Commerce Department to Restrict Foreign Auto Tech Over National Security Concerns
Chris Liotta • September 23, 2024
Image caption: An assembly worker puts together a car engine at the Geely Automobile Manufacturing Plant in Linhai, Zhejiang Province, China, in March 2017. (Image: Shutterstock)
The Biden administration warned Monday of escalating foreign threats to the information and communications technology supply chain and took steps to ban Chinese-made connected car hardware and software from reaching the U.S. market.
The Commerce Department issued a notice of proposed rulemaking to prohibit automakers from importing hardware or software from the People’s Republic of China or Russia that enables vehicles to connect to networks, communicate with other devices, or share data. The proposed rule also seeks public feedback on whether other foreign adversaries, such as Iran, pose similar national security risks to the ICT supply chain.
The Commerce Department said China and Russia could gain privileged access through connected car parts or software, potentially “exfiltrating sensitive data” and “enabling remote access to or operation of connected vehicles.” Remote cyber attacks have risen sharply in recent years; research cited in the proposed rule projected that 95% of malicious activity would exploit network connections such as Wi-Fi and Bluetooth by 2023.
Chinese automakers, especially electric car makers, are aggressively expanding overseas, becoming the world’s second-largest auto exporter after Japan by 2023. Markets for Chinese cars are mainly outside the United States, in Russia and Latin America, but this expansion presents challenges for U.S. policymakers who worry that modern cars with on-board computers could give the Beijing government an easier way to monitor users and critical infrastructure, and even clog roads.
According to the proposed rule, vehicle systems equipped with Chinese or Russian software could be exploited to spread malware or inject malicious code into the vehicle’s operating systems. The Commerce Department also said foreign adversaries could remotely access vehicles in the U.S. to “cause inappropriate engine shutdown, braking, or the shutdown of electrical systems.”
White House National Economic Council Director Lael Brainard said the proposed regulations were also an effort to avoid a “second China shock,” referring to the economic turmoil in the United States caused by China’s rapid emergence as a global manufacturing power in the early 2000s.
“China is overwhelming global markets with a wave of auto exports at a time of overcapacity,” Brainard said in a speech to the Detroit Economic Club. “The Administration is determined to avoid a second China shock, and that means playing catch-up before a flood of low-cost Chinese vehicles cripples the U.S. auto industry’s ability to compete globally.”
“Americans should be able to drive the car of their choice, whether it’s gasoline, hybrid or electric,” she said, “but if they choose an EV, it should be made in America, not China.”
According to John Sheehy, senior vice president of research and strategy at investigative security firm IOActive, the proposed regulations would significantly improve U.S. automotive cybersecurity by mitigating supply chain threats from known adversaries like China.*
“The recent supply chain attack targeting Hezbollah operatives demonstrates that even organizations with mature counterintelligence capabilities can fall victim to supply chain interdiction,” Sheehy told Information Security Media Group. (See: Hezbollah Pager Explosions Likely Not a Cybersecurity Attack.)
“There is no solution that would allow critical hardware or software components to travel safely from or through China or Russia,” he said, adding that “ideally, these restrictions would have been proposed during the Obama administration.”
The Commerce Department is seeking public feedback from stakeholders by October 23.
*Updated 20:35 September 23, 2024: Added comment from John Sheehy of IOActive.