December 2, 2024 | Memo

Laser Focus: Countering China’s LiDAR Threat to U.S. Critical Infrastructure and Military Systems

Introduction

“Only by mastering crucial core technologies within our own hands,” said Chinese Communist Party General Secretary Xi Jinping, “can we [China] truly seize the initiative in competition and development, and fundamentally safeguard our national economic security, national security, and security in other domains.”1 Xi’s declaration underscores his desire to transform China into a science and technology great power, which, he argues, hinges on tightening “international production chains’ dependence on China.”2 LiDAR, a remote sensing technology with both military and civilian applications, stands at the center of Beijing’s bid for technological superiority.

Xi’s technological vision is not just an ambition — it is already materializing. Today, Chinese companies are rapidly consolidating control over the global LiDAR market, with PRC-origin sensors now widely deployed across civilian and military networks worldwide, including in the United States. These sensors often serve as essential nodes within interconnected public safety, transportation, and utility systems, which is a clear benefit to the United States. However, Chinese LiDAR’s system-wide integration also leaves its users vulnerable to espionage and sabotage, potentially enabling Beijing to access sensitive U.S. data or disrupt critical operations.

For decades, Beijing has used cyber operations to breach sensitive networks and infiltrate critical infrastructure in the U.S.3 China’s military and intelligence services could leverage Chinese-made LiDAR systems for espionage purposes, much as they have exploited the compromised communication gear sold by Chinese telecommunications giant Huawei.4 The widespread adoption of Chinese-made LiDAR technology also advances Xi’s “comprehensive national security” (总体国家安全) concept, which merges technological development with state security to enhance China’s geopolitical advantage.5 In practice, Beijing could weaponize Western reliance on Chinese-made systems by manipulating or disrupting LiDAR supply chains as it has done repeatedly with rare earth elements to pressure other countries into accepting its strategic demands.

This memo provides an overview of LiDAR technology, detailing its expanding use across the United States. Next, it examines how LiDAR operates and how China could exploit the broad adoption of PRC-made LiDAR sensors to facilitate espionage or sabotage of critical U.S. networks and infrastructure. Finally, the memo outlines actionable steps policymakers can take to prevent Chinese exploitation of LiDAR technologies and protect U.S. national security.

Countering Chinese LiDAR dominance requires integrating LiDAR into a comprehensive industrial policy that bolsters U.S. technological leadership and economic competitiveness. This approach must go beyond simply reducing reliance on untrusted vendors from foreign countries of concern. It should also focus on expanding domestic LiDAR production capacity and fostering trusted supply-chain partnerships with allied nations. Establishing and enforcing rigorous cybersecurity standards for LiDAR technology will also be essential to safeguarding critical infrastructure and ensuring LiDAR’s secure integration into both civilian and military networks. 

LiDAR Backgrounder

LiDAR (or Light Detection and Ranging) is an advanced remote sensing technology that uses laser pulses to create highly detailed, three-dimensional maps of surrounding environments. By calculating the time it takes for these pulses to return to a sensor, LiDAR can generate precise spatial data far exceeding traditional methods, like radar and sonar. While LiDAR was originally developed in 1961 by Hughes Research Laboratory for lunar exploration, it has evolved into an indispensable tool in a wide range of civilian and military applications worldwide.6

LIDAR image of World Trade Center collapse site shows area topography; darker red marks lower elevations. (Photo by NYC Office of Emergency Management/Getty Images)

The technology’s most well-known civilian application is in the autonomous vehicle (AV) industry, where LiDAR sensors enable real-time object detection and safe navigation in dynamic driving environments. LiDAR has also been integrated into drone, train, and airport transportation systems for similar purposes. Additionally, utility companies and critical infrastructure providers are increasingly using LiDAR to monitor pipelines, power lines, and rail networks, proactively identifying structural weaknesses and environmental hazards before they compromise system integrity.

Urban planners are also integrating LiDAR with artificial intelligence and machine learning to build so-called “safe cities.”7 For example, many cities rely on LiDAR sensors to monitor traffic flows at major road intersections and automatically adjust traffic signals to reduce congestion. LiDAR-enabled alerts can also provide emergency responders with critical, real-time information about vehicle accidents and other safety hazards, enabling more efficient response times. Lastly, LiDAR can optimize city services, such as waste management and energy distribution, by delivering precise data on usage patterns and infrastructure conditions, streamlining resource allocation, and enhancing public safety.8

LiDAR’s applications are becoming essential to modern military and defense systems, too. U.S. reconnaissance and missile guidance systems rely on LiDAR to enhance target acquisition, terrain analysis, and navigation in hostile environments. Looking toward the future of warfare, the Department of Defense’s Joint All-Domain Command and Control initiative aims to integrate data and technology across military platforms to improve battlefield awareness, which will include outfitting next-generation autonomous military vehicles and drones with fully integrated LiDAR suites.9 For instance, the U.S. Army’s Future Vertical Lift program, focused on developing advanced helicopters, will rely on LiDAR for real-time terrain mapping and obstacle avoidance capabilities.10

Military Applications of LiDAR

  • Battlefield Mapping: Enables precise terrain analysis, including in urban environments.
  • Enemy Detection: Helps locate enemy positions and infrastructure.
  • Navigation: Enhances movement by providing detailed spatial awareness.
  • Sea Mine Detection: Identifies the depth of underwater threats.
  • Laser Weapon Support: Predicts performance by analyzing atmospheric conditions.
  • High-Altitude Surveillance: Systems like DARPA’s HALOE map large areas rapidly from the air, offering advanced data collection over 100,000 feet above ground.

China has also prioritized LiDAR as part of its ongoing military modernization. Under its “intelligentized warfare” concept, the People’s Liberation Army (PLA) is integrating LiDAR into defense systems to boost battlefield awareness and precision-strike capabilities.11 LiDAR has reportedly been installed on autonomous Chinese military platforms, including an autonomous fighting vehicle developed by the PLA in partnership with UISEE Technology and Dongfeng Motors. Equipped with advanced LiDAR from Chinese manufacturers such as Hesai, these and other LiDAR-enabled platforms are poised to become a “trump card,” or decisive advantage, in enhancing Chinese reconnaissance operations, according to Chinese state media.12

Source: China Central Television broadcast of Hesai LiDAR (circled) on PLA Autonomous Fighting Vehicle (2022)

Today’s use cases aside, LiDAR’s potential remains largely unrealized. The global LiDAR market is projected to exceed $2.8 billion by 2025, driven by demand for high-resolution mapping, autonomous systems, and automation technologies.13 North America accounted for 36.6 percent of LiDAR-related revenue in 2021, the highest percentage in the world.14 While non-Chinese companies in the United States, Germany, Canada, and Israel are key competitors operating on a level playing field, Chinese LiDAR firms benefit from extensive state support, giving them an outsized advantage.15 This state backing allows Chinese companies to dominate the market, especially in price-sensitive sectors, with Chinese firms accounting for more than 80 percent of global LiDAR sales.16 As LiDAR adoption grows, China’s market dominance could provide Beijing with strategic leverage across other emerging industries, such as precision agriculture, renewable energy, and advanced robotics.

LiDAR Functionality and Known Risks

LiDAR’s transformative potential is undeniable, but its rapid proliferation carries significant risks. The technology’s ability to collect and transmit precise spatial data makes it a prime tool for espionage and sabotage, especially when these systems are manufactured or otherwise controlled by companies located in foreign countries of concern. These risks are set to intensify as LiDAR systems are increasingly deployed near critical infrastructure, transportation hubs, utility grids, and defense nodes across the United States.

China has long recognized LiDAR’s strategic value. In 2018, China identified LiDAR as a critical “chokepoint technology,” and in 2020, Beijing directed that LiDAR be integrated into military systems.17 Through its military-civil fusion strategy, which mandates that Chinese companies collaborate with China’s defense and intelligence agencies, Beijing has blurred the lines between civilian and military technologies.18

At least one Chinese LiDAR company, Hesai, has acknowledged in investment disclosures that the Chinese government “may influence or intervene” in its “operations at any time.”19 Such disclosures highlight the inherent national security risks associated with embedding PRC-manufactured LiDAR systems in U.S. and foreign infrastructure.20 While Hesai denies any affiliation with China’s military, its inclusion on the Defense Department’s Section 1260H list, which designates companies linked to the Chinese military-industrial complex, underscores the U.S. government’s concerns. Notably, after Hesai’s legal challenge briefly led to its removal from the 1260H list in October 2024, the Defense Department promptly re-listed the company “based on the latest information.”21

Chinese law not only facilitates military-civil fusion, it mandates cooperation between Chinese companies and state security agencies. China’s 2017 National Intelligence Law, 2021 Data Security Law, and recently revised Counter-Espionage Law require Chinese companies, including LiDAR manufacturers, to assist state intelligence operations.22 China’s National Intelligence Law, for example, explicitly requires “all organizations and citizens” to support, assist, and cooperate with national intelligence efforts.23 This legal framework extends far beyond China’s borders, potentially enabling the Chinese government to exploit PRC-manufactured LiDAR systems abroad. This jeopardizes the security of any nation that integrates Chinese-made LiDAR into its networks and critical infrastructure systems.

China’s exploitation of civilian technologies for espionage and sabotage purposes is well documented. As FBI Director Christopher Wray testified in 2024, “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”24 The U.S. Department of Commerce has also warned that adversaries could exploit networked devices, including surveillance cameras, drones, and other connected systems, such as LiDAR.25 Similarly, the Department of Defense recognizes that China is actively targeting U.S. critical infrastructure, aiming to disrupt societal functions and interfere with military operations during both peace and wartime.26

Despite these and other known risks, the methods that adversaries such as China could use to exploit LiDAR technology remain poorly understood. Understanding exactly how LiDAR works and how foreign adversaries could exploit its known vulnerabilities is key to preventing its misuse.

How LiDAR Works and Adversarial Risks

LiDAR sensors are equipped with high-speed optical transceivers, including laser emitters and photodetectors, which enable them to transmit and receive information through light pulses. Modern LiDAR systems use coded light pulses, or “fingerprints,” to distinguish their signals from background noise and reduce interference from other sensors.27 With each new generation of LiDAR, the sophistication of pulse encoding increases, potentially introducing more serious risks.

Specifically, as pulse codes become more complex, adversaries could develop new methods to manipulate these signal patterns, potentially using them to interfere with LiDAR systems and the broader networks to which they are connected. This could involve designing “fingerprints” that disrupt LiDAR sensor functionality, including the disabling of a sensor’s safety features.

Figure 1: Standard LiDAR connection box (power, ethernet, GPS).

As LiDAR’s signal processing capabilities advance, each sensor’s supporting hardware is also becoming more sophisticated, further increasing the risk of exploitation. This vulnerability arises from several factors. First, LiDAR sensors utilize advanced embedded processors and non-volatile memory to store firmware, operational logs, and other information. The complexity of these advanced processors could allow for the introduction — and concealment — of malicious code or firmware backdoors that are difficult to detect and neutralize, even upon close inspection.

The incorporation of advanced custom silicon chips in many newer LiDAR sensors, especially those produced in China, presents another layer of risk. These custom chips can be specifically engineered to include hidden vulnerabilities, known as “hardware trojans,” which could provide a LiDAR company or other hostile actor with unauthorized access or control over LiDAR devices.

Furthermore, LiDAR sensors often rely on embedded operating systems, such as Linux, and use Ethernet standards for data transmission. As a result, these sensor systems typically connect to the broader internet, significantly increasing their vulnerability to cyberattack. For instance, many LiDAR sensors include a built-in web interface, accessible via a standard browser and powered by an onboard web server. These web interfaces, if not properly secured, could be remotely accessed and manipulated by hackers or LiDAR companies located in foreign countries of concern to gain control over deployed LiDAR sensors and potentially LiDAR-enabled networks.

What is more, LiDAR systems frequently receive software updates over the internet, often affecting network settings, cybersecurity protocols, and core sensing algorithms. These over-the-internet updates, especially those originating in foreign countries of concern, could introduce additional cybersecurity vulnerabilities, making Chinese-made LiDAR systems highly vulnerable to manipulation.28

Given these hardware and software configurations, LiDAR systems produced by companies located in foreign countries of concern, or otherwise beholden to adversarial governments, are highly vulnerable to two specific cybersecurity threats: disruptive attacks that could disable or misdirect the technology, and unauthorized data exfiltration that could compromise sensitive information.

Disruptive Cyberattacks

Like other connected technologies, LiDAR systems are inherently vulnerable to cyberattacks. However, these risks increase significantly when sensors are manufactured in, or by companies beholden to, foreign countries of concern. Foreign adversaries or the companies they control could potentially embed malicious code in the encrypted components found in most LiDAR sensors, making detection extremely difficult. These types of compromises raise serious cybersecurity risks, particularly because LiDAR’s integration into supply chains and transportation networks creates single points of failure. Manipulating even a small number of sensors could have widespread repercussions.

Figure 2: Illustrative example of a network attack.

LiDAR sensors, as networked devices often connected via Ethernet and linked to systems with internet access, are highly vulnerable to a specific type of disruptive cyberattack known as a network-based attack.29 These attacks commonly rely on malware, which can be embedded at multiple stages: during manufacturing, network integration, or through routine firmware updates. Once malware is installed, attackers can remotely access LiDAR sensors via internet-connected pathways (or access points), potentially disabling the sensors or manipulating them to malfunction or transmit false information.

For example, after gaining remote access to one of these compromised networks, cyber actors could instruct LiDAR sensors to send false fingerprints to other nearby sensors, causing them to malfunction. Such an attack could result in targeted disruptions or the disabling of select safety systems in these networks. In extreme cases, it could cause widespread failures of entire LiDAR-dependent systems, leading to large-scale disruptions in public safety and national defense operations, such as paralyzing autonomous vehicle networks or hindering critical infrastructure monitoring.

The threat of attacks that cause LiDAR sensors to transmit false information is equally severe. Compromised sensor activity could erode policymaker confidence in the reliability of LiDAR-dependent systems, including advanced weapons platforms. This potential loss of faith could undermine strategic decision-making and policymaker resolve to deploy these systems during future conflicts. During wartime, LiDAR-enabled weapons could fail when needed most. Similarly, sensor malfunctions could sow doubt about the integrity of LiDAR-dependent critical infrastructure systems. This extends to systems needed to support future force mobilization, such as domestic rail networks, potentially jeopardizing U.S. military readiness and responsiveness.

Another type of disruptive cyberattack targeting LiDAR systems is an optical attack, in which an adversary sends coded light pulses directly to the sensor’s lens. Unlike network-based attacks, optical attacks do not require internet connectivity, making them difficult to detect. The only known mitigation for optical attacks is to use LiDAR sensors from a trusted source, though even this relies on the assumption that the sensors have not been tampered with during manufacturing or distribution.

This vulnerability becomes clear when considering how an optical attack could be executed. Modern LiDAR sensors transmit and receive “fingerprints” over long distances, even at very low signal levels. These fingerprints reduce interference by ensuring each LiDAR system can identify its unique signal. However, a malicious manufacturer under the control of an adversarial nation could embed malware that activates upon detecting a second, hostile “fingerprint.” In such a scenario, an external light source could transmit this adversarial fingerprint to compromised LiDAR sensors, triggering adverse effects as soon as the hostile signal is recognized.

An adversarial fingerprint could disable the sensor immediately or trigger it to stop functioning at a pre-determined point in the future. In many respects, these optical attacks resemble electronic warfare techniques such as GPS jamming. Unlike jamming, however, they do not require continuous interference. A single instance of interference could potentially disable thousands of LiDAR sensors, leading to widespread disruption across the systems that depend on them, such as those that monitor critical infrastructure.30

The malware necessary to carry out an optical attack could be embedded in the LiDAR sensor during its manufacturing process or introduced later via routine firmware updates. For instance, malicious code could be hidden deep within the millions of transistors found in the custom silicon chips used in modern LiDAR receivers, making it nearly impossible to detect prior to or after deployment.

Moreover, given the extreme sensitivity of modern LiDAR receivers, these types of optical attacks could be delivered from ground-based and airborne systems. For example, an attack could be initiated by something as simple as an individual using a handheld laser device to send the adversarial “fingerprint” to nearby LiDAR sensors. To cover larger geographic areas, delivery would likely involve high-altitude balloons and/or aircraft equipped with ground-directed laser systems.

Figure 3: Illustrative example of an optical attack.

Importantly, the emitted signal does not need to strike the LiDAR sensor directly to achieve its intended effect, as LiDAR systems are designed to detect faint secondary reflections from distant objects. This means that even if the sensor is shielded from direct exposure, an optical attack could succeed by illuminating the general area within several hundred meters of a LiDAR sensor.

Satellite-based laser systems, similar to those already deployed on remote monitoring satellites, could also disable compromised LiDAR sensors in critical areas across the United States within seconds. For instance, a satellite emitting a laser beam with a 5-meter diameter at Earth’s surface and a pulse repetition frequency of 10 megahertz could deliver an optical attack across a 60-square-kilometer area, the size of Manhattan, in just 0.3 seconds. An area the size of Washington, DC, (160 square kilometers) could be targeted in approximately 0.8 seconds.

China’s advancements in satellite-based laser systems, such as those observed in recent orbital missions, heighten the risk of Beijing using space-based technologies to disable compromised LiDAR sensors. Last year, a Chinese satellite, the Daqi-1, was observed using its onboard laser system to take measurements around the Hawaiian Islands.31 Additionally, Chinese state media reported that a Chinese Changguang remote sensing satellite successfully demonstrated space-to-ground laser links.32 These examples indicate that Chinese-controlled satellite laser systems are already in orbit with the demonstrated capability to conduct optical attacks across wide geographic regions, including within the United States.

Unauthorized Data Exfiltration

While disruptive cyberattacks can occur through network-based and optical methods, data exfiltration usually requires an internet connection to covertly transmit sensitive information abroad. This is an area where China has long excelled. In 2018, Chinese hackers breached U.S. Navy defense contractors, stealing data related to undersea warfare and missile programs.33 Similarly, in 2021, Huawei was found to have transmitted sensitive data from surveillance systems installed at the African Union headquarters to servers in China for over five years.34

Figure 4: Illustrative example of delivery systems for optical attacks.

These and other documented examples show how China leverages unauthorized data exfiltration to conduct both military and industrial espionage.

Recent intelligence warnings underscore the serious threat posed by LiDAR systems linked to foreign countries of concern, particularly with regard to unauthorized data exfiltration in the automotive sector. An Estonian Foreign Intelligence Service bulletin revealed that a Chinese LiDAR manufacturer planned to transmit data collected from vehicles in Estonia back to China.35 The unnamed Chinese company was reportedly developing LiDAR systems for self-driving cars in Estonia that would scan the local environment and transmit this information to Beijing. Although data collected for autonomous driving is typically deleted if non-essential, this Chinese firm intended to transfer all environmental data to a China-based database, raising concerns about the potential exploitation of this technology for Chinese intelligence purposes, such as mapping foreign infrastructure, identifying sensitive locations, or tracking patterns of movement. 

Figure 5: Illustrative example of data exfiltration.

Other industries using LiDAR face similar vulnerabilities. The absence of standardized cybersecurity regulations across sectors leaves safeguarding efforts decentralized, with protection varying widely by industry. This sector-by-sector approach results in weak and inconsistent security measures, with many users lacking the knowledge or protocols to prevent data from being covertly transmitted to adversarial entities.

An additional data exploitation risk stems from the fact that an increasing number of LiDAR manufacturers, including those from China, are offering cloud-backed software with their sensor systems. These solutions are often sold to state and local governments in the United States for applications such as traffic management. However, much of the data collected by these systems is stored by the manufacturer.36 If the manufacturer is located in China, it is legally obligated to share information with the Chinese government, including military and intelligence agencies. This creates a direct pathway for Beijing to access and exploit sensitive U.S. data, including the ability to analyze traffic patterns, infrastructure layouts, and other critical data that could inform military, cyber, or espionage operations targeting U.S. cities.

One notable example of such exploitation was the recent “Cloud Hopper” cyber-espionage campaign, attributed to a hacker group linked to China’s Ministry of State Security.37 The campaign targeted foreign cloud service providers, exploiting vulnerabilities to steal intellectual property and sensitive government data from companies and organizations across several industries.38 This incident highlights how Chinese cyber actors can leverage cloud services, potentially including those tied to LiDAR manufacturers, to access vast amounts of sensitive information.39

Limitations of Current Cybersecurity Protocols and Certifications

A LiDAR manufacturer under the influence of a foreign country of concern could embed malware in devices in ways that are nearly impossible for customers or third-party cybersecurity organizations to detect. While cybersecurity standards such as ISO/SAE 21434 and ISO/IEC 27001 provide best practices for automotive cybersecurity and information security management, they are not designed to safeguard products sourced from untrustworthy manufacturers.

Most cybersecurity certifications are essentially compliance checks that rely on information provided directly by the manufacturer and rarely include a review of source code. Auditors typically examine documentation about the manufacturer’s development processes and cybersecurity protocols and then certify products based on whether this documentation meets established standards. These certifications presume the manufacturer is trustworthy and the information provided is accurate.

However, certifications alone cannot guarantee the security of a particular product. A LiDAR manufacturer located in or otherwise beholden to a foreign country of concern could easily program hidden malware into its devices that would evade typical detection techniques by cybersecurity auditors. Detecting the malware would require significant penetration testing, which is expensive, highly technical, and uncommon.

A recent event illustrates the limitations of existing cybersecurity protocols and certifications in detecting firmware errors or malware in Chinese LiDAR sensors. On March 1, 2024, at precisely 12:00 a.m. Coordinated Universal Time (UTC), two LiDAR sensor models produced by Chinese manufacturer Hesai were involved in a global, synchronized disruption. This disruption was caused by a firmware error that failed to account for 2024 being a leap year.40 The sensors incorrectly calculated timestamps after being synchronized to UTC, which is the standard used by LiDAR systems. The result was the grounding of autonomous vehicle fleets in both China and the United States due to timing mismatches between Hesai’s LiDAR sensors and the vehicles themselves.

The affected LiDAR models, the Hesai Pandar 40 and QT, are commonly used in U.S. autonomous vehicles. Several hundred vehicles were impacted during this incident, with some fleets grounded for over 24 hours. Zoox, a U.S. autonomous vehicle company, was the first to alert Hesai to the issue. While this incident was almost certainly the result of an unintended firmware error, not malware, it went unnoticed by Hesai’s customers and by third-party cybersecurity organizations that had certified Hesai’s products — until the malfunction shut down vehicle fleets.

This event underscores how a malicious attack using an intentional time trigger could cause far more widespread disruption if significant numbers of compromised LiDAR systems from adversarial nations were deployed in consumer vehicles or critical infrastructure. If an unintentional error like this can go undetected by cybersecurity auditors and customers, intentionally hidden malware would likely prove equally elusive.
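The following check is an added example, not code from this memo or from Hesai. It shows how a boundary-date sweep before deployment, and a sensor-versus-host skew check at runtime, would surface a leap-year timestamp defect of the kind described above. `naive_to_epoch` is a hypothetical stand-in for a device's calendar-to-epoch conversion (the actual firmware defect is not documented here), and all function names and sample values are constructed.

```python
import calendar
from datetime import date

SECONDS_PER_DAY = 86400
# Cumulative days before each month in a NON-leap year.
CUM_DAYS_NO_LEAP = (0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334)


def naive_to_epoch(y, mo, d, h, mi, s):
    """Hypothetical device-under-test: UTC calendar fields -> Unix seconds.

    Earlier years are counted correctly, but the month table ignores
    Feb 29 of the current year, so results are one day short from
    March 1 through December 31 of every leap year.
    """
    days = date(y, 1, 1).toordinal() - date(1970, 1, 1).toordinal()
    days += CUM_DAYS_NO_LEAP[mo - 1] + (d - 1)
    return days * SECONDS_PER_DAY + h * 3600 + mi * 60 + s


def boundary_instants(year):
    """UTC instants around the calendar edges where date math tends to break."""
    yield (year, 2, 28, 23, 59, 59)
    if calendar.isleap(year):
        yield (year, 2, 29, 0, 0, 0)
        yield (year, 2, 29, 23, 59, 59)
    yield (year, 3, 1, 0, 0, 0)
    yield (year, 12, 31, 23, 59, 59)
    yield (year + 1, 1, 1, 0, 0, 0)


def boundary_sweep(convert, first_year, last_year):
    """Acceptance test: compare a conversion routine with the reference
    (calendar.timegm) at every boundary instant; return (fields, error_s)."""
    failures = []
    for year in range(first_year, last_year + 1):
        for fields in boundary_instants(year):
            error = convert(*fields) - calendar.timegm(fields)
            if error != 0:
                failures.append((fields, error))
    return failures


def classify_skew(sensor_epoch, host_epoch, tolerance_s=0.05):
    """Runtime check: compare a sensor timestamp with the host's UTC clock.

    An offset that is a whole number of days points to a calendar defect
    rather than ordinary clock drift, and should be alerted on separately.
    """
    diff = sensor_epoch - host_epoch
    if abs(diff) <= tolerance_s:
        return "ok"
    days = round(diff / SECONDS_PER_DAY)
    if days != 0 and abs(diff - days * SECONDS_PER_DAY) <= tolerance_s:
        return f"calendar-offset:{days:+d}d"
    return "drift"


if __name__ == "__main__":
    # Sweep three years so that one leap year (2024) is covered.
    for fields, error in boundary_sweep(naive_to_epoch, 2023, 2025):
        print("mismatch at", fields, "error", error, "s")
    # Constructed runtime sample: host clock at 2024-03-01 00:00:00 UTC.
    host = calendar.timegm((2024, 3, 1, 0, 0, 0))
    print(classify_skew(naive_to_epoch(2024, 3, 1, 0, 0, 0), host))
```

Running the sweep against a vendor's decoding library or a bench-connected sensor with a simulated time source, rather than the stand-in function, turns it into a pre-deployment acceptance test.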

Policy Recommendations

LiDAR sensors are becoming crucial for automating and controlling key U.S. infrastructure, including dockyards, drawbridges, traffic signals, and autonomous vehicles. As LiDAR deployment accelerates — particularly in connected vehicles — millions of these systems will be operating across the United States in the coming years. LiDAR’s rapid expansion heightens security risks, particularly when sensors are sourced from countries of concern, such as China. These vulnerabilities could severely compromise U.S. infrastructure and defense systems.

Figure 6: Illustrative example of potential impacts of disruptive cyberattacks.

The U.S. government is beginning to address the security risks posed by Chinese technology. In late September 2024, the Department of Commerce’s Bureau of Industry and Security proposed a rule to ban the sale or importation of connected vehicles using specific Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS) linked to China or Russia.41 This includes telematics, cellular, and satellite modules in VCS and ADS software. However, this proposed rule does not explicitly cover LiDAR systems or other use cases beyond vehicles, leaving many broader vulnerabilities unaddressed.

To address the risks posed by adversary-influenced LiDAR systems, U.S. policymakers must prioritize LiDAR in America’s broader industrial policy. This includes fostering domestic LiDAR competition and building strong public-private partnerships between American LiDAR manufacturers, the U.S. government, and key civilian stakeholders, such as utility and car companies. These and other proactive measures will be necessary to avoid costly “rip-and-replace” scenarios in the future, akin to ongoing efforts to remove untrusted Huawei telecommunications gear from U.S. networks.

Other potential steps to address critical LiDAR-related vulnerabilities and safeguard U.S. infrastructure include the following: 

Strengthening ICTS Scrutiny of LiDAR Under Commerce Department Authorities

  • Expand ICTS Review to Include LiDAR Systems: The Commerce Department’s Information and Communications Technology and Services (ICTS) unit should explicitly include LiDAR systems as a category for future national security reviews.
  • ICTS Unit Risk Assessments and Mandatory Disclosures for LiDAR Providers: The ICTS unit at the U.S. Department of Commerce should mandate that companies importing LiDAR systems from countries of concern provide detailed disclosures about the hardware, software, and security features of their products. Security vulnerabilities should be publicly disclosed, particularly those that could affect critical infrastructure. The next U.S. administration should consider issuing an executive order to enhance these requirements, utilizing the ICTS unit’s existing regulatory authorities to ensure thorough risk assessments for high-risk technologies, including LiDAR, from countries of concern.
  • Ban the Use of PRC-Made LiDAR in Critical Sectors: ICTS, under its existing authorities from Executive Order 13873, should evaluate the risks posed by Chinese-manufactured LiDAR in critical infrastructure sectors such as transportation, energy grids, public safety, and defense systems. If deemed necessary, ICTS should consider restricting the procurement of Chinese-made LiDAR in these sectors, much like it has done with Huawei and ZTE equipment.

Blocking Chinese LiDAR From DoD Supply Chains

  • Maintain Hesai on the Chinese Military Companies List: Congress and the Department of Defense should ensure that Chinese LiDAR manufacturers, including Hesai and others potentially connected to the Chinese military, are thoroughly investigated and remain listed on the Defense Department’s Chinese Military Companies list. This designation restricts their access to U.S. markets and prevents their integration into American defense systems, safeguarding national security.
  • Legislate a Ban on DoD Procurement of Chinese LiDAR Sensors: Congress should consider including legislation in the National Defense Authorization Act to explicitly ban the Department of Defense from procuring LiDAR sensors manufactured by companies based in foreign countries of concern. This ban could mirror other recent legislation prohibiting the department from procuring problematic Chinese-made battery systems.

Enhancing Cybersecurity Standards for LiDAR Systems

  • Establish Sector-Specific Cybersecurity Standards for LiDAR: The National Institute of Standards and Technology (NIST), along with the Cybersecurity and Infrastructure Security Agency (CISA), should develop sector-specific cybersecurity standards for LiDAR systems in critical infrastructure, such as traffic management and smart cities. Congress should consider passing legislation requiring NIST to establish these standards and mandating compliance by federal contractors and grant recipients.
  • Mandate Regular Penetration Testing and Audits of LiDAR Systems: Public- and private-sector LiDAR users should be required to conduct regular penetration testing and cybersecurity audits to ensure their systems are resilient against unauthorized access or manipulation. Congress could consider amending the Federal Information Security Modernization Act to include specific provisions for connected systems, including LiDAR.

Regulating LiDAR Data Usage and Preventing Data Exfiltration

  • Enforce Strict LiDAR Data Localization Requirements: All data collected by U.S. government entities and state/local governments using LiDAR systems should be stored domestically to prevent data exfiltration. Congress could consider amending the CLOUD Act or the International Emergency Economic Powers Act to mandate data localization requirements for LiDAR technology.
  • Develop a National Framework for LiDAR Data Security in Transportation Networks: The Department of Transportation (DoT), in coordination with the Transportation Security Administration at the Department of Homeland Security (DHS), should create a national framework for securing LiDAR data in autonomous vehicles and traffic management systems. This framework should mandate encryption standards, data retention policies, and data-sharing restrictions.

U.S. State-Level Action on Procurement and Regulation

  • Enact State-Level Procurement Bans for Chinese LiDAR Systems: State legislatures should consider adopting procurement bans on PRC-made LiDAR technologies for public infrastructure systems, similar to how states such as Texas and Florida have enacted targeted bans on Chinese drones.

Building Trusted LiDAR Supply Chains With Allied and Partner Nations

  • Launch a “Trusted LiDAR” Supply Chain Initiative: The United States should partner with allies such as Germany, Canada, South Korea, Israel, and Japan to build secure LiDAR supply chains, ensuring these systems meet high cybersecurity standards for use in civilian and military sectors. Congress could also consider legislation to provide targeted tax incentives and subsidies for domestic or allied LiDAR production. This would be similar to the incentives offered to semiconductor producers under the CHIPS Act, albeit on a much smaller scale.
  • Develop a NATO Working Group on Emerging LiDAR Risks: The United States should initiate a NATO (North Atlantic Treaty Organization)-led assessment of LiDAR’s cybersecurity risks in joint military operations. This effort would include developing countermeasures against potential cyber and optical attacks on LiDAR. The Department of Defense should propose establishing a permanent NATO working group dedicated to these concerns, with support from member states’ military cybersecurity units.

Empowering Law Enforcement and Regulatory Agencies

  • Evaluate the Feasibility of DoT Procurement Bans: Congress could consider legislation that would ban the DoT from procuring LiDAR sensors manufactured by companies based in foreign countries of concern. Such measures could also restrict the use of DoT funds, such as SMART Grants, to ensure they are not used for acquiring LiDAR systems produced by these entities.
  • Increase and Enforce Section 301 Tariffs on Chinese LiDAR: The U.S. Trade Representative should consider increasing the existing 25 percent tariff on LiDAR imports from China to 50 percent or higher to counter unfair competition caused by state subsidies and oversupply practices in China. Additionally, Customs and Border Protection should be tasked with investigating past LiDAR imports from Chinese companies to ensure proper enforcement of tariffs. This would help protect U.S. LiDAR manufacturers from predatory pricing and support a more competitive domestic market.
  • Create a DHS Task Force on Emerging LiDAR Threats: DHS, through CISA, should create an inter-agency task force focused on emerging threats posed by LiDAR systems, with a particular emphasis on vulnerabilities in transportation and critical infrastructure. The task force should release regular public reports on vulnerabilities, mitigation strategies, and incident response planning for cyberattacks targeting LiDAR systems.
  • Expand the ‘Covered List’ to Include Chinese LiDAR Manufacturers: The Federal Communications Commission (FCC) should add Chinese LiDAR manufacturers to its “Covered List” of banned entities, preventing U.S. companies from using federal subsidies to purchase these systems. Congress could also direct the FCC to investigate this issue through new legislation, if needed.
  • Conduct ODNI-Led Technical Threat Assessments for Foreign LiDAR Systems: The Office of the Director of National Intelligence (ODNI) should lead inter-agency efforts to conduct comprehensive technical threat assessments on LiDAR systems sourced from foreign adversaries. These assessments would evaluate cybersecurity vulnerabilities, espionage risks, and supply-chain concerns, providing crucial intelligence for protecting U.S. infrastructure and military capabilities.

Increasing Public Awareness and Transparency

  • Require Transparency for Municipal LiDAR Deployments: Municipal governments deploying LiDAR systems in public infrastructure projects (such as smart cities) should be required to notify the federal government about the source of the technology and whether it originates from a foreign country of concern. This transparency measure will allow communities to make informed decisions about the technology being integrated into their environment. Congress should require such disclosures as part of federal grant conditions, mandating that recipients of federal infrastructure funding disclose technology sources.

Conclusion

China’s rapid advancements in LiDAR technology, underpinned by state-led initiatives and Xi’s comprehensive national security strategy, present escalating risks to critical infrastructure, defense systems, and technological independence. As Beijing seeks to expand its influence over LiDAR supply chains, the United States and its allies must implement robust policies to secure their own LiDAR capabilities and protect against foreign exploitation. Acting now to address these vulnerabilities will safeguard national security and preserve the resilience of vital technological ecosystems.
