Following years of warnings from the U.S. intelligence and security agencies, such as the FBI and CISA, regarding nation-state threats actively targeting critical infrastructure, particularly from China and Russia, the federal government continues to step up its activity to defend against such threats.
Earlier this month, the Commerce Department's Bureau of Industry and Security reported that technologies from those nations pose "an undue risk" to connected vehicle users. Under the newly proposed rules, currently in a 30-day comment period, the sale and import of connected vehicles and components with software or hardware from China or Russia would be banned. The ban is slated to start with model year 2027 for software and 2030 for hardware components.
In a recent interview on CNBC, U.S. Commerce Secretary Gina Raimondo said the Biden administration is taking a proactive step to protect the U.S. critical infrastructure and the privacy of citizens from malicious nation-state activity, warning that risks ranged from Chinese government snooping to remotely turning off connected vehicle functionality.
"If you think about the risks that could be posed to Americans if we had millions of Chinese-connected cars on the road. It gets pretty scary, pretty fast, with the flip of a switch," Raimondo warned on CNBC. "They could have a malfunction in every car. There's [also] a huge amount of data: Where you go, where your kids go, where your house is, where your doctors are — with all of that data being sent back to the Chinese military," she said.
Those moves follow previous extensive steps to restrict Chinese technology in telecommunications equipment and the semiconductor supply chain. Earlier this month, a 51-page study from the House Select Committee on China and the House Homeland Security Committee found Chinese-built maritime cranes in use at U.S. ports pose a risk.
"These modems—although not necessary for the operation of the cranes—created an obscure method to collect information and bypass firewalls in a manner that could potentially disrupt port operations," the report stated. The so-called "backdoor" modems could be used to collect data or to conduct remote operations.
Secretary Raimondo didn't rule out additional actions in the transportation or other industries. "We're [currently] looking at drones that have Chinese and Russian equipment, chips, and software in them," she said. "You could imagine other critical infrastructure, for example, that might have Chinese and Russian connectivity, software, or chips. As we become a more connected world, we have to modernize how we think of national security," Raimondo said.
In previous years, the federal government took action against telecommunication companies, including in 2020 when the FCC labeled both Huawei and ZTE as national security threats and banned federal funds to procure their gear. That ban was broadened in 2022. In 2019, attention went to the energy sector when the federal government confiscated a transformer built in China that was heading to a power station in Colorado.
"It's just not sustainable to do this in every market. Technology manufactured in China will find its way into the United States no matter what happens.
—Joe Saunders, RunSafe Security
Many security industry experts broadly agree with the moves. "If you consider China as a motivated adversary, and you look at their track record, it has a history of stealing intellectual property and data," Joe Saunders, founder and CEO at RunSafe Security Inc., said. "And they certainly have a history of going into markets, trying to dominate and win the technology competition, and using that for leverage. That's true whether that's social media, 5G devices, or even potentially now data from cars. We all need to be concerned, given the track record," Saunders said.
While Saunders believes the moves from the federal government are necessary, he doesn't see industry-wide bans as the ultimate answer. "It's just not sustainable to do this in every market," he said. "Technology manufactured in China will find its way into the United States no matter what happens," he said.
Saunders believes the U.S. needs to develop a long-term, comprehensive strategy, with Congress likely having to set regulations detailing what the nation expects with cybersecurity in critical infrastructure. That could entail security-related regulations mandated within federal government procurement processes, comprehensive software and hardware supply chain security strategies, and security capabilities built into hardware and software found in the critical infrastructure.
While it's a positive step that the federal government is taking critical infrastructure security seriously, it will take a much more comprehensive strategy to ensure the software and hardware that runs essential infrastructure systems are free of malicious interference.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
