The US Department of Commerce has said that, out of concern for national security, the US will prohibit the use of software developed in Russia and China in automobiles.
Following months of previewing by the Bureau of Industry and Security under the Commerce Department, the final rule was published on Tuesday morning in the federal register.
The Bureau of Industry and Security determined during regulation that specific technologies emanating from Russia or China pose an intolerable and unreasonable threat to U.S. national security.
“Cars today aren’t just steel on wheels – they’re computers,” said Gina Raimondo, departing secretary of commerce, in a news release on Tuesday. Their devices include internet-connected cameras, microphones, GPS trackers, and more. The Commerce Department has taken a vital step toward protecting American privacy and national security with this rule, which will prevent foreign enemies from abusing these technologies to get access to sensitive data.
Model 2030 automobiles will be subject to the hardware prohibitions, whilst Model 2027 cars will be subject to the software limitations.
The department has stated that individuals with a sufficient connection to the PRC or Russia pose an unacceptable and undue threat to national security when they design, develop, manufacture, or supply hardware and software integrated into the Vehicle Connectivity System (VCS) and the Automated Driving System (ADS). This final rule only applies to passenger vehicles.
A second rule pertaining to commercial vehicles will soon be issued, according to the agency.
These proposals were based on national security considerations, according to a senior administration official who told reporters on a conference call that the car sector broadly agreed with them.
“Malicious access to these critical supply chains could allow our foreign adversaries to extract sensitive data, including personal information about vehicle drivers or owners, and remotely manipulate vehicles,” as stated in a Commerce Department press release.
The law also forbids U.S.-made connected vehicles using VCS or ADS software from being sold in the country by manufacturers with a strong enough connection to the PRC or Russia.
The risks posed by Chinese and Russian software, according to another senior administration source, go beyond the vehicle. China may have a simple method to get user data if mobile phones are linked to this software.
“Recent malicious cyber activity, particularly activity that they do that was volt typhoon has really heightened the urgency of preempting even more risk to our critical infrastructure, and we’ve seen not just volt typhoon, but really mounting evidence of the PRC pre-positioning malware in our critical infrastructure, solely for the purpose of sabotage and disruption,” an official in the administration said. The risk of sabotage truly grows dramatically with the probable introduction of millions of linked vehicles onto the road, each having a lifespan of 10–15 years. Second, and relatedly, there is the data security risk, which arises from the vast amounts of personally identifiable information (PII) acquired by these cars in real time, including geolocation data, audio and video recordings, and other live data.
