Research group: data security and cybersecurity to converge in next wave of US tech controls over concerns around China

“Companies [in connected vehicles to biotech] will need to undergo a mindset shift toward more proactively assessing how their products, services, and data flows could pose national security risks to US critical infrastructure and US persons, and what mitigation measures to take—to include potentially unwinding relationships with Chinese partners and suppliers,” the Rhodium group says.

The Biden administration made two big back-to-back announcements last week—a much-anticipated executive order and accompanying Advance Notice for Proposed Rulemaking (ANPRM) on data security—alongside a Commerce Information and Communications Technology Services (ICTS) investigation into connected vehicles. The data security executive order focuses on personal data genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personal identifiers. The ICTS investigation by Commerce focuses on transactions relating to the ICT supply chain for connected vehicles.

Under the Sullivan doctrine, US tech controls aimed at China began with the most tangible target: advanced semiconductors and the tools used to make them. They soon expanded to cover the intangibles: restrictions on US outbound capital and know-how to Chinese firms in a “small yard” of force-multiplying technologies—semiconductors, AI, and quantum computing, but not (yet) biotech. Then came novel Infrastructure-as-a-Service measures for cloud service providers to monitor and restrict access to high-performance compute capacity, a work in progress that aims in part to prevent Chinese entities from using the data centers utilizing high-end chips to conduct training runs for large AI models.