U.S. Cybersecurity Crackdown: New Regulations Reshape Smart Vehicle Supply Chains

Smart vehicle manufacturers are grappling with supply chain disruptions as the U.S. Department of Commerce prepares to enforce new regulations banning the import of connected-vehicle technology from China and Russia due to cybersecurity concerns.

The regulations stem from President Biden's declaration of a national emergency, citing overreliance on Chinese information and communications technology and services (ICTS). The rule requires companies and their suppliers to eliminate any hardware or software sourced from China or Russia in vehicle connectivity systems (VCS) or automated driving systems (ADS).

The goal is to address two major risks: the potential for backdoors in automotive hardware or software that could be exploited by nation-states or cybercriminals, and the possibility of data collection on U.S. drivers via diagnostic features and other tools, explains Yoav Levy, CEO and co-founder of automotive cybersecurity firm Upstream.

“The threat is very real,” Levy notes. “There have been numerous instances of cars being hacked, including their safety systems, as well as cases of data theft or leaks. However, we haven’t yet seen these issues manifest on a large scale.”

Growing Cybersecurity Concerns in the Automotive Market

The rise of software-defined vehicles (SDVs) is transforming the automotive industry, but it also increases the potential for cyberattacks. Historically, automakers used different platforms for various models, resulting in a rapid increase in processors—commonly known as electronic control units (ECUs). While the post-pandemic chip shortage slowed the transition to new platforms, manufacturers are now focused on minimizing the number of ECUs in VCS and ADS systems. For example, Rivian reduced the number of ECUs in its second-generation R1 vehicles from over 100 to just seven.

A New Wave of Cyber-Ban Policies

Aside from Rivian, many vehicles rely on components sourced from China, raising concerns about vulnerabilities tied to foreign-made technology. Ivan Novikov, CEO of API security firm Wallarm, likens this new ban to previous U.S. actions against Chinese technology, including restrictions on Huawei telecommunications equipment, TP-Link home routers, and the social media app TikTok.

“This is the next logical step,” Novikov explains.

The new regulations will prohibit any transactions involving VCS hardware or software linked to entities in China or Russia, as outlined in a 213-page final rule set to take effect after a public comment period. However, there are still uncertainties about how the rules will be implemented.

“It’s unclear who will enforce these regulations,” Novikov says. “Typically, the Department of Transportation oversees safety and security standards, so how it will collaborate with the Commerce Department remains to be seen.”

Supply Chain Challenges and Economic Impact

Experts predict significant impacts on the supply chain. According to Alex Oyler, North America director at automotive consultancy SBD Automotive, while large original equipment manufacturers (OEMs) may not rely heavily on Chinese technology, their suppliers often do.

This shift is part of a broader trend as automakers move toward software-defined vehicles, prompting changes in their relationships with suppliers. Oyler notes that automakers are increasingly specifying component architecture in detail, dictating requirements for processors, memory, and GPUs rather than just functional capabilities.

The transition to alternative supply sources will take years. The Biden administration has granted a grace period, requiring carmakers to phase out software sourced from China and Russia by the 2027 model year and hardware by 2030.

Adapting to these changes won’t be easy, says Levy. “Replacing a supplier is complex,” he explains. “It can involve financial implications, higher costs, or adjustments to the software and architecture to accommodate new components. The difficulty depends on what exactly needs to be replaced.”