Smart-Vehicle Makers Face Supply Chain Disruption Due to New Regulations

The US Department of Commerce is planning to enforce new regulations banning the import of connected-vehicle technology from China and Russia over cybersecurity fears. This move aims to address concerns about vulnerabilities in automotive hardware and software that could allow a nation-state or criminal organization to implant a backdoor.

Background and Motivation

The Commerce Department pursued these new regulations after President Biden declared a national emergency over concerns that the United States had become overreliant on China for information and communications technology and services (ICTS). The rule mandates that companies and their suppliers eliminate hardware or software imported from China or Russia in their vehicle connectivity system (VCS) or in their automated driving system (ADS).

Addressing Concerns

The regulations aim to address two main concerns: the potential for vulnerabilities in automotive hardware and software that could be exploited by nation-states or criminal organizations, and the collection of data on US drivers through diagnostic features and other mechanisms. According to Yoav Levy, CEO and co-founder of automotive cybersecurity provider Upstream, "The threat is definitely real." He notes that there have been many cases where vulnerabilities in automotive systems have been exploited.

Shift to Alternative Suppliers

The shift to alternative suppliers will take years, with the Biden administration allowing carmakers a grace period to comply with the regulations. Software components can no longer be sourced from China and Russia starting with 2027 car models, while by 2030 car models must contain no hardware from prohibited sources. However, making such changes will not be easy, as Upstream’s Levy notes. "It’s not that easy to replace a supplier," he says. "There are financial implications with the supply chain – maybe it’s going to be more expensive, or there may be some changes to software that they would need to do for the new supplier – an adjustment to the architecture. … It really depends on what they are actually going to replace."

Impact on the Automotive Industry

The regulations will require carmakers to become more prescriptive in the specification of the components they are sourcing, with a focus on the component architecture rather than just the functional requirements. This is known as a build-to-print relationship, where the OEM provides requirements for the component architecture, such as the processor, memory, and GPU. As a result, the automotive industry will need to adapt to these new regulations and find alternative suppliers, which will take time and effort.