US Push for Cybersecurity: Banning Chinese and Russian Technology in Connected Vehicles

ROY BACHAR

Chief Business Officer

September 30, 2024

With the rise of connected vehicles, the line between the automotive and technology sectors has become increasingly blurred. Vehicles today are not just mechanical machines; they are sophisticated computers on wheels. While this technological evolution has brought convenience, new revenue models for automakers, and advanced safety features, it has also introduced new cybersecurity risks. Recognizing these challenges, the Biden administration has proposed new regulations aimed at improving the cybersecurity of connected vehicles, specifically targeting software and hardware from countries like China and Russia. The rule would cover all on-road vehicles but exclude agricultural or mining vehicles not used on public roads, as well as drones and trains. We can safely assume that additional off-road and agriculture equipment will be added in the future, due to their direct impact on macroeconomic conditions, supply chains, and public safety.

The proposal was first introduced in February 2024 and was signed off by the White House in late September 2024. This move underscores the growing importance of securing automotive technology and the entire ecosystem against cyber threats to ensure road safety and national security. Earlier in September, the Biden administration locked in steep tariff hikes on Chinese imports, including a 100% duty on electric vehicles as well as new hikes on EV batteries and key minerals. 

Connected vehicles rely heavily on software and hardware to provide services such as navigation, entertainment, autonomous driving, and real-time communication with other devices. This interconnectivity, while innovative, opens up potential vulnerabilities that can be exploited by malicious actors at a massive scale. Cyberattacks on connected vehicles could lead to data theft, loss of control over the vehicle, or even potential threats to passenger safety. Upstream’s research showed a steep increase in the impact of cyber incidents in 2023; cyber incidents affecting thousands or even millions of vehicles now account for nearly 50% of total incidents. 

For example, previous research and attacks have demonstrated that hackers can gain remote access to a vehicle’s critical systems, including brakes, steering, and engine. The consequences of such cyberattacks pose serious safety and privacy risks. Thus, ensuring robust cybersecurity in connected vehicles is not only about protecting data but also about protecting lives.

The Biden Administration’s Proposal: A Step Towards Greater Vehicle Security

The proposed rule by the Biden administration, which was reported to prohibit Chinese-made software and hardware in US vehicles, aims to mitigate the potential security risks posed by foreign technology in the automotive sector. 

According to Reuters, the prohibitions would extend to other foreign US adversaries, including Russia. This move aligns with the government’s broader strategy of safeguarding ‘Critical Infrastructure’ and digital ecosystems from foreign interference and potential cyber threats.

“When foreign adversaries build software to make a vehicle that means it can be used for surveillance, can be remotely controlled, which threatens the privacy and safety of Americans on the road,” Gina Raimondo, US Commerce Secretary, told CNBC. “You can imagine the most catastrophic outcome theoretically if you had a couple of million cars on the road and the software was disabled,” Raimondo said to Reuters.

The rationale behind this proposal stems from concerns about supply chain security. Chinese companies have faced allegations of exploiting software backdoors for espionage, raising fears that connected vehicle components sourced from China could potentially expose American vehicles to surveillance or cyberattacks. By restricting the use of Chinese-made technology in connected vehicles, the Biden administration seeks to reduce the risk of foreign intrusion into the US automotive network.

The proposed rule outlines a phased timeline for implementation, aiming to gradually reduce the use of Chinese-made technology in US vehicles. The first phase focuses on software, with a ban set to take effect in the 2027 model year, allowing automotive manufacturers time to identify alternative, secure software sources. This phase includes every software component in the vehicle, including onboard and offboard elements that directly or indirectly interact with ECU configuration and connectivity.

The second phase targets hardware, with restrictions slated for the 2030 model year or January 2029. This staggered approach gives the industry a clear timeline to adapt its supply chains, invest in secure technology, and strengthen overall vehicle cybersecurity. By setting these deadlines, the US government underscores its commitment to national security while giving manufacturers the necessary time to transition smoothly.

Balancing Innovation and Cybersecurity

While the new rule reflects a proactive stance on cybersecurity, it raises questions about balancing security concerns with the need for innovation, especially amid the growing use of Generative AI, which democratizes advanced analytics and capabilities. Many automotive manufacturers rely on global supply chains to source components, and imposing restrictions on certain foreign technologies could pose challenges in terms of cost, production, and technological development.

To address this, automotive companies need to strengthen their cybersecurity posture, regardless of where their software and hardware components originate. Implementing rigorous cybersecurity standards, conducting regular risk assessments, and building partnerships with trusted suppliers are crucial steps toward creating a secure and resilient vehicle network.

As connected vehicles continue to become an integral part of modern life, cybersecurity risks will continue to grow and pose concerns. The proposed rule by the Biden administration serves as a reminder that cybersecurity must be at the forefront of automotive innovation. It highlights the need for a collaborative approach between government, industry stakeholders, and technology providers to establish robust cybersecurity frameworks that protect both consumers and national security.

The new rule is likely to have both short- and long-term impacts on the automotive industry. In the short term, manufacturers may face increased costs as they shift to non-Chinese vendors for software and hardware components. Chinese suppliers have historically offered more cost-effective solutions, so sourcing from other regions could pressure profit margins and potentially lead to higher vehicle prices for consumers. 

Indeed, according to the US Commerce Department and as reported by Reuters, vehicle sales could drop by up to 25,841 and prices could rise if the proposed rules go ahead. The Commerce Department also estimated the rule could bar $1.5 billion to $2.3 billion in vehicle inputs from Chinese or Russian companies for vehicles sold in the US. The Commerce Department stated that the rule would also amount to a ban on all vehicles manufactured in China, as they would contain internet-connected vehicle software and hardware, but would allow Chinese automakers to seek specific authorizations for exemptions.

Additionally, finding new, reliable suppliers and adjusting supply chains may slow production and innovation in the short term. In the long term, however, the rule could drive the industry to develop more secure, resilient supply chains, fostering an ecosystem of trusted vendors and potentially spurring domestic production of key automotive technologies. This includes adopting advanced encryption methods, implementing over-the-air security updates, building secure, tamper-resistant hardware, securing connected API-driven applications and services, and monitoring the fleet via a dedicated vehicle SOC. This shift could also encourage manufacturers to invest more in cybersecurity research and development, ultimately strengthening both vehicle safety and cybersecurity resilience.

In June 2023, NHTSA took a similar approach and prioritized safety cybersecurity over the Massachusetts ‘Right to Repair’. In a letter to 22 US automakers, NHTSA highlighted the importance and critical impact of cybersecurity, warning against potential manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking. 

The Biden administration’s proposed rule to restrict Chinese-made software and hardware in US vehicles is a significant step toward enhancing the cybersecurity and safety of connected vehicles. As the automotive industry continues to evolve, embracing cybersecurity best practices will be crucial in securing the future of transportation. In this rapidly changing landscape, safeguarding vehicles from cyber threats is not just a matter of protecting data—it’s about preserving public safety and national security on the road.

Monitoring and Mitigating Cyber Risks Across the Connected Vehicle Ecosystem

Upstream offers OEMs a fundamental and innovative shift in the approach to automotive and smart mobility cybersecurity with the first cloud-based detection & response platform (XDR), purpose-built for the connected vehicles ecosystem. Monitoring in-vehicle components, IoT devices, telematics, DTCs, consumer applications, OTA updates, EV chargers, and more – Upstream leverages the wealth of data already generated and collected from vehicles, IoT devices, and applications, to detect potential anomalies. Moreover, having access to data from multiple OEMs and mobility providers enhances Upstream’s detection capabilities for unique mobility use cases.

Upstream enables prompt and effective threat mitigation and SOC optimizations with Generative AI-powered investigations, automated remediation, and response, leveraging domain expertise in automotive cybersecurity and field-proven playbooks.

To ensure a proactive approach to cybersecurity, Upstream offers a mobility-specific cyber threat intelligence and risk assessment, based on custom collection and analysis of intelligence from multiple public, deep, and dark web sources for a clear understanding of the mobility threat landscape, emerging risks and leaked data across the supply chain. In addition, Upstream supports OEMs with dedicated and managed SOC services that contextualize mobility data to effectively and rapidly mitigate cybersecurity threats, leveraging field-proven playbooks and automated workflows.
