U.S. Bans Software and Firmware Products From Adversarial Countries

In January 2024, a U.S. law went into effect banning smart cars built with Russian and Chinese technology, in order to protect the vehicle supply chain. The concerns are the privacy of consumer data and, more importantly, remote manipulation of moving vehicles that could endanger passengers. These rules apply to vehicles under 10,000 pounds starting as early as 2027.

That same month, the Commerce Department also proposed a ban on drones made in Russia and in China (the source of most drones sold in the U.S., according to a Yahoo News article). From the article, the Commerce Department’s Bureau of Industry and Security (BIS) “seeks to implement a rule that would explain how foreign adversary involvement in supply chains, including acute threats from China and Russia — may offer our adversaries the ability to remotely access and manipulate these devices…”

Now, U.S. port authorities are raising national security concerns about Chinese-made cranes, which make up the majority of crane technology in American ports, according to a CBS News episode. In the episode, experts explain how these robotic devices, which are remotely maintained by a Chinese military contractor, could be used to shut down the food supply, the local economy, and military operations that rely on these ports.

The new administration, under U.S. President Trump, is also pushing for more American-made infrastructure devices, according to the CBS report linked above, and the U.S. looks set to keep extending these restrictions to other infrastructure systems.

“An Unusual and Extraordinary Threat”

For example, back in 2020, then-President Trump tried to ban bulk power system products from China and Russia. His Executive Order (EO), “Securing the United States Bulk Power System,” didn’t pass, mostly because of grid operator pushback. In the order, he identified foreign-made electric equipment as “an unusual and extraordinary threat to national security, foreign policy, and the economy of the United States.”

In the EO he also stated, “I further find that the unrestricted acquisition or use in the United States of bulk-power system electric equipment designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in bulk-power system electric equipment, with potentially catastrophic effects.”

Now that President Trump is back in office, it’s quite likely that his administration will, if it hasn’t already, pick up this torch again.

Banning Consumer Apps

Interestingly, now that he’s back in office, President Trump in February 2025 issued a temporary stay against a TikTok ban, even though in 2020 he was in favor of banning TikTok and even helped co-author the “Protecting Americans from Foreign Adversary Controlled Applications Act,” known as the RESTRICT Act, which was signed into law in late 2024.

The RESTRICT Act is part of Public Law 118-50, bipartisan legislation to protect Americans by preventing foreign adversaries from targeting, surveilling, and manipulating them through online applications. The law makes it “Unlawful for an entity to distribute, maintain, or update (or enable the distribution, maintenance, or updating of) a foreign adversary-controlled application by carrying out, within the land or maritime borders of the United States, any of the following:

(A) Providing services to distribute, maintain, or update such foreign adversary-controlled application (including any source code of such application) by means of a marketplace (including an online mobile application store) through which users within the land or maritime borders of the United States may access, maintain, or update such application.

(B) Providing internet hosting services to enable the distribution, maintenance, or updating of such foreign adversary-controlled application for users within the land or maritime borders of the United States.”

And yet, now that he is back in office, President Trump put a 75-day freeze on the TikTok ban because Internet hosting providers were losing business. 

Artificial intelligence software, particularly DeepSeek, is also under consideration for bans. In this case, lawmakers are concerned that login credentials and other personal and professional information will be shared with China’s largest state-owned mobile firm.

If Ever a Time for SBOMs

In addition to applications built on AI platforms from foreign adversaries, the restrictions also extend to the open-source code those applications are built on. Given how many foreign contributors share code in popular source code libraries, carrying this out will be harder than it sounds.

In a recent interview with TalkSecure, John Weiler, Agile Master, CXO and co-founder of IT-AAC (IT Acquisition Advisory Council), explained: “The Linux Foundation has over 250 Chinese contributors, the largest pool of any national interest in open-source code. Just let that sink in a moment.”

Most commercial applications for consumers and embedded systems like cars openly state their country of origin. However, once open-source components fall under the legislation, even U.S.-developed applications can run afoul of the laws. With legislation specifically calling out open-source, the responsibility falls on those who “disseminate or distribute” foreign adversarial components, which includes product companies and resellers.

Laws banning software and firmware from foreign adversaries will drive more demand for Software Bills of Materials (SBOMs), which are becoming increasingly useful, particularly when combined with advanced BCA (Binary Composition Analysis).

Advanced BCA should identify each instance of a third-party component, its origin, and the available version upgrades, so that system engineers can make informed decisions about which third-party code to use in their applications. Since so much of today’s code includes open-source components, the infrastructure to manage what could be thousands of SBOMs per software product will continue to scale, particularly through third-party platforms.

The time to identify these components is now, since many of these laws will start to apply to products in 2027 (some in 2030). Using a combination of BCA and SBOMs will help product companies get a head start on identifying components that will need retooling, and stay competitive in an increasingly hostile political landscape.
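As an added illustration of the origin review an SBOM enables (this is example code written for this post, not CodeSentry's or any vendor's tooling), the script below walks a constructed CycloneDX-style SBOM, including components nested inside a vendor-supplied component, and sorts each one by supplier country into restricted, unknown, or cleared. It assumes origin is recorded in the supplier's `address.country` field (as in the CycloneDX 1.6 organizational entity) and uses a placeholder restricted set; the real legal definition of a foreign adversary is not reproduced here.

```python
import json

# Constructed sample SBOM (not from any real product). Country of origin is taken
# from supplier.address.country; components without it are reported as unknown
# so that a human, or a BCA tool, can resolve the origin rather than assuming it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.0",
         "purl": "pkg:generic/libfoo@1.2.0",
         "supplier": {"name": "Example Corp", "address": {"country": "US"}}},
        {"type": "library", "name": "netstack", "version": "3.1.4",
         "purl": "pkg:generic/netstack@3.1.4",
         "supplier": {"name": "Example Vendor", "address": {"country": "CN"}},
         # Open-source component bundled inside the vendor library (transitive).
         "components": [
             {"type": "library", "name": "crc-utils", "version": "0.9",
              "purl": "pkg:generic/crc-utils@0.9"}]},
        {"type": "firmware", "name": "bootloader", "version": "2.0",
         "purl": "pkg:generic/bootloader@2.0"},
    ],
})

def walk_components(components, path=()):
    """Yield (path, component) for every component, descending into nested ones."""
    for comp in components:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)

def triage_sbom(sbom_json, restricted):
    """Bucket each component as 'restricted', 'unknown', or 'cleared' by supplier country."""
    sbom = json.loads(sbom_json)
    report = {"restricted": [], "unknown": [], "cleared": []}
    for path, comp in walk_components(sbom.get("components", [])):
        country = (comp.get("supplier") or {}).get("address", {}).get("country")
        entry = {"path": "/".join(path), "purl": comp.get("purl"), "country": country}
        if country is None:
            report["unknown"].append(entry)       # origin must be established
        elif country.upper() in restricted:
            report["restricted"].append(entry)    # candidate for retooling
        else:
            report["cleared"].append(entry)
    return report

if __name__ == "__main__":
    # Placeholder restricted set for the example; not the statutory definition.
    for bucket, entries in triage_sbom(SAMPLE_SBOM, {"CN", "RU"}).items():
        print(bucket, [e["path"] for e in entries])
```

Note that the nested `crc-utils` and the unattributed `bootloader` land in the unknown bucket: a product assembled entirely from "cleared" top-level vendors can still carry components whose origin nobody has recorded.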

Resources:

Generating SBOMs via industry-standard SBOM formats using BCA with CodeSentry

2025 Software Manufacturing Predictions: SBOMs, Compliance and More 

SBOMs Critical to Software Supply Chain Security – Black Hat 2024 Recap
