The Commerce Department on Tuesday announced a new rule barring certain Chinese and Russian connected car technology from being imported to the United States.
Software and hardware built into Vehicle Connectivity Systems (VCS) — such as telematics control units and cellular, satellite and Wi-fi functions — which are manufactured in China and Russia will be banned, along with any connected cars containing them.
Separately Russian and Chinese Automated Driving System (ADS) software — which self-driving vehicles rely on to run without a driver — will be prohibited under the new rules.
The rules only applies to passenger vehicles due to supply chain challenges, but the Commerce Department said in a press release that it recognizes the “acute national security threat” foreign adversaries pose to commercial vehicles and signaled that it soon plans to separately issue a rule addressing vulnerabilities in trucks, buses and other such vehicles.
Hardware and software with a “sufficient nexus” to China and Russia fall under the rule. That standard also applies to cars made in the United States containing Chinese and Russian technologies.
The rule will not take effect until January 2026 for software products and January 2029 for hardware. Sales of connected cars with VCS and ADS systems tied to China and Russia — even if manufactured domestically — will be banned as of January 2026.
Importers and manufacturers will be required to give the Commerce Department’s Bureau of Industry and Security an annual declaration pledging that they are complying with the new rules.
When Commerce proposed the rule in September it said the regulation was meant to address the threat posed by China and Russia hacking into connected cars and taking individual’s personal information as well as granular details about U.S. critical infrastructure. Officials said at the time that if adversarial governments manufacturing VCS and ADS systems wanted to, they could even remotely control cars as they drive in American neighborhoods.
“Cars today aren’t just steel on wheels – they’re computers,” Commerce Secretary Gina Raimondo said in a statement. “They have cameras, microphones, GPS tracking, and other technologies that are connected to the internet.”
“Through this rule, the Commerce Department is taking a necessary step to safeguard U.S. national security and protect Americans’ privacy by keeping foreign adversaries from manipulating these technologies to access sensitive or personal information,” Raimondo said.
A White House announcement said the new rule will help the U.S. protect itself from Chinese cyber espionage and intrusion operations.
The announcement noted that Chinese state-sponsored cyber actors such as Volt Typhoon have already shown the Chinese government is “pre-positioning on – and potentially launching disruptive cyberattacks targeting – U.S. critical infrastructure.” Russia poses a similar threat, the announcement said.
“The American transportation system is vital to facilitating commerce, essential services, and daily life,” the announcement said. “This rule ensures that our critical infrastructure is not exposed to the risk of foreign adversary-controlled supply chains that could provide bad actors with the means to disrupt U.S. critical infrastructure.”
Chinese and Russian government access to connected vehicle data could also allow them to gather sensitive information tracking individuals, including geolocation data, audio and video recordings and “pattern-of-life” analysis, the White House said.
The Alliance for Automotive Innovation, the country’s largest lobbying organization for automakers, released a statement supporting the rule and noting that it worked closely with the Commerce Department to shape it.
“The auto industry communicated our support for a final rule that addresses the unacceptable risks associated with information and communications technology and services designed, developed, manufactured or supplied by foreign adversaries like China and Russia,” John Bozzella, president and CEO of the organization, said in a statement.
The Commerce Department set a reasonable time frame for automakers to adhere to the rule, Bozella said.
“Changing the world’s most complex supply chain can’t happen overnight,” the statement said. “In this respect the final rule strikes a good balance.”
Recorded Future
Intelligence Cloud.
No previous article
No new articles
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.
