Sep 24, 2024Ravie LakshmananNational Security / Regulatory Compliance

The U.S. Department of Commerce (DoC) said it’s proposing a ban on the import or sale of connected vehicles that integrate software and hardware made by foreign adversaries, particularly that of the People’s Republic of China (PRC) and Russia.

“The proposed rule focuses on hardware and software integrated into the Vehicle Connectivity System (VCS) and software integrated into the Automated Driving System (ADS),” the Bureau of Industry and Security (BIS) said in a press statement.

“These are the critical systems that, through specific hardware and software, allow for external connectivity and autonomous driving capabilities in connected vehicles.”

The agency said nefarious access to such systems could enable adversaries to harvest sensitive data and remotely manipulate cars on American roads.

The proposal extends to all wheeled on-road vehicles such as cars, trucks, and buses. Agricultural and mining vehicles are not included.

The BIS said “certain technologies” from China and Russia pose “undue risk” to U.S. critical infrastructure, as well as those who rely on connected vehicles, leading to a potential scenario that could undermine the national security and privacy of U.S. citizens.

“This rule marks a critical step forward in protecting America’s technology supply chains from foreign threats and ensures that connected vehicle technologies are secure from the potential exploitation of entities linked to the PRC and Russia,” said Under Secretary of Commerce for Industry and Security Alan F. Estevez.

Pursuant to the ban, the import and sale of vehicles with certain VCS or ADS hardware or software with a nexus to China or Russia will be prohibited.

It also aims to block manufacturers with ties to the PRC or Russia from selling connected vehicles that incorporate VCS hardware or software or ADS software in the U.S., even if the vehicle was made in the country.

“The prohibitions on software would take effect for Model Year 2027 and the prohibitions on hardware would take effect for Model Year 2030, or January 1, 2029 for units without a model year,” the BIS said.

In a coordinated statement, the White House said the step is a move to ensure that U.S. automotive supply chains are resilient and secure from foreign threats. It added the increasing connectivity of vehicles to U.S. digital networks creates an environment to gather and exploit sensitive information.

“Certain hardware and software in connected vehicles enable the capture of information about geographic areas or critical infrastructure, and present opportunities for malicious actors to disrupt the operations of infrastructure or the vehicles themselves,” the White House also pointed out.

The development comes as internet-connected vehicles have increasingly become yet another avenue for companies to gather valuable data, in some cases going to the extent of capturing highly invasive videos and images via Tesla car cameras and even sharing users’ driving habits with car insurance providers.