To Drive National Security, Secure Supply Chains and Personal Data

Today, the U.S. Commerce Department proposed rules aimed at future-proofing the supply chain for the next generation of automobiles from national security threats by significantly restricting the use of Chinese and Russian software and hardware in connected vehicles sold in the United States. Connected vehicles use computer systems to assist drivers; for example, by communicating with other vehicles to avoid collisions or sensing its surroundings to allow a vehicle to drive autonomously. The new notice of proposed rule-making (NPRM) focuses on two key elements in connected vehicles: vehicle connectivity systems (VCS), the software and hardware—such as Bluetooth and Wi-Fi—that allow cars to connect to cellular and other external networks, and automated driving systems (ADS), the software that allows cars to navigate without a driver. Under the NPRM, the Commerce Department would tightly restrict the use of hardware or software that has a “sufficient nexus” to China and Russia and would prohibit the domestic sale of connected vehicles manufactured in those countries.

Without the new restrictions, U.S. officials worry that connected vehicle–technology could provide a treasure trove of data to Chinese and Russian parties. Data collected on vehicle computer systems could jeopardize individual drivers and passengers, while also sharing geographic details about critical U.S. infrastructure. In a worst-case scenario, Secretary of Commerce Gina Raimondo said that an adversary could “shut down or take control of all their vehicles operating in the United States, all at the same time.”

While the new rules could disrupt supply chains for the auto industry, they have been crafted with phase-in timelines to facilitate that transformation, as well as support for advisory opinions that would clarify implementation and compliance requirements, and a carve out to protect vehicle prototyping by entrepreneurs. The rules differentiate between hardware supply chains and software supply chains, recognizing that hardware supply chains often take longer to adjust. The NPRM provides car manufacturers a longer time horizon to phase out Chinese and Russian hardware, with prohibitions on hardware going into effect on January 1, 2029 (or Model Year 2030), while prohibitions on software will take effect for Model Year 2027. The proposed approach to securing software supply chains is especially noteworthy; it will require some software suppliers to develop and disclose a software bill of materials (SBOM), a machine-readable inventory of a given piece of software’s components, dependencies, and interrelationships between its components.

Broadly, the order appears to reflect lessons learned from the U.S. government’s efforts to “rip and replace” Huawei equipment from telecommunications networks, which began in 2019. That effort started after Chinese-owned Huawei equipment was already in widespread use in the United States, and cost the U.S. government billions of dollars in reimbursement and direct replacement costs, with billions more earmarked for future efforts.

The announcement comes at a moment when increasing U.S. restrictions on Chinese products—including the forced TikTok divestiture, 25 percent tariffs on Chinese-produced connected vehicles, and 100 percent tariffs on Chinese electric vehicles (EVs)—have raised concerns that national security claims are being used as a pretext to defend domestic markets and producers. (Chinese auto manufacturers, powered by enormous state subsidies, have rapidly expanded their footprint worldwide over the past two years, with Chinese EV exports increasing 1,016 percent between 2018 and 2023 globally). This NPRM has been crafted with a degree of specificity that clearly targets critical supply chain vulnerabilities: restrictions target hardware that supports connectivity, for example, but not the plastic body of the car. Moreover, the order seeks to mitigate supply chain threats before they have scaled so exponentially that it would be near impossible to address them.

These new restrictions are undoubtedly a step in the right direction for U.S. supply chain security and national security interests. Yet they also illuminate continued, structural gaps in the toolkit the U.S. government can use to ensure data security. Connected vehicles pose more than threats of espionage and disruption. Addressing data policy risks with tools meant for economic tradecraft or cybersecurity will always be an imperfect solution to the problem. Those risks are well documented, as leading automakers including General Motors, Honda, and Hyundai, have repeatedly sold vast arrays of data, including acceleration and braking data, to third-party data brokers. Restrictions on the types of software and hardware in cars will close a backdoor for data access, but the front door remains wide open so long as Americans’ personal data is available to any actor or government willing to write a check. This NPRM is the perfect encapsulation of how agencies are forced to use imperfect tools to address clear, expansive risks. The longer the United States goes without stronger personal data privacy protections, the longer a critical piece of U.S. national security remains unattended.