The US Department of Commerce’s Bureau of Industry and Security (BIS) issued an advance notice of proposed rulemaking (ANPRM) on February 29, 2024 soliciting public feedback on the development of regulations related to the Information and Communications Technology and Services (ICTS) that are integral to connected vehicles (CVs). The ANPRM is designed to evaluate and address national security concerns that may arise from ICTS transactions, particularly those involving entities under the control or influence of foreign adversaries.
The ANPRM, accompanied by a press release, was officially published in the Federal Register on March 1, 2024, with a comment period closing on April 30, 2024. Concurrently, President Biden issued a statement highlighting concerns over CVs from the People’s Republic of China (China), emphasizing the risk of these vehicles collecting and transmitting sensitive data about American citizens and infrastructure back to China, and the potential for these vehicles to be remotely accessed or disabled.
In accordance with the National Emergencies Act, and pursuant to EO 13873, Securing the Information and Communications Technology and Services Supply Chain, the ANPRM states that Commerce is focused on regulating ICTS transactions on a category- or class-wide basis. Specifically, the information collection is expected to aid BIS in identifying which technologies and market players are most suitable for regulation under the executive order.
Moreover, the scope of the ANPRM request seeks to provide BIS detailed insights on the definitions and assessments of ICTS transactions related to CVs, especially those linked to foreign-controlled entities, and how they might present significant or untenable risks to US national security. These risks are particularly concerning given the advanced capabilities of CVs, which could amplify vulnerabilities and have severe implications for US citizens and critical infrastructure if maliciously exploited by foreign actors.
BIS is particularly focused on addressing risks while recognizing the benefits of CV technologies, stating that the ANPRM does not imply that CV technologies (e.g., vehicle-to-everything communications, or V2X) are generally unsafe.
The importance of the information collection process is reflected in part by the relatively expedited comment period assigned to this ANPRM. Generally, BIS has provided between 60 to 90 days for information collection responses, especially in the national security space, where the precision and scope of the information collection will bear directly on anticipated regulatory obligations.
Based on the feedback BIS receives, the agency is expected to promulgate rules and guidance that may prohibit certain ICTS transactions or classes of ICTS transactions by or with persons who design, develop, manufacture, or supply ICTS integral to CVs and are owned by, controlled by, or subject to the jurisdiction or direction of foreign governments or foreign nongovernment persons identified at 15 CFR 7.4 (referred to as “15 CFR 7.4 entities” in the ANPRM). These entities include organizations from China, Cuba, Iran, North Korea, Russia, and Venezuelan Maduro Regime.
Moreover, BIS is exploring the possibility of permitting market participants to engage in otherwise prohibited transactions or classes of transactions if the undue or unacceptable risks of those ICTS transactions can be sufficiently mitigated using measures that are monitorable.
The ANPRM casts a wide net in its request for comments, covering various facets of the ICTS ecosystem for CVs. The general categories include definitions, diligence requirements, identification of threats and vulnerabilities, economic impacts, and mitigation measures.
We outline below several key areas where comments will inform BIS’s approach to the anticipated regulations.
Definition of ‘Connected Vehicle’
The ANPRM solicits input on the definition of a CV within the context of ICTS transactions considering the diverse capabilities of CVs, such as global navigation, intelligent transportation systems, remote access/control, and wireless updates. BIS proposes to define “connected vehicle” as an automotive vehicle that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.
The agency notes that this definition likely would encompass automotive vehicles, whether personal or commercial, capable of global navigation satellite system (GNSS) communication for geolocation, communication with intelligent transportation systems, remote access or control, wireless software or firmware updates, or on-device roadside assistance. BIS seeks comments on whether to include autonomous vehicles and related equipment, electric vehicles, or other alternative power sources and related technologies.
Supply Chain Risk
The ANPRM indicates that automotive manufacturers in China must send extensive vehicle data to government centers, reflecting a broader strategy to use private companies for government purposes. This raises concerns about the security of ICTS supply chains, particularly for CVs in the United States, and underscores BIS’s worries about China’s participation in these areas. Based on these predicate findings, BIS seeks comments on the following:
Identified Vulnerabilities
BIS has preliminarily identified two vulnerabilities associated with CVs: (1) the collection of vehicle-level data (e.g., driver behavior, vehicle status, geolocation, biometrics, driver mobile phone data) and environmental-level data (e.g., detailed mapping data, object detection, traffic patterns), extracted through various onboard systems and sensors such as LiDAR; and (2) connectivity provided by external sources, including the OEM and third-party service providers designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a 15 CFR 7.4 entity, as well as in-car devices such as smart phones.
BIS seeks comments relating to data collection, cybersecurity, OEMs’ remote control capabilities, and the dynamics between OEMs, cloud service providers, and suppliers. The ANPRM also explores how data is managed and protected, the potential cybersecurity risks from interconnected sensors, standards for securing vehicle-to-infrastructure connections, and the integration of battery management systems.
Additionally, BIS asks about the automotive software development process, the relationship between CV manufacturers and cloud services, the verification of materials and software for authenticity and compliance, and the practices for vetting vendors and securing the supply chain within the ICTS ecosystem of CVs.
Authorization and Mitigation Processes
In alignment with how BIS generally manages national security issues, the ANPRM looks to commentators to advise the agency on mitigation measures that could address the concerns and vulnerabilities raised. BIS invites comments on the processes and mechanisms it could implement to authorize otherwise-prohibited ICTS transactions with the adoption of mitigation measures.
This includes when temporary authorizations may be necessary, criteria for their review, standards for mitigation measures, and whether models such as the Office of Foreign Assets Control’s sanctions or the Export Administration Regulations provide foundational frameworks that could be used in this context as well.
Due Diligence and Compliance
The ANPRM seeks information on the anticipated due diligence, compliance, and recordkeeping controls necessary to comply with any proposed regulations, especially those relating to ICTS designed, developed, manufactured, or supplied by entities under foreign influence.
Within this context, comments regarding the manageability of additional diligence obligations, the ability to access data necessary to determine whether to proceed with a specific transaction, and the operational practicalities of monitoring the changing geopolitical landscape to update any diligence would be particularly useful to BIS’s consideration of how to proceed.
Specific Concerns
The ANPRM asks detailed questions about the data collection capabilities of CVs, types of remote access OEMs have, cybersecurity concerns related to sensor linkages, standards and practices for securing vehicle interconnections, and the automotive software development cycle, including licensing, development location, security measures, partnerships, and the treatment of embedded software.
Economic Impact
The ANPRM also welcomes insights into the potential economic impacts of ICTS regulations on US businesses, the public, and local businesses outside the United States, including anticompetitive effects and measures to minimize costs. Within this request, additional insight regarding the potential for countermeasures or other actions by countries or organizations impacted by any proposed rule would also assist BIS with its policy and regulatory development.
The US automotive sector continues to face economic and security concerns in the growing electric vehicle market and with competition from Chinese electric vehicles, which are making significant inroads into global markets with their competitive pricing strategies and technological offerings. This growing concern has heightened anxiety within the industry, amplifying worries about the potential repercussions for domestic automakers.
In response, President Biden has pledged to safeguard the future of the US auto industry, emphasizing the strategic need to anchor manufacturing and innovation domestically, thereby preserving American jobs. This commitment addresses the immediate competitive threats and highlights a broader national strategy to strengthen the US automotive industry against external vulnerabilities, including cybersecurity and espionage risks associated with foreign-manufactured connected vehicles.
However, with the US government’s intention to expeditiously establish the regulatory framework, engaging the automotive industry and its stakeholders is critical. The comment period offers a crucial opportunity for industry representatives to actively shape policy development.
Thus, businesses in the CV supply chain, including OEMs, component, and service providers, even those based in countries specified under 15 CFR 7.4, are urged to convey their perspectives and propositions either directly by submitting comments or indirectly through industry associations.
In light of the ANPRM and other directives including some recent executive orders that consistently identify certain countries as “countries of concern,” it is also opportune for manufacturers in 15 CFR 7.4 entities to begin championing the narrative that a vehicle’s country of origin does not inherently preclude its conformity with US standards. The crux of the matter for vehicles manufactured by 15 CFR 7.4 entities is to demonstrate their capacity to eschew “back door” functionalities that could facilitate data transmission back to 15 CFR 7.4 entities, ensuring that they are not perceived as mobile extensions of platforms closely scrutinized by the US government.
To proactively address the concerns, vehicle manufacturers are advised to self-mitigate by implementing stringent data handling and privacy measures well before their market entry. By aligning with such precedents, manufacturers can advocate for regulatory adaptations that acknowledge their compliance, thereby earning them a place in the competitive landscape.
This proactive engagement is paramount to ensuring that forthcoming regulations not only buttress national security imperatives but also catalyze innovation and sustain the competitive vitality of the US automotive industry, all while dispensing with unnecessary encumbrances for CV market participants.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: