01-30-2025, 06:35 AM
News American CISOs should prepare now for the coming connected-vehicle tech bans
<div id="remove_no_follow">
<div class="grid grid--cols-10@md grid--cols-8@lg article-column">
<div class="col-12 col-10@md col-6@lg col-start-3@lg">
<div class="article-column__content">
<p>In a groundbreaking shift in automotive supply chain regulation, the White House <a href="https://china.usembassy-china.org.cn/fact-sheet-safeguarding-america-from-national-security-risks-of-connected-vehicle-technology-from-china-and-russia/">announced</a> a new rule <a href="https://www.bis.gov/press-release/commerce-finalizes-rule-secure-connected-vehicle-supply-chains-foreign-adversary">issued by the Commerce Department’s Bureau of Industry and Security</a> (BIS) a week before the end of the Biden administration that will ban vehicle connectivity system (VCS) hardware and software from China (including Hong Kong) or Russia in US passenger vehicles.</p>
<p>Automakers that sell in the US will have to meet two deadlines to comply with the rule: model year 2027 for software compliance and model year 2030 for hardware compliance.</p>
<p>This rule follows an <a href="https://www.csoonline.com/article/1313005/chinese-espionage-a-prime-concern-for-connected-vehicles.html">advance notice of proposed rulemaking (ANPRM)</a> and <a href="https://www.csoonline.com/article/3538831/us-to-ban-connected-vehicle-tech-from-china-russia-due-to-national-security-risks.html">a notice of proposed rulemaking (NPRM)</a> that the Commerce Department published in 2024. BIS is expected to complement this passenger vehicle rule soon with a round of rulemakings that address the more complex topic of commercial vehicles, such as heavy trucks and industrial vehicles.</p>
<p>The rule addresses risks identified in <a href="https://www.federalregister.gov/documents/2019/05/17/2019-10538/securing-the-information-and-communications-technology-and-services-supply-chain">Executive Order 13873</a>, issued by President Donald Trump in 2019, which declared a national emergency regarding the ICTS [information and communications technology and services] supply chain. President Joe Biden subsequently extended the national emergency, most recently in May 2024.</p>
<h2 class="wp-block-heading" id="chinese-automotive-tech-is-the-real-focus-of-the-ban">Chinese automotive tech is the real focus of the ban</h2>
<p>The ban aims to prohibit any “ICTS transactions that pose undue or unacceptable risks to US national security, critical infrastructure, or the digital economy.” It spells out specific criteria for determining prohibited transactions, focusing on risks of sabotage, catastrophic effects, and unacceptable national security risks.</p>
<p>The White House noted that the Commerce Department “assesses that certain hardware and software used in connected vehicles (CVs) could enable mass collection of sensitive information, including geolocation data, audio and video recordings, and other pattern-of-life analysis.”</p>
<p>Despite the ban’s inclusion of Russia, most experts understand that the focus of the prohibition is Beijing and the country’s ongoing large-scale amassing of data and pre-positioning inside US digital networks of all kinds. “I think they made the reasoning behind it pretty clear when they included in the rule language that China’s government is pre-positioning on US critical infrastructure to have destructive or disruptive effects,” Dakota Cary, strategic advisory consultant at SentinelOne, tells CSO.</p>
<p>As recent research by automotive security researchers Sam Curry and Shubham Shah underscored, vulnerabilities in internet-connected cars <a href="https://samcurry.net/hacking-subaru">can be exploited</a> to cause real-world damage. Still, no real-world evidence exists that China has engaged in malicious behavior regarding the technology it provides to connected vehicles.</p>
<p>Even so, experts say CISOs should start conducting due diligence when acquiring new vehicles, educating staff on the rule, and staying informed on any developments that might cause changes in the rule down the road.</p>
<h2 class="wp-block-heading" id="who-is-affected-whats-prohibited-and-what-must-suppliers-do">Who is affected, what’s prohibited, and what must suppliers do?</h2>
<p>The rule BIS released is complex and intricate and relies on many pre-existing definitions and policies used by the Commerce Department for different commercial and industrial matters.</p>
<p>However, in general, the restrictions and compliance obligations under the rule affect the entire US automotive industry, covering all new on-road vehicles sold in the United States (except commercial vehicles such as heavy trucks, for which rules will be determined later). All companies in the automotive industry, including importers and manufacturers of CVs, equipment manufacturers, and component suppliers, will be affected.</p>
<p>BIS said it may grant limited specific authorizations to allow mid-generation CV manufacturers to participate in the rule’s implementation period, provided that the manufacturers can demonstrate they are moving into compliance with the next generation.</p>
<p>The transactions prohibited under the rule include knowingly:</p>
<ul class="wp-block-list">
<li>Importing into the US VCS hardware that is designed, developed, manufactured, or supplied by persons linked to China or Russia;</li>
<li>Importing into or selling within the US completed connected vehicles that incorporate VCS or ADS (automated driving systems) software designed, developed, manufactured, or supplied by persons linked to China or Russia; and</li>
<li>Selling or distributing in the US (including through robotaxi and rideshare services) completed connected vehicles that incorporate VCS hardware or covered software if the seller is linked to China or Russia, regardless of whether the vehicles are manufactured or assembled in the US.</li>
</ul>
<p>Connected vehicles and related component suppliers <a href="https://www.foley.com/insights/publications/2025/01/bis-rule-prohibiting-connected-vehicle-imports-linked-china-russia/">are required</a> to scrutinize the origins of vehicle connectivity systems (VCS) hardware and automated driving systems (ADS) software to ensure compliance. Suppliers must exclude components with links to the PRC or Russia, which has significant implications for sourcing practices and operational processes.</p>
<p>To address these challenges, some suppliers are exploring partnerships with third-party certification firms to assist in supply chain mapping and regulatory compliance.</p>
<h2 class="wp-block-heading" id="is-china-really-a-security-threat-to-connected-vehicles">Is China really a security threat to connected vehicles?</h2>
<p>As with so many US actions taken to restrict the use of Chinese technology, little evidence exists that China has used its supply chain technologies to engage in sophisticated espionage or cause real-world damage. “It’s interesting that the rule has expressly stated that China’s own behavior is part of the reason we got here,” Cary says. “And I think that’s an important anchor to say they have exhibited behavior.”</p>
<p>Cary admits that publicly available evidence regarding China’s misuse of connected car technology is lacking. However, he points to many factors that create concern, including <a href="http://www.npc.gov.cn/englishnpc/c2759/c23934/202112/t20211209_385109.html">Chinese laws</a> that may keep the country’s offensive capabilities under wraps.</p>
<p>“In the same way that we haven’t seen China disrupt or use destructive <a href="https://www.csoonline.com/article/3632044/more-telecom-firms-were-breached-by-chinese-hackers-than-previously-reported.html">cyberattacks against critical infrastructure</a>, that doesn’t mean that we don’t think that they can’t do that,” Cary says. “That lack of them having executed that type of operation doesn’t mean we don’t think they can. And so that’s very similar in this case.”</p>
<p>Ivan Novikov, CEO at Wallarm, emphasizes a distinction between China’s collection of data and the level of vulnerabilities that US officials fear might be exploitable in Chinese software. “The Biden administration wanted to protect US users and car drivers from transferring their data to China,” he said. “It essentially could be sold and so on because the data governance law in the US is just not as advanced as in Europe with GDPR or California with the CCPA [the California Consumer Privacy Act].”</p>
<p>Regarding the security of Chinese software, Novikov says, “We have a common sense that the software is less secure than the software produced somewhere else.” But he disputes this characterization. “I don’t think that Chinese cars are somehow more hackable than all the other cars in the world.”</p>
<h2 class="wp-block-heading" id="what-role-should-cisos-play">What role should CISOs play?</h2>
<p>Although only automakers and vehicle suppliers will have an obligation to comply with the rules, CISOs should play a key role in ensuring that any vehicles their organizations own are secure and legally up to snuff.</p>
<p>“They’re going to need to collaborate with their procurement teams to make sure that the vehicles that are purchased align with these new regulations, particularly as we get closer to 2027,” Vanessa Miller, partner at law firm Foley and head of the firm’s national auto team, tells CSO. “The burden of compliance with the final rule rests on the vehicle manufacturers and importers, but CISOs play a crucial role in safeguarding their organizational assets.”</p>
<p>As a matter of general operating procedure, “any current vehicle fleet should be looked at for security vulnerabilities associated with existing components to look at software updates that may be prudent to mitigate those risks,” Miller says. On top of that, “you’re going to want uniformity across your fleet after 2027, and you’re not going to want to worry about being flagged for noncompliance for something that you purchased retroactively.”</p>
<p>Figuring out the supply chain for organizational vehicles will soon become necessary for most CISOs. “There’s going to be some pointed questions that someone needs to ask to get to the bottom of the supply chain and see where the software is coming from and who owns it,” Miller says. “Look at things like the vendor management and supply chain policies in place to ensure that the burden is on the vehicle manufacturer to certify these things.”</p>
<p>Novikov says that for organizations buying vehicles knowing that the cars will be in service past 2027, it wouldn’t hurt to get “at least some sort of letter of engagement or letter of usage of components” that stipulates they’re not using Chinese or Russian components in the cars, even though the rules are not retroactive and do not apply to vehicles before model year 2027.</p>
</div></div></div></div>
https://www.csoonline.com/article/381054...-bans.html