US bans Chinese and Russian tech in cars
The United States has said it is banning certain technology made in China and Russia from cars, trucks and buses. US officials claim the technology in question poses a security risk to vehicles that operate within its borders. So, what should we know about it? Here’s the University of Oxford’s Ciaran Martin. Ciaran helped set up the UK’s National Cyber Security Centre…
Ciaran - I think it is a worry in two different ways. One is that these things need to be secure. So these things in effect, the software in particular will issue commands, they'll respond to instructions, so they'll tell the car what to do or they'll beacon out a request, essentially, to connect to something to help the car move. And its software can be full of flaws. That means it can make mistakes, but also it can be hacked into. So you can see where at least the theoretical worry is that if you don't design this properly, and then even if you design it properly if you don't secure it properly, you could interfere with the car. The second worry then is about data. Clearly in a very contested world with great power rivalries and the US, for example, seeing China and Russia as threats, where people are, where they're going, their pattern of life, what they do is of great interest potentially, at least in respect of some people. And if their cars are also, as well as computers on wheels, just automatic data generators on wheels, you can see the spying risk. And taken together, I think the American government has said that part of its, if you like, risk reduction strategy is to ban component parts for the hardware and software for modern vehicles coming from China and Russia after the implementation period.
Chris - Are we at risk of throwing out the baby with the bath water though? Because for instance, as one engineer told us who works on roads earlier this year, there is enormous amounts of very helpful data being collected by drivers all over the country all the time, which is now helping them to tell the national highways where the potholes are. That's just one example, but we've got a wealth of data flowing in that can make driving safer, can make road usage more convenient and safer. And if we're not careful, we could end up losing that.
Ciaran - The issue here isn't really the collection of data. That data will still be being generated. It's the security of the data that is concerning the Biden administration. So it will presumably plan to use the data itself for the very things you've talked about in terms of road improvements. It wants to make sure that sensitive data, for example in sensitive persons or around sensitive areas, isn't easily available to those they might see as adversaries. I think the challenge is slightly different. It's not so much throwing out the data baby with the bath water. It's actually about the holistic way in which you need to secure these things. Just because something's made in China or Russia and frankly we're talking China here, Russia doesn't make that much of this stuff. So what the Biden administration has announced is essentially about China is a perfectly defensible part of the risk reduction strategy. But if something is made in China, it's easier for China to manipulate it or to steal the data from it. But even if it's not made in China, if it's not properly secured, it can be hacked into by China or somebody else. So I think this is only one part of a strategy and to be honest, for me it's not the most important part. The most important part is securing these things properly.
Chris - Do you think or do we have evidence that they're already compromised a lot of these and other devices and so that this is prudent politics, they're acting on this on good information?
Ciaran - I think it's a defensible and sensible measure, but I think it's not the total answer to securing modern vehicles. In fact, I don't think it's close to the totality of the necessary answer. I also think it's important we shouldn't panic people here. We shouldn't allow, and we're not allowing, modern cars to be built in an absolutely crazy way where a glitch in software drives you off the road or stops your brakes from working. Where an easy to do computer hacking operation does the same things. We're not allowing cars to be built in that way and it's actually going to be fiendishly difficult, assuming we do this properly as I believe we are doing, it's going to be fiendishly difficult for even the best hacker to target a particular car to know that that particular component with a particular software vulnerability is in a particular car at a particular time and do something really, really malicious to it. So let's not overdo the risk. As long as we're sensible about the way we build these things and the way we regulate the safety of the product, we shouldn't be talking about sort of human catastrophe situations. I think the data risk is more of a worry. It's harder to secure, but again, just banning particular countries doesn't completely negate that risk.
Chris - I'm slightly surprised we're talking about cars. Not you and me. I mean as in politically in the world. Because haven't we had all the same conversations already with 5G and the UK infrastructure and also people worried about nuclear power plants that are being constructed by China or by Chinese organisations in various places?
Ciaran - I think each case is slightly and subtly different. There's one similarity with the 5G discussion that I know very well, which is that restricting or banning a particular country doesn't automatically completely secure a 5G network. If our telecoms infrastructure has historically been quite insecure. And I think the British government's reforms of a 2022 change in the law were vitally important in saying not just that Chinese companies couldn't do this or that, but also saying anybody building telecoms infrastructure had to conform to much higher security standards. For example, Russia, which is a voracious hacker of critical systems, but doesn't have any telecoms equipment of its own, so that Russia can't easily hack into these systems. So that's one thing they have in common. Where I think it's slightly different is you could take a completely hawkish approach to Chinese trade and say you're not going to buy clothes from China, but people don't see a strategic risk from clothes. What about a piece of metal? What about a battery that doesn't do much? Then you get into components and some of the components in cars will do very little. Some of the components in cars will do quite a lot. And you want more restrictions on the latter, but also you'll wanna make sure that the components that are quite clever and that can effectively control the car are safe from all sorts of external threats, not just they're not built in China. So there are different things that apply to different situations. You mentioned nuclear power that was essentially about who financed it, not so much who built it. With 5G, it was about who built some of the hard infrastructure for the big bits of mast and so forth, that power telecoms networks. What we're talking about here is the little bits that drive modern cars.