1. Industry challenges and solutions
As vehicles become more connected and intelligent, new cybersecurity and data security issues continuously emerge. The boundary of vehicle security protection expands, the risk of security hazards increases, and the difficulty of security supervision and governance rises.
Challenge 1: The automotive supply chain is complex, making security governance difficult. Automakers, as the primary producers of vehicles, rely on supply chain management to drive information security capability building across the industry. This makes supplier management and overall information security governance particularly challenging.
Challenge 2: Vehicles interact with many external systems, complicating industry coordination. Vehicles connect to the cloud, charging stations, roadside infrastructure, and other cross-domain or cross-industry systems. A security issue in any link can affect vehicles, so cross-industry coordination is difficult.
Challenge 3: Regulatory authorities are increasingly diverse and policies are fragmented, raising compliance pressure for companies. With integrated vehicle-road-cloud solutions, connected vehicles relate closely to smart traffic and smart city construction. Management needs for vehicle information security, surveying and mapping, and geographic information resources involve multiple supervisory departments such as the national cryptography authority, the ministry of natural resources, and the housing and urban-rural development authority, which makes oversight more complex.
Challenge 4: Companies often adopt single-point technologies or products for protection, lacking a coordinated, standardized, and systematic security mindset. At the same time, the introduction of many new technologies and connected features increases information security risks, exposing a lack of professional design, development, and test-and-validation tools specific to automotive information security.
To address these challenges, consider the following recommendations:
Recommendation 1: In line with R155 regulation and ISO/SAE 21434 requirements, automakers should establish an enterprise-level automotive information security management system, including mechanisms for managing supplier product information security. This addresses governance at the organizational level and builds controllable core technical capabilities at the product level to address implementation. Establish a vehicle security monitoring, warning, and response platform based on in-vehicle IDPS and cloud VSOC to manage cybersecurity and data security across the product lifecycle.
Recommendation 2: Promote the construction of a cross-domain, cross-industry information security ecosystem for connected vehicles, and foster collaborative cooperation through industry associations and industrial alliances.
Recommendation 3: Refer to international automotive information security regulations and, considering the situation in China, accelerate the establishment of information security standards and regulations for automaker market access and product market entry. Build the three systems of CSMS, SUMS, and DSMS, speed up related technical standards, and establish nationally authorized automotive information security compliance testing and certification organizations to ensure regulatory policies are effectively implemented.
Recommendation 4: Support joint innovation in key core technologies, for example by organizing coordinated R&D through dedicated scientific and technological programs. Promote co-construction and sharing of automotive information security core data. For instance, according to regulations on cybersecurity vulnerability management, build an authoritative automotive industry vulnerability database to help companies manage vulnerabilities compliantly and embed vulnerability management throughout the product lifecycle to improve security assurance.
The construction of a defensive information security system for connected vehicles and the development of the industry require broad and deep collaboration among government, industry, and companies. This includes government-level top-level design and the development of regulations, standards, and monitoring systems; industry-level open cooperation, shared resources, and ecosystem building; and company-level compliant operation, technical R&D, talent development, and lifecycle information security platform construction.
2. Future recommendations for connected vehicle information security
With the accelerated adoption of connected vehicles, automotive network security and data security have become an important part of national information security. It is therefore necessary to coordinate automotive cybersecurity and data security, establish a rational technical standard system and effective security review mechanisms, strengthen government oversight and industry self-discipline, improve laws and regulations, clarify responsibilities and authorities, enable multi-department collaboration, and build a complete automotive cybersecurity and data security ecosystem to support the healthy and rapid development of China’s connected vehicle industry.
Establish a national-level automotive information security situational awareness, monitoring, and supervision platform. Make full use of big data, cloud computing, digital twin, artificial intelligence, and quantum communications to achieve real-time situational awareness, timely risk prediction, and efficient security response, providing reliable security assurance for national smart traffic and smart city construction.
Data has become a critical production factor in the data economy and a key driver of high-quality development for connected vehicles. However, the industry currently faces four major problems: insufficient data volume, severe data silos, significant data security risks, and underutilized data value. These issues constrain the transformation of the automotive industry.
Building an automotive industry data trading platform is a feasible solution. Such a platform can enable lightweight, low-cost data sharing, circulation, and trading to maximize data utility, optimize allocation, and create value.
The platform can aggregate upstream and downstream companies in the automotive value chain to form industry synergy and a data-sharing ecosystem that empowers the connected vehicle industry. Ensuring data security compliance and transaction trustworthiness is fundamental to establishing and promoting such a platform. Technologies like blockchain and privacy-preserving computation, as well as standardization of data structures, data interaction, and transaction processes, are critical.
Pay close attention to vehicle owners' safety rights and personal privacy demands. Research indicates that Chinese vehicle owners increasingly focus on vehicle security, which may become a consideration in purchasing decisions. Their awareness and expectations for data and personal privacy protection vary.
As vehicle intelligence and connectivity technologies mature and are widely applied, vehicle owners and their vehicles become sources for data collection and sharing, so personal privacy protection becomes an essential concern. It is necessary to establish accurate and trustworthy data security compliance standards and regulatory requirements, provide robust privacy protection channels for vehicle users, avoid unnecessary data leakage, and protect owners' privacy.
In addition, for disputes and litigation related to automotive information security, establish an authoritative redress mechanism to protect vehicle owners' legal rights and assist in enforcement, creating a safe, transparent, and trustworthy information environment and service platform for owners.
Talent is a key factor in ensuring the development of China’s automotive information security industry. Automotive information security is a rapidly evolving field that requires many interdisciplinary, versatile professionals. Training such talent is essential. Knowledge across multiple disciplines is needed, including familiarity with automotive engineering—especially automotive electronic and electrical architecture—as well as computer science, network security, and cryptography.
Establish dedicated academic programs and courses to strengthen talent development. Companies should increase investment in talent cultivation, build specialized R&D and technical support teams, and continuously improve capabilities in security development and operations. Industry-wide talent exchange platforms can help identify and mobilize talent, promote knowledge exchange, and advance the industry.
Global automotive network and digital security issues are transnational; international cooperation is an important means to build an automotive information security ecosystem. Encourage and support Chinese automakers and industry associations to actively participate in international forums on automotive information security, present China’s policies and best practices, and strengthen collaboration with relevant international organizations to contribute Chinese perspectives to international standards and regulations.
