Commerce proposes ban on connected-car tech from China, Russia

The Commerce Department proposed a rule to prohibit the sale of connected vehicle components made in China and Russia, citing concerns that the hardware and software could allow the U.S. foreign adversaries to collect sensitive data and disrupt critical infrastructure.

The rule, unveiled Monday, targets “vehicle connectivity systems” — which refers to equipment that links vehicles to external networks, including Bluetooth, cellular, satellite and Wi-Fi modules — and “automated driving systems”  that enable autonomous vehicles to function without a driver at the wheel, according to a White House blog post.

The software prohibitions would take effect starting with model year 2027, while hardware prohibitions would apply to model year 2030 or to units without a model year beginning January 1, 2029.

“Cars today have cameras, microphones, GPS tracking and other technologies connected to the internet,” Commerce Secretary Gina Raimondo said. “It doesn’t take much imagination to understand how a foreign adversary with access to this information could pose a serious risk to both our national security and the privacy of U.S. citizens.”

Commerce is seeking public feedback on the rule, with a 30-day window open for comments beginning Monday. The agency in February said it was launching an investigation into the national security risks enabled by connected vehicles, a broad term that describes vehicles equipped with technologies allowing them to communicate with external networks.

“As a principle, I want to emphasize that China opposes the U.S. generalization of the concept of national security and discriminatory practices against Chinese companies and products. We urge the U.S. to respect market principles and provide Chinese companies with an open, fair, transparent, and non-discriminatory business environment,” said Chinese embassy spokesperson Liu Pengyu. “China will firmly safeguard its legitimate rights and interests.”

Russia’s foreign ministry and its embassy in Washington, D.C. did not return requests for comment.

Beijing in particular has previously pushed back on U.S. claims of cyber risks enabled by industrial equipment made by Chinese firms, but Raimondo doubled down on the need for Monday’s action.

“This is not about trade or economic advantage,” she said in a call with reporters that previewed the proposal. “This is a strictly national security action.”

Officials have expressed concerns about hacking, espionage and sabotage opportunities that may be enabled by foreign rivals’ technologies bolted onto vehicles that link into infrastructure like charging stations, gas stations and related transportation mechanisms. 

A GOP-led report released earlier this month found that numerous seaports around the U.S. contain technology originating from Chinese manufacturers that could create backdoors for gathering data, evading firewalls and interfering with ports’ activities.

A House bill introduced this month would bar the Transportation Department from using taxpayer dollars through grants, loans or direct acquisitions to procure equipment that contains light sensing and ranging technologies — known colloquially as LiDAR — made by China and other foreign adversaries, Nextgov/FCW first reported.

Russia and China’s national security laws, combined with their state-driven economies, allow their governments to pressure tech companies into serving their intelligence interests. But the full extent of their access into U.S. systems remains unclear, as does whether these infiltrations are primed and ready to sabotage or disable American infrastructure.

The Monday proposal stems from a Trump-era executive order that empowered the Commerce Department with greater authorities to secure U.S. supply chains. President Joe Biden in February signed an executive order designed to curb adversarial nations from acquiring and exploiting the sensitive personal data of Americans, targeting data broker arrangements with countries of concern.

Relatedly, Commerce in June barred the sale of cybersecurity products made by Russia-based Kaspersky Labs, a blanket move that prevents America’s private sector from buying Kaspersky offerings altogether after a preexisting 2017 ban on Kaspersky offerings for U.S. government systems.