I work in rail safety. Two major non-Chinese train companies attempted to merge a few years ago, explicitly to build a company that could compete with China's national company, and provide safer alternatives to state-sponsored cyberhacking of Western rail.
It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal. Several attempts were made to streamline the merger, but she wouldn't budge.
As a result, CRCC continues to win contracts abroad, largely (it is believed) by undercutting competition. IP theft is known to be one objective of their at-loss or low-profit contracts (I've been involved in fighting that, specifically).
It's hardly a stretch to imagine that having control of the rail in countries that might oppose you militarily is strategically huge.
This article is about busways, but the parallels are obvious.
About a year ago a Polish rail equipment supplier brought a lawsuit over a locomotive because it was serviced by a third-party, and the service was enabled by jailbreaking software in the locomotive.
Surveillance tech in products doesn't necessarily imply grey zone warfare. But that doesn't make it a good thing either.
The problem with "oh, but wait, this merger actually improves competition" is that mergers are a contagion. A large competitor's mere existence creates an economic imperative for more mergers. This happens both horizontally (across multiple firms) and vertically (up and down the supply chain). When you get big, you can start stripping your vendors' and customers' of their profit margin, which means they need to get big to compensate. Even if a merger might have positive competitive effects, it still spreads the contagion. Which is a problem, because anyone who doesn't or can't get big will get fucked. That includes individual consumers and workers.
If the problem is that Chinese companies are shipping train firmware with backdoors, then you need to ban those companies. Problem is, given the Newag situation[0], I don't think they can actually do this at the level of individual procurements. So they need specific EU directives banning this behavior and explicitly adding a process by which procurement can ban suppliers for prior noncompliance. What facilitating an illegal merger will do is reduce the EU's bargaining power with industry, ensuring that we get more backdoored trains and more risk.
[0] Short version: they got caught shipping firmware that bricks the train if you take it to a third-party repair shop, even though the contract specifically mandated Newag provide repair manuals. EU agencies and member states do not have the power to disqualify Newag from future tenders for failing to adhere to prior ones, so they keep winning contracts
The European champion would still be ten times smaller than the Chinese but would have factual monopoly in Europe. I don’t think blocking the merger was entirely unreasonable.
The west is too lax on some of these officials. People like this should be thoroughly investigated. China is flagrantly breaking the rules of the WTO that the west has set up, having state backed companies, and these people are either purposefully or unintentionally undermining the west's efforts to fight back.
So put 70% anti dumping duties (tariffs) on CRCC trains like they did with ebikes?
This will probably get fixed with software audits necessary for compliance under the NIS2 directive. The EU fixed the problem with more regulation and bureaucracy, ensuring that only the big boys can comply. Protect us from China by becoming China?
If you are a capitalist, you should be pro-acquisition (i.e. of smaller firms) and anti-merger (for larger firms), because mergers are a form of crony capitalism that leads to reduced product quality and market dysfunction.
First, merging firms reduce the number of products they sell, with the effects materializing one year after the M&A and accelerating over the next several years.
Second, merging firms tend to drop and add products at the periphery of their joint product portfolio.
Third, the net effect is an increase in the similarity among the products that firms offer following a merger or acquisition.
This finding has been consistently true since people have started measuring merger outcomes, "we find that each merger is associated with a quality decrease (increase) in markets where the merging firms had (had no) pre-merger competition with each other, and the quality change can have a U-shaped relationship with pre-merger competition intensity. Consumer gains/losses associated with quality changes, which we monetize, are substantial " – https://www.sciencedirect.com/science/article/abs/pii/S01677...
It is doubtful that merging two companies would have improved the EU's capability to compete with Chinese state operators. On the other hand, lowering the capital threshold to create a new entrant would definitely improve the EU's competitive position and capabilities, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=cele...
> Two major non-Chinese train companies attempted to merge
Siemens (Germany) and Alstom (France)
> It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal
Margrethe Vestager, the European Commissioner for Competition at the time (2019). At the time of the decision, she said "No Chinese supplier has ever participated in a signaling tender in Europe or delivered a single very high speed train outside China. There is no prospect of Chinese entry in the European market in the foreseeable future." This has since been proven to be a bad prognostication, as China Railway Signal & Communication (CRSC) is actively deploying its ETCS Level 2 signaling system on the Budapest–Beograd railway line in Hungary[1]; and China has delivered trains to Serbia, leased trains to Austria's Westbahn, acquired German locomotive manufacturer Vossloh Locomotives, and participated in a public tender in Bulgaria for electric trains.
She is no longer in that position. She has as of 2024 become "tough on China,"[2] acknowledging mistakes made in the past and touting how "China came to dominate the solar panel industry... and is running the same game now, across strategic industries including electric vehicles, wind turbines and microchips."
She now says Biden's IRA was a mistake, that Europe has been de-industrializing and that is not a good thing, and that Europe has been too afraid to impose tariffs on China out of fear of retaliation from China.
It sounds remarkably similar to the MAGA playbook on trade and re-industrialization.
Is there really not enough room in the global market for two smaller companies to compete (and win) against CRCC?
I think this is especially not that big a deal considering the national security implications. I expect Norway would contract with a non-Chinese company for bus, rail, everything from now on due to that, regardless of whether or not they are smaller than the CRCC.
Is there a strategy where China could remain a supplier of "lobotomized" hardware? Example: China supplies the trains, but all the silicon must be added after import.
You are, of course, referring to Alstom and Siemens.
"A slap in the face is more effective than ten lectures. It makes you understand very quickly." —Leopold van Sacher-Masoch
Siemens received the slap in the form of Stuxnet. Industrial controls and transport are not the same business unit, but enough of the message got around internally.
I firmly believe Alstom would not be making such garbage today, at least not from a cybersecurity perspective, had this merger gone ahead. And, let's say, I know quite well exactly what type of hot garbage they unfortunately continue to make.
Honestly I couldn't care less considering how scummy our train making companies are, I'm fine with Chinese selling trains on a loss for pieces of paper. It's their problem if they want to build them and ship them for pennies, their loss.
Our companies meanwhile are all turning in John Deere, and I'm glad the merger was blocked.
The security part, obviously I do care but this article says very little about it.
So... did the Chinese company put Romanian SIMs in the busses? Or was it an importer that installed those? Are there fleet management features enabled by that connectivity or are they actually secret?
Also, why would they purchase busses that they thought couldn't be remotely monitored or controlled?! That seems like a very valuable feature for public transport.
Whats sad is Norway sits right next to the country which manufactures Scania and Volvo Busses, but instead buys busses from thousands of km away. I suppose cost is all that maters these days, even for national infrastructure which must remain in control and secure.
I know for a fact that at least one of those companies also installs SIM cards in all their busses.
The only difference is who could potentially use the backdoor, and yes Sweden seems slightly less poised to attack Norway than China. At least these days. Because, let's face it, the Swedes owned Norway back in the day and them wanting their oil-rich lucky cousin back at home is deranged but not as much as the Chinese wanting the fjords....
If your transport is accessible remotely, it can be hacked remotely.
This reminds me of that story about Polish Trains. In that case GPS was used to execute a kill code.
https://social.hackerspace.pl/@q3k/111528162462505087
Ah, and they never review iPhones/Android phones after Israeli companies demonstrated they can backdoor any cellphone on this planet, and especially after they demonstrated they can explode consumer devices and maim 3000+ people overnight.
They don’t review Windows machines either after the Snowden revelations.
How many wars did the Chinese start in the past century?
1929 – Sino-Soviet Conflict (Chinese Eastern Railway) — ROC authorities moved to seize the CER in Manchuria; the USSR responded militarily. (Initiation: ROC seizure.)
1954–1955 – First Taiwan Strait Crisis — PRC began large-scale shelling of Kinmen/Matsu and amphibious operations (e.g., Yijiangshan). (Initiation: PRC artillery/offensives.)
1958 – Second Taiwan Strait Crisis — PRC opened intense bombardment of Kinmen/Matsu. (Initiation: PRC artillery.)
1962 – Sino-Indian War — PRC launched major offensives in October after a series of frontier incidents. (Initiation: PRC large-scale attack; India calls it unprovoked, PRC says “counter-attack.”)
1967 – Nathu La & Cho La clashes (India border) — Firefights erupted while India was fencing the pass; Chinese forces are generally assessed to have fired first at Nathu La. (Initiation: PRC fire in initial clash.)
1969 – Sino-Soviet Border Conflict — PLA ambushed Soviet troops on Zhenbao/Damansky Island in March; further clashes followed. (Initiation: PRC ambush.)
1974 – Battle of the Paracel Islands (vs South Vietnam) — PLAN/PLA forces expelled RVN units and took full control of the Paracels. (Initiation: PRC naval attack in contested area.)
1979 – Sino-Vietnamese War — PRC invaded northern Vietnam in February. (Initiation: PRC cross-border invasion.)
1984–1989 – Sino-Vietnamese Border War (post-1979 phase) — PRC mounted periodic offensives and artillery duels (e.g., Laoshan/Johnson Mountain). (Initiation: multiple PRC attacks in a protracted conflict.)
1988 – Johnson South Reef Skirmish (Spratlys, vs Vietnam) — PLAN engaged Vietnamese forces and seized the reef. (Initiation: PRC assault during standoff.)
Internal (civil/unification campaigns)
1926–1928 – Northern Expedition — ROC (KMT) launched a national unification war against warlords. (Initiation: ROC campaign.)
1930–1934 – Encirclement Campaigns against the Chinese Soviet — ROC initiated successive large operations against CCP base areas. (Initiation: ROC offensives.)
1949–1950 – Hainan & Zhoushan/Coastal-Islands Campaigns — PRC amphibious operations against ROC-held islands during the civil war endgame. (Initiation: PRC landings.)
1950–1951 – Tibet (Chamdo campaign → occupation) — PLA entered eastern Tibet and compelled the Seventeen-Point Agreement. (Initiation: PRC invasion; PRC frames as “peaceful liberation.”)
All I can say is that shivers go down my spine what could happen if one of those OEM's that have remote updates possible would get their keys compromised. You could brick hundreds of thousands of vehicles. I would be scared shitless to store those things.
>The transport operator stressed there is no evidence of misuse but said the discovery moves concerns “from suspicion to concrete knowledge”. (...) The case comes as Chinese electric buses are increasingly adopted across global markets,
If a state wants to hide strategic "war/espionage" control, they don't use eSims and open mobile communications, trivially discoverable and traceable. Sounds like some bs "IoT" / telemetry shit manufactures are shoving down our throats for over a decade.
The other side is feigning shock at common industry practices (don't all Tesla's require a net connection for example), to paint it as some unique issue, and kill their sales. In other words , just another episode in the trade war.
Not unlike the DJI drones, which added all kinds of shit because the regulators demanded it, and then they act surprised that it has that shit...
It should be required that all software running on vehicles should have its source code submitted to the regulators along with the tooling to create reproducible builds, with the expectation that the regulators can audit it for back doors. This should apply to cars, buses trains and planes.
Duh. What is so surprising here? Is there any serious machinery from any manufacturer that does not have said remote-access feature? For example Deere equipment looted by Russia was remotely disabled by Deere.
Hospitals all of the world are wholesale switching to chinese equipment - particularly mindray monitors/anaesthetic machines. China could brick all of these hospitals. We are so incredibly dependent on them.
I do worry if they are adding this to buses what are they doing to MacBooks and your phone? Do people here think these devices are compromised or should we take Apple’s word for it!?
It's a bit of a non-issue if you ask me. This remote-access feature sounds like what we usually call a software update feature if it came from a country we weren't scared of.
China disabling our buses? Really? That would be insanely petty and useless.
I think maybe we're straining at gnats and swallowing camels, considering virtually all our phones, computers, TVs etc. come with auto update features, usually giving someone in the US the theoretical capability to brick it. And considering what was done to Karim Khan, I'd say they're far more likely to actually use it.
This is exactly why BYD is and should continue to be banned in the US. It’s not that they are doing this, but that they have done it and they have the capability
[+] [-] IAmBroom|4 months ago|reply
It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal. Several attempts were made to streamline the merger, but she wouldn't budge.
As a result, CRCC continues to win contracts abroad, largely (it is believed) by undercutting competition. IP theft is known to be one objective of their at-loss or low-profit contracts (I've been involved in fighting that, specifically).
It's hardly a stretch to imagine that having control of the rail in countries that might oppose you militarily is strategically huge.
This article is about busways, but the parallels are obvious.
[+] [-] Zigurd|4 months ago|reply
Surveillance tech in products doesn't necessarily imply grey zone warfare. But that doesn't make it a good thing either.
[+] [-] kmeisthax|4 months ago|reply
If the problem is that Chinese companies are shipping train firmware with backdoors, then you need to ban those companies. Problem is, given the Newag situation[0], I don't think they can actually do this at the level of individual procurements. So they need specific EU directives banning this behavior and explicitly adding a process by which procurement can ban suppliers for prior noncompliance. What facilitating an illegal merger will do is reduce the EU's bargaining power with industry, ensuring that we get more backdoored trains and more risk.
[0] Short version: they got caught shipping firmware that bricks the train if you take it to a third-party repair shop, even though the contract specifically mandated Newag provide repair manuals. EU agencies and member states do not have the power to disqualify Newag from future tenders for failing to adhere to prior ones, so they keep winning contracts
[+] [-] adrianN|4 months ago|reply
[+] [-] ecshafer|4 months ago|reply
[+] [-] l5870uoo9y|4 months ago|reply
[+] [-] jayde2767|4 months ago|reply
[+] [-] goalieca|4 months ago|reply
[+] [-] sharken|4 months ago|reply
https://ec.europa.eu/commission/presscorner/detail/es/ip_19_...
[+] [-] petre|4 months ago|reply
This will probably get fixed with software audits necessary for compliance under the NIS2 directive. The EU fixed the problem with more regulation and bureaucracy, ensuring that only the big boys can comply. Protect us from China by becoming China?
[+] [-] stein1946|4 months ago|reply
[+] [-] areoform|4 months ago|reply
This finding has been consistently true since people have started measuring merger outcomes, "we find that each merger is associated with a quality decrease (increase) in markets where the merging firms had (had no) pre-merger competition with each other, and the quality change can have a U-shaped relationship with pre-merger competition intensity. Consumer gains/losses associated with quality changes, which we monetize, are substantial " – https://www.sciencedirect.com/science/article/abs/pii/S01677...
It is doubtful that merging two companies would have improved the EU's capability to compete with Chinese state operators. On the other hand, lowering the capital threshold to create a new entrant would definitely improve the EU's competitive position and capabilities, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=cele...
[+] [-] CGMthrowaway|4 months ago|reply
Siemens (Germany) and Alstom (France)
> It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal
Margrethe Vestager, the European Commissioner for Competition at the time (2019). At the time of the decision, she said "No Chinese supplier has ever participated in a signaling tender in Europe or delivered a single very high speed train outside China. There is no prospect of Chinese entry in the European market in the foreseeable future." This has since been proven to be a bad prognostication, as China Railway Signal & Communication (CRSC) is actively deploying its ETCS Level 2 signaling system on the Budapest–Beograd railway line in Hungary[1]; and China has delivered trains to Serbia, leased trains to Austria's Westbahn, acquired German locomotive manufacturer Vossloh Locomotives, and participated in a public tender in Bulgaria for electric trains.
She is no longer in that position. She has as of 2024 become "tough on China,"[2] acknowledging mistakes made in the past and touting how "China came to dominate the solar panel industry... and is running the same game now, across strategic industries including electric vehicles, wind turbines and microchips."
She now says Biden's IRA was a mistake, that Europe has been de-industrializing and that is not a good thing, and that Europe has been too afraid to impose tariffs on China out of fear of retaliation from China.
It sounds remarkably similar to the MAGA playbook on trade and re-industrialization.
[1]https://www.railwaygazette.com/infrastructure/china-railway-...
[2]https://www.politico.eu/newsletter/brussels-playbook/vestage...
[+] [-] kelnos|4 months ago|reply
I think this is especially not that big a deal considering the national security implications. I expect Norway would contract with a non-Chinese company for bus, rail, everything from now on due to that, regardless of whether or not they are smaller than the CRCC.
[+] [-] xnx|4 months ago|reply
[+] [-] markus_zhang|4 months ago|reply
[+] [-] ThePowerOfFuet|4 months ago|reply
"A slap in the face is more effective than ten lectures. It makes you understand very quickly." —Leopold van Sacher-Masoch
Siemens received the slap in the form of Stuxnet. Industrial controls and transport are not the same business unit, but enough of the message got around internally.
I firmly believe Alstom would not be making such garbage today, at least not from a cybersecurity perspective, had this merger gone ahead. And, let's say, I know quite well exactly what type of hot garbage they unfortunately continue to make.
It's a shame.
[+] [-] epolanski|4 months ago|reply
Our companies meanwhile are all turning in John Deere, and I'm glad the merger was blocked.
The security part, obviously I do care but this article says very little about it.
[+] [-] BrenBarn|4 months ago|reply
[+] [-] t-3|4 months ago|reply
Also, why would they purchase busses that they thought couldn't be remotely monitored or controlled?! That seems like a very valuable feature for public transport.
[+] [-] MisterTea|4 months ago|reply
[+] [-] eliasson|4 months ago|reply
[+] [-] mort96|4 months ago|reply
[+] [-] Stevvo|4 months ago|reply
[+] [-] thatwasunusual|4 months ago|reply
[+] [-] dsign|4 months ago|reply
The only difference is who could potentially use the backdoor, and yes Sweden seems slightly less poised to attack Norway than China. At least these days. Because, let's face it, the Swedes owned Norway back in the day and them wanting their oil-rich lucky cousin back at home is deranged but not as much as the Chinese wanting the fjords....
[+] [-] dlgeek|4 months ago|reply
[+] [-] sdfhbdf|4 months ago|reply
See: https://cyberdefence24.pl/cyberbezpieczenstwo/blokady-w-poci...
[+] [-] gessha|4 months ago|reply
[+] [-] hopelite|4 months ago|reply
[+] [-] ChrisArchitect|4 months ago|reply
Danish authorities in rush to close security loophole in Chinese electric buses
https://www.theguardian.com/world/2025/nov/05/danish-authori...
[+] [-] linhns|4 months ago|reply
[+] [-] josefritzishere|4 months ago|reply
[+] [-] bronlund|4 months ago|reply
[+] [-] submeta|4 months ago|reply
They don’t review Windows machines either after the Snowden revelations.
How many wars did the Chinese start in the past century?
[+] [-] avereveard|4 months ago|reply
1929 – Sino-Soviet Conflict (Chinese Eastern Railway) — ROC authorities moved to seize the CER in Manchuria; the USSR responded militarily. (Initiation: ROC seizure.) 1954–1955 – First Taiwan Strait Crisis — PRC began large-scale shelling of Kinmen/Matsu and amphibious operations (e.g., Yijiangshan). (Initiation: PRC artillery/offensives.) 1958 – Second Taiwan Strait Crisis — PRC opened intense bombardment of Kinmen/Matsu. (Initiation: PRC artillery.) 1962 – Sino-Indian War — PRC launched major offensives in October after a series of frontier incidents. (Initiation: PRC large-scale attack; India calls it unprovoked, PRC says “counter-attack.”) 1967 – Nathu La & Cho La clashes (India border) — Firefights erupted while India was fencing the pass; Chinese forces are generally assessed to have fired first at Nathu La. (Initiation: PRC fire in initial clash.) 1969 – Sino-Soviet Border Conflict — PLA ambushed Soviet troops on Zhenbao/Damansky Island in March; further clashes followed. (Initiation: PRC ambush.) 1974 – Battle of the Paracel Islands (vs South Vietnam) — PLAN/PLA forces expelled RVN units and took full control of the Paracels. (Initiation: PRC naval attack in contested area.) 1979 – Sino-Vietnamese War — PRC invaded northern Vietnam in February. (Initiation: PRC cross-border invasion.) 1984–1989 – Sino-Vietnamese Border War (post-1979 phase) — PRC mounted periodic offensives and artillery duels (e.g., Laoshan/Johnson Mountain). (Initiation: multiple PRC attacks in a protracted conflict.) 1988 – Johnson South Reef Skirmish (Spratlys, vs Vietnam) — PLAN engaged Vietnamese forces and seized the reef. (Initiation: PRC assault during standoff.)
Internal (civil/unification campaigns) 1926–1928 – Northern Expedition — ROC (KMT) launched a national unification war against warlords. (Initiation: ROC campaign.) 1930–1934 – Encirclement Campaigns against the Chinese Soviet — ROC initiated successive large operations against CCP base areas. (Initiation: ROC offensives.) 1949–1950 – Hainan & Zhoushan/Coastal-Islands Campaigns — PRC amphibious operations against ROC-held islands during the civil war endgame. (Initiation: PRC landings.) 1950–1951 – Tibet (Chamdo campaign → occupation) — PLA entered eastern Tibet and compelled the Seventeen-Point Agreement. (Initiation: PRC invasion; PRC frames as “peaceful liberation.”)
[+] [-] jjangkke|4 months ago|reply
[deleted]
[+] [-] RealityVoid|4 months ago|reply
[+] [-] coldtea|4 months ago|reply
If a state wants to hide strategic "war/espionage" control, they don't use eSims and open mobile communications, trivially discoverable and traceable. Sounds like some bs "IoT" / telemetry shit manufactures are shoving down our throats for over a decade.
The other side is feigning shock at common industry practices (don't all Tesla's require a net connection for example), to paint it as some unique issue, and kill their sales. In other words , just another episode in the trade war.
Not unlike the DJI drones, which added all kinds of shit because the regulators demanded it, and then they act surprised that it has that shit...
https://uavcoach.com/dji-ban/#7
[+] [-] hgomersall|4 months ago|reply
[+] [-] hollow-moe|4 months ago|reply
[+] [-] wood_spirit|4 months ago|reply
BYD electric busses have recently rolled out where I live in Sweden.
[+] [-] rramadass|4 months ago|reply
Why Israel Just Banned 700 Chinese Cars from Its Military—And What It Means for Security - https://securityboulevard.com/2025/11/why-israel-just-banned...
IDF recalls 700 Chinese EVs used by senior officers over security concerns - https://www.thejc.com/news/israel/idf-recalls-chinese-evs-se...
[+] [-] FpUser|4 months ago|reply
[+] [-] chhxdjsj|4 months ago|reply
[+] [-] andy_ppp|4 months ago|reply
[+] [-] vintermann|4 months ago|reply
China disabling our buses? Really? That would be insanely petty and useless. I think maybe we're straining at gnats and swallowing camels, considering virtually all our phones, computers, TVs etc. come with auto update features, usually giving someone in the US the theoretical capability to brick it. And considering what was done to Karim Khan, I'd say they're far more likely to actually use it.
[+] [-] cronelius|4 months ago|reply
[+] [-] unknown|4 months ago|reply
[deleted]
[+] [-] throwmeaway307|4 months ago|reply