Connected Vehicles and Emerging Threats
Securing Vehicles from Malicious Actors
Insights from a high-level roundtable at the Munich Security Forum 2025, by FP Analytics
Increasingly, countries are transitioning to electric and connected vehicles to reduce carbon emissions and more effectively manage transportation networks. But this transformation presents various emerging security risks such as potential vulnerabilities throughout vehicle and component supply chains, automobile manufacturing processes, and in-vehicle and system-wide use of connected technologies. These vulnerabilities pose significant risks to U.S. and allied countries’ national security and economic resilience.
To address these threats, the U.S. and other countries are working to ensure the resilience and agility of EV supply chains and connected vehicle technology development while safeguarding increasingly digitized public infrastructure networks. Questions remain regarding the ways in which the U.S., E.U., and other allies can mitigate risks and scale up protections, and how the public and private sectors can effectively partner to strengthen economic and national security in this rapidly evolving space.
To explore these questions, Foreign Policy convened a high-level roundtable on the sidelines of the 2025 Munich Security Conference, bringing together an array of experts and stakeholders across government, industry, and multilateral institutions, to discuss the underappreciated risks associated with connected vehicles and strategies for more effective transatlantic cooperation on these issues. While the discussion was conducted under Chatham House Rule, key takeaways from the roundtable are summarized here without attribution.
Unsecured electric and connected vehicles have the potential to cause significant and cascading damage to civilian and military infrastructure
Connected vehicles have a range of technologies enhancing performance, including internet connections, radar sensors, and cameras that see inside and outside the vehicle, run by software. If that software does not come from a trusted source, it could be accessed and manipulated for nefarious purposes. Experts likened connected vehicles to “roaming data collection platforms” that can record audio conversations, record videos, and conduct significant mapping of towns and cities around the world that can be fed back into government defense databases. Many of the cutting-edge technologies integrated into electronic and connected vehicles are vulnerable to exploitation by malicious actors, making EVs and increasingly connected transport infrastructure potential vectors for malicious activity and targeted attacks across passenger, commercial, and military transport.
China’s rapid market penetration, particularly in Europe, is heightening security risks and shortening the runway to act
Recognizing a range of threat actors, participants highlighted significant and underappreciated risks stemming from Chinese-manufactured vehicles in particular. The market influx has been enabled by the country’s all-of-government approach to EV manufacturing, relatively high degree of subsidization, resulting production overcapacity, and ability to penetrate global markets with highly discounted vehicles. The increasing penetration of EV and connected vehicle markets, particularly in Europe, presents notable data privacy and security risks. In 2022, Chinese EV companies represented 6 percent of Europe’s automotive market share, which grew to 8 percent in 2023 — a significant increase. In Norway, ten cars hitting the road are EVs and represent approximately 30 percent of connected cars on the road. Similarly, across the Atlantic, participants noted Chinese manufacturers’ attempts to expand their presence in the Mexican market and leverage the United States-Mexico-Canada Agreement (USMCA) to expand presence in the region. While the U.S. does not allow Chinese connected vehicles into the U.S. market and bans the vehicles from U.S. military bases abroad, concerns remain regarding vehicle software and the entities that have access to, and could ultimately control, driver and consumer data. Beyond the rate of market penetration, the application of artificial intelligence, and specifically the recent integration of DeepSeek into 10 BYD models, has heightened concerns.
Supply chain security is crucial to mitigating surveillance and other security risks of connected and electric vehicles
In addition to vehicle imports, inputs and components could present a range of risks if they have built-in backdoors or override capacity that can be remotely manipulated by malicious state or non-state actors. China is home to over three-quarters of global production capacity for the batteries used in EVs, and it can embed software that is capable of internal and external monitoring into advanced vehicles. In addition to vehicle components, participants expressed concerns regarding port security and the need to increase capacity to track, monitor, and assess shipment deliveries and in-market distribution. While restricting or banning EVs or connected vehicles by manufacturer or country origin would be unlikely to eliminate vulnerabilities from components in the supply chain, several of the attendees noted that the U.S. and its allies could benefit from a system to identify, track, and report vulnerabilities and strengthen verified and/or trusted supplier networks among allies.
Addressing vehicle security vulnerabilities is complicated by competing policy priorities
Balancing economic, environmental, and security priorities continues to be a challenge for policymakers and consumers. Across Europe, electric vehicles are heavily subsidized and considered vital to achieving climate change and emissions reductions goals, with policymakers implementing limited, if any, regulation as it relates to the technology’s origin to facilitate uptake. As one participant noted, there are “tectonic shifts” in the European industrial base, and policymakers and the public are concerned about economic growth and competitiveness. European businesses are suffering, and these industries are increasing pressure on policymakers to facilitate production of cheaper, technology-neutral technology for civilian vehicles — with little consideration for the dual-use nature of the technology and the risks that it could introduce. Participants expressed concerns that many leaders’ economic and climate goals have increased “strategic dependency” on potentially high-risk imports. A range of policy scenarios from banning and restricting to allowing Chinese-manufactured EVs and other green tech into Europe have notable tradeoffs and potential impacts on the respective goals. Electric vehicle regulation will require near-term, cross-sectoral dialogue and coordination among ministries and departments of defense, environment, and commerce, whose competing priorities will need to be balanced and reconciled.
Looking ahead: Mitigating risks will require a whole-of-society approach, bringing together consumers, manufacturers, and policymakers
Unlike public infrastructure networks such as 5G, which governments can more readily replace or upgrade when vulnerabilities are identified, security threats in consumer-owned, connected vehicles are diffuse and more difficult to manage once in market, and related risks are proliferating at “warp speed.” Building cyber resilience and introducing cyber security best practices in the electric and connected vehicle market are increasingly pressing and multifaceted challenges that require ongoing public- and private-sector collaboration, as well as clear communication with consumers regarding the policy, economic, and security tradeoffs. Recognizing these common challenges, participants highlighted the need for greater strategic alignment and technical cooperation to mitigate these threats. Core areas for action could include:
- Raising Public Awareness on Connected Vehicle Risks: Participants underscored the urgent need to communicate vehicle security risks to consumers without fearmongering. Those operating within the defense and security space could share information and examples of known intrusions to increase interagency and public awareness of security risks, potentially through a “digital seatbelt” campaign.
- Identifying, Tracking, and Reporting Supply Chain Vulnerabilities: Attendees highlighted the need for more granular assessments of supply chain vulnerabilities, identification of acquisition and ownership of key supply chain nodes, and exploration of “trusted” or “verified” suppliers with NATO, akin to the “Five Eyes” intelligence-sharing process.
- Monitoring Market Penetration and Sharing Intelligence: To maintain “strategic awareness,” participants suggested a process of continuous threat mapping and the establishment of metrics to better understand the degrees of technology saturation that present varying levels of risk so that policymakers across government agencies and ministries can make more informed security-related decisions.
- Strengthening Cross-Institutional Readiness and Ability to Act: While there is growing awareness of the need to protect critical infrastructure, vehicles and transportation-sector vulnerabilities largely remain under the radar. Participants underscored the need to elevate security considerations for non-defense government agencies and apply a security review process, which is familiar to many officials, to commercial and civilian agencies.
- Reviewing Subsidies and Incentives for Vehicle Technology Imports: In the military and defense domains, there is still opportunity to limit introduction of software with risks, but in the civilian sector, it is much more difficult. While many subsidies and consumer incentives in Europe have largely been technology-neutral and not scrutinized for security, limiting financial support and/or market access for higher-risk products could be one approach. The U.S. Senate Armed Services Committee and Emerging Threats Subcommittee will be taking on this issue. In the U.S., bipartisan legislation is advancing that would give the Department of Commerce the ability to conduct a national security review of certain components or vehicle parts for a range of technologies to determine whether that technology should be allowed or denied access to American markets.
While the U.S. and the E.U. have differing approaches to regulation, including with respect to data privacy and data sharing, lessons from the experience with 5G could inform collaborative efforts going forward — notably monitoring the pace of adversaries’ code development. Such monitoring could provide an indication of the pace of technological development and the degree to which it is altering the threat landscape. The assessments could inform policy and incentive frameworks and potentially differentiate vehicles according to the relative integrity of their software engineering. Such efforts, along with the exploration of trading blocs that include attribution factors and penalties for malicious supplier behavior, could help enable partners and allies to mitigate risks amid the ever-evolving threat landscape.
This synthesis report was produced by FP Analytics, the independent research division of The FP Group. Foreign Policy’s editorial team was not involved in the creation of this content.