Shut Out: Data Security and Cybersecurity Converge in Next Wave of US Tech Controls

The US has launched its next wave of tech controls, this time with a focus on the cross-section of data security and cybersecurity concerns around China. The US administration asserts that its proposed rules on human personal data and connected vehicles are narrow and targeted, but there are no small yards in regulating the digital economy. Internet of Things ecosystems rely on the interconnectivity of devices, people, and data flows, making virtually every node a potential risk vector. With the new US moves affecting a wide range of industries, from connected vehicles to biotech, companies will need to undergo a mindset shift toward more proactively assessing how their products, services, and data flows could pose national security risks to US critical infrastructure and US persons, and what mitigation measures to take—to include potentially unwinding relationships with Chinese partners and suppliers.

Our key takeaways:

• Where data security and cybersecurity meet. With an executive order on data security and accompanying Department of Justice rulemaking, the US is crafting a more coherent regulatory framework to restrict cross-border flows of data on US persons. The relatively narrow scope allows the US to argue that it remains committed to a free and open internet, but national security concerns do not stop at human personal and military-related data. The US is also conditioning the facilitation of cross-border data flows on secure and trustworthy ICT systems at home and abroad.
• Commerce’s Information and Communications Technology and Services (ICTS) program is alive. The US has a diverse toolkit to regulate ICT infrastructure, as evidenced by a groundbreaking Commerce ICTS investigation into an entire class of technology—connected vehicles. The Commerce probe threatens to further splinter EV supply chains between “in China, for China” and “China-free” US markets. The probe also sets an important precedent for other connected systems to come under scrutiny, including agtech and biomanufacturing, autonomous and automated systems, large language AI models, and cloud-based computing.
• Beware the long arm. There is strong potential for extraterritorial US ICT measures given the inherent interconnectivity of ICT systems across borders and how the US is framing a theory of harm around the risk of Chinese OEMs and suppliers being co-opted by the Chinese government to enable malicious cyber activity. Cracking down on sensitive bulk data transfers via third parties may also lead the US to cover more of the map, similar to the design of US export controls on semiconductors and advanced computing.
• Surgical strikes. New US data security measures appear to address several long-running policy debates without taking the political heat for banning companies outright. For example, restrictions on human genomic data and on bulk personal health data may deter US biotech/pharma firms from using Chinese firms like BGI for genomic sequencing and Wuxi Biologics for contract research. Moreover, restrictions on bulk personal data, including geolocation data and biometric identifiers, may handicap prominent Chinese social media and e-commerce platforms active in the US market, from TikTok to Temu.

The next wave

The Biden administration made two big back-to-back announcements last week—a much-anticipated executive order and accompanying Advance Notice for Proposed Rulemaking (ANPRM) on data security—alongside a Commerce ICTS investigation into connected vehicles. The data security executive order focuses on personal data genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personal identifiers. The ICTS investigation by Commerce focuses on transactions relating to the ICT supply chain for connected vehicles.

Under the Sullivan doctrine, US tech controls aimed at China began with the most tangible target: advanced semiconductors and the tools used to make them. They soon expanded to cover the intangibles: restrictions on US outbound capital and know-how to Chinese firms in a “small yard” of force-multiplying technologies—semiconductors, AI, and quantum computing, but not (yet) biotech. Then came novel Infrastructure-as-a-Service measures for cloud service providers to monitor and restrict access to high-performance compute capacity, a work in progress that aims in part to prevent Chinese entities from using the data centers utilizing high-end chips to conduct training runs for large AI models.

In this next wave, US tech controls are permeating a broader domain, covering the data flows and ICT conduits that power an increasingly digitalized economy. As a result, the implications will be far-reaching for a range of industries, challenging the notion that US tech ring-fencing can be confined to a small yard.

The data security and cybersecurity measures work in tandem. If the theory of harm is that US sensitive data can be collected and exploited by bad actors, then step one is to shore up definitions on what constitutes sensitive data, step two is to identify all the ways—both licit and illicit—that data can be transmitted to those bad actors, and step three is to scrutinize the technology itself that enables the collection, storage, and transfer of data in connected systems, which in turn could create backdoors for malicious cyber behavior.

Toward a more coherent data security framework

On paper, the data security EO and associated ANPRM are relatively narrow in scope and intent.  They plug holes in the US’s patchwork approach to data security rules but stop short of establishing a full-blown data security regime like the EU’s GDPR.

Prohibitions focus on the transfer of Americans’ bulk personal data, genomic data, and US government-related data to countries of concern. In justifying restrictions, the policy documents outline a theory of harm on how such data can be used for malicious intent: health and financial data that reveal vulnerabilities along with data on daily routines, habits, and patterns of individuals may be harnessed to spy, blackmail, coerce, influence, or intimidate US persons. The DOJ is tasked with establishing a licensing process and risk-based compliance program for companies to adopt and mitigate access to data by countries of concern (see Table 1).

Surgical strikes

Despite its apparent narrow scope, the impact of the data security measures could end up being quite broad. In fact, in one fell swoop, the Biden administration appears to be addressing several long-standing policy debates. For example:

• Bye-bye, BGI? US lawmakers have been calling for blunt restrictions on Chinese “biotech entities of concern,” including genomic sequencing firm BGI and its subsidiaries MGI and Complete Genomics. By prohibiting the transfer of US human genomic data, these firms—which are all “subject to the jurisdiction” of the PRC and thus qualify as “covered persons”—would theoretically be restricted from collecting sequenced genomic data on US persons. Rather than sanctioning these specific biotech companies as some US legislation has advocated, the measures home in on the theory of harm around US personal data harnessed by a Country of Concern more broadly.
• Targeting Chinese contract research development and manufacturing organizations (CRO/CDMOs)? US lawmakers have also been calling for restrictions on Wuxi AppTec and Wuxi Biologics, two major CRO/CDMOs used by prominent biotech and pharmaceutical companies for clinical trial management, data analysis, and other R&D activities. In placing restrictions on personal health data and human genomic data, and in raising concerns that even anonymized or de-identified data can be de-anonymized and re-identified to reveal exploitable health information, the data security measures would dissuade US pharmaceutical and biotech companies from outsourcing R&D to Chinese entities that entails the handling of US personal health data. At the same time, the US FDA has rejected data from China-only clinical trials—another drawback for US pharmaceutical and biotech companies using China-based CRO/CDMOs unless they are only focused on the ‘in China for China’ market. Altogether, these moves appear aimed at deterring companies from increasing US healthcare dependencies on China.
• Putting TikTok to bed? The DOJ Fact Sheet on the data security ANPRM says that the program “will not ban apps or social-media platforms, and it will not be about any single app or technology.” Instead, it explains that the measures focus on “the most serious data security risks posed by sensitive data collected and used by apps and social media platforms.” In other words, the US administration is not about to make the controversial move of explicitly banning TikTok in an election year. But the ANPRM would appear to include TikTok owner ByteDance as a “covered person,” meaning that if the geolocation data and biometric identifiers on US users it collects through social media platforms it controls is sold via “vendor agreements” to advertisers and third-party developers, then it may be subject to these restrictions. In theory, this could make it extremely hard for TikTok to operate in the US if it has to disable critical features on the platform. Similar restrictions could apply to popular Chinese e-commerce sites that are also in US regulatory crosshairs, such as Temu and Shein.

A diverse toolkit

The data security measures should be seen as a building block toward a more cohesive data security regime. For now, the US has kept the focus on sensitive personal data on US persons. But as AI models accelerate the expansion of data banks and as infrastructure becomes more interconnected in a fast-growing digital economy, other non-human and non-personal data could eventually be considered sensitive from a national security perspective (e.g. genetic sequences of crops or livestock, or data tied to the operationality of US critical infrastructure, including transportation, telecom, energy, water, and financial services).

At this stage, the US may be reticent to go beyond personal data in classifying other types of sensitive data subject to restrictions under this framework. Indeed, the latest data security measures discuss at length how the US is committed to a free and open internet and is not sliding toward a more state-heavy, generalized data security regime with, for example, broad restrictions on cross-border data flows and requirements on data localization.

But other tools are in development to address growing data security concerns around non-personal but still highly sensitive data. For example, government-funded research can be subject to tighter oversight and limited access to countries of concern. The US is still in the early stages of establishing oversight of foundational AI models and underlying training data, with a recent Executive Order on Artificial Intelligence that requires government agencies to designate Chief AI Officers and coordinate with the National Institute of Standards and Technology (NIST) under Commerce in advancing a framework for assessing AI-related risks. Moreover, Commerce export controls are expanding to cover Infrastructure-as-a-Service, placing a growing burden on cloud service providers to monitor for potentially harmful end-use. Export controls may further evolve to cover certain classes of important data as IP.

Targeting internet plumbing

The US can also target the ICT conduits that facilitate data flows more broadly. The US has expansive authorities to deny market access to companies of countries of concern that supply internet equipment and software, from Wi-Fi modules and base stations to software stacks and cloud services to the sensors and chips that power these systems. This is where the US commitment to a free and open internet and cross-border data flows contains an important qualifier: the free flow of data across borders must be facilitated by secure and trustworthy ICT infrastructure.

To that end, the data security measures task the DOJ-led Committee for the Assessment of Foreign Participation in the US Telecommunications Services Sector (also known as Team Telecom) to prioritize reviews of submarine cable system licenses linked to or located in countries of concern. Learning from the messy Huawei and ZTE 5G unwinding, the US has been more proactive in blocking Chinese companies from international subsea cable projects involving US funding. The Federal Communications Council (FCC), which holds licensing authority for a range of ICT transactions, has also been leaning more heavily into national security issues. In new rulemaking by the FCC last year, licensees would need to disclose foreign ownership and use of “untrusted” equipment and “foreign-owned managed network service providers” and may be subject to regular national security reviews.

But the Commerce ICTS program, revived last week, may be the most potent tool for ICT-related theories of harm.

Casting a wide net on connected vehicles

Last week’s second major policy announcement, a Commerce ICTS investigation into connected vehicles, is designed to evaluate risks to US national security stemming from ICT inputs for connected vehicles that are designed, developed, manufactured, or supplied by countries of concern.

Under a rule born during the Trump administration and expanded under the Biden administration, the ICTS rule gives Commerce and the executive branch broad authorities to review, prohibit, or impose mitigation measures on virtually any ICT transaction due to national security concerns (see Table 2 for a reference on ICTS authorities and definitions). This is an untested tool, and so the ultimate outcome of the investigation is unknown and potentially quite broad.

This investigation keeps with the Sullivan doctrine of imposing preemptive measures on technology domains. Rather than chase specific companies in complex value chains, the US is identifying entire classes of technologies—advanced semiconductors in the case of BIS export controls and connected vehicles in the case of the current ICTS investigation—around countries of concern operating and supplying key nodes in US critical infrastructure. The primary intent is to get ahead of the problem to avoid the need for costly rip-and-replace orders.

This means companies will need to undergo a complete mindset shift: away from reactive adjustments to concrete regulations toward proactive due diligence in assessing how their products and services could pose data security, cybersecurity, and ultimately national security risk to US critical infrastructure, and what measures they can take to mitigate those risks (to include foregoing Chinese partners and suppliers.)

Preparing for the worst

The Commerce ANPRM deliberately defines “connected vehicles” broadly, encompassing any vehicle with even basic GPS functions (See Table 2 on key definitions of the Commerce ICTS investigation). The idea is to cast a wide net on the full vehicle ICT architecture and make it incumbent on industry players to pressure test the US administration’s theories of harm and propose reasonable mitigation measures.

The ANPRM lays out the following logic:

• Data collection: Connected vehicles are full of ICT components like onboard computers, sensors, cameras, and battery systems. As technology advances, vehicles will rely even more on such devices to collect, process, transmit, and store information. This includes data on driver and occupant behavior, vehicle status, geolocation, and biometrics, as well as data on nearby surroundings, including infrastructure.
• Connectivity: Vehicles can connect to external networks, including OEM and third-party service providers, cloud-based services via telematics systems, critical infrastructure—including telecommunications systems, transportation systems, and the electrical grid—and in-car devices, such as smartphones.
• Consequences: This increases the attack surfaces for a malicious actor to gain initial entry for cyber-enabled malicious activities, including espionage, harm to public safety, and disruption of critical infrastructure.

The argument itself is relatively simple, but the devil will be in the details in assessing to what degree individual and networked hardware and software inputs create cyber-enabled vulnerabilities. As the ANPRM argues, even if an individual component or system has a benign and highly specific function for the safety and operationality of the vehicle, such devices or software may create an entry point for a state-backed cyber actor to infiltrate the US transportation system at large.

The concern is not merely theoretical. A recent CISA/NSA/FBI report documented how China-backed hacking group Volt Typhoon has been exploiting vulnerabilities in routers, firewalls, and VPNs to target water, transportation, energy, and communications systems across the US. The report details how a malicious actor can move laterally across systems once they gain entry, putting the broader network at risk, and suggests that such operations pre-position malicious cyber actors to conduct destabilizing attacks on US critical infrastructure in a geopolitical conflict scenario. These concerns are a big driver behind another recent Executive Order and $20 billion investment through grants focused on replacing Chinese-made port crane infrastructure.

The ANPRM puts cybersecurity experts in high demand to assess these risks and offer mitigation steps. And, as many would argue, there is no way to achieve complete protection from cyberattacks; the emphasis instead should be on layered defense. Moreover, it doesn’t necessarily take a Chinese-made input to enable a PRC-backed cyber-attack. But the organizing principle at play is “an ounce of prevention is worth a pound of cure.” In operating under the assumption that foreign adversaries will continue launching cyber operations on US critical infrastructure, the US administration is looking to US industry to assist in shoring up defenses.

Extending a longer arm

The ANPRM gets stretchy when it delves into why scrutiny is focused on China-linked ICT inputs. The document asserts that:

• PRC data security laws give broad authority to the state to “co-opt” private companies to pursue state objectives.
• This could include providing the state with “data, logical access, encryption keys, and other vital technical information, as well as to install backdoors or bugs in equipment which create security flaws easily exploitable by PRC authorities.”
• Auto OEMs are big targets for “government access” in China. For example, China’s regulations already require auto OEMs to transmit real-time data—including geolocation data—to government monitoring centers.

It then notes:

“According to open-source reporting, over 200 automakers that operate in the PRC are legally obligated to transmit real-time vehicle data, including geolocation information, to government monitoring centers. […] This pervasive data sharing, which provides the PRC government with detailed information on the behaviors and habits of individuals, is indicative of a broader approach to co-opting private companies—one that raises significant concerns about how the PRC government might exploit the growing presence of PRC OEMs and manufacturers of ICTS integral to [connected vehicles] in foreign markets.”

This line deserves some unpacking. As the data security EO and ANPRM outline, geolocation data can be used to track behaviors and patterns of individuals to exploit them. The US is referencing the same theory of harm here in highlighting the risk to individuals. But the use case they cite is in China, not the US. In fact, the theory of harm around a vehicle’s ability to collect personal data (including geolocation data) is the same the Chinese government has used in demanding oversight of OEMs collecting such data on persons in China.

The argument raises a host of questions on the implicit intent of potential restrictions on Chinese ICTS for connected vehicles:

• Chinese-made vehicles barred from the United States? If Chinese OEMs engage in pervasive data sharing with the Chinese government, then a Chinese-made electric vehicle in the US could compromise US personal sensitive data. The end result could be that Chinese-manufactured EVs could be restricted from the US market on cybersecurity grounds.
• Chinese ICT inputs barred from connected vehicles in the United States? If the theory of harm is that a Chinese supplier can be co-opted by the Chinese government to install backdoors for malicious cyber activity, then broader restrictions could follow with the intent of getting US auto OEMs and suppliers to unwind their partnerships and supply agreements with Chinese entities. Covered technologies could include sensors and microcontrollers, in-car software, internet modules, and even battery systems, as highlighted in the ANPRM.
• A very long arm? The ANPRM highlights the risk of the Chinese government exploiting Chinese OEMs and ICTS manufacturers for connected vehicles in foreign markets. This sets the stage for potential extraterritorial measures if the US deems that Chinese ICT suppliers are a liability for connected vehicles in the US, regardless of where the manufacturing of those inputs is taking place, whether in China or fast-growing EV manufacturing hubs in Germany, Mexico, Thailand, and Brazil, where Chinese EV makers have been investing heavily (see: Pole Position: Chinese Investments Boom Amid Growing Political Backlash.)
• “In China, for China” EV manufacturing? If US ICT restrictions are limited to connected vehicles deployed in the US, then will auto OEMs and their suppliers be forced to bifurcate supply chains into China-free manufacturing for the US and “in China, for China” operations?

Carrots and sticks

It will take time for Commerce to understand the value chain for connected vehicle systems and identify chokepoints and emerging dependencies where Chinese firms are concentrated. MNCs in the connected vehicle value chain will meanwhile be operating in a cloud of uncertainty as Commerce deliberates potential measures.

That may be the point. Similar to the lengthy launch of an outbound investment screening regime, companies in this connected vehicle technology space have been put on notice. That chilling effect could deter US companies from investing in and deepening partnerships with fast-growing Chinese EV suppliers when the risk of regulatory entanglements is clearly rising.

The ANPRM language also reveals an intent to assess spillover effects of removing Chinese ICT suppliers and to identify non-Chinese suppliers to replace them. The implication is that market opportunities can expand for companies that can position themselves as compliant and China-free suppliers for the US and partner markets. This is where industrial policy incentives, trade defense, cybersecurity, and data security intertwine. For example, the ANPRM asks what ICTS hardware or software for connected vehicles Chinese entities “maintain a technological advantage over US and other foreign counterparts [in] and how may this dynamic evolve in the coming years?”

Even as economic security measures threaten to raise input costs, industrial policy incentives (like IRA tax credits that are designed to extricate Chinese inputs) combined with trade defense (like higher tariffs on Chinese-made EVs) aim to level the playing field and boost US competitiveness in markets where Chinese firms are being denied access. Industry groups like the Alliance for American Manufacturing are already explicitly advocating for “exclusionary” tariffs to fend off Chinese EV competition. Amid long-running trade disputes, ICT cybersecurity restrictions could be the more efficient means of barring Chinese EVs from the US market.

On our watch list

With incisive new data security measures and the potential for wide-ranging controls on connected vehicle technologies, the US has once again expanded the frontier for tech controls. Here is what we’re watching in the months ahead:

• US extraterritoriality. The potential for long-arm application of US ICT measures will be top of mind for many countries and companies who will have to contemplate whether it will be worth trying to align with US standards for what constitutes safe and trustworthy ICT networks. The potential cost? Loss of access to the US market in emerging technology spaces. Not to mention the potential for the US to leverage its security and intelligence ties in making the case that such cooperation can only endure if cross-border data flows and ICT networks are secure.
• The Trump factor. Notably, the main tools in play (ICTS Rules, Team Telecom) were established during the Trump administration and expanded by the Biden administration. This momentum is likely to endure, regardless of who wins the upcoming US election. Chinese cyber operations are also driving the urgency for activating these tools. But ICT concerns can also cut in multiple directions. Espionage concerns that the US is raising against China have similarly been raised by partner countries against the United States given the inherent advantages the US has over ICT supply chains, from subsea cables to cloud services. Given this already touchy area, Trump’s transactional diplomacy may strain US efforts to align data and ICT standards abroad.
• The German tipping point. The economic security climate has evolved considerably since the early days of the Trump administration’s diplomatic crusade to purge 5G networks of Huawei. The European Commission published a review of its 5G Toolbox last June, saying that only 10 of the EU’s 27 member states had taken steps to restrict the use of high-risk vendors in their 5G networks, and has tied EU funding of 5G rollouts to whether member states bar Huawei and ZTE. The EU is also actively deploying trade defense measures targeting China, including an ongoing probe into Chinese EV imports. For companies that are already deeply integrated in Chinese EV supplier networks (see Tipping Point? Germany and China in an Era of Zero-Sum Competition), the US ICT investigation should serve as another wake-up call to potential regulatory entanglements creeping closer to home.
• Potential for broader G7 alignment on data security standards? The US has been a laggard on data security regulations, concerned that overreach will undermine a US commitment to an open and free internet and the facilitation of cross-border data flows. The US even goes out of its way to differentiate its new data security measures from Europe’s general-purpose GDPR. But the US also draws a clear distinction between democratic values and illiberal approaches to data security. With the US finally leaning in on data security measures, there is greater potential for credible G7 alignment on data security norms—an objective long held by Japan in promoting its Data Free Flow with Trust The implication? An emerging trade bloc of countries bound by common data security standards would de facto exclude China and reward countries that align with the G7 standard.
• The ICTS template for targeting connected systems. Connected vehicles is the first investigation, but it won’t be the last. Other potential areas for scrutiny include ICTS products and services integral to biomanufacturing, agtech, autonomous or unmanned systems, artificial intelligence and machine learning, e-commerce, and cloud-based computing and storage.
• China’s response. As the US homes in on data security and cybersecurity threats, we can expect China to mirror many of these moves with its own robust toolkit. China already has state-directed technology self-reliance campaigns underway in trying to wean itself off US-made inputs where possible. Cybersecurity measures have also been raised in retribution, as the CAC did last year when it targeted US memory chipmaker Micron with a cybersecurity probe following the first wave of US chip controls. Informal bans can target US electronics firms like Apple and Dell. More importantly, Beijing will likely interpret the latest moves as another forceful decoupling step designed to chase investment out of China. This dynamic can, in turn, make Beijing more paranoid about data being weaponized by the US to drum up more restrictions, leading to stronger enforcement of existing data security laws in China and scrutiny over “work secrets.” In the end, this will only justify further action by the US and partners concerned about the exposure of their companies and citizens in China. And so, the cycle continues.