Concerns Over Supply Chain Vulnerabilities Heightened by National Security and Cyber Threats
The United States federal government has issued a directive to the automotive sector, urging it to stop procuring Chinese-produced hardware and software used in telematics and autonomous driving systems. The measure responds to identified risks of nation-state hacking and espionage that pose significant threats to national security.
The impending regulations, detailed in an export control rule scheduled for announcement in the Federal Register, will enforce a ban on the importation of software driving these systems beginning in 2027. Additionally, restrictions on Chinese hardware integral to vehicle connectivity will be enacted by 2030, with sales of affected Chinese-manufactured vehicles also halted in 2027.
The impact of China, the leading global auto exporter, on the U.S. automotive market has diminished significantly, particularly following the Trump administration’s imposition of a 27.5% import tariff, which the Biden administration subsequently increased to 100% on Chinese electric vehicles. However, China remains a crucial supplier in the automotive parts landscape, ranking among the top three sources for U.S. manufacturers.
The Alliance for Automotive Innovation, representing major automakers such as GM, Toyota, and Volkswagen, had sought at least an additional year before these restrictions were put into effect but was unsuccessful. The new regulations exempt vehicles over 10,000 pounds, including commercial vehicles such as buses, which will be addressed in forthcoming regulations. The rules also extend to Russian-manufactured autos and parts.
Commerce Secretary Gina Raimondo emphasized that vehicles are now sophisticated interconnected devices rather than mere metal constructs, equipped with technologies that could be exploited for malicious purposes. This regulatory approach aims to eliminate Chinese and Russian technologies from U.S. roads and fortify the security of American connected vehicle supply chains.
Recent reports from cybersecurity researchers have amplified concerns about vulnerabilities inherent in modern vehicles, which can be compromised through advanced tactics such as fault injection to install malware. Such methods could enable attackers to manipulate on-board connectivity systems that facilitate communication of critical vehicle data, presenting severe risks not only to consumers but also to national interests.
Regulators are particularly concerned about the potential exploitation of automated driving systems, where adversarial manipulation could facilitate unauthorized data access or system failures. The concern is compounded by the lack of transparency in how the machine learning systems governing these technologies are trained and configured, which raises the possibility of manipulated outcomes detrimental to safety and security.
In the broader context, access to automotive technologies allows malicious entities to glean sensitive data regarding military and emergency response capabilities, potentially undermining national security interests. As the new regulatory framework develops, the implications for relationships with foreign suppliers, particularly in relation to unmanned aerial vehicles, remain to be formalized under future policy decisions.