Legislation will stop Chinese connected cars from infiltrating U.S. market.
The entry of any Chinese technology supplier into a state's domestic market is tantamount to authorizing Beijing's infiltration.
Over the past decade, China has embarked on a massive buildup of its cyber capabilities, and today Beijing poses a formidable threat in cyberspace. Chinese cyberespionage activities are increasingly sophisticated and use advanced tactics, techniques and procedures (TTP), such as exploiting vulnerabilities and third-party compromise, to infiltrate victims' networks. China's main spy agency, the Ministry of State Security (MSS), conducts the majority of cyber espionage operations globally to acquire political, economic, and personally identifiable information.
Today, U.S. Senator Sherrod Brown (D-OH) introduced his Countering Adversary Reconnaissance (CAR) Act of 2024, new legislation to protect U.S. national security facilities, critical infrastructure, and American citizens by prohibiting connected vehicles produced in China and other adversaries near U.S. military bases and other federal installations.
The CAR Act of 2024 will:
Prohibit the operation of connected vehicles (CVs) made by Chinese companies or other foreign adversaries within 25 miles of DoD buildings, sensitive infrastructure, and Federal government facilities.
Direct the DHS Secretary, Transportation Secretary, Commerce Secretary, National Intelligence Director, Attorney General, and Defense Secretary to jointly prescribe regulations to enforce the prohibition of CVs.
Require a study within 120 days on the national security concerns presented by covered technology to be conducted by the DHS Secretary, National Intelligence Director, Attorney General, and Defense Secretary.
Because of the prevalence of DoD and federal buildings, much of the U.S. would be covered by the above restrictions, making it impractical and unprofitable to import Chinese connected vehicles in the first place – protecting our national security and Americans’ personal data.
Internet-connected vehicles use information and communications technology services to collect a range of sensitive information, including sensor data and images, biometric data like fingerprints and voice recordings, vehicle location, financial information, and vehicle information.
“Chinese connected cars collect vast amounts of data, making them a threat to our national security and Ohioans’ privacy – we can’t let them near our military bases, and should not let them into the country to begin with,” said Brown. “Our bill will help stop Chinese connected vehicles from infiltrating the American market and getting a foothold in this country.”
Vehicles are becoming increasingly equipped with new technologies that enable safer and more fuel-efficient travel for drivers and passengers. However, information and communications technology and services that are integral to such connected vehicles (CVs) contain vulnerabilities that may pose risks to U.S. national security if exploited. Connected vehicles controlled by foreign adversaries like China can offer a direct entry point to sensitive technology and data and can potentially bypass security measures. Chinese-made cars and the underlying technology enable the Chinese Communist Party to access sensitive personal data of Americans and of critical U.S. infrastructure, presenting unacceptable national security risks.
“Ohio has a number of federal installations that deal with military secrets and sensitive technology, including Wright-Patterson Air Force Base. We can’t have cars and trucks traveling near—or even into places like Wright-Patterson that are collecting large amounts of data and then making that information available to the governments of China and other U.S. adversaries. Senator Brown’s leadership on this issue is helping to protect national security,” said Jeff Hoagland, President and CEO of the Dayton Development Coalition.
Such vehicles are currently being manufactured in Mexico, but Brown said the Chinese government is behind those efforts. Without a federal law to halt internet-connected cars from entering the country, he said, average citizens could unwittingly transmit sensitive data to China.
“With the rapid advancement of vehicle technology, ensuring the security of information and communications technology in connected vehicles has become paramount,” said Michael Stumo, CEO of the Coalition for a Prosperous America. “Vehicles equipped with Chinese-made technologies pose significant risks, including the potential for reconnaissance and surveillance by foreign adversaries. This legislation addresses these threats and safeguards U.S. national security by prohibiting the operation of connected vehicles and components made by Chinese companies within 25 miles of Department of Defense buildings, sensitive infrastructure, and other Federal government facilities. This proactive measure will not only protect our national security and critical infrastructure but also deter the importation of vehicles that pose unacceptable risks to our country.”
Brown is leading efforts to stop China from infiltrating the American auto industry. In April, he called on the President to ban Chinese-made electric vehicles in the U.S. to combat the economic and national security threats posed by Chinese automakers. In May, he urged the Biden Administration to ban all Chinese internet-connected vehicles and smart vehicle technology that is designed, developed, manufactured, or supplied from China. He also slammed the Biden Administration’s decision to allow the electric vehicle tax credit to go toward cars made using a key battery component from China.
Understanding Chinese state cyber-espionage
Over the past decade, China has embarked on a massive buildup of its cyber capabilities, and today Beijing poses a formidable threat in cyberspace. The country has accomplished this transformation by achieving three objectives:
Beijing has reorganized its cyber policy-making institutions;
the PRC has developed sophisticated cyber offensive capabilities;
Beijing implements cyber espionage to steal foreign intellectual property on an industrial scale.
Such cyber operations pose a serious threat to the governments of many countries, to businesses and to critical infrastructure networks.
Under the "hegemony" of Communist Party of China (CPC) General Secretary Xi Jinping, Chinese leaders have consistently expressed their intention to become a "cyber superpower". Indeed, Beijing has developed impressive offensive cyber capabilities and is now a world leader in the exploitation of vulnerabilities.
Chinese cyber-espionage activities are increasingly sophisticated, using advanced tactics, techniques and procedures (TTP) such as vulnerability exploitation and third-party compromise to infiltrate victims' networks. China's top spy agency, the Ministry of State Security (MSS), conducts the majority of global cyber espionage operations to acquire political and economic intelligence (such as the illicit acquisition of technology discussed later) and personally identifiable information.
State computer espionage is therefore one of the various tools, which Xi Jinping calls "Magic Weapons", that the CCP uses to pursue a predatory economic strategy. Cybersecurity legislation, for example, turns China's cybersecurity research and industry into a weapon by requiring companies and researchers to report all discovered software and hardware vulnerabilities to the government before reporting them to vendors. This policy, combined with internal hacking competitions and cooperation agreements with Chinese universities, provides Beijing's security services with a constant stream of vulnerabilities to exploit for state-sponsored operations.
According to intelligence experts, cyber espionage is “the activity of surreptitiously surveilling an organization's networks and exfiltrating data for economic gain, competitive advantage, for political or military reasons, or for academic purposes that can be accomplished even by independent contractors (or ‘paid hackers’) mandated by the state” (13). Furthermore, cyberespionage has advantages because it eliminates some of the risks associated with traditional espionage techniques and allows for an increase in the amount of information that can be collected at any given moment.
The cyber-expropriation of technology and big data is an example of how the CCP leverages its capabilities to achieve strategic goals. Beijing is generally considered the perpetrator of the most serious damage globally. In addition to clandestine espionage - carried out by government agencies, organizations, commercial entities, individual entrepreneurs, Chinese expatriates, Chinese and foreign researchers - the theft of technology and data takes place through IT raids.
“The PRC has perpetrated the largest illegitimate transfer of wealth in human history, stealing technological innovation and trade secrets from companies, universities and the defense sectors of the United States and other nations,” concluded a panel of White House experts.
Even the former director of the National Security Agency (NSA) - the body of the US Department of Defense which deals, together with the CIA and the FBI, with national security - US General Keith Alexander, defined this predatory activity as the "largest wealth transfer in history". Currently, all 56 FBI offices conduct China-related economic espionage investigations.
In 2017, the Commission on the Theft of American Intellectual Property estimated that intellectual property theft costs the US economy up to $600 billion a year, with a significant impact on jobs and innovation. This figure approaches the Pentagon's annual national defense budget and exceeds the total profits of the top 50 Fortune 500 companies.
A report from the CNBC Global CFO Council found that in 2019, one in five American companies had their IP stolen in China. Anything of commercial value can be illegally acquired by Beijing.
As for the dynamics, the non-traditional collection and theft of IP is not carried out randomly by individuals acting on their own behalf. Beijing has enacted at least two dozen laws that have created a state apparatus for the transfer of foreign technology to laboratories in China that operate on information provided by compatriots working abroad. The apparatus also maintains databases of foreign cooperatives and distributes salaries, treatments and money to foreign donors of high-tech innovations. In addition, the facility is responsible for looking after agents willing to serve China from outside the country. Beijing targets all foreign sources of innovation, including universities, companies and government laboratories, exploiting both their openness and ingenuity.
As we will see below, a potential threat to national security arises precisely from the purchases (and use) of "commercial off-the-shelf" (COTS) hardware and software from Chinese-owned or controlled companies. On this aspect, the United States already sounded the alarm in 2019 when a report by the Inspector General of the DOD identified the purchases of Chinese computers, printers and video cameras as a potential risk.
According to advisers to the US government, illegal collection activities cover four main areas:
computer espionage, perpetrated on a global scale through an ad hoc program;
large-scale technological espionage;
non-traditional collection;
new types of hybrid espionage between cyber and human technology.
The 2016 US China Economic and Security Review Commission report states: “China appears to be conducting a commercial espionage campaign against US companies that involves a combination of cyber espionage and human infiltration to systematically penetrate the information systems of US companies to steal their intellectual property, devalue it and acquire it at drastically reduced prices.”
The most damaging channel for intellectual property theft remains Chinese cyber espionage. In fact, cyberespionage is both a means of stealing science and technology from foreign states, and a method of gathering information for potential attacks against the military, governmental and commercial technical systems of target countries. These cyber intrusions, therefore, pose a fundamental threat to the economic competitiveness and national security of the affected states.
The FBI has consistently warned that China poses the greatest espionage threat to the United States. Its director, Christopher Wray, reiterated in June 2022 that the Chinese government is methodical and "hackers in support of long-term economic goals."
“China operates on a scale that Russia does not come close to. They have a hacking program bigger than all other major nations combined. They have stolen more American personal and corporate data than all nations combined. And they show no sign of tempering their ambition and aggressiveness.” Currently, the FBI opens a new counterintelligence investigation into Chinese actions every 12 hours.
In March 2023, cybersecurity firm Mandiant reported that “Chinese cybercriminals have hacked US government departments and telecommunications companies.” Google's Mandiant cybersecurity division has released a report on hacker techniques and practices, which reveals the use of a vulnerability in Fortinet software as part of this malicious campaign. The group is highly sophisticated and can reportedly remain within a system undetected for years. The group, dubbed UNC3886 by Mandiant, has struck twice in the past six months, having previously used a VMware vulnerability to target the same victims in September 2022.
We must not forget that China does not respect any foreign laws, not even those on privacy and data protection.
There is no possibility to challenge the CCP's decisions in the Chinese Courts. And there is no mandate for data or due process if a plaintiff wants to challenge an illegal intrusion. Users who access China's technology providers such as TikTok, WeChat or AliPay expose themselves to Beijing's social credit system and other data processing. China also maintains a foreign nationals database for a variety of purposes. The risks, therefore, are incalculable.
Governments, therefore, should be aware that Chinese malicious actors are gaining access to their systems through loopholes in ordinary commercially available technologies, whether or not they are owned and operated in China. And Chinese companies are particularly dangerous, because the establishment of China's National Intelligence Law in 2017 increases the risk of them transmitting sensitive third-party data to Beijing.