Concerns about Chinese Technology Spur Administration Action in Latest Biden Executive Order on Connected Vehicle Security
President Joe Biden issued an Executive Order (EO) today on “Securing the Information and Communications Technology and Services Supply Chain” to address “the national security risks posed by connected vehicles from countries of concern, including the People’s Republic of China.” The administration’s motive behind this is simple: keep foreign adversaries out of American data, especially sensitive information that can be used toward nefarious ends. In the context of China, specifically, it’s widely understood that data, in all its various forms and content, serves a strategic purpose in the country’s ambitions to retain power domestically, project power abroad, and plan for national security and military scenarios.
Under the EO, the Department of Commerce will investigate national security risks posed by connected vehicles from countries of concern (primarily China). It is also the first time its Bureau of Industry and Security will take action on “protecting domestic information and communications technology and services supply chains from national security threats.” While the EO itself does not grant statutory authority for the Department of Commerce to bar Chinese companies from conducting business in the United States, it is intended to send a signal to Congress to consider granting additional authorities in this context. Already under consideration is the bipartisan RESTRICT Act, which would allow the Department of Commerce to “identify, deter, disrupt, prevent, prohibit, investigate, and mitigate transactions” involving information and communications technology products and services between foreign adversaries and U.S. persons.
As vehicles are increasingly manufactured with advanced technology that may pose risks related to security and privacy, ensuring adequate cybersecurity and data protection measures for our connected vehicle ecosystem is crucial to protect against potential threats in our car-centric society. Even absent a comprehensive data privacy and security law that protects Americans and their sensitive data, consumers should especially be aware of how their data may end up in the wrong hands.
This move by the administration recognizes the reality that Chinese car manufacturers are in a position to expand their presence and dominance globally, including in the U.S. automobile market (despite steep tariffs imposed on the import of Chinese cars). Chinese companies (as well as companies operating in China) are subject to Chinese government jurisdiction, where they may be compelled to provide sensitive data to the government.
In an increasingly digitized and online world, this also means that there are ramifications for digital data and the transmission of data that have national security and privacy considerations. Sensitive driver biometric data, vehicle data, navigation data, and critical infrastructure data are at risk of being transferred to our phones, car manufacturer companies, and third-party vendors associated with various car features, such as electric vehicle charging stations. Similarly, connected vehicles also increasingly use software and hardware that may expose the vehicles to cyber-enabled attack vectors and vulnerabilities. The elements of connected vehicle supply chains, from end-users to manufacturers to third-party providers to critical infrastructure that supports vehicles, create ample opportunities for companies and organizations that have malicious intent to extract sensitive data or create and exploit vulnerabilities associated with connected vehicles.
While this EO, and the companion Department of Commerce Advance Notice of Proposed Rulemaking, do not indicate current intent to take regulatory action, they do emphasize the importance of addressing these vulnerabilities to safeguard national interests. Implementing robust security protocols and fostering collaboration among stakeholders are essential steps in mitigating the national security risks associated with connected vehicles.
Collaborative efforts to establish clear standards and guidelines for vehicle manufacturers and suppliers will be crucial in reducing vulnerabilities and enhancing the resilience of connected vehicles. By fostering a culture of information sharing and best practices, we hope to see improved security measures and controls that mitigate connected vehicles as a vector for potential threats.
This analysis was written before the full EO was released.