Biden Administration Proposes Ban on Chinese Vehicles and Russian Tech for Autonomous Vehicles on U.S. Roads

Citing increasing national security concerns, the U.S. Commerce Department has proposed a ban on new vehicle software originating within China or Russia, and includes software within the supply chain. The ban, if approved, would take effect in 2027 for new internet-connected vehicles sold for use on U.S. public roads, including cars, trucks, and buses. It would exclude vehicles not used on public roads such as those for agriculture.

A second proposed rule would ban imports and sales of vehicles with automated driving hardware created in China or Russia. This ban would go into effect for the 2030 model year or January 2029. Such a delay gives the U.S. vehicle industry time to remove any prohibited software and hardware and also to find suitable replacements.

The two proposals are now in a 30-day review period. A final draft of each will be available at the end of the year, 2024, and, if enacted, in place by January 20, 2025.

According to Reuters, the U.S. Commerce Department said the rule would amount to a ban on all vehicles manufactured in China yet it would allow Chinese automakers to seek "specific authorizations" for exemptions. Also, European manufacturers who use software from China or Russia could also apply for exemptions although the criteria for those exemptions is not currently available.

The Issue
The U.S. concern with software originating from China and Russia consists of two parts.

There is concern about personal data flowing back to either China or Russia regarding vehicle use within the United States. This includes data around geolocation, such as places of employment, childrens’ schools, or medical services, as well as any payments used within the vehicle for third-party services within the vehicle such as Spotify. In certain scenarios, cellular services could also be accessed remotely, as in vehicle-to-vehicle (V2V) or vehicle-to-infrastructure (V2I) 5G communications.

Secondly, there is concern about remote access and/or software backdoors. A scenario might be that with remote access, someone in China or Russia could cripple or otherwise completely disable a fleet of vehicles on roads within the United States. If all the vehicles from a brand suddenly stop on the road at the same time, nationwide, it would pose an immediate threat to the drivers and also to the vehicles around them. This would of course require a certain critical mass of drivers to adopt the vehicles first in order to pose a genuine national threat. Hence the ban was proposed.

In a statement, Commerce Department’s Gina Raimondo said it’s important to have the ban in place "before suppliers, automakers and car components linked to China or Russia become commonplace and widespread ... We're not going to wait until our roads are filled with cars and the risk is extremely significant."

Software Bans Already In Place
Such a national security ban on software origin has already been used by the Biden Administration. This summer, the US banned the sale of Moscow-based Kaspersky Antivirus products and any future updates to its existing customers, citing national security concerns. The US Department of Commerce said that Kaspersky's software could be used to identify sensitive data and make it available to Russian government officials. The company has denied such allegations but has agreed to leave the US market.

Both China and Russia have implemented their own bans mandating that all enterprises in their countries use only domestically produced software, including operating systems. This move effectively eliminates competition from Google, Adobe, and Microsoft in those markets.

This new vehicle software and hardware ban, if enacted, would prohibit importing or selling systems designed, developed, manufactured, or supplied by vendors with close connection to China or Russia. The vehicle software and hardware ban would also apply to imports and sales of vehicles using those countries' connectivity features such as Bluetooth, cellular, satellite, and Wi-Fi.

It’s uncertain how the proposed regulations would affect certain automakers like Volvo, which is primarily owned by the Chinese conglomerate Geely Holding. Volvo has an assembly plant for its worldwide distribution in Chengdu province, China. Also, as noted, European automakers may also be affected, and may also need to apply for exemptions.

One way for U.S. vehicle manufacturers to know the pedigree of its software supply chain is to use Software Bills of Materials (SBOMs). SBOMs are used to show individual components and version numbers within a software binary. Additionally, the software used in hardware (firmware) would also need its own SBOM. By knowing the components of a binary, an OEM can be assured that it is not incorporating prohibited software.

About the Author

Joseph M. Saunders is Founder & CEO, RunSafe Security.

Featured

  • Live from GSX 2024: Post-Show Recap

    Another great edition of GSX is in the books! We’d like to thank our great partners for this years event, NAPCO, LVT, Eagle Eye Networks and Hirsch, for working with us and allowing us to highlight some of the great solutions the companies were showcasing during the crowded show. Read Now

    • Industry Events
    • GSX
  • Research: Cybersecurity Success Hinges on Full Organizational Support

    Cybersecurity is the top technology priority for the vast majority of organizations, but moving from aspiration to reality requires a top-to-bottom commitment that many companies have yet to make, according to new research released today by CompTIA, the nonprofit association for the technology industry and workforce. Read Now

  • Live from GSX 2024: Day 3 Recap

    And GSX 2024 in Orlando, is officially in the books! I’d like to extend a hearty congratulations and a sincere thank-you to our partners in this year’s Live From program—NAPCO, Eagle Eye Networks, Hirsch, and LVT. Even though the show’s over, keep an eye on our GSX 2024 Live landing page for continued news and developments related to this year’s vast array of exhibitors and products. And if you’d like to learn more about our Live From program, please drop us a line—we’d love to work with you in Las Vegas at ISC West 2025. Read Now

    • Industry Events
    • GSX
  • Bringing New Goods to Market

    The 2024 version of GSX brought with it a race to outrun incoming hurricane Helene. With it’s eye on Orlando, it seems to have shifted and those security professionals still in Orlando now have a fighting chance to get out town. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity

Webinars

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3