
A debate over Chinese-made electric buses has arrived in Australia with familiar speed. Talk of potential kill switches has prompted calls to rip and replace foreign vehicles and turn to domestic supply.
But the concerns driving this debate—remote access, software control, opaque data flows—do not stop at the depot gate. They are embedded across modern critical infrastructure, from the vehicles on our streets to the energy systems powering them. The real question is not simply where technology is made but how much visibility, control and assurance we retain once complex, software-defined systems are deployed at scale.
The debate over Yutong buses, already in service in Australian cities, highlights a structural issue. In electrifying transport, buses are still too often treated as rolling stock rather than as networked infrastructure.
Electric buses are rolling computers. They integrate sensors, battery management systems, telematics, cameras, wireless connectivity and remote maintenance platforms. They generate and transmit data continuously. They are updated, monitored and sometimes controlled from afar. In that respect, they resemble distributed energy assets, where software and remote management matter as much as hardware.
That challenge will intensify. Autonomous features, smart traffic integration and predictive maintenance will increase connectivity, not reduce it. The task is to recognise this early and embed security, assurance and governance from the start.
The core risk is not simply that a bus is made in China. It is that digitally enabled technology introduces vulnerability into critical infrastructure unless it is secured by design, properly configured and actively governed. If systems are poorly built or managed, foreign actors do not need privileged supply-chain access to exploit them. They can target misconfiguration, weak identity controls or third-party compromise instead.
Recent reporting has highlighted concerns raised by Britain’s National Cyber Security Centre and Norwegian transport authorities, which extensively tested Yutong buses. Neither asserted evidence of active sabotage. Instead, they framed the issue as risk rather than threat—limited clarity about data flows, remote access and software update pathways.
That distinction matters. A threat implies intent. Risk reflects exposure and uncertainty. Uncertainty is not proof of wrongdoing. But it does reveal a governance and assurance gap that cannot be closed through blanket bans alone. If the challenge is risk rather than proven threat, the response needs to be proportionate and layered. Transparency, contractual controls over updates and access, and ongoing monitoring matter more than one-off certification.
Excluding a vendor achieves little if the replacement technology is architected insecurely or operated without discipline.
Under Australia’s Security of Critical Infrastructure Act, transportation is explicitly recognised as a critical sector. That designation brings shared responsibilities for safety, resilience and continuity of service.
Yet public debate has collapsed into a blunt binary: foreign equals risky; domestic equals safe. Assembling a bus in Australia does not resolve cyber or supply-chain risk. A locally built vehicle can still depend on foreign batteries, control units, firmware, modems and cloud services. The most sensitive components often sit deep in the technology the vehicle relies on, not visible on the factory floor.
As ASPI’s earlier work on ‘In Whose Tech We Trust?’ argued, ownership alone does not determine trust. Control, visibility and accountability do.
That is where analysing the layers of technology that make a system work becomes essential. It means breaking systems down and asking which components would cause serious harm if compromised, which risks can be mitigated through governance and technical controls and which genuinely require exclusion or redesign.
Some risks are intolerable. A true remote kill switch capable of disabling vehicles at scale from outside Australia would fall into that category, as would covert command-and-control channels that bypass operators entirely. In such cases, prescriptive action is justified.
But secure engineering alone does not eliminate every strategic risk. The 5G debate offers a lesson. Britain initially concluded risks associated with Huawei equipment could be mitigated. Australia formed a different view—that under China’s national security laws, no level of inspection could fully offset the structural risk of potential state compulsion.
In some parts of critical infrastructure, governments may reasonably conclude that certain vendors present risks that exceed mitigation.
Other risks, however, are manageable. Data can be required to remain in Australia. Remote access can be constrained. Update pathways can be supervised domestically. These controls are standard in energy and telecommunications. Public transport has simply lagged in applying them consistently.
Not every component warrants scrutiny. Seats, lighting and interior fittings are not national security risks. Treating every bolt as suspect distracts from the parts of the system that warrant scrutiny.
Buying Australian matters. Domestic manufacturing builds capability and resilience. But buying local is not a substitute for assurance.
The real question is not whether a bus is made in China or Australia. It is whether Australia is embedding security-by-design across critical infrastructure while maintaining clear frameworks to exclude genuinely high-risk vendors where strategic conditions demand it.
As transport, energy and other systems modernise in parallel, the ability to understand and govern the full system architecture—rather than isolated assets—will determine whether infrastructure can be trusted as deployed.