On the way out: A Volkswagen factory in Nanjing near Shanghai, China. Image: DPA Picture Alliance Archive / Alamy

‘It’s an arms race’: is the west ready for Chinese EVs?

Once world-leading, German cars are being overtaken by hyper-connected electric models made in China. Cybersecurity experts warn they could become weapons on wheels
February 10, 2024

In 1879, an American high-school dropout called George Eastman registered a patent for a plate-coating machine. He would go on to found a company that would dominate the global market for film and processing for most of the 20th century.

Eastman made photography cheap and easy or, as Kodak’s marketing had it, “You press the button, we do the rest.” The brand was so embedded in its customers’ lives that another marketing phrase—the Kodak moment—spoke for all the significant personal occasions that millions were able to capture, for the first time in history, on their box Brownie cameras. 

For 100 years, the company was unassailable—a colossus, combining technical expertise, a strong brand and deep pockets. But even though Kodak helped spearhead the development of digital photography—creating one of the first digital cameras in the 1970s—it failed to grasp its transformative impact. In 2012, the company went bankrupt. In a cruel twist, today the “Kodak moment” references the downfall of a market leader that fails to understand the threat of the new.

Now the shade of Kodak is haunting one of Europe’s most important industrial sectors: the German automobile industry. Like Kodak, German auto-manufacturers have dominated their field. Production of the Volkswagen Beetle, favoured by Adolf Hitler as a project to bring affordable motoring to the masses, was revived by the occupying British forces after the war. By 1955, Volkswagen’s Wolfsburg plant was celebrating its millionth car. The VW Beetle was a global hit that was to stay in production for an extraordinary 60 years. Der Spiegel labelled Volkswagen “the German miracle’s favourite child”, the symbol of Germany’s recovery. 

Germany’s reputation for engineering excellence consolidated its market dominance. Between the production factories, dealerships, suppliers and maintenance shops, the automotive industry has been a lynchpin of the German economy, supporting 1,300 companies that employ more than 800,000 people, according to official statistics, and clocking up sales in 2015 of more than €400bn.

But now a seismic shift is threatening the future of this keystone industry. With disconcerting speed, Germany has lost its claim to be the most successful, innovative and pacesetting car industry in the world to China, the unlikely challenger that, for two decades, had provided this German industry with its greatest opportunity. 

Volkswagen was an early mover into China. After an unexpected visit to its Wolfsburg plant in 1978 by a Chinese minister, the first VW factory in Shanghai was established in 1984. VW persuaded other German companies to follow suit.

For more than 40 years, it was a match made in heaven: China was desperate for foreign investment and industrial knowhow, and VW was keen on low production costs, higher profit margins and access to what could become the world’s biggest consumer market. Today, Volkswagen calls China “the second home market”. It earns $4.2bn annually in profits there, operating 34 plants in the country—including one, controversially, in Xinjiang.

Where VW led, others followed. By 2018, Daimler was earning 20 per cent of its profits in the country, and BMW 28 per cent. By June 2022, BMW had three factories in China, and Audi was breaking ground on a new joint venture in Changchun. According to the Mercator Institute for China Studies, Germany’s total investment in production in China had risen 65 per cent between 2015 and 2020 to total €33.6bn. The car industry’s ventures had come to define not only Germany’s but the European Union’s relationship with China, accounting for 42 per cent of the EU’s foreign direct investment there.

Importantly, Germany pulled off this profitable relationship without deindustrialising at home, unlike many other advanced economies that moved their industrial production to China, leaving unemployment and resentment behind in their native markets. Germany continued to manufacture cars in Germany for its home and third markets. It sold its China output in China, riding the two-decades-long wave of rising GDP unleashed by globalisation and Deng Xiaoping’s policy of opening up. The future was looking good.

And so might it have continued, but for international efforts to meet the global crisis of climate change. Efforts that, to succeed, would profoundly impact every aspect of the global economy. 

In 2015, 174 states (and the EU) signed up to the Paris agreement, pledging to keep the rise in global average temperatures below 2.0ºC when compared to pre-industrial levels, preferably below 1.5ºC, and to reach net zero emissions by 2050. Transport, which was responsible for 20 per cent of Germany’s emissions, would have to change.

Germany’s car manufacturers and the German Association of the Automotive Industry (VDA) paid lip service to the need to reduce emissions and lobbied hard, where they saw inconvenience, against regulations designed to achieve it. In earlier climate discussions, the industry had successfully argued both that diesel engines, a highly profitable line for the industry, were more climate friendly than petrol-driven cars, and that, in the future, biofuels would facilitate a carbon-neutral future for the internal combustion engine (ICE), an argument German industry and some leading politicians continue to press. 

Angela Merkel was sympathetic, and the lobbying led to a diesel boom that put some 45m extra diesel cars on Europe’s roads. Germany’s car companies were also obliged to test their emissions for harmful particulate matter and oxides of nitrogen, and report that they met those standards. 

But, in 2015, VW was forced to admit that it had been cheating for years on US diesel-emissions tests, with secret software masking excessive nitrogen oxide pollution. The confession sent shockwaves around the world. Lawsuits and fines followed, and the company’s privileged political position as a trusted national asset was severely tarnished.

The “Dieselgate” scandal cost VW more than €30bn and two changes of CEO. There were other, perhaps bigger, material costs to the industry too: VW had focused on cheating and on lobbying instead of on innovation and the new technologies that a transition to a low-carbon model would demand. It took the fallout from Dieselgate, with its clear-out of senior executives, to move the dial. 

The German federal government had done its best to ensure that Germany became the leading manufacturer of EVs, making €500m available for research and development between 2009 and 2011, and billions more in followup programmes. But it was not until early 2019 that Herbert Diess, VW’s new CEO, presented a strategy overhaul with a wholehearted commitment to developing an electric fleet: VW would launch 70 electric models by 2028 and would become fully CO2-neutral by 2050. Europe’s normally sceptical green groups hailed the plan as a game-changer. William Todts, executive director of Europe’s federation of green mobility NGOs, Transport & Environment (T&E), called it the first credible climate plan by a major automaker. 

The shift had impressed VW’s critics, but it had come late, and the sector still lobbied against the EU proposal to ban the sale of new ICE vehicles by 2035, plans that were finally agreed in 2022. The industry still argued that biofuels would give ICE a future in Europe. 

And there was still the Chinese market, after all.

That was to prove its second major miscalculation.

For three decades, German manufacturers had been the biggest foreign beneficiaries of a booming Chinese car market. In the early 2000s, however, China reached a development crossroads: its economic model had delivered rapid GDP growth but also terrible air and water pollution, soaring carbon emissions and waste, and it was approaching exhaustion. The government recognised that a cleaner, greener, higher value and more efficient model would be essential for China’s economic future, and China began to make plans to capture the global market for clean technologies. Among other measures, the state would invest in nine key industrial sectors. Third on the list was the “new energy” automobile.

China had struggled, unsuccessfully, to build a car industry. Its cities were dominated by Japanese and German brands and the only Chinese car with a regular place in national life was the cumbersome Red Flag limousine favoured by leaders on parade. As China’s planners and entrepreneurs began to develop low-carbon technologies, this lack of an established motor industry left them free to commit wholeheartedly to new ideas of mobility: if they succeeded, the only industry to suffer would be foreign. While German companies were lobbying against growing climate regulation, China set about securing what was needed for the transport of the future.

China’s lack of an established motor industry left planners free to commit wholeheartedly to new ideas of mobility

In 2009, a year after Tesla’s first model went on sale, China began to invest in the development of new energy vehicles, both hybrid and battery operated. The country’s approach was characteristically strategic: its battery companies innovated, and its mining and refining companies secured global supplies of the rare earths and critical minerals essential for battery production. Between 2009 and 2022, the Chinese government put more than 200bn yuan ($29bn) into EV subsidies and tax breaks, further backed by the public procurement contracts that helped the flurry of startups stay in business, as well as investment in charging networks. Tesla also benefitted from subsidies and was courted by the city of Shanghai, opening its first gigafactory there in 2019.

Down in the far south of China, in Shenzhen, the quiet revolution that was to upend German dominance had begun as early as 2003, when Wang Chuanfu, founder of the battery company BYD, bought a failing manufacturer, Xi’an Qinchuan Automobile, to facilitate his ambition to develop new energy vehicles. BYD produced its first car, a reverse-engineered clone of a Toyota ICE, in 2005. The first plug-in hybrid electric vehicle followed in 2008, and BYD’s first battery electric vehicle in 2009. 

By January 2024, BYD was selling more EVs worldwide than Tesla. More concerning for Germany, by 2023 BYD had also overtaken Volkswagen to become the bestselling car brand in China. 

When BYD began its venture into car production, Chinese buyers still preferred foreign brands and conventional cars, but government determination, consumer subsidies and administrative measures gradually chipped away at consumer reluctance. In major cities such as Beijing or Shanghai, car-buyers faced a wait of up to a year to get a licence for a conventional car. An EV, on the other hand, could be out on the road on the day of purchase.

By 2022, the market was well established. The government decided that consumer subsidies were no longer necessary: more than six million EVs were sold in China that year, accounting for around half of global EV sales and, as China’s relations with the EU and US deteriorated, new generations of nationalist consumers had begun to prefer “Made in China” to foreign brands—and besides, Chinese models were no longer second-rate. At 2023 car shows in Shanghai and Munich, large crowds milled around sleekly designed Chinese vehicles, which boast a range of eye-catching digital and entertainment features, including in-car karaoke, matching German models on quality while undercutting them on price. At the VW stand, where only one model was on offer, prospective customers were few.

The Chinese industry had entered a new phase: the end of subsidies led to a fierce price war in 2023, and a new phase of cut-throat competition. With a stalled domestic economy and overproduction, the Chinese industry is desperate to export.

Some 200 miles upstream from Shanghai, a fleet of transporter ships is under construction, each with space for almost 8,000 cars. BYD has ordered eight of them; in total, Chinese shipyards reportedly have orders for 200. This is the fleet that will carry Chinese EVs away from a domestic market plagued by slow growth and low consumer confidence. Many will be heading to Europe.

This has the makings of a perfect storm: German manufacturers are losing market share in China, and China is coming after their home and third markets

For the German auto industry, this has the makings of a perfect storm: they are losing market share in China, and China is coming after their home and third markets. China’s vehicle exports to Europe are already established and BYD is planning to open manufacturing facilities there, as Tesla has done, to circumvent any punitive tariffs. While German companies are struggling with a dip in domestic demand for EVs that is forcing them to cut production, BYD sold more than three million vehicles in 2023, an increase of 61.9 per cent.

For some observers, the industry deserves its fate for lobbying against change instead of embracing it, but the wider implications for the European economy—and for national security—go further. Covid, confrontational wolf warrior diplomacy, China’s tacit support for Russia’s war in Ukraine and China’s own trade practices have damaged its relationships with Europe and even with Germany. The trade imbalance in China’s favour continues to grow, and Europe no longer sees this important economic relationship as a win-win. As China has grown from a locus of cheap manufacturing to an assertive technological competitor, Europe has become more concerned about Chinese inward investment in Europe’s advanced technology sector and the continuing threat to European industry from products that benefit from Chinese government subsidies.

The fate of European solar panel manufacturing has not been forgotten in Brussels, either: Chinese overproduction and a surge in exports was met with protective measures in 2012 that were later dropped when the EU realised it needed the panels to achieve its climate ambitions. Likewise, the debate over China’s EVs will play out in difficult arguments over economic versus climate security.

In September 2023, Ursula von der Leyen, the president of the European Commission, announced an anti-subsidy investigation into Chinese electric vehicles, which, she said, were distorting the EU market and threatening European industry. Shares in Chinese EV companies dropped, and the Chinese government reacted with indignation. China has the capacity, von der Leyen admitted, to react with more punitive measures, for example by restricting the export to Europe of the technologies its industries need. Last October, In a potential taster, China restricted exports of graphite used to make batteries. 

But there are other dangers with Chinese EVs that have not yet become prominent in the debate.

Kodak had failed to exploit its invention of the digital camera, not seeing that mass digital photography and its incorporation into the mobile phone would render its technological expertise and market dominance moot. Likewise, Germany’s car manufacturers failed to understand the depth of the revolution that was underway: what would matter was not only how the car was powered, but the fact that it was connected. Car manufacturers would compete not only with each other, but with IT firms, for dominance.

For Andreas Hoev, a German industrial sociologist, the German auto industry story will go down as an industrial failure on an epic scale. He offers another cautionary tale: the fate of Nokia. 

“In 1998,” he explains, “Nokia was the number one in the world for mobile phones... so far in front that they didn’t understand that their problem was that they made a phone you could put in your pocket. When Apple launched the iPhone, they opened a window to the internet. All you could do with a Nokia was make a call.” 

Likewise, Germany’s engineers are “not able to understand that the new software culture is not about flat screens and karaoke, but that the connected car is a computer on wheels. In China’s smart cities… the traffic lights are speaking to the car and the car is responding, the lines on the road are telling that car where to drive. You can connect it all to arrive at autonomous driving.’’

Across China, according to Xin Guobin, vice-minister of industry and information technology, China is testing intelligent vehicles, including taxis, buses and unmanned delivery, over more than 15,000km of road. In Beijing last year, city authorities issued licences to driverless taxis—the two lead operators were not car manufacturers, but the Chinese tech giant Baidu and an autonomous mobility startup called Pony.ai. 

The global trend for autonomous driving experiments seems set to continue. Consultancy firm IHS Markit predicts that China’s self-driving taxi market will reach 1.3 trillion yuan ($180bn) and account for 60 per cent of China’s ride hailing market by 2030. McKinsey has suggested that autonomous driving could create up to $400bn in revenue by 2035, and bring huge potential benefits—for example, enabling people to work while driving, or possibly boosting safety. 

But the constant interchange of data that autonomous vehicles require raises questions about who will control that data and how it could be used. 

According to Nigel Shadbolt, an artificial intelligence expert and principal of Jesus College, Oxford, the prospect creates a series of complex challenges—ranging from criminal ransomware demands to national-level security risks.

“For a long time, the discussion was about the huge amount of data that was being taken in and what could be done with it,” he explained. “It could be anything from road maintenance to espionage, but each new generation of internet services contains all sorts of potentially bad things, like the capacity to deliberately overload the electricity networks by coordinating peak demand.”

In July 2017, Elon Musk made a speech to the National Governors Association in Rhode Island. “In principle,” he said, “if someone was able to hack all the autonomous Teslas, they could say—I mean just as a prank—they could say ‘send them all to Rhode Island’… and that would be the end of Tesla and there would be a lot of angry people in Rhode Island.”

What Musk did not reveal was that a “white hat hacker”, Jason Hughes, had gained that control a few months earlier. Tesla continues to work with white hat hackers, who use their skills to identify and patch vulnerabilities in systems, to guard against this happening in future.

A vehicle’s manufacturers do not need to hack to access the vehicle: they already have the key.

A fleet of Chinese connected vehicles, however, raises a different set of concerns. Who will benefit from the data the vehicles collect and what is their potential for espionage? What software security guarantees will there be, and what are the risks, in a potential conflict with China, of a malevolent assertion of control over Chinese EVs on the roads of Europe or the UK? After all, a vehicle’s manufacturers do not need to hack to access the vehicle: they already have the key.

These risks may sound farfetched, but China is already acting against them. In March 2021, Reuters reported that Tesla cars had been banned from China’s military bases for security reasons. In June the following year, Teslas were prohibited from entering the northern seaside city of Beidaihe during the annual summer gathering of the Communist party leadership. Weeks earlier, the cars had been banned from driving on some roads in Sichuan’s capital, Chengdu, as party leader Xi Jinping visited the city. Today, the list of Chinese sites from which Tesla is banned is growing rapidly, as the Chinese authorities conclude that the cars’ cameras and geolocation information pose a risk to national security, despite the fact that Tesla is obliged by Chinese law to keep the data it collects in China.

No such regulation exists at present in the UK or the EU. Should it? For Shadbolt, the question of trust is key. “It is possible to turn a connected car into a paperweight on wheels remotely. If control resides with a foreign authority, what confidence do you have?”

Industry experts, however, say that policymakers are struggling to address the risk. One German computer expert, whose work in Germany’s Ministry of Transport involves exploring how to regulate and secure intelligent vehicles, explained the scale of the challenge, beginning with the Internet of Things (IoT)—the networked electronic modules inside every smart device that constantly communicate with the internet.

“There is a vast, interconnected network of IoT which is hard to secure,” he said. “A complete traffic grid consists of thousands of IoT devices that include street signs and traffic lights, various road and environmental sensors. All of these, and the systems that control them, need to communicate with one another, and process, aggregate and analyse all of the data created to manage the collective system, and they are all made in China.”

“The vehicles and the infrastructure supporting those vehicles,” he warned, “are all vulnerable to hackers and a breach could have potentially deadly consequences.”

A skilled attacker could install ransomware on thousands of vehicles, then lock out owners or immobilise until their owners pay up. And an incident involving agricultural machinery in Ukraine points to another set of security risks.

In spring 2022, invading Russian soldiers looted Agrotek-Invest, an authorised dealer for the US agricultural machinery company John Deere in the Ukrainian city of Melitopol. They stole grain and 27 pieces of agricultural equipment, including tractors and harvesting equipment worth approximately $5m, despatching them to Chechnya, 700 miles away. 

Modern agricultural machinery is at the forefront of intelligent, connected operation: John Deere tractors carry torque sensors to measure soil density, humidity sensors that measure soil moisture and location sensors on the roof that plot both on a highly accurate grid.

This highly desirable loot was not enjoyed for long. Agro-Invest tracked the location of its stolen property and operated a remote kill switch, leaving the robbers with an expensive, but now useless, heap of metal. 

The Ukrainian dealership’s kill switch was enabled by vehicle identification number (VIN) locking—the same access point exploited by Hughes in his Tesla hack. A less amusing scenario might include a Russian hack of John Deere systems that could paralyse all its tractors in Ukraine or elsewhere, and if a hacker were an operator with easy access to a fleet of cars—a Chinese state actor, for example—the threat surface widens dramatically.

“A fleet of connected cars sees everything in its surroundings,” one Brussels-based expert says. “It can map an entire city and you could share that information with Russia, for example. We talk of banning Huawei 5G technology in the EU, but all these cars contain Huawei modules.” 

“We haven’t done the basic risk assessment to the energy networks from IoT in solar panels and windmills,” the expert adds. “It would be perfectly possible to shut down large parts of the energy infrastructure remotely, and since fibre-optic networks need energy, you would lose communications as well.”

“As for cars, you could drive in the vicinity of a Nato exercise in northern Europe, collect all the data you need on what you saw, as well as local energy use, and stage a 24-hour blackout, or just render the network unreliable enough to disrupt communications. Or you could stage a blackout on the eve of key elections… the possibilities are enormous.”

The cybersecurity risks range from eavesdropping on conversations inside the car and stealing personal data, to ransomware attacks or paralysing a car or a whole city

Both Russia and China have used cyberattacks as part of their offensive toolkits. Europe and the UK’s roads are already home to hundreds of thousands of Chinese-made connected vehicles, and the cybersecurity risks range from eavesdropping on conversations inside the car and stealing personal data, to ransomware attacks or paralysing a car or a whole city for strategic objectives. Chinese security services have a track record of kidnapping and harassing people abroad; smart cars, which continually listen and learn about their users, collect information that could be used to immobilise vehicles or kidnap targets. Bad actors could remotely turn a vehicle into a weapon, making it jump a red light or mount a pavement full of pedestrians. On a grand scale, entire cities could be paralysed and national girds sabotaged through charging networks.

Even where the car is not Chinese, the electronics almost certainly are, and the universal modules in those electronics, and in other key parts of infrastructure, pose a security risk on an unprecedented scale. 

A British cybersecurity expert explains that data is constantly being gathered from the UK’s millions of smart meters—and other places that are connected, including the smart grid, the gas network, the water network and transport infrastructure. This data is then transmitted by small electronics modules via mobile phone networks. “Governments depend upon these critical infrastructures, of course, and if they don’t act now [to create their own], they’re going to be entirely dependent on Chinese communications,” the expert says.

“An electric car is always connected,” he continues, “via the mobile phone networks to more than one server. Security standards in a module depend on what its software tells it to do. So it’s up to the car manufacturers to trust their component suppliers that the software inside them is only doing what it’s meant to do. There’s no way of testing that. And on the question of trust, the Chinese don’t let western companies into their critical infrastructure. We should have a reciprocal policy.”

Industry insiders who are aware of the security risk complain of the lack of government attention. A senior official in Brussels, for example, tells me that the EU debate is “embryonic”.

The EU has announced that it will consult its member states’ national cybersecurity agencies as part of a coordinated risk assessment of connected vehicles. A similar process in 2020 that assessed the risks of 5G led to an EU-wide directive on cybersecurity, and a new Cyber Resilience Act that is expected to become law in the EU in early 2024 will oblige companies to be responsible for the security of their products. At present, it does not cover cars. 

Last year, British security services reportedly discovered a tracking device in a car used by the prime minister

A working party on autonomous and connected vehicles, which includes the EU, UK and US, and sits within the United Nations Economic Commission in Europe (UNECE), is also developing international guidelines and regulations that countries can adopt. UNECE Regulation 155 came into force in January 2020 and, where it is adopted, provides a common framework for regulating the cybersecurity of road vehicles. Experts point out, however, that these rules do not protect against the broader security risks.

Last year, British security services reportedly discovered a tracking device in a car used by the prime minister. Neither the UK’s National Cyber Security Centre nor GCHQ responded to questions on the security risks of connected vehicles. In a written response, the Department for Transport said: “We’ve developed requirements for all car manufacturers to mitigate against cyber threats in their designs and monitor the risk through the life of their vehicles. We’re exploring options to make these mandatory for all new cars, vans and trucks.”

This would not address the risks outlined above, as Shadbolt points out. “Frankly, the evidence of our ability to foresee these vulnerabilities is not comforting. It’s an arms race, with bad actors hijacking, subverting, and re-programming vehicles, and launching attacks against their security systems. The regulators are coming in late in the day and we have to ask—do we have the expertise to licence this? It depends where control lies.” 

The German government has a target of 15m electric cars on Germany’s roads by 2030, a target that seems unreachable without a continuing surge in Chinese imports. Chinese car companies are seeking to build trust and sell their products. But, like every Chinese company, they are also obliged by law to cooperate with China’s security services and are banned from revealing any cooperation they are called to offer. 

Those Chinese laws contributed to western security concerns about Huawei and its involvement in 5G networks in Britain and elsewhere. The threat that large numbers of Chinese intelligent vehicles pose is not that their manufacturers would want to breach the relationship of trust between them and the customer, but that the Chinese party state may compel them to do so. The point of security thinking is to imagine the worst possible scenarios and plan for them. It seems evident that these go far beyond Germany’s motor industry.