The Auto Tech War: U.S. Ban on China and Russia Leaves Industry Scrambling

Over the past decade, the United States has quietly taken measures to regulate data flows to foreign adversaries such as China and Russia, and to restrict the use of information and communications technology (ICT) from those countries in connected devices.

The rationale behind these measures is to safeguard national security. Access to data and control over connected technology (e.g., IoT devices) gives adversaries the means to conduct cyber espionage and potentially attack critical infrastructure. In recent years there have been numerous discoveries of imported hardware and software containing hidden "backdoors" used to surreptitiously collect data and monitor activity within the U.S.

The latest move in this geopolitical tech battle extends these ICT restrictions to the automotive industry. On January 14, 2025, the Department of Commerce (through its Bureau of Industry and Security) issued a final rule prohibiting the import and sale of connected vehicle software and hardware originating from China or Russia. The software prohibitions start with model year 2027 vehicles; the hardware prohibitions follow for model year 2030.

So what does this rule mean for OEMs selling in the U.S. market? At this point there are more questions than answers, but one thing is clear: OEMs need to start thinking right away about how they are going to comply with it.

Why Worry about Connected Vehicles?

According to regulators, vehicle connectivity systems and the software integrated into automated driving systems depend on continuous external communication (cellular, Wi-Fi, Bluetooth, satellite) and are therefore exposed to remote access and manipulation. This presents "an undue and unacceptable risk to national security when designed, developed, manufactured, or supplied by persons" from either China or Russia.

For example, many vehicles today are equipped with multiple cameras. As you drive, the vehicle records video of its surroundings and, in essence, maps the city in real time. Transferring this information to, say, a Chinese cloud would give the Chinese government access to all of it, effectively turning your car into a surveillance tool. Moreover, software-defined vehicles collect sensitive data, including personal information about drivers and owners, which a foreign adversary could access maliciously.

In addition to these risks, today's autonomous driving and ADAS systems are potentially vulnerable to cyber attacks that could allow hackers to remotely manipulate vehicles. Imagine the consequences of an attack by a foreign adversary that takes control of large vehicle fleets for nefarious purposes.

What Does the Rule Cover?

Let's dive into the details. The new ban focuses on Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS) in passenger vehicles. It prohibits the import and sale of VCS hardware and covered software linked to China or Russia, and of complete connected vehicles that incorporate such components.

In terms of software, the rule covers everything from the operating system and middleware to application software and backend systems. Firmware is exempt, as is open source software, unless it has been modified for proprietary purposes and not redistributed. The software-related bans take effect for model year 2027 vehicles, while the hardware bans take effect for model year 2030 vehicles.

OEMs will be required to submit annual Declarations of Conformity certifying compliance with the rule. These declarations require detailed information about the VCS hardware and covered software in the vehicle, including due diligence documentation.

Huge Repercussions for OEMs Across the Entire Automotive Supply Chain

So who’s affected by this directive? 

Any Chinese or Russian citizen or resident who is not a U.S. citizen or permanent resident is covered by the rule. In other words, a freelance Russian software engineer in Cyprus writing code for a third-party vehicle supplier could be a problem.

At the company level, things get even more complicated. Any entity that can be directly or indirectly influenced by China or Russia—through ownership, jurisdiction, shareholder structure, or board seats—is affected. Volvo Cars, for example, is owned by a Chinese holding company. Will it need to rethink its ownership structure or market focus to comply with this rule in 2027? 

Given that many OEMs integrate software components from more than 100 vendors, these questions have major commercial implications for both OEMs and their suppliers.

The Proof Is in the Pudding

Now we arrive at the crux of the problem. As mentioned above, the OEM must submit a declaration of conformity stating that the vehicle contains no VCS hardware or covered software linked to China or Russia, and it must provide evidence supporting that declaration. So how do you prove conformity?

The difficult part is identifying the relevant components within the vehicle architecture. A typical vehicle has over 50 ECUs, and each ECU may contain dozens of software libraries from a large number of suppliers. Because of the complexity of the automotive supply chain, OEMs and Tier 1 suppliers are not always aware of the software composition of the components they receive from their sub-tier suppliers.

In many cases, the culprit is going to be buried deep in the supply chain. Just as with vulnerability scanning (required for vulnerability management under UN R155), OEMs are going to need tooling that can identify software developed by foreign adversaries across the full dependency tree. Once a problematic component is identified and reported, the OEM can turn to the supplier and request either an updated version without that software or a complete replacement.

To illustrate the complexity, consider a software company that uses Chinese subcontractors to develop code that is integrated into the middleware stack. How does the vehicle manufacturer drill down into the middleware layer and identify the hardware and software pieces that are an integral part of the vehicle architecture, so that it can mitigate the risk?
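One way to start answering that question at the SBOM level is shown below. This is an added example, not code from this article or from any PlaxidityX product. It assumes the Tier 1 delivers a CycloneDX JSON SBOM with supplier metadata and a dependency graph, walks that graph from the ECU down to each library, and flags components whose supplier name or URL matches a watch list. The SBOM, the supplier names, the watch list and the `x-modified-for-proprietary-use` property (used to model the open source carve-out) are all constructed for illustration; a real watch list would come from ownership and jurisdiction due diligence, not from string matching.

```python
import json
from collections import deque

# Constructed sample: a CycloneDX 1.5 JSON SBOM for a telematics ECU.
# Every supplier and component name here is hypothetical.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "ecu-tcu", "type": "device",
                               "name": "telematics-control-unit"}},
    "components": [
        {"bom-ref": "mw-1", "type": "library", "name": "vehicle-middleware",
         "version": "4.2.0", "supplier": {"name": "Example Middleware GmbH"}},
        {"bom-ref": "lib-1", "type": "library", "name": "can-stack", "version": "1.9.3",
         "supplier": {"name": "Hypothetical Automotive Software Co., Ltd.",
                      "url": ["https://example.cn"]}},
        {"bom-ref": "oss-1", "type": "library", "name": "openssl", "version": "3.0.13",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "purl": "pkg:github/openssl/openssl@openssl-3.0.13"},
        {"bom-ref": "oss-2", "type": "library", "name": "navlib", "version": "2.1.0",
         "licenses": [{"license": {"id": "MIT"}}],
         "supplier": {"name": "Hypothetical Automotive Software Co., Ltd."},
         "properties": [{"name": "x-modified-for-proprietary-use", "value": "true"}]},
        {"bom-ref": "oss-3", "type": "library", "name": "tinycbor", "version": "0.6.0",
         "licenses": [{"license": {"id": "MIT"}}],
         "supplier": {"name": "Hypothetical Automotive Software Co., Ltd."}},
        {"bom-ref": "hmi-1", "type": "library", "name": "hmi-skin", "version": "0.3"},
    ],
    "dependencies": [
        {"ref": "ecu-tcu", "dependsOn": ["mw-1"]},
        {"ref": "mw-1", "dependsOn": ["lib-1", "oss-1", "oss-2", "oss-3", "hmi-1"]},
    ],
})

# Constructed watch list (normalized names and country-code TLDs), plus the
# hypothetical SBOM property an SBOM producer would set on modified OSS.
WATCHLIST_SUPPLIERS = {"hypothetical automotive software co., ltd."}
WATCHLIST_TLDS = {".cn", ".ru"}
MODIFIED_PROPERTY = "x-modified-for-proprietary-use"


def _norm(name):
    return " ".join(name.lower().split())


def _supplier_hits(component, watch_suppliers, watch_tlds):
    """Reasons why a component's supplier metadata matches the watch list."""
    reasons = []
    supplier = component.get("supplier") or {}
    if _norm(supplier.get("name", "")) in watch_suppliers:
        reasons.append(f"supplier '{supplier['name']}' is on the watch list")
    for url in supplier.get("url", []):
        host = url.split("//", 1)[-1].split("/", 1)[0].lower()
        reasons.extend(f"supplier URL {url} is under a {tld} domain"
                       for tld in watch_tlds if host.endswith(tld))
    return reasons


def _is_exempt_open_source(component):
    """Open source carve-out as modelled here: a component with a declared
    license is exempt unless the producer marked it modified for proprietary use."""
    if not component.get("licenses"):
        return False
    return not any(p.get("name") == MODIFIED_PROPERTY and p.get("value") == "true"
                   for p in component.get("properties", []))


def _dependency_paths(sbom):
    """Map each bom-ref to its path from the root product (BFS over the graph),
    so a finding can be traced to the deliverable that pulled it in."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, queue = {root: [root]}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths


def screen_sbom(sbom_json, watch_suppliers, watch_tlds):
    """Return findings: prohibited, exempt-open-source, or unattributed components.
    Missing attribution is itself a finding: it cannot support a declaration."""
    sbom = json.loads(sbom_json)
    paths = _dependency_paths(sbom)
    findings = []
    for comp in sbom.get("components", []):
        reasons = _supplier_hits(comp, watch_suppliers, watch_tlds)
        if not comp.get("supplier") and not comp.get("purl"):
            status = "unattributed"
        elif reasons and _is_exempt_open_source(comp):
            status = "exempt-open-source"
        elif reasons:
            status = "prohibited"
        else:
            continue
        ref = comp["bom-ref"]
        findings.append({"ref": ref, "name": comp["name"], "version": comp.get("version"),
                         "status": status, "reasons": reasons,
                         "path": " -> ".join(paths.get(ref, [ref]))})
    return findings


if __name__ == "__main__":
    for f in screen_sbom(SAMPLE_SBOM, WATCHLIST_SUPPLIERS, WATCHLIST_TLDS):
        print(f"{f['status']:20} {f['path']}  "
              f"{'; '.join(f['reasons']) or '(no supplier attribution)'}")
```

On the sample, `can-stack` and the modified `navlib` come back as prohibited with the full path from the ECU through the middleware, unmodified `tinycbor` is reported as exempt open source, and `hmi-skin` is reported as unattributed because the SBOM carries neither a supplier nor a package URL for it. That last category matters in practice: a component with no provenance cannot be certified either way, so it has to go back to the supplier for attribution before the declaration can be signed.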

Compliance Challenges for OEMs

Working groups have already been formed to discuss and analyze the technical challenges that this rule presents across the automotive supply chain. At this initial stage, OEMs and suppliers are grappling with several high-level issues, including:

  • Very Broad Scope – OEMs don't yet have a detailed understanding of the government's expectations. The high-level objective has been defined, but the devil is in the details. MEMA, the leading trade association for vehicle suppliers in North America, has already raised concerns about the broad scope of the rule, particularly regarding Advanced Driver Assistance Systems (ADAS) and Battery Management Systems (BMS).

    What exactly must be prohibited in backend systems and telecom services, for example, requires further clarification. Perhaps most importantly, there is no clear view of the acceptance criteria for identifying the relevant hardware and software components.

  • Compliance Timeline – As noted, the software bans are scheduled to take effect for model year 2027 vehicles, with the hardware bans kicking in for model year 2030. This timeline is a major concern given the length of the automotive development and production cycle. OEMs and their partners have already started design and development work on their next-generation vehicles, including the procurement of hardware and software. If they have to walk away from these supply chain commitments, they are going to incur huge losses.

    In light of these issues, MEMA has already requested a two-year extension for suppliers to comply with the new requirements, citing the complexity of supply chains and the need for thorough due diligence.
  • Intellectual Property – Another challenge is protecting the intellectual property embodied in proprietary software. If companies are required to submit a Software Bill of Materials (SBOM) and a Hardware Bill of Materials (HBOM) to regulators, they need to be sure that intellectual property stays secure and is not exposed to competitors. The challenge is to comply with the regulation (i.e., show that the vehicle does not contain components from entities linked to China or Russia) without disclosing confidential and proprietary information.

How Can We Help?

As with their efforts to comply with recent cyber security regulations, OEMs will need tools, processes and expertise that allow them to identify and report prohibited components. This may include, for example, products that scan software and hardware assets for suspected Chinese or Russian components and generate reports on what they find.

To meet cyber security regulations such as UN R155 and ISO/SAE 21434, many OEMs and suppliers already scan their assets for vulnerabilities. New risk management processes and tools will need to be added to identify prohibited software and hardware from China or Russia, inspect suspicious components and replace them as needed. PlaxidityX has already enhanced its Software Supply Chain Security product to scan SBOMs for these forbidden components and generate reports to help OEMs comply with the new rule.

In addition, OEMs will need to set up processes and conduct internal audits and external third party assessments aimed at identifying potential issues at the hardware and software procurement stage. This type of due diligence can help OEMs avoid unpleasant surprises later in the development process.

Need help evaluating the new rule and building a compliance strategy? Contact the PlaxidityX Services team to explore processes and tools that can help you map your supply chain.
