US to ban Russian, Chinese software and hardware in vehicles
The United States is going to ban Russian and Chinese software in vehicles, according to the Department of Commerce, due to national security concerns.
The final rule, posted on the federal register Tuesday morning, comes after the Commerce Department's Bureau of Industry and Security previewed the rule months ago.
During the rulemaking process, the Bureau of Industry and Security found that certain technologies originating from China or Russia present an undue and unacceptable risk to U.S. national security.
"Cars today aren't just steel on wheels they're computers," outgoing Commerce Secretary Gina Raimondo said in a news release Tuesday. "They have cameras, microphones, GPS tracking, and other technologies that are connected to the internet. Through this rule, the Commerce Department is taking a necessary step to safeguard U.S. national security and protect Americans' privacy by keeping foreign adversaries from manipulating these technologies to access sensitive or personal information."
The software bans will apply to Model 2027 cars, while the hardware bans will apply to Model 2030 vehicles.
The final rule, which only applies to passenger vehicles, establishes that hardware and software integrated into the Vehicle Connectivity System (VCS) and software integrated into the Automated Driving System (ADS), the systems in vehicles that allow for external connectivity and autonomous driving capabilities, present an undue and unacceptable risk to national security when designed, developed, manufactured, or supplied by persons with a sufficient nexus to the PRC or Russia, the department said.
The department says it will issue a separate rule addressing commercial vehicles in the near future.
A senior administration official told reporters on a conference call that the automotive industry largely agreed with these recommendations, which were based on national security concerns.
"Malicious access to these critical supply chains could allow our foreign adversaries to extract sensitive data, including personal information about vehicle drivers or owners, and remotely manipulate vehicles," according to a release from the Commerce Department.
The rule also prohibits manufacturers with a sufficient nexus to the PRC or Russia from selling new connected vehicles that incorporate VCS hardware or software or ADS software in the United States, even if the vehicle was made in the United States.
Another senior administration official said that the dangers of Chinese and Russian software extend beyond the car. If mobile phones are connected to this software, it could give China an easy way to extract user data.
"Recent malicious cyber activity, particularly activity that they do that was volt typhoon has really heightened the urgency of preempting even more risk to our critical infrastructure, and we've seen not just volt typhoon, but really mounting evidence of the PRC pre-positioning malware in our critical infrastructure, solely for the purpose of sabotage and disruption," a senior administration official said. "With potentially millions of connected vehicles coming on the road, you know, each with 10-to-15-year lifespans, the risk of sabotage really increases substantially. The second set of risks, as was alluded to as well, are this data security risk given the massive amount of sensitive personal data, including geo location data, audio, video recordings and other live data that's collected connected by these vehicles."
