Commerce Dept. to look at privacy, cyber risks from Chinese-sourced connected vehicle equipment

The investigation looks to discover national security concerns before connected vehicles flood the U.S. market.

The Department of Commerce is investigating the potential national security risks of connected vehicles and associated technologies that are sourced from China or other U.S. adversaries — before they become ubiquitous in the U.S.

The move does not include any bans on those products from specific countries or organizations, but the investigation could lead to halting transactions of such equipment from China or any associated companies. The Commerce Department’s Bureau of Industry and Security will issue an advanced notice of public rulemaking on Thursday that seeks public comments as the agency considers implementation.

The concern centers around the rapid increase of technologies in vehicles that come with software that harvests massive amounts of data and can control nearly every aspect of the vehicle, such as brakes or even power. While China does not have a large market in the U.S., the country is flooding foreign markets and there are concerns that those vehicles may soon become widespread in the U.S., Biden administration officials said during a media briefing Wednesday.

“Most cars these days are ‘connected’ — they are like smart phones on wheels. These cars are connected to our phones, to navigation systems, to critical infrastructure, and to the companies that made them. Connected vehicles from China could collect sensitive data about our citizens and our infrastructure and send this data back to the People’s Republic of China. These vehicles could be remotely accessed or disabled,” President Joe Biden said in a statement ahead of the release. “So today, I am announcing unprecedented actions to ensure that cars on U.S. roads from countries of concern like China do not undermine our national security.”


One of the concerns is that modern vehicles, which are more properly described as computers on wheels than as the automobiles of 20 years ago, vacuum up reams of data that should be private information. The notice comes a day after Biden signed an executive order that directs the Justice Department to bar companies and individuals from selling certain types of large datasets — such as personal health, biometric, and geolocation data, among others — to countries of concern. A senior administration official said that Thursday’s announcement is complementary to but distinct from that executive order.

The Commerce investigation leverages authorities granted by President Donald Trump through an executive order aimed at restricting companies from using telecommunication manufacturers that are considered aligned with foreign adversaries, which came amid widespread concern regarding the China-based company Huawei. The commerce secretary has identified countries beyond China as foreign adversaries — dubbed 15 CFR 7.4 entities — including Hong Kong, Cuba, Iran, North Korea, Russia, and Venezuela President Nicolás Maduro.

However, Beijing remains the main concern and cybersecurity is another key aspect to the investigation, officials said, noting that China’s broad authority over companies within the country could be used to gather data or carry out cyberattacks.

“Imagine if there were thousands or hundreds of thousands of Chinese-connected vehicles on American roads that could be immediately and simultaneously disabled by somebody in Beijing. So it’s scary to contemplate the cyber risks, espionage risks that these cause,” Commerce Secretary Gina Raimondo said.

The potential for scaled attacks using vulnerabilities in the software of vehicles has been demonstrated by multiple security researchers over the years. Last year, security researchers found around 20 vulnerabilities within the application programming interfaces, or APIs, that could have given hackers access to some 15.5 million automobiles. A litany of third-party software on vehicles is being used to connect and interconnect apps, infotainment systems, and motion systems, among many other applications for consumers.


Beyond consumer-grade automobiles, software that controls fleets of vehicles has been found with vulnerabilities that could allow hackers to manipulate airbags, see a live feed inside the car, and, of course, turn off the vehicle at a massive scale, all at the same time. Researchers found one such company that had few cybersecurity protections, which allowed for such attacks, and the ethical hackers were so concerned about the vulnerability that they did not name the company for months out of fear of malicious and potentially life-threatening attacks. The company refused to acknowledge the vulnerability, which the researchers said is an issue that is not uncommon.

While the Commerce investigation will look into the potential threats of connected vehicles from Chinese companies, the move will not probe existing technologies within the U.S. that may have vulnerabilities that could be exploited by China or another threat group. 

The call for comments seeks to explore exactly how to define connected cars, what equipment is vital for operations, relationships between manufacturers and suppliers, potential risks, potential mitigations, and existing bug bounties, among many other issues that run the gamut of connected vehicles.
