testified Dr. Chris Miller of Tufts University’s Fletcher School, a fellow at the American Enterprise Institute.

“Most people think of cars as just the device that gets them to and from the place of work or the places that they’re going, but modern automobiles can’t function without dozens of different types of sensors.”

That’s a real concern when China is involved. The Chinese government has made data acquisition a tentpole in its broader industrial and national security policy objectives.

“The [People’s Republic of China] is collecting data not only to know more, but to act faster, shape markets, shorten innovation cycles, map vulnerabilities, identify people, and hold U.S. intervention infrastructure at risk,” testified Joseph Lin, who leads a cyber warfare firm.

China is demonstrably willing to go to great lengths to secure data, including cyberattacks in 2024, and is reportedly planning more. Who’s to say they wouldn’t take advantage of the data from Chinese autos if they were to be let into the country? And it’s not just fully Chinese-built autos that are concerning, either. We’ve been able to keep those out thus far but, as Miller noted in his testimony, U.S. automotive supply chains are increasingly rife with Chinese-made components. So, if your car were to have a camera, sensor or microphone sourced from China, your data could be at risk even if the rest of the car was built elsewhere.

We have concrete proof that Chinese autos are collecting people’s data. Dr. Miller in his oral testimony pointed to a study conducted in Norway that found that a microphone in a Chinese-built car was storing data and transmitting it to China, with no record of what was done with it. That’s a glaring security risk.

There’s also a real possibility that China could sabotage electric vehicles, rendering them unusable. The evidence comes from another Norwegian study documented by Dr. Miller where researchers placed a Chinese-built bus down a mine. There, they were still able to access a “kill switch” — meaning China could access vehicles anywhere and cause them to shut down (and even possibly catch fire). That’s an attack scenario that would be catastrophic in a conflict, possibly rendering roadways unusable if there were enough affected vehicles on them.

Currently, there are regulations in place that are preventing these worst-case scenarios. For example, a U.S. Department of Commerce rule, which came into effect in early 2025, limits the presence of software and communications hardware sourced from adversarial governments in cars sold in the United States. That’s an important first step. But since it was born out of an executive action, there is no long-term guarantee that this rule will stay in place.

This is why the Connected Vehicle Security Act is so important. This bipartisan piece of legislation would officially ban any connected vehicles and car software and hardware sourced from adversarial nations, including China. It would safeguard the domestic auto industry from a deluge of subsidized import competition, yes. It’s also a critical step in protecting U.S. national security.

Join us in calling on Congress to pass this legislation by signing the petition here. And check out the entire hearing on China’s data acquisition strategy here.