The U.S. proposes banning certain Chinese and Russian car parts by 2030 to safeguard against cyber threats, like data collection and remote control of some vehicles.
.png?width=1920&height=1080&name=On%20the%20Road%20to%20Safety%20(4).png)
On September 23, 2024 the U.S. Department of Commerce announced a Notice of Proposed Rulemaking (NPRM) that would ban some Chinese and Russian-made car parts from being used in the U.S. because of security concerns. The proposed rule centers on the technology used in the Vehicle Connectivity System (VCS) - like Bluetooth, cellular, satellite, and Wi-Fi modules - and the Automated Driving System (ADS), which is what allows for autonomous cars. A lot of these technologies have gained popularity in recent years, as 58 million self-driving cars are projected to be sold globally by 2030. While these features make driving more convenient, they also pose a cyber risk.
An intrusion into these systems could have severe consequences, ranging from the collection of sensitive data through the external connection properties to the remote control of cars on U.S. roads by foreign adversaries. The rule would stop companies linked to China or Russia from selling cars with the banned hardware and software in the United States, even if the car was made in the U.S. The restrictions on the technology would start in 2027 for the software and 2030 for the hardware, or January 1, 2029 for units that do not have a model year. Vehicles that aren’t used on public roads, like tractors, are unlikely to be affected by the proposed. Still, the vast majority of vehicles (cars, trucks, buses) would be subject to the rule.
The proposed rule comes after a number of cyber intrusions on critical infrastructure from Russia and China. Russia’s war with Ukraine has been a driving factor behind its cyberattacks on energy facilities there, but also all across Europe. Of course, the U.S. has not been left out from these critical infrastructure campaigns. Sandworm, a hacking operation backed by the Russian military, targeted a water facility in Texas, as well as others in Poland and France. In the Texas facility, the hackers remotely turned on the pumps, making the tank water overflow.
In January 2024, the FBI and DOJ disrupted Volt Typhoon, a China-sponsored cyber group that used a botnet to quietly gain access to several organizations in nine different sectors, including transportation, information technology, and education. Unfortunately, this disruption didn’t end the foreign threat to American cybersecurity infrastructure. More recently, another hack from a China-backed group (similarly named, Flax Typhoon) also used a botnet to infect over 260,000 devices all over the world, with half of them being in America. Though they were also disrupted by the FBI, the depth of the hack - not just accessing critical infrastructure but also accessing cameras, video recorders and storage devices - is a sign that there will be more dangerous hacks in the future.
Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA) believes that these hacks could amount to another event like the faulty Crowdstrike Falcon update, which effectively rendered 8.5 million computers around the world useless for a business day. At the annual Black Hat cybersecurity conference, Easterly said looking at the Crowdstrike fallout made her realize “this is exactly what China wants to do, but without rolling back the updates such that we could all reboot our systems…A war in Asia will be accompanied by very serious threats to Americans — the explosion of pipelines, the pollution of water systems, the derailing of our transportation systems, the severing of our communications.” This context makes the Commerce Department’s decision feel much more substantiated.
In the press release for the proposal, Alan F. Estevez, the Under Secretary of Commerce for Industry and Security, said the NPRM “marks a critical step forward in protecting America’s technology supply chains from foreign threats and ensures that connected vehicle technologies are secure from the potential exploitation of entities linked to the PRC and Russia.” Already, a 100% tariff on Chinese electric vehicles has been levied; hopefully, this additional measure by the Department of Commerce will be enough to curb cyber threats to America’s vehicles.