Research on intelligent networked automobile data security: focusing on cross-border data flow.

Easy Car News: Recently, the "1 1 China Auto Forum" was held. Huang Peng, deputy chief engineer of the National Industrial Information Security Development Research Center and director of the Information Policy Research Institute, delivered a speech introducing his team's latest research results on the data security of intelligent networked vehicles. He mentioned that industrial innovation and data security will be coordinated, that guidelines and management rules for data classification and grading will be issued as soon as possible, and that pre-risk assessment and post-emergency response mechanisms will be established, with a focus on cross-border data.

The following is a record of the speech:

Good afternoon. I am Huang Peng, deputy chief engineer of the National Industrial Information Security Development Research Center and director of the Information Policy Research Institute. On behalf of the Center, I would like to report the latest research achievement of our team: Intelligent Networked Vehicle Data Security Research. This study is preliminary, and I hope to get guidance from leaders and experts in the future. Today, I will mainly report on five aspects: first, the connotation and development status of intelligent networked vehicles; second, the development trend of intelligent networked automobile data security; third, car companies' understanding of intelligent networked car data security is deepening; fourth, network security enterprises are "promising" in the intelligent networked automobile data security market; fifth, the government actively coordinates the development of intelligent networked automobile industry and data security protection.

First, the connotation and development status of intelligent networked vehicles

As a new and important field and scene, the development of intelligent networked vehicles is unstoppable. Mainstream countries and industry organizations have made some important arrangements for intelligent networked vehicles from the perspectives of systems, products, equipment and networks.

It is considered that intelligent networked vehicles are different from traditional automobile equipment and have at least four remarkable characteristics.

The first is interconnection, which is the basic feature.

The second is software definition. It is a very important feature to develop from the initial mechanical drive to the future data drive. A few years ago, Volkswagen announced that it would invest 3.5 billion euros to build its own car operating system, while the cost of Tesla software accounted for 40% of the cost of the whole vehicle, and the number of lines of S series code exceeded 400 million. Many companies talk about setting up their own software technology companies and developing their own operating systems and apps to adapt to the wave of software-defined cars. At least 60% of the value of future intelligent networked cars comes from software, so future intelligent networked cars are new information technology terminals.

The third is unmanned driving. Just now, Professor Zhu explained in depth the application and risks of driverless driving at different levels and in different scenarios.

The fourth is green and low carbon. In the future, intelligent networked vehicles are mainly electric vehicles, which are very suitable or adapted to the national requirements and layout related to "double carbon".

In addition, we also made a preliminary analysis of the intelligent networked automobile industry chain, from the upstream parts and software to the downstream corresponding content, platform, data and service providers to travel, insurance, leasing, maintenance and other aspects, the whole industry chain has also been constantly evolving. China has laid out the layout in all aspects of the industrial chain, but the core system components are still more dependent on imports. Recently, some breakthroughs have been made in technology research and development, but there is still a certain gap from market-oriented mass production.

Second, the development trend of intelligent networked automobile data security

The main feature of intelligent networked vehicles is that data has become an important value point to drive the development of vehicles. This development trend has new requirements and risks for the safety of vehicles and data, which requires that the safety of intelligent networked vehicles be considered from the perspective of vehicle life cycle on the one hand and data life cycle on the other.

Based on these two dimensions, we find that the data security risks brought by intelligent networked vehicles in the future are still very large and prominent, involving at least four aspects:

First, the industry's awareness of data security needs to be improved. The recent occurrence of a series of corresponding events will affect consumers' confidence in the safety of intelligent networked vehicles to a certain extent.

Second, the risk of data leakage is huge, threatening personal privacy. Because intelligent networked cars collect corresponding information in order to better realize automatic driving or give drivers a better experience, we learned in the process of investigation that an intelligent networked car should collect at least 10TB of data every day, which is not only huge, but also involves the travel trajectory, habits, voice, video and so on of drivers and passengers. Once infringed, it will reveal personal privacy.

Third, there are many loopholes in network security, which threaten personal and property safety. In 2020, there will be more than 2.8 million malicious attacks worldwide. Hackers can control the driving of vehicles through cyber attacks, and can also use software vulnerabilities to control intelligent networked vehicles, so the threats and risks are also very great.

Fourth, it may threaten national security. In order to better realize the interaction between vehicles, roads and surrounding infrastructure, intelligent networked vehicles will also collect data of surrounding scenes and important geographical information. If the accuracy reaches a certain level, it will affect or threaten national security.

We have seen that some countries, especially developed countries and industry organizations, have also introduced management norms and measures. The United States, the European Union and the International Automobile Manufacturers Association have all passed some principled and strategic laws and regulations, including some detailed and operational guidelines.

Different intelligent networked automobile manufacturers have different understanding or protection capabilities for data security due to different genes. We believe that at present, the most important intelligent networked automobile manufacturers come from three types of enterprises:

The first category is traditional car companies, and the development model is gradual, including domestic independent brands and joint venture brands. These traditional car companies are promoting the development, application and digital transformation of related new technologies, but overall, their awareness and ability are still in the process of development.

The second category is information technology enterprises, such as Baidu, Ali, Tencent, Huawei, Didi, Xiaomi and other information technology enterprises. Based on their strong capabilities and ecology in the field of information technology, these enterprises have vigorously promoted the corresponding technical systems and autonomous driving systems, and entered the intelligent networked automobile industry by leaps and bounds.

The third category is the new force of building cars: Ideal, future, Tucki, etc. In their development process, they are all radical, and their consideration and layout of data security also have their own characteristics.

Guidehouse, a world-renowned consulting firm, analyzed the existing competition pattern in the field of intelligent networked vehicles, and found that among the current leaders, four enterprises are basically information technology enterprises. At this stage, enterprises with information technology background have certain advantages in entering the intelligent networked automobile industry.

Interestingly, we know that Tesla has been listed as a 'follower' by Guidehouse, mainly because the agency believes that Tesla's autonomous driving ability and safety guarantee ability have a certain gap compared with its propaganda.

There are still some differences between the three different types of intelligent networked automobile manufacturers in understanding and protecting data security, especially in the layout of corresponding capabilities, including the adjustment of organizational structure and the ability to adapt to new security requirements. However, we find that these three types of enterprises are also cross-border integration and learning from each other.

Third, car companies' understanding of car data security is deepening

We investigated some automobile companies and summarized their understanding and measures of current data security. Car companies are paying more and more attention to data security. Domestic mainstream enterprises intend to greatly enhance their ability to ensure data security by strengthening technical means and management mechanisms.

But in fact, the risks are also very prominent: First, the autonomous controllability of core devices needs to be further improved, such as sensors, chips, radar antennas and so on. It also belongs to the field of "card neck" of intelligent networked cars. Second, the lack of corporate management responsibility, many car companies often carry out some data management work in a "black box" state, making the existing protection mechanism and management measures difficult and lagging behind. Third, there are few actual landing cases and lack of specific guidance and practical guidance. Many enterprises are wandering around the border, and the cost of exploration is also high, and there are many places that need to be further clarified.

From the suggestion point of view, we suggest that car companies improve their data security capabilities from two angles. The first is to improve the safety and controllability of the core basic technology, which involves the intrinsic safety of vehicles. The second is to improve the comprehensive protection ability of data security by adopting a new generation of information technology, including blockchain technology, traffic detection technology and state secret technology.

Fourth, network security enterprises are "promising" in the intelligent networked automobile data security market

Domestic mainstream network security companies are actively deploying new intelligent networked car tracks, mostly based on their traditional products, and then make some adaptive adjustments and optimizations from the perspectives of cloud, management and terminal according to the new scenarios of intelligent networked cars, including data level. Some corresponding network security products are also put forward in the aspects of detection and service.

We investigated Tianrongxin, a domestic security manufacturer, and have formed a comprehensive penetration testing tool and service covering vehicle gateway, ECU, T-BOX, cloud and APP. The next case comes from Baidu, whose autopilot security architecture has covered the whole life cycle of data security.

It can be said that the field of intelligent networked vehicles is a huge market for the network security industry or network security enterprises, but there are also many challenges. First, the existing network security products and solutions can not meet the security requirements of intelligent networked vehicles. Second, the paths of security solutions are different. Some network security companies focus on vehicle security, while others focus on cloud security. Although none of these solutions is better, they need to learn from each other. Third, there are still problems in the application of safety products, such as cost and awareness. We also put forward two suggestions. First, it is suggested that these network security enterprises develop targeted related products and solutions for different scenarios of intelligent networked vehicles to improve their promotion. The second is to explore a network security insurance scheme suitable for intelligent networked car scenes. Insurance is very common in the automobile field, but data security insurance or network security insurance can provide integrated protection for automobile enterprises, users and many information technology service enterprises in the industrial chain.

Fifth, the government actively coordinates the development of intelligent networked automobile industry and data security protection

First of all, at the level of policy planning, the government has issued relevant standard guidelines, including some policy documents, to strengthen the management and control of data throughout its life cycle and emphasize the classification and grading of data.

Second, at the level of laws and regulations, the Network Security Law, the Data Security Law, the Personal Information Protection Law (draft), and the automobile data security management regulations (draft for comments) issued by the Network Information Office have already reflected some targeted considerations of the government. We support the Network Information Office and the Ministry of Industry and Information Technology to issue more detailed management regulations and guidelines, and give guidance from the legal and regulatory level, so as to better guide the practice of the whole industry.

Third, the standard system has been continuously improved, including top-level systematic standards and special standards, which are being introduced and constantly revised and improved.

Fourth, the pilot application has been accelerated, such as the cross-border data pilot in Shanghai Lingang New Area, and some pilots related to road test, risk assessment and risk management and control are also being promoted. Intelligent networked car itself is a new thing, which involves a very complex system. It is really necessary for the government to carry out pilot demonstration work, sum up some excellent practices and carry out follow-up promotion.

Of course, from the perspective of the government promoting industrial development and ensuring data security, it also faces important challenges. First, the whole legal system and standard system still lag behind the development speed of the industry. Second, there is a problem of multi-head supervision, and it is necessary to refine some industry management requirements as soon as possible. From the perspective of data security supervision, the National Network Information Department is the lead department, but when it comes to the promulgation of specific industry rules, it also needs industry authorities and some important industry associations to promote related work. Third, practical measures are not enough. One of the basic tasks of data security supervision and governance is to classify and grade data. For data, we should manage it, but we should not manage it too hard. What needs to be managed, which needs strong supervision means and which needs to flow in the market, a very basic job is data classification and grading.

Our suggestions include four aspects: First, coordinate industrial innovation and development to ensure data security. The second is to introduce guidelines and management rules for data classification and grading as soon as possible. Some important domestic industries, such as finance and industrial internet, have issued corresponding classification and grading guidelines, which can be used for reference by the intelligent networked automobile industry. The third is to establish an ex ante risk assessment and an ex post emergency mechanism. For example, national professional and technical institutions can explore how to provide better services and support. Fourth, pay attention to cross-border data flows. At present, China pays more attention to this issue, and the national network information department is also conducting intensive research. I hope to refine the corresponding data flow rules while learning from the global common practices.

The above is the main content of our current report. In the process of writing the report, we also got the support of some car companies and network security companies. After that, we also hope to cooperate with the enterprises and experts present here, so that we can do more in the field of intelligent networked automobile data security.