Last month, the Biden administration proposed a rule to effectively sweep Chinese cars from the U.S. market. If enacted, the rule would ban the sale or import of any “connected vehicle” with certain Chinese technology. Today’s cars are essentially smartphones on wheels, equipped with increasingly sophisticated external connections, software, and sensors that constantly monitor the world around them. The administration rightly worries that Beijing could exploit these underlying technologies to turn American vehicles into unwitting surveillance vans for the Chinese Communist Party—or worse, to hijack them entirely.
Policymakers are slowly awaking to a rise in China’s cyber threat and the United States’ digital vulnerability. If there is a growing consensus to expand the country’s decoupling from Chinese tech, however, there is still no clear vision for how to do so responsibly.
Washington must soon move beyond ad hoc bans against specific apps (such as TikTok) and categories (such as connected vehicles) and articulate a broader policy that identifies clear risks and limiting principles to inform which Chinese technologies Washington can tolerate in the U.S. market, and which it cannot. Absent this, policymakers risk barreling toward an improvisational, potentially vast tech decoupling from China with poorly understood consequences for American consumers, industry, and foreign policy.
The absence of a clear risk mitigation framework for Chinese tech creates uncertainty for the businesses, factories, and farmers who rightly wonder if their Chinese-linked products and components will be the next mole that Washington decides to whack. Today’s vague and easily abused executive power to ban Chinese tech also gives Beijing pretext to justify its own arbitrary restrictions on the $154 billion of U.S. exports to its massive market.
Finally, a small but important detail of the proposed rule prohibits not only the sale of Chinese cars, but also their import. In effect, the United States would not only block China from selling us cars; it would also block exports from countries such as Brazil, Hungary, Indonesia, Mexico, and Thailand, where Chinese carmaker BYD plans to expand production.
As Washington broadens the scope of prohibited Chinese technologies beyond cars, as it surely will, it will increase the economic costs to key partners. If policymakers do this without a clear and justifiable framework, it will needlessly strain bilateral relations and produce growing gaps with partner governments—gaps that Beijing will rush to exploit.
By contrast, Washington has an opportunity to articulate a coherent policy as a model for partners and allies to adopt as they navigate similar questions about how much Chinese technology to allow.
The administration’s newly proposed rule offers the beginnings of such a policy. Its rationale rests on several arguments, all of which could have wider applications.
First, the software in modern cars has significant control over their operation, posing a risk that Beijing could direct or disable them remotely with potentially deadly consequences. Today’s vehicle technologies also collect a vast range of data, including voices, messages, contacts, and location history. This data collection will likely only increase in scope and sophistication over time, as will the real-time sharing of that data with third parties in businesses and government to support everything from tolls to traffic analysis to emergency response. Finally, modern cars feature an increasingly advanced array of cameras and sensors, which the Biden administration argues can capture detailed information about “critical infrastructure.”
Whether or not this was the administration’s intent, its three-part test for risk to personal safety, personal data, and critical infrastructure offers a potential framework for identifying which Chinese technologies warrant restrictions and which don’t. But it remains overly broad.
The United States needs a more defined and defensible framework, and it needs it soon. As smart devices spread in our homes, farms, and factories, so too will the risks to our data and connected infrastructure from opportunistic cyberattackers, such as Beijing.
At the same time, the United States is not currently in a position to sweep all Chinese tech from the economy, at least without significant costs to American consumers, businesses, and industry. Remember, Washington still hasn’t found the full $5 billion required to “rip and replace” equipment from Chinese telecommunications providers Huawei and ZTE from U.S. networks, despite ordering this in 2019. And that’s just one sector.
Last year, China was the United States’ largest source of imports, worth a total of $536 billion. Roughly 27 percent of U.S. imports of “machinery and mechanical appliances” come from China, with a total value of nearly $250 billion. This includes home routers imported from TP-Link; laptops from Lenovo; smart cameras from Hikvision; smart doorbells from Dahua; connected appliances from Haier; and industrial robots from Siasun, FANUC China, and others. All of these Chinese imports present theoretical backdoors for Beijing-backed hackers to compromise a product’s underlying software or firmware.
The deep and complex entanglement of Chinese technologies in the U.S. economy makes it hard to develop clear and uniform criteria to distinguish between acceptable and unacceptable risks. In practice, this has led Washington to eschew the complexity and embrace overly broad authorities that are easily subject to abuse.
For instance, a 2019 executive order allows the president to block any transaction related to the information and communications technology supply chain that poses “an unacceptable risk to the national security of the United States or the security and safety of United States persons.” Concern over the risks of popular Chinese apps also led Congress to pass a law earlier this year that not only set in motion a potential TikTok ban, but also empowered the president to block any “foreign adversary controlled application” that he or she judges to “present a significant threat to the national security of the United States.”
In both cases, the combination of vast authorities and vague invocations of national security constitute no real limit on the Chinese technologies that a future president could ban, regardless of the actual risk posed. For instance, the president has not used his authorities against other fast-growing Chinese apps, such as Temu, an e-commerce platform with more than 50 million monthly active users in the United States.
Although a bipartisan group of senators proposed a more tailored framework last year with the RESTRICT Act—or the Restricting the Emergence of Security Threats that Risk Information and Communications Technology Act—the effort faltered after conservative backlash cast the bill as overly expansive. As a consequence, a status quo of far more expansive executive power endures.
This broad, virtually unchecked authority to ban Chinese apps and products resembles more of a loaded gun than a considered policy. Indeed, the absence of a broader policy to inform—and if necessary, restrain—these decisions makes them more likely to be driven by politics and protectionism than a clear-eyed assessment of genuine security risks.
All of this begs the question: Then what should drive a better framework to mitigate risks from Chinese technologies?
The uncomfortable truth is that a threat to data security alone is likely too capacious a criterion to justify blanket bans on Chinese technology. As we transition to an “Internet of Things,” a growing share of consumer and industrial goods will come equipped with external connections. The United States already has nearly 14 connected devices per person, and by 2030, there could be up to 40 billion connected devices worldwide.
If Washington views any connected device that is also connected to China as an unacceptable threat, then it must prepare for vast disruption and retaliation in the $575 billion of annual U.S.-China trade.
Some policymakers may view this as an inevitable outcome given China’s cyber aggression and geopolitical ambition. But if that’s the case, then they owe it to the country to clearly define which Chinese tech imports pose an unacceptable threat and compensate U.S. households and businesses for transitioning to more secure alternatives—assuming that they exist.
More surgical restrictions are possible. Instead of blanket bans, a new framework could establish restrictions specific to the user, use cases, and sensitivity of the data. A teenager browsing Temu in her bedroom may not imperil national security, but a U.S. Marine or diplomat scrolling at a sensitive location might. A smart camera in a suburban home does not pose the same risk as one installed near a military base or critical U.S. infrastructure. The risk of Beijing penetrating the network of a clothing factory is not the same as a defense contractor, advanced artificial intelligence developer, or major port.
Policy should parse risks and recognize that there is no perfect cybersecurity in a digitally connected global economy; a motivated and well-resourced China will inevitably find soft spots.
If risks to data security alone don’t justify blanket bans on Chinese technology, then what should? Policymakers should ask if the technology meets at least one of the following criteria: It poses a genuine risk of lethal harm to Americans; it would significantly impede the United States’ ability to respond in the case of a military confrontation with China; or it threatens the integrity of U.S. democracy. The use of Chinese-linked technologies in or near critical infrastructure seems like another obvious test, but the Department of Homeland Security’s current list of critical infrastructure spans everything from casinos to football stadiums.
In practice, the proposed framework could justify banning TikTok as a potential Trojan horse for Beijing-directed disinformation, but likely not Temu, Shein, or mobile games from Tencent. It could justify a ban on Hikvision cameras and Siasun industrial robots in U.S. ports and military bases but allow them in homes, hair salons, and less-sensitive industries.
And it could justify blocking Chinese-made vehicles, which a cyberattacker could use to not only traffic Americans’ data, but also to literally drive them into traffic. On the other hand, the proposed framework would probably not justify blanket bans on a connected, Chinese-linked coffee machine, toaster, or toy.
As part of this framework, the next administration should also propose acceptable models to manage the risk of Chinese-connected apps and products that could, in some cases, allow them to operate in the United States. Although TikTok’s proposal to address the U.S. government’s security concerns through “Project Texas” fell short, it’s worth clarifying whether any model could have satisfied Washington. In some cases, the only mitigation will be prohibition.
The proposed framework is far from perfect, and there will undoubtedly be edge cases that test its limits. But it would represent an improvement over the status quo, where a patchwork of broad authorities and vague national security criteria are ripe for confusion and abuse.
For too long, Washington has been asleep to the growing risks of Chinese cyberthreats. The question is not whether the United States should “decouple” from Chinese technologies, but what will determine the extent of the new decoupling—a thoughtful policy that separates unacceptable risks from tolerable ones, or a politically driven, improvisational whack-a-mole that risks needless costs to the United States’ consumers, businesses, industry, and foreign policy?
The post America Needs Clear Standards for China Tech Decoupling appeared first on Foreign Policy.