Brandon Miller

How will restrictions on Chinese technologies impact the future of vehicle cybersecurity?

For many years, domestic Chinese OEMs have been at the forefront of balancing technological innovation, from connected features through to robotaxis, with affordability. As an example, BYD, one of China's most popular domestic OEMs, sells its 2025 Seagull EV from 72,000 yuan, equivalent to $9,900 or £7,690. While BYD now represents one of the world's largest EV manufacturers, this success has largely stemmed from its domestic sales, something it shares with other OEMs in the region.

 

However, having secured this success in China, OEMs like BYD are now drafting up, and in some cases executing, plans to expand internationally. For consumers, these plans may represent a more accessible route to EV adoption, given the lower price points offered by many Chinese OEMs. For some international governments, however, these OEMs represent not just a strong competitor to their domestic automakers, but a risk to the security of their people, networks, and infrastructure.

 

It is this risk that recently led the Biden-Harris Administration to propose a ban on the import of any connected and autonomous vehicle hardware and software produced in ‘countries of concern’, denoting China and Russia as key examples. In this Insight, we will delve into the details of this proposal – breaking down what is happening, and why, before hearing from Alex Oyler, Director of SBD North America on its impacts and outlining the best practices for responding to the ban ahead of its implementation.


What is happening with the ban and why is it happening?

The origins of this proposal can be found in an investigation by the U.S. Department of Commerce (DoC) into connected vehicle software ordered by President Biden in late February. Carried out in March, the investigation sought public comment on the national security risks associated with certain technologies used in connected vehicles. The results of this investigation informed the proposal announced on September 23, 2024: a notice of proposed rulemaking (NPRM) that, if passed as proposed, would 'prohibit the sale or import of connected vehicles that incorporate certain technologies and particular components from countries of concern'.

 

The DoC highlighted that its proposal would also restrict the import or sale of connected vehicles from those countries that use certain connectivity and automated driving systems, as well as the import of connectivity hardware more broadly. At the same time, it would include procedures designed to provide select parties (such as smaller-profile OEMs) with exemptions, issued on an exceptional basis, to minimize unanticipated and unnecessary disruption.

 

Following its announcement, the NPRM entered a 30-day public comment period, through which the Biden-Harris Administration is encouraging interested automotive stakeholders to share their input as it develops the final rule. After this period, the Administration is aiming to finalize the proposal before January 20, 2025, when the next U.S. President will be inaugurated. If passed, its prohibitions on software would take effect from Model Year 2027, while its hardware-related prohibitions would take effect from Model Year 2030 (or from January 1, 2029, for vehicles without a model year).

 

US Department of Commerce Secretary - Gina Raimondo gives remarks on recent proposal

The White House said that the motivations behind the proposed ban are rooted in the increasingly connected nature of new vehicles, pointing to the use of various systems to control vehicle movement and the use of cameras and sensors to enable automated driving functions. While outlining these advancements, it also highlighted how connected vehicles could allow malicious adversaries to collect and exploit sensitive information, including vehicle occupant data and detailed information about American infrastructure. It claimed that certain hardware and software could give these adversaries information on geographic areas and critical infrastructure, allowing them not only to disrupt the operation of that infrastructure but to manipulate connected vehicles as well.

 

Through its investigation, the DoC further determined that certain technologies used in connected vehicles and sourced from adversarial countries, like China and Russia, could be exploited within America's supply chain for surveillance and sabotage that would undermine its national security. Building on the findings of this investigation, the Biden-Harris Administration developed the proposal with the overarching aim of keeping America's supply chains resilient and secure from foreign threats.


A closer look at the potential impacts of the DoC's proposal

Recognizing the impact this proposal could deliver both across the U.S. and beyond, Alex Oyler, Director of SBD North America, commented: “There are real cybersecurity concerns related to not only potential privacy violations of American consumers, but also the protection of critical infrastructure as EVs become an increasingly important part of the United States' national (critical) energy infrastructure.

 

There will be enforcement challenges, particularly in software traceability, making OEM adoption of software bill of materials (SBOM) technology of the utmost importance. While most automaker cybersecurity teams are only now recovering from the massive investment in achieving compliance with UNECE R155 overseas, this will be another wave of compliance-related investment. NHTSA must prioritize helping adopt SBOM standards with the automotive supply chain to streamline compliance efforts (and keep costs low for American consumers).”
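The software-traceability point above is where a cybersecurity team feels a country-of-origin rule first: every component in the vehicle's software, including transitively bundled libraries, needs a known supplier, and anything without one is a compliance gap rather than a pass. The script below is an added example, not SBD's tooling and not anything the proposed rule prescribes. It screens a small SBOM in CycloneDX JSON shape (components, each optionally carrying a supplier name and nested components). Neither CycloneDX nor SPDX carries a country field, so the supplier-to-country registry and the set of country codes are assumed, OEM-maintained policy inputs; the SBOM itself and all supplier names are constructed for the example.

```python
"""Screen a CycloneDX-style SBOM for components whose supplier sits in a
'country of concern'. Added example with constructed data; the
supplier->country registry is an assumed policy input, not an SBOM field."""
import json

# Constructed SBOM fragment in CycloneDX JSON shape. CycloneDX allows a
# component to nest its own 'components', which is how bundled
# third-party libraries inside a supplier's deliverable show up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "application", "name": "telematics-stack", "version": "4.2.0",
            "supplier": {"name": "Example Domestic Telematics Inc."},
            "components": [
                {"type": "library", "name": "mqtt-client", "version": "1.9.3",
                 "supplier": {"name": "Shenzhen Example IoT Co."}},
                {"type": "library", "name": "tls-lib", "version": "3.0.1",
                 "supplier": {"name": "OpenExample Foundation"}},
            ],
        },
        # No supplier recorded at all: a traceability gap, not a clean pass.
        {"type": "library", "name": "map-tile-renderer", "version": "2.0.0"},
    ],
})

# Assumed: an OEM-maintained registry of where each supplier develops its
# software. Names and countries are hypothetical.
SUPPLIER_COUNTRY = {
    "Example Domestic Telematics Inc.": "US",
    "Shenzhen Example IoT Co.": "CN",
    "OpenExample Foundation": "DE",
}
# Illustrative policy input (ISO 3166-1 alpha-2 codes), not the rule's own list.
COUNTRIES_OF_CONCERN = {"CN", "RU"}


def _walk(components, parent_path):
    """Yield (path, component) for every component, recursing into nested ones
    so a blocked library hidden inside a cleared deliverable is still found."""
    for comp in components:
        ident = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        path = f"{parent_path} > {ident}" if parent_path else ident
        yield path, comp
        yield from _walk(comp.get("components", []), path)


def screen_sbom(sbom_json, supplier_country, countries_of_concern):
    """Sort every component into 'blocked', 'unknown' or 'cleared'.

    'unknown' covers both a missing supplier and a supplier absent from the
    registry; either way provenance cannot be shown, so it must be resolved
    before the software can be attested as compliant.
    """
    bom = json.loads(sbom_json)
    report = {"blocked": [], "unknown": [], "cleared": []}
    for path, comp in _walk(bom.get("components", []), ""):
        supplier = (comp.get("supplier") or {}).get("name")
        country = supplier_country.get(supplier) if supplier else None
        entry = {"path": path, "supplier": supplier, "country": country}
        if country is None:
            report["unknown"].append(entry)
        elif country in countries_of_concern:
            report["blocked"].append(entry)
        else:
            report["cleared"].append(entry)
    return report


def main():
    report = screen_sbom(SAMPLE_SBOM, SUPPLIER_COUNTRY, COUNTRIES_OF_CONCERN)
    for bucket in ("blocked", "unknown", "cleared"):
        for e in report[bucket]:
            print(f"{bucket:8} {e['path']}  supplier={e['supplier']}  country={e['country']}")


if __name__ == "__main__":
    main()
```

Run stand-alone, the script reports the nested mqtt-client as blocked even though its parent telematics-stack clears, and lists map-tile-renderer as unknown rather than silently passing it; that second case is the traceability problem the quote refers to, and a real pipeline would fail the build on any non-empty unknown list.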


Next Steps

As vehicle manufacturers in the U.S., China, and around the world react to the proposed ban, adapting their technologies and vehicle line-ups to suit its requirements, OEMs and consumers alike will become more aware of the potential cybersecurity risks posed by the use or integration of automotive hardware and software produced in China.

 

While we have outlined the scope and background of the DoC’s proposal to ban connected vehicles and technologies produced in China, the cybersecurity threat that motivated it is just one of many affecting vehicles globally and encouraging OEMs, suppliers, governments, and more to take action. These threats are routinely identified and assessed by our cybersecurity experts as part of our Cyber Intelligence Guide, which more broadly breaks down hundreds of recent vehicle, backend, and smartphone app attacks affecting some of the newest vehicles on the market.

 

Designed to analyze and raise awareness of the diverse threats and vulnerabilities to vehicle cybersecurity, the Cyber Intelligence Guide offers deep insights into the recommended defense and mitigation countermeasures against them, while highlighting the significance of incident response analysis to automotive cybersecurity. Within the guide, our experts correlate new cybersecurity threats with the list of vulnerabilities provided by UNECE R155 and help system developers and executives gain insight into how risk management should be applied across their organization and throughout their supply chain.


Want to learn more about the cybersecurity attacks affecting vehicles? Then be sure to secure your copy of our newly updated Cyber Intelligence Guide today!

