Biden’s Proposal to Ban Chinese and Russian Software in Connected Vehicles: What it Means for the Automotive and Mobility Industries

The Biden administration recently announced a proposal aimed at banning Chinese and Russian-developed software in connected vehicles sold in the U.S. This move, announced as part of the broader national security strategy, is intended “to secure the American people, including our children, from potential surveillance the U.S.”, as outlined by US Commerce Secretary Gina Raimondo on September 22.

Here’s what we know so far – a detailed breakdown of the proposal, its implications, and how car makers should prepare for this (potentially) new rule.

What Was Just Announced and the Timeline

On September 23, 2024, National Economic Advisor Lael Brainard revealed, during a speech at the Detroit Economic Club in Michigan, the Administration’s intent to limit the use of Chinese and Russian software in the American automotive sector. The proposal stems from concerns over safety and security risks in connected cars and is meant to ensure that US supply chains are resilient against foreign software threats that could potentially be used for espionage, data breaches, or malicious attacks on U.S. infrastructure.

According to the NYTimes, the proposed rule (pdf) could go into effect before President Biden leaves office in January 2025, leaving car makers with roughly a year to reconfigure their supply chains, software partnerships, and cybersecurity practices to comply with the new law.

A subset of the above rule would ban the sale of vehicles with automated driving (ADAS) components and systems from China or Russia. This proposed rule is farther down the line – 2029-2030 – banning self-driving (autonomous) tech made in Russia or China from being used on US roads, even if the vehicles are made in the US.

BYD Seal U vehicle. Source: BBC

Operational and Financial Implications for Car Makers

If the proposed ban is approved and becomes law, car makers will face significant operational and financial challenges. We’ve outlined four areas of concern:

  1. Supply Chain Disruption: Many car makers source software components from Chinese companies due to cost efficiencies or specialized capabilities, such as advanced driver assistance systems (ADAS) and autonomous driving features. The proposal will force manufacturers to sever ties with these suppliers and seek alternatives, potentially disrupting production lines and causing delays in vehicle rollouts.
  2. Cost of Compliance: Car makers will need to invest in alternative software providers or develop more software in-house. This shift will lead to increased R&D expenses, software recertification, and integration costs. The financial burden could be substantial.
  3. Innovation Slowdown: Chinese companies have been pioneers in developing advanced technologies like battery tech, electrification, autonomous driving, and more. Car makers that rely on these technologies may experience a temporary innovation gap as they transition to new software providers or decide to develop more software in-house. And while car makers are no strangers to software development, scaling up that operation is very complex.
  4. Potential Retaliation: Banning Chinese and Russian software could lead to reciprocal trade restrictions from these countries, further straining US car makers with global operations. Tariffs or export bans on crucial materials or components could exacerbate supply chain challenges.

Cybersecurity Practices and Compliance: SBOM and Supply Chain Security

To comply with the proposed ban and mitigate the risks associated with foreign software, car makers will need to beef up their existing cybersecurity practices, including the generation of audit reports to prove they adhere to the regulation. Three key areas of focus in our opinion are the Software Bill of Materials (SBOM), supply chain security management, and compliance audits.

  1. Software Bill of Materials (SBOM): SBOM is a detailed record of the software components and their origins that are used within a connected vehicle. The Biden administration has stressed the importance of SBOM in ensuring national security, especially as connected vehicles become more reliant on software for key functions like infotainment, electrification, and autonomous driving.
  2. Supply Chain Security Management: Car makers should reevaluate their software supply chain to ensure that no software from banned sources enters their systems via a 3rd or 4th party supplier. This requires thorough vetting of all 3rd party software providers and the implementation of a transparent software supply chain security scoring system for auditing your suppliers.
  3. Automated Compliance Audits: To maintain compliance, car makers must implement routine security audits, focusing on software vulnerabilities stemming from the wider ecosystem (EV charging stations, cloud providers, power grid, and more). Car makers should aim to automate their compliance management, to not only list the origin of their software packages and libraries but also to deploy a risk-driven approach towards product security.
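As an added illustration of the SBOM and supply chain points above (this is example code, not the platform's or any car maker's tooling): a small audit that walks a CycloneDX-style SBOM's dependency graph and reports components whose declared origin is in a restricted set, or whose origin is not declared at all, together with the 3rd/4th-party chain that pulled them in. The SBOM content is constructed, and the "origin-country" property name is an assumption, since CycloneDX has no standard field for country of origin.

```python
import json
from collections import deque
# Constructed CycloneDX-style SBOM fragment (not a real vehicle BOM). The
# "origin-country" property is a hypothetical convention, not a standard field.
SBOM_JSON = """{
  "components": [
    {"bom-ref": "ivi",   "name": "infotainment-stack", "version": "4.2.0",
     "properties": [{"name": "origin-country", "value": "US"}]},
    {"bom-ref": "maps",  "name": "map-renderer", "version": "2.1.3",
     "properties": [{"name": "origin-country", "value": "DE"}]},
    {"bom-ref": "tiles", "name": "tile-codec", "version": "0.9.1",
     "properties": [{"name": "origin-country", "value": "CN"}]},
    {"bom-ref": "log",   "name": "logging-lib", "version": "1.0.0"}
  ],
  "dependencies": [
    {"ref": "ivi",  "dependsOn": ["maps", "log"]},
    {"ref": "maps", "dependsOn": ["tiles"]}
  ]
}"""

RESTRICTED = {"CN", "RU"}  # jurisdictions named in the proposed rule

def origin_of(component):
    """Declared origin country, or None when the SBOM entry omits it."""
    for prop in component.get("properties", []):
        if prop.get("name") == "origin-country":
            return prop.get("value")
    return None

def audit_sbom(sbom_text, root_ref, restricted=RESTRICTED):
    """Breadth-first walk from root_ref; returns {bom-ref: (finding, path)} where
    path is the supplier chain. A missing origin is itself reported as a gap."""
    sbom = json.loads(sbom_text)
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    findings, seen = {}, set()
    queue = deque([(root_ref, [root_ref])])
    while queue:
        ref, path = queue.popleft()
        if ref in seen:  # guard against cyclic dependency declarations
            continue
        seen.add(ref)
        country = origin_of(comps.get(ref, {}))  # unknown ref => no origin
        if country is None:
            findings[ref] = ("undeclared-origin", path)
        elif country in restricted:
            findings[ref] = ("restricted-origin", path)
        for child in edges.get(ref, []):
            queue.append((child, path + [child]))
    return findings
```

Running `audit_sbom(SBOM_JSON, "ivi")` flags the 4th-party `tile-codec` through the `ivi -> maps -> tiles` chain and the `logging-lib` entry with no declared origin, which is the kind of gap an automated audit should surface before a regulator does.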

Schedule an exclusive demo to see firsthand our leading product security platform in action.

FAQs

1. Why is the US banning Chinese and Russian software?
The US is concerned that software from these countries could be used for cyber espionage or malicious attacks on critical infrastructure, including connected vehicles. The ban aims to enhance national security by mitigating these risks.

2. How will the ban affect car makers?
Car makers will need to overhaul their supply chains, find new software partners, and ensure all software components comply with US regulations. This will likely lead to increased costs and potential delays in vehicle production.

3. What is SBOM, and why is it important?
SBOM is a detailed inventory of all software components used in a vehicle. It helps ensure that automakers can trace the origins of their software and avoid using code from banned sources, thereby complying with national security regulations.

4. What happens if a car maker doesn’t comply?
Non-compliance could result in fines, vehicle recalls, and reputational damage. Car makers must also perform regular audits and ensure strict cybersecurity practices.