Introduction

On February 29, 2024, the White House and Commerce Department (“Commerce”) announced the publication of an advance notice of proposed rulemaking (“ANPRM”) to support the U.S. Government’s investigation into the national security risks of connected vehicles (“CV”) that incorporate Information and Communications Technology and Services (“ICTS”) from China and other “foreign adversaries.”

Commerce’s Bureau of Industry and Security (“BIS”) published the ANPRM in the Federal Register on March 1, 2024 to seek feedback from industry stakeholders that will “assist BIS in determining the technologies and market participants that may be most appropriate for regulation.” This includes automotive original equipment manufacturers (“OEMs”), tier one, two and three suppliers, aftermarket parts companies, and service providers. BIS is specifically considering proposing rules that would 1) prohibit certain transactions with “foreign adversary” parties involving ICTS integral to connected vehicles, and 2) allow market participants to engage in otherwise prohibited transactions if their national security risks can be sufficiently mitigated.

The ANPRM seeks comments on a number of questions related to (i) the risks and vulnerabilities of incorporation of ICTS into connected vehicles, (ii) the efficacy of mitigation measures for ICTS transactions involving connected vehicles, (iii) potential implementation mechanisms to impose restrictions on ICTS transactions involving connected vehicles, and (iv) the potential for an approval mechanism for certain otherwise prohibited transactions. BIS is soliciting comments for 60 days on these topics, among others, as a significant step toward the implementation of regulations restricting ICTS transactions in the automotive sector. The comment period ends on April 30, 2024.

The ANPRM was issued under Executive Order (“EO”) 13873 (an EO issued by the Trump Administration in 2019), which gives Commerce the authority to review, mitigate, or prohibit ICTS transactions with entities subject to the jurisdiction of a “foreign adversary,” and follows the model of recent agency action adding connected software applications to the scope of ICTS transactions subject to review.

This ANPRM is part of the Biden Administration’s broader effort to address U.S. national security risks stemming from the expanded reach of Chinese-made connectivity technology (e.g., connected software applications, navigation, driver-assist, and other advanced features) and connected vehicles in the U.S. automotive market. The Administration is concerned about the large amounts of sensitive data connected vehicles collect on passengers and drivers, including information collected through cameras and sensors. This concern also extends to the ability of connected vehicles to collect information on critical infrastructure, as well as the ability of these vehicles to be piloted and disabled remotely. In addition to issuing new rules under the ICTS EO, the Administration is also considering increasing tariffs on imports of Chinese vehicles and parts as part of its broader review of the Section 301 tariffs on Chinese imports. These moves mirrors recent concerns expressed by lawmakers on Capitol Hill as well and could prohibit the ability of Chinese auto manufactures to sell vehicles – including EVs – into the U.S. market moving forward for reasons related to both national security and the overall economic competitiveness of the U.S. market.

Public comments on the Proposed Rule are due by April 30, 2024.

Background

In May 2019, the Trump Administration issued Executive Order 13873, "Securing the Information and Communications Technology and Services Supply Chain." The EO declared the unrestricted deployment and use of foreign adversary ICTS in U.S. supply chains a national emergency, and authorized the Secretary of Commerce to prohibit certain transactions involving ICTS that have been “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversary” and that pose an “unacceptable risk” to national security or “undue risk” to critical infrastructure.

In subsequent implementing rules, Commerce has laid out procedures by which the agency can review ICTS transactions to determine whether they present an undue or unacceptable risk due to a foreign adversary's involvement. This framework has been expanded to cover specific ICTS threats like connected software from foreign adversary countries. This newest BIS rulemaking under the EO supports BIS’s recently stated mission of implementation of the ICTS program.

Definition of Connected Vehicles

The ANPRM seeks input on the definition for “connected vehicle,” which the agency proposes to define as “an automotive vehicle that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.”

In an effort to appropriately determine the scope of the CV definition for rules involving ICTS integral to CVs, BIS seeks input on:

1. Whether and how BIS should amend its CV definition, and if so, how a revised definition would enable BIS to better address national security risks arising from classes of transactions involving ICTS integral to CVs;
2. Whether the term “connected vehicle” is broad enough to include autonomous vehicles, electric vehicles, or other alternative power sources and related technologies, or is there a better term to describe this broad scope;
3. Whether there are other commonly-used definitions for CVs that BIS should consider when defining a class of ICTS transactions, including definitions from industry, civil society, and foreign entities.

Risks and Vulnerabilities of Connected Vehicles

The ANPRM also seeks input on the specific national security risks posted by the CV ICTS supply chain, particularly from ICTS from China. BIS highlights CV ICTS from China as a significant concern, due to the country’s cyber espionage operations, its legal structure empowering the state to co-opt private companies to pursue its objectives, and reporting that automakers in China are legally obligated to transmit real-time vehicle data, including geolocation information, to Chinese Government monitoring centers.

BIS also seeks to understand how advances in automotive connectivity technology might expose CVs or the sectors they support to new forms of cyber exploitation and vulnerability. BIS proposes identifying the following automotive software systems as the ICTS integral to CVs most likely to present undue or unacceptable risks if exploited by foreign adversary entities: (i) vehicle operating systems; (ii) telematics systems; (iii) advanced drive assistance systems; (iv) automated driving systems; (v) satellite or cellular telecommunication systems; and (vi) battery management systems.

In assessing how to implement rules applicable to these software systems, the ANPRM requests comments on a wide range of topics, including:

1. The composition of the CV ICTS supply chain (including which parts of the CV ICTS supply chain stakeholders consider to be integral to CVs, which parts of the supply chain are currently sourced from foreign adversary countries, what alternatives exist for ICTS sourced from foreign adversary countries, and where CV ICTS data is stored);
2. The relationship between OEMs of CVs and ICTS suppliers in the United States (including the relationships between OEMs and cloud service providers, OEM remote access and data collection capabilities, and the nature of OEM software development partnerships);
3. Which ICTS integral to CVs are most vulnerable to compromise and exploitation (including data collection systems and sensors, connectivity and remote access systems, battery management and charging systems), and information regarding the software development cycle for these systems.

Authorization Mechanisms and Mitigation Measures

Finally, the ANPRM seeks input on mechanisms through which BIS could authorize an otherwise prohibited CV ICTS transaction with mitigation measures that allow for sufficient monitoring to address U.S. national security concerns.

In particular, the ANPRM is soliciting comments on:

1. When a temporary authorization would be necessary to avoid supply chain disruptions or other unintended consequences;
2. Criteria and mitigation measures BIS should consider in judging an application for a temporary authorization (e.g., cybersecurity best practices, software development standards);
3. Whether BIS should model its authorization mechanism procedure on other agency’s authorization programs, such as Office of Foreign Assets Control’s or BIS’s licensing procedures.

Next Steps

Companies assessing the impact of regulations that could follow this ANPRM, including automotive OEMs, suppliers, aftermarket parts companies and service providers, should consider their global ICTS supply chain, degree to which it includes ICTS integral to connected vehicles, and cybersecurity standards and best practices.