The US Commerce Department announced a rulemaking Monday to prohibit the sale or import of certain connected-vehicle components and software with close ties to Russia or China, citing national security concerns.
Malicious access to increasingly connected motor vehicles on US roads could enable foreign adversaries to remotely manipulate cars, and, in “extreme” scenarios, even “shut down or take control,” said US Secretary of Commerce Gina Raimondo during a press call Sunday. The notice of proposed rulemaking aims to prevent the mass installation of certain Chinese and Russian vehicle parts in the US, before cars and trucks with embedded internet capabilities become as common as they are in Europe, said Raimondo.
“We’re not going to wait until our roads are filled with cars and the risk is extremely significant,” she said. Although Raimondo didn’t identify any car or part makers by name, she pointed to Europe as a “cautionary tale.” She described the proposed policy as a “proactive” one, since the agency believes these components are not yet common on US roads.
Foreign adversaries are strengthening their abilities to remotely access and wield cars’ geolocation systems, remote entry, or wireless connection for mass-scale surveillance and sabotage purposes, said Raimondo. The NPRM cites a Trump era executive order declaring a national emergency over foreign threats against communications technology and its supply chain, which is now part of a sweeping Biden administration effort to crack down on security threats coming from China.
Commerce in March released an advanced notice of proposed rulemaking identifying six countries as targets of their plan to ban the import of components that could be used to surveil drivers in the US, including China, Russia, Iran, North Korea, Venezuela, and Cuba. The latest proposal narrows the agency’s focus to China and Russia, while the officials briefing reporters on Sunday emphasized threats mainly from China.
The Proposal
Connected cars collect a “massive amount” of sensitive personal data, including geolocation information, audio and video recordings, and pattern-of-life analyses, US National Security Advisor Jake Sullivan said on the press call.
The proposed rule will focus on two types of technologies: programs and parts integrated into vehicle connectivity systems and software in automated driving systems. The former enables Bluetooth, cellular, satellite, and Wi-Fi connectivity, which is common in US vehicles manufactured in at least the last decade. The latter enables vehicles to operate partially or fully autonomously, a spectrum of technology becoming more pervasive across new cars on US roads.
The proposed rule won’t just target car parts. The proposal—covering cars, trucks, and buses—would also prohibit manufacturers “with a nexus” to China or Russia from selling connected vehicles with those systems in the US—even if the vehicle was made domestically.
If adopted, the software prohibitions would take effect with 2027 vehicle models, while the hardware prohibitions would kick-in for 2030 models, according to the bureau.
The Commerce Department’s effort comes amid a Senate probe into several Chinese automakers’ data governance practices. Sens. Gary Peters (D-Mich.) and Marsha Blackburn (R-Tenn.) launched the investigation earlier this month, seeking information by Sept. 30 about whether the companies are required to or have been asked to share user data with any Chinese government authority.
The agency is the latest to address connected car technology. The Federal Communications Commission is separately pursuing its own effort that focuses on whether changes to its implementation of the Safe Connections Act of 2022 are necessary to protect domestic abuse survivors. The Federal Trade Commission has warned car manufacturers it will “take action to protect consumers” against illegal data collection.
Public comments on the proposed rule are due 30 days after publication.
To contact the reporters on this story:
To contact the editor responsible for this story: