US Pushes Ban on Chinese, Russian Tech in Connected Vehicles
Commerce Department Moves to Regulate Foreign Vehicle Tech Amid Security Fears
The Biden administration took steps Monday to ban Chinese connected vehicle hardware and software from reaching the U.S. market, warning of escalating foreign threats to the information and communications technology supply chain.
The Department of Commerce published a notice of proposed rule-making that would prohibit car manufacturers from importing hardware or software from the People's Republic of China or Russia that enables vehicles to connect to networks or communicate with other devices and share data. The proposed rules also seek public feedback on whether other foreign adversaries, such as Iran, pose similar national security risks to the ICT supply chain.
Commerce said China and Russia could gain privileged access to connected vehicles through their components and software to "exfiltrate sensitive data" and potentially "allow remote access and manipulation of connected vehicles." Research cited in the proposed rule shows a sharp rise in remote cyberattacks in recent years, with 95% of all malicious activities in 2023 exploiting network connectivity such as Wi-Fi and Bluetooth.
Chinese car makers - in particular, electric vehicle manufacturers - have aggressively expanded overseas, becoming the world's second-largest automobile exporters in 2023, just behind Japanese auto firms. Although the market for Chinese cars lies mostly outside the United States, in Russia and Latin America, the expansion has proved fraught for American policymakers concerned that modern automobiles loaded with onboard computers offer Beijing an easy avenue into surveilling users and critical infrastructure or even jamming up roads.
Vehicle systems that contain Chinese or Russian software could be exploited to spread malware or inject malicious code into a vehicle's operational systems, according to the proposed rules. Commerce also said foreign adversaries could use remote access to vehicles in the United States "to trigger improper engine shutdown, brake activation or electrical system deactivation."
Lael Brainard, director of the White House's National Economic Council, said the proposed rules are also an effort "to avoid a second China shock," referring to the economic disruption in the U.S. caused by China's rapid rise as a global manufacturing powerhouse in the early 2000s.
"China is flooding global markets with a wave of auto exports at a time when they are experiencing overcapacity," Brainard said during a speech at the Detroit Economic Club. "The administration is determined to avoid a second China shock, which means putting safeguards in place before a flood of underpriced Chinese autos undercuts the ability of the U.S. auto sector to compete on the global stage."
"Americans should drive whatever car they choose - gas-powered, hybrid, or electric," she said. "But if they choose to drive an EV, we want it to be made in America, not in China."
The proposed regulation will significantly improve vehicle cybersecurity in the U.S. by mitigating supply chain threats from known adversaries like China, according to John Sheehy, senior vice president of research and strategy for the security research firm IOActive.*
"The recent supply chain attacks targeting Hezbollah operatives demonstrate how even organizations with mature counterintelligence capabilities can still fall victim to a supply chain interdiction," Sheehy told Information Security Media Group (see: Exploding Hezbollah Pagers Not Likely a Cybersecurity Attack).
"There is no solution to safely allow critical hardware and software components to originate from or pass through" China and Russia, he said, adding: "Ideally this regulation would have been proposed during the Obama administration."
The Commerce Department is requesting public feedback from stakeholders by Oct. 23.
*Updated Sept. 23, 2024 20:35: Adds comment from John Sheehy of IOActive.