
Summary and reflection of information security policies for domestic intelligent and connected vehicles


Today, intelligent connected cars are called "mobile computers that can carry people." While they gain the huge advantages of ICT as terminals and convert them into dividends, they inevitably also take on the threats and risks of the mobile Internet.

Data collection, storage, use, transfer and destruction, application software access control, moderation interface exposure, redundant functional permissions, protocol security, OS security, code security, attack protection, etc.: these terms, which originally belonged to ICT security risk, are gradually appearing in intelligent connected vehicles. Superimposed on the attributes of a vehicle, they make the situation more complicated.

Lengthy and complex industrial chains breed countless weak links, massive code bases hide vulnerabilities that can be exploited or attacked, and dense sensors bring challenges for data in the cloud and for privacy protection...

It is no exaggeration to describe the current state of intelligent connected vehicles in information security as "development coexisting with threats, vision in symbiosis with risk".

How to curb threats and reduce risks is not only a problem facing car manufacturers, intelligent driving solution providers and cloud platform service providers; it is also a problem that the national government needs to solve.

It is necessary to avoid the potential harm and ripple effects brought about by technological innovation, while also reserving enough space for technological development and ensuring that the commercialization of technology is not constrained by policy...

Whether the whip of "legal policy" in the hands of the government is held tight or loose, whether it regulates or unbinds, whether it explicitly prohibits or encourages and promotes, every policy move has a great impact on the development of the intelligent connected vehicle industry and deserves the attention of all practitioners.

As a new thing in the intelligent and connected automotive industry, what aspects does information security contain?

How is the mainland's legislative framework on information security in intelligent and connected vehicles built?

What are the representative policies to be concerned about?

What are the phased outcomes within the legislative framework that are worth looking forward to?

What aspects need to be improved in the follow-up?

You can find the answers to these questions in this article.

This article has no entertaining passages, no relatable complaints and no emotional reflections, only complex legal norms and an analysis of obscure, hard-to-understand provisions. It tries to be as plain and accurate as possible and to keep its logic rigorous and clear, none of which makes for light and pleasant reading.

This post is probably destined for a small readership, but if it helps readers in the intelligent connected vehicle industry build a general framework for the information security of intelligent connected vehicles, it can still be regarded as somewhat useful.

PART I. Whatever

What are the specific aspects of information security of intelligent and connected vehicles?

The information security of intelligent connected vehicles can be roughly divided, according to the object protected, into network security, application security and data security. The three are interlinked, rely on and influence each other; in simple terms, each contains the others.

The objects of network security include the hardware, software, and data stored in the network system.

The core requirements of network security are that hardware and software are not altered or destroyed, and that the massive data generated during network communication, which contains all kinds of important information, is not tampered with, lost or leaked.

Specifically, the network security of intelligent connected vehicles means that mobile communication networks, in-vehicle communication networks, roadside communication networks, satellite communication networks and so on are not affected by any situation, are not interrupted by any factor, and can operate reliably and normally, so that the integrity, availability and real-time delivery of the data required for the normal operation of intelligent connected vehicles are guaranteed.

The explanation of terms may be a little boring, so here is an example.

Take V2X, currently a hot topic, as an example. The intelligent traffic lights and smart cameras installed on urban roads are among the more common roadside intelligent network devices. These devices obtain, in real time, the dynamic information of intelligent connected vehicles passing through the road section (speed, location, driving status, etc.) and upload it to the traffic operation supervision platform. By analyzing congestion, traffic violations, the location of special vehicles with priority right of way and other information, the platform adjusts the signal timing as a whole and pushes signal-switching information to intelligent connected vehicles by wireless signal. Through roadside units it also reminds vehicles of road conditions ahead, gives early warning of hazards such as icy or slippery roads, and reminds vehicles to avoid other traffic participants in construction areas or at intersections.

Looking further, intelligent connected cars, road infrastructure, cellular network facilities, and even the mobile phones and wearable devices carried by pedestrians: every traffic participant that can produce data is woven into a fine spider web, and the data travels along invisible, intangible threads, flowing out of the intelligent connected car and continuously flowing back.

The efficiency of vehicle traffic is improved, the personal safety of traffic participants is protected, and exhaust emissions are further reduced, all on the basis of a secure network.


The basis of this global network is a variety of communication devices, including intelligent networked car terminals, and the real-time communication between these communication devices and the cloud platform of the traffic operation supervision department relies on network security.

None of this is possible without a secure network.

To understand what app security is, we can start with the app that is closest to the consumer.

Intelligent connected cars are known as the new traffic entrance of the mobile Internet, and to live up to this name they inevitably have to compete with mobile phones for traffic. Almost all automakers have the ambition to make vehicles a "third living space", sparing no effort to occupy the user's time and attention.

From games and Weibo to movies and TV, from singing bars to Steam, and even WPS office software and learning powers, more and more mobile apps are appearing on the large central control screen of the car.

When these entertainment-oriented apps crash, users will certainly feel troubled and inconvenienced, but mostly they carry over the tolerant or indifferent attitude they have toward mobile apps, at most joking helplessly that "restarting fixes everything".

However, when this happens in an intelligent connected car, especially in apps that can control the vehicle, the situation changes qualitatively, and the consequences of an app out of control can no longer be brushed aside with a remark or a joke.

Apps developed on Android are almost invariably exposed to three major risks: malicious code, secondary packaging (repackaging) and information leakage.

Apps with remote control functions bring users convenient features such as remote unlocking and starting, active summoning, remote-controlled parking and opening the trunk, but they have also become one of the most common and convenient ways for hackers to break into cars.

If these apps are hacked or attacked during use, and the safety and correctness of the instructions they issue cannot be guaranteed, control of the vehicle's power system and steering system may be stolen. Once the user loses control of the vehicle, the resulting property damage and safety accidents can be extremely serious.

At that time, the scene of a large number of cars flying out of the parking building under the control of hackers will no longer be limited to the movie.


Let's look at data security.

As with mobile apps, using car apps means sharing a series of data with the vehicle, such as personal information, biometrics, browsing records, consumption records, geographical location, payment passwords, and the video and audio recorded by the DMS camera in the car.

These fall under the category of data security.

By analyzing these data, car companies and app operators can generate "guess what you like" recommendations more accurately, making the vehicle another "indispensable intimate partner" in life after the mobile phone. The basis of these recommendations, which cater to the user's tastes, is the massive amount of personal information that car companies and apps obtain from users.

If the target of these apps is the user's time, attention and wallet, which is a matter of personal data security, then the target of in-vehicle sensors is closer to driving and the vehicle itself, which from an information-security perspective is a matter of public data security.

During the operation of intelligent connected vehicles, lidar, millimeter wave radar, cameras, and vehicle CAN/Ethernet networks continuously generate and collect data related to road information and driving behavior information.

Millions of pieces of camera footage and annotated object information collected on public roads are fed to AI training computers to train intelligent driving algorithms. This allows vehicles to keep evolving, to drive more safely, to handle complex situations more reliably, to adapt more quickly to local conditions, and to better support the development of new features and new technologies, forming a positive cycle.

Tesla and its artificial intelligence training computer Dojo are the most typical example of "making good use of data".


However, the same protagonist, the same factor of production, has the opposite effect.

Take the same Tesla: early on, rumors circulated online that officials had driven Teslas into sensitive areas of the mainland and that the Tesla front camera had captured internal road information, raising suspicion of data leakage. This then led many places to issue "no entry, no parking" orders against Tesla. This is also a textbook case, but here Tesla serves as the negative example.

Data, as a necessary factor of production for the automotive industry, is neutral and pure in its own right.

However, how is the data collected? How will it be used, for whom, for what purpose, and with what impact? Furthermore, will private personal information be resold to third parties? Will in-car images be illegally disseminated? Will account passwords be stolen and misused? Will the trajectory of daily life be tracked and spied on? Will sensitive areas and important facilities be illegally leaked?

We cannot find the answers to these questions by looking inward, at the data itself; we can only look outward for a fair and neutral answer.

Consumers, manufacturers and operators urgently need to alleviate and solve the worries and concerns that have been amplified as the sales of intelligent and connected vehicles continue to rise.

We need the "tightening spell" of laws and regulations to nip the excessive use, illegal processing and illegal abuse of data in the bud, so that data can stay true to the original intention of "science and technology for good".

PART II. How to manage

How does the mainland build a legislative framework for the information security of intelligent and connected vehicles?

Before understanding the mainland's laws and regulations on the information security of intelligent and connected vehicles, we need to be roughly clear about what the mainland's legislative framework is.

Mainland legislative frameworks generally operate on two legs – top-down top-level legal design and bottom-up regional, experimental legislation.

The top-down top-level legal design has strict logic and comprehensive coverage, but for rapidly changing new technologies, new functions and new products it often cannot adjust quickly, nor can it provide specific operational guidelines to solve practical problems. Current laws and regulations may then restrict technological development or even conflict with it.

This is where demonstration areas and local regulations show the advantage of being "small and beautiful". They are like "test fields" where things can be tried from the bottom up, on a small scale in a local area. Giving special legislative powers to special economic zones avoids conflicts between technology and law, so that legislation can adapt to development and fill in the gaps.

The benefits of such small-scale, pilot-type legislation are very clear. First, the scope of the pilot is limited, so whenever there is an accident the problem can be extinguished immediately and its impact contained. Second, legislation that takes the "green channel" can respond quickly to new situations and keep up with the speed of technological development, and it serves as a strong practical reference for forming feasible legal provisions with real operational significance.

As an extremely important part of the development of intelligent and connected vehicles, information security also follows the legislative model of "two-pronged approach" + "going in opposite directions".


In terms of top-level design, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China and the Personal Information Protection Law of the People's Republic of China together constitute the legal framework for the information security of mainland citizens.


Compiled from public information on the web

These three laws were deliberated and adopted by the National People's Congress and are aimed at information security across all industries. Conversely, information security in every industry must take these three major laws as its premise and basis, and may not go beyond them.

Put simply, these three laws build a skeleton for all industries in terms of information security. Different industries are like different regions of the skeleton: the skull, the trunk bones, the limb bones. Each has its own characteristics, and their meridians, flesh and blood, even capillaries and skin texture, all differ. It is therefore necessary for legislatures at different levels, national ministries, local governments and industry associations to issue targeted laws and regulations, management norms, standard systems and regulatory notices for the characteristics of each industry, to flesh out a skeleton that has form but no substance.

(Partial) legislative content related to intelligent connected vehicles, compiled from public information on the web

Last year, when Didi's U.S. IPO was investigated and Didi was removed from the shelves by China's state Internet information regulator, the relevant departments investigated Didi on the basis of the Cybersecurity Law of the People's Republic of China.

In the form of legislation of the People's Congress, the Cybersecurity Law stipulates the basic principles, main tasks, major guiding ideologies and concepts of the state's network security work; clarifies the rights, obligations and responsibilities of departments, enterprises, social organizations and individuals; elevates mature policy provisions and measures into laws, providing a legal basis for the work of government departments; and establishes a series of basic systems for national network security.

Therefore, it can be understood that the Cybersecurity Law of the People's Republic of China is the "basic law" of network security in the mainland. It has given the mainland cyber security work a basic legal framework and basic system, reflecting the overall situation and foundation.


Compiled from the Cybersecurity Law of the People's Republic of China

The Data Security Law of the People's Republic of China, the second of the three major laws, is the first law in mainland China to be named after "data" and "data security", clarifying for the first time the principles of regulation of "data".

Its key contents include the establishment of the concept of "national core data", which clearly elevates data security to the category of national security; the establishment of a hierarchical and classified data management system; and the setting of a "red line" that is not allowed to be touched for incidents involving data security risks, such as violating the national core data management system or illegally providing important data abroad.


Compiled from the Data Security Law of the People's Republic of China

The Personal Information Protection Law of the People's Republic of China is another important piece of the puzzle in the legal framework of data security in the mainland.

The Personal Information Protection Law mainly revolves around the handling of personal information.

It establishes corresponding rules from different angles, such as processing rules, cross-border provision, individual rights, processor obligations, protection authorities and legal liabilities, and it emphasizes special rules for sensitive personal information and for the handling activities of state organs.


Compiled from the Law of the People's Republic of China on the Protection of Personal Information

Generally speaking, these three laws are also called the "superior law" of mainland citizens' information security. They apply to a wide range of subjects with full coverage, and are a top-level design that reflects the will of the state. The other path, running in the opposite direction, needs to be paved jointly by national ministries, local governments, industry associations and standards groups.

PART III. Representation

Which laws and regulations are worth paying attention to?

At present, ministries and commissions, local governments, industry associations, standards committees and other institutions are all actively responding to the three higher-level laws within their respective management scopes and jurisdictions. Some have begun to hold symposiums, inviting major car companies and leading intelligent driving enterprises to express their views, and on this basis are revising existing laws and regulations to adapt to technological development. Others, based on predictions of technology trends, use their own legislative power to break through the limitations of the higher-level laws and introduce management regulations specifically to promote the market access and commercialization of intelligent connected vehicles.

Take the "Opinions on Strengthening the Access Management of Intelligent Connected Vehicle Manufacturers and Products" issued by the Ministry of Industry and Information Technology as an example. Although the "Opinions" concern the access management of intelligent connected vehicles and are not aimed at information security, they still devote a separate chapter to detailed provisions on the information security of intelligent connected vehicles, which shows the emphasis placed on information security.


Compiled from the "Opinions on Strengthening the Management of Intelligent and Connected Vehicle Manufacturers and Product Access"

It can be seen that laws and regulations on the information security of intelligent and connected vehicles, with different scopes of rights and responsibilities, different granularity and different jurisdictions, are being rolled out at an accelerating pace in a comprehensive and systematic manner.

In these "protection nets" that are being carefully woven, there is much representative and groundbreaking content that deserves attention, covering network security, data security and personal information security.

In terms of cybersecurity, OTA (over-the-air) updates stand out.

After a long period of market education, consumers have now fully accepted the function optimization, replacement, addition, remediation and correction of vehicles in the form of OTAs. It is even believed that only a vehicle with OTA capabilities can be called an intelligent connected car.

However, more and more consumers are also finding that the OTA originally meant to improve the experience of using the vehicle has changed in character, carrying many hidden extras ("private goods") that users do not know about.


Vehicles are quietly "locked" through OTA: the vehicle's power is limited in order to expand the safety range and improve safety redundancy, while the resulting loss of vehicle performance is left for the unaware owner to bear.

After the car app is updated by OTA, the user is told that unless they agree to let the vehicle record and collect their personal information, the app will simply exit, and the user will not be able to use remote control of the vehicle and other functions.

Accept the unfair "overlord" clause or accept restricted vehicle functions: it is like asking the owner whether to cut off the left hand or the right hand. A multiple-choice question with no real choice has become a bone stuck in the owner's throat.

OTAs have become a box holding Schrödinger's cat: consumers do not know whether an update is an improvement in functionality and experience or a cover-up for some design flaw.

In essence, compared with traditional technical service activities, OTA only changes the technical means; its nature is unchanged, and an OTA is still a technical service activity. Whether the OTA is a recall measure or a technical service measure, the filing obligation must be fulfilled.

In other words, whether it is SOTA that involves software upgrades such as navigation, in-car entertainment, and human-computer interaction, or FOTA related to updating steering, braking, vehicle control, and intelligent driving, it needs to be filed.

On November 25, 2020, the State Administration for Market Regulation issued the Notice on Further Strengthening the Supervision of Remote Upgrade Technology Recalls of Vehicles, and on June 4, 2021, the Quality Development Bureau of the State Administration for Market Regulation issued the Supplementary Notice on the Filing of OTA Technology Recalls for Remote Upgrades of Vehicles, making OTA recalls more operational.

The two notices state that if technical service activities are carried out through OTA, they must be filed in advance; if product defects are eliminated through OTA, this is treated as a recall; and obligations for the undefined defects and any new defects it causes must also be effectively fulfilled in accordance with the law.

In other words, a recall is a recall. Ambiguous descriptions such as "optimization" or "update" can no longer be used to gloss things over, and an OTA is no longer an "umbrella" or "fig leaf" for recalls.

The two notices also contain provisions on how to proceed after incidents such as a vehicle being intruded into and remotely controlled during the OTA process: producers are required to report to the State Administration for Market Regulation and carry out investigations, and they may not conceal defects or handle them privately without filing. Where this happens, the public is mobilized and reports are welcomed, so that enterprise behavior is supervised jointly with consumers.


Compiled from the "Notice on Further Strengthening the Supervision of Recall of Remote Upgrade Technologies for Automobiles"

On September 13, 2021, the Equipment Center of the Ministry of Industry and Information Technology issued the "Notice on Carrying out Self-inspection work on Automotive Data Security and Network Security", and on September 15, 2021, the Ministry of Industry and Information Technology issued the "Notice of the Ministry of Industry and Information Technology on Strengthening the Network Security and Data Security of the Internet of Vehicles", which also clarified the work and requirements related to the software upgrade of intelligent and connected vehicles.

They introduce five dimensions: enterprise management, assessment and verification, access testing, process control, and government supervision. They once again emphasize the need to take the initiative to file and declare before upgrade activities, to ensure the production consistency of automobile products, and not to add or update automotive autonomous driving functions through OTA without approval.

In terms of data security, we can understand the intervention, restrictions and constraints of the legal system on automotive data security by interpreting the "Several Provisions on the Management of Automotive Data Security (Trial)" jointly issued by the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and the Ministry of Communications in October last year.

The Provisions are mentioned in particular because they are the first law in the country to protect data security in the automotive industry.

The content of the Provisions follows on from the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, and sets out requirements covering many aspects, from the objects of management and actual scenarios to regulatory requirements, specific measures and capacity building.

According to the usual thinking, automobile manufacturers are the main party responsible for automobile data security and the main object of its supervision, but the Provisions put forward the concept of "automobile data processor" and apply this concept across the entire chain of the automotive industry. Not only automakers, but also hardware and software suppliers, dealers, maintenance agencies and mobility service companies are automotive data processors, and these roles also need to be included in the regulatory scope, which echoes the fact that "automotive data is generated from the production stage".

Similarly, the broad and abstract term "important data of the automotive industry", which had previously been passed around only by word of mouth, is pinned down in the Provisions through actual scenarios: map information, sensitive areas and the personal information of more than 100,000 people are classified as "important information".

With the two major elements clarified, the scope of supervision (what to manage) and the object of supervision (who to manage), the next step is naturally to put requirements to the objects of supervision.

Following the principle that "risks are inevitable, but risks can be reduced", all regulated parties should establish data security management systems and early-warning and handling capabilities, and need to submit risk assessment reports regularly and prepare response plans for data security incidents.

As for data storage and transmission, the issue that put Didi and Tesla in the spotlight, the "Provisions" state clearly that important data is to be stored in China according to law. Data that does need to be transferred across borders must be assessed in advance and can only be exported after it has been reviewed.

Many foreign and joint venture companies, including Tesla, have built or are building data centers in China, and said that "all user data will be stored in China", which is the direct impact and embodiment of the regulation.

It can be said that the "Several Provisions on the Management of Automotive Data Security (Trial)" has been greatly refined compared with the higher-level law, which is of great significance for the standardized development of data security in the automotive field.

However, it should also be pointed out that much of the content of the Provisions still needs to be explained and refined, and automotive data processors still face many practical difficulties. Detailed documents need to keep being issued to explain the Provisions, in order to effectively guide automotive data processors in carrying out practical work.


Compiled from several provisions on the management of automotive data security (trial implementation)

Personal information is close to everyday life and touches the vital interests of almost everyone, and many car companies have been exposed for a variety of unreasonable, self-serving practices, each exposure causing widespread complaints. Personal stakes and public-opinion pressure combine, so that everyone pays special attention to the legislation on intelligent connected vehicles in terms of personal information.

In fact, there are indeed a lot of laws, regulations and management opinions that give relevant provisions on personal information.

Among the many laws and regulations, we have listed the following key contents of personal information legislation according to the two characteristics of basic and high frequency:

Definition of Personal Information.

Personal information is usually understood as information about the owner, driver and occupants of the car, that is, about the people sitting in the car, obtained electronically by the vehicle (camera, microphone, etc.), such as their whereabouts, biometric information like fingerprints, voiceprints and faces, account passwords, social circles, etc. But this is only personal information in the narrow sense. The "Several Provisions on the Management of Automotive Data Security (Trial)" extend this concept: in addition to the people in the car, personal information also covers people outside the car. Their appearance (biometric information) and their location and trajectory (geographic information) can be captured by the cameras on the outside of the car, and these naturally belong to the category of personal information.

In summary, information from natural persons that is captured through on-board cameras or other on-board sensors is defined as personal information.

Rights and Obligations Regarding the Collection and Processing of Personal Information.

To address apps that silently collect users' personal information behind their backs, the "Several Provisions on the Management of Automobile Data Security (Trial)" explicitly set out the "default non-collection principle": unless the driver changes the setting, the default for every drive is not to collect. The rule closes the loophole most favored by automotive data processors, who deflected users' doubts with the disclaimer that "collection is turned on by default and manually closed by the user".

Subsequent processing of collected information follows a "notification and consent" approach. The automotive data processor must inform the user of the location, duration and use of the information, etc., and obtain the user's consent, which reflects respect for the user's right to decide how their own information is processed.

As for the personal information of natural persons outside the car, "notification and consent" is not practicable. The "Several Provisions on the Management of Automobile Data Security (Trial)" fill this gap by requiring that such information be anonymized: face information in videos/photos is reduced to contours, and pictures that can directly identify natural persons are deleted.

Restrictions on recommendations and ads.

For the ever-present problem of app recommendations and advertising, the relevant solutions can be found in the Shenzhen Special Economic Zone Data Regulations, implemented on January 1, 2022.

The Data Regulations put forward the concept of "data rights", strengthen the protection of personal data, and clearly require that enterprises not force users to grant authorization; users have the right to refuse profiling and recommendations. In other words, users can refuse the "guess you like" recommendations that major apps push at them, and can use app functions normally without sharing their preferences and habits with the app, protecting personal privacy from snooping and forced monetization.

[Figure: compiled from the Shenzhen Special Economic Zone Data Regulations]

PART IV. Breakthrough

What are the phased results to look forward to?

In summary, a picture is slowly but clearly unfolding.

At the top level, government departments continue to strengthen the information security policy system for intelligent connected vehicles, formulate a special plan for the development of information security, and provide unified, effective overall management and standardized guidance for intelligent connected vehicle information security.

One level down, functional departments and local governments, each within its own jurisdiction, have issued laws and regulations and set up different types of demonstration areas specifically for the information security of intelligent connected vehicles, loosening restrictions, keeping up with development, tracking risks and controlling impacts.

Further down, industry associations, standards committees and similar bodies have established a standard system for the network security and data security of intelligent connected vehicles, to address the shortage of information security standards and regulations and the difficulty of putting the system into practice.

The overall planning is clear, well planned and methodical.

The ultimate purpose of this steady progress is to remove the information security obstacles to the production, market launch, road use and commercialization of intelligent connected vehicles.

The good news is that we are likely to see results this year: the Regulations on the Administration of Intelligent and Connected Vehicles in the Shenzhen Special Economic Zone have been released in 2022 after three trials since they were publicly solicited for comments in March 2021.

This will be the first regulation in mainland China governing the management of intelligent connected vehicles, and its final introduction will directly move intelligent connected vehicles from demonstration areas to commercial deployment.

In other words, this year everyone is likely to see intelligent connected vehicles carrying "iron plates" exercising their normal right of way on the streets of Shenzhen.

[Figure: compiled from the Regulations on the Administration of Intelligent and Connected Vehicles in the Shenzhen Special Economic Zone (Draft for Solicitation of Comments)]

The Regulations on the Administration of Intelligent and Connected Vehicles in the Shenzhen Special Economic Zone also devote a separate chapter to "network security and data security", requiring enterprises involved in intelligent connected vehicles to obtain network security testing certification, establish a network security assessment and management mechanism as soon as possible, and formulate data collection and privacy protection plans.

The "Management Regulations" also specifically state that car companies are allowed to obtain desensitized data and information on road violations and traffic accidents related to intelligent connected vehicle products. This means that car companies or intelligent driving solution providers can use massive data to build different types of simulation scene libraries, improve the quantity and quality of those libraries, train intelligent driving systems to cover more extreme situations, and accelerate the optimization and iteration of intelligent driving systems. Of course, all of this must rest on "legal compliance".

Shenzhen is one of the few cities with both special-zone legislative power and a complete industrial chain for intelligent connected vehicles. It has made full use of that legislative power to produce the first visible and tangible result, providing valuable experience and reference for other cities on the information security of intelligent connected vehicles, and exploring the ground and laying a solid foundation for national legislation, which is of great significance.

PART V. To be continued

What else needs to be improved?

Shenzhen's legislative breakthrough is naturally worth looking forward to, and the successful arrival of intelligent connected vehicles on the road is worth celebrating, but we are more concerned about when this can expand from individual pilot points to large-scale nationwide application.

According to the "Technology Roadmap 2.0" released by the China Association of Automotive Engineers in 2020, highly automated intelligent connected vehicles will begin to enter the market in 2025, while L2 and L3 intelligent connected vehicles will account for more than 50% of sales, rising to 70% in 2030.

Similarly, the "New Energy Vehicle Industry Development Plan (2021-2035)" issued by the General Office of the State Council also sets 2025 as the target year for commercial application of highly autonomous vehicles in limited areas and specific scenarios.

These near-term milestones and targets all indicate that the intelligent connected vehicle industry is accelerating its development and maturing.

The goals and routes are clear, the benchmarks are ready to be set, and all that remains is the practical work.

Based on existing publicly available information:

The "General Technical Requirements for Automotive Software Upgrades" is slated as a "strong" (mandatory) standard and is expected to be approved at the end of this year. It will further standardize and make concrete the requirements for automotive software upgrade management.

Laws and regulations on the information security of intelligent connected vehicles are also expected to be introduced this year, including general technical requirements for software upgrades and technical requirements for vehicle information security, and to become a "strong" (mandatory) standard in 2023.

In 2025, a relatively complete network security and data security standard system for the Internet of Vehicles will be formed.

At the end of 2030, we will initially build a network security and data security standard system for the Internet of Vehicles.

These general technical requirements, mandatory standards, recommended standards, standard systems and so on can give the automotive data processors in the industrial chain guidance at the practical level, so that they have laws and rules to follow.

Car companies, or more accurately automotive data processors, need to realize that data in considerable volume and at large scale has become the "oil and trade" of the information age. Rather than delving into how to use data to create maximum economic value, following national policies and regulations and processing information reasonably and compliantly is more important and must be considered first.

Several tasks should sit at the top of the to-do list of automotive data processors: continuously tracking and interpreting updates and revisions to laws and regulations; actively participating in the discussion and formulation of industry standard systems; managing, constraining, testing and evaluating every link and component in the supply chain; establishing a permanent leading body for information security within the company that is fully responsible for the storage, transfer, encryption, analysis, use and safeguarding of data; and building a great wall of vehicle information security.

The information security of intelligent connected vehicles is an invisible game of offense and defense. Often, the huge cost of information security cannot be quantified in a financial report. But incalculable value does not mean zero value, and is more likely to mean priceless.

To borrow from Maslow's theory of needs: weighing the need for security against the need for pleasure, consumers will vote with real money. Anyone who wants to play the ostrich, turn a blind eye or prevaricate may do so; the iron fist of the law will teach them how to behave.

Reference:

Intelligent Connected Vehicle Technology Roadmap 2.0

New Energy Vehicle Industry Development Plan (2021-2035)

Medium- and Long-term Development Plan for the Automotive Industry

Cybersecurity Law of the People's Republic of China

Data Security Law of the People's Republic of China

Law of the People's Republic of China on the Protection of Personal Information

Regulations on Graded Protection of Network Security (Draft for Solicitation of Comments)

Provisions on the Administration of Security Vulnerabilities in Network Products

Measures for the Review of Network Security (Draft Amendments for Solicitation of Comments)

Several Provisions on the Security Management of Automobile Data (Trial Implementation)

Opinions on Strengthening the Management of Access to Intelligent and Connected Vehicle Manufacturers and Products

Regulations on the Promotion of Artificial Intelligence Industry in Shenzhen Special Economic Zone (Draft)

Shenzhen Special Economic Zone Data Regulations

Regulations on the Administration of Intelligent and Connected Vehicles in Shenzhen Special Economic Zone

Supplementary Notice on the Filing of OTA Technology Recall for Remote Upgrade of Automobiles

Notice on Further Strengthening the Supervision of Recalls of Remote Upgrade Technologies for Automobiles

Guidelines for the Construction of Networking Network Security and Data Security Standard System
