Commerce Focuses National Security Scrutiny on 'Connected Vehicle' Supply Chain

Key Points

• On March 1, 2024, Commerce published a notice seeking comments on issues and questions related to transactions involving ICTS integral to “connected vehicles,” when designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of “foreign adversaries,” including China.
• Issued pursuant to the ICTS authority, the notice indicates that Commerce is considering proposing rules that would prohibit certain transactions (potentially categorically) for ICTS integral to connected vehicles. Commerce is also considering whether mitigation measures, as opposed to prohibitions, may be sufficient to address the risks associated with these transactions.
• While any eventual proposed rule would likely apply to all countries designated as “foreign adversaries” under the ICTS regulations (15 C.F.R. Part 7), the notice focused particularly on the threat posed by China.
• The notice proposes a very broad definition of “connected vehicle” and indicates that Commerce is considering identifying the following technologies as integral to connected vehicles: vehicle operating systems, telematic systems, advanced driver-assistance systems, automated driving systems, satellite or cellular telecommunication systems and battery management systems.
• Comments are due on April 30, 2024.

On March 1, 2024, the Department of Commerce (Commerce), Bureau of Industry and Security (BIS), through its Office of Information and Communication Technology and Services (ICTS), released an advanced notice of proposed rulemaking (ANPRM) seeking public comment to assist BIS with the potential development of a rule regarding ICTS that is integral to connected vehicles (CVs). More specifically, the purpose of the ANPRM is to gather information to enable BIS to assess how classes of transactions involving ICTS integral to CVs, when designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of “foreign adversaries,” including China, could present undue or unacceptable risks to U.S. national security and whether such transactions should, therefore, be prohibited. The deadline for comments is 60 days following formal publication, i.e., April 30, 2024. There are no immediately effective provisions, and the process for finalizing any eventual regulation is likely to take until at least late 2024, if not longer.

BIS issued this ANPRM to address a perceived threat to national security presented by the capabilities of CVs and how ICTS technologies incorporated into such vehicles create opportunities for exploitation by foreign adversaries. The ANPRM specifically highlights CV capabilities such as data collection (e.g., collection of driver behavior, geolocation, biometrics, mapping data, traffic patterns, etc.), the interconnectivity of CV software and hardware components and the ability to transmit data and communicate with external sources. While investigation and eventual proposed rule would relate to all “foreign adversary” countries, the ANPRM focuses primarily on risks associated with China.

Background on ICTS: BIS identifies the authority for the ANPRM, and any future prohibitions that may follow, as E.O. 13873, “Securing the Information and Communications Technology and Services Supply Chain,” issued by President Trump in May 2019. E.O. 13873 grants the Secretary of Commerce the authority to review and, if necessary, impose mitigation measures or prohibit any ICTS transaction, or class of transactions, involving a foreign adversary that poses an “unacceptable” risk to the national security of the United States or the security and safety of U.S. persons.

The regulations implementing the ICTS E.O. are found in 15 C.F.R. Part 7 (ICTS Regulations) and are administered by the Office of ICTS within BIS. These regulations establish a process for reviewing, mitigating and/or prohibiting a variety of ICTS-related transactions that involve foreign adversaries and detail the types of ICTS items that are covered by the regulations. Pursuant to the E.O., Commerce can also establish criteria by which particular technologies may be categorically prohibited, which it has yet to do in the ICTS Regulations.

National Security Concerns: The ANPRM identifies several potential threats and vulnerabilities created by ICTS integral to CVs that is designed, developed, manufactured or supplied by persons who are owned by, controlled by or subject to the jurisdiction or direction of foreign adversaries, including China. According to BIS, the national security risks arise from CV technologies’ reliance on “significant data collection not only about the vehicle and its myriad components, but also the driver, the occupants, the vehicle’s surroundings, and nearby infrastructure” and that these technologies could expose CVs to “new cyber-enabled attack vectors and vulnerabilities” that could permit unauthorized access to the vehicle’s systems, allowing malicious actors to obtain control over the vehicle, including to potentially disable the vehicle completely. The ANPRM further notes that the connectivity of CVs, including to “telecommunications networks, transportation systems, and the electrical grid” means that CVs could provide a “platform for launching distributed denial of service attacks against intelligent transportation systems, satellite or cellular communications hardware, or other critical infrastructure.”

Potential Prohibitions and Mitigation: The ANPRM seeks public comment — through a series of 35 questions — to guide BIS’s potential development of rules governing ICTS integral to CV, including rules that could prohibit classes of transactions. These questions cover a variety of topics, from better understanding the global market to exploring how the technology operates, among others. The ANPRM also contemplates that BIS could make available measures, such as licenses, that would allow market participants to engage in otherwise prohibited transactions if the risks involved could be sufficiently mitigated.

Definition of CV: The ANPRM proposes defining “CV” to mean “an automotive vehicle that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.” According to BIS, this definition would likely include vehicles capable of global navigation satellite system (GNSS) communication for geolocation, communication with intelligence transportation systems, remote access or control, wireless software or firmware updates or on-device roadside assistance. BIS is also considering alternative terminology such as “networked vehicles,” “intelligent connected vehicles,” “software-defined vehicles,” or “connected autonomous vehicles” to the extent those terms would better capture what BIS currently intends by “CV.”

Proposed list of ICTS software integral to CVs: While the ANPRM seeks input regarding both hardware and software, it specifically identifies the following automotive software systems as those that it is considering identifying as integral to CVs and posing undue and unacceptable risk:

• Vehicle operating systems (OS): i.e., the software platform that manages all constituent electronic control units allowing the vehicle to operate.
• Telematics systems: i.e., what BIS describes as the systems that “connect the vehicle with cloud-based services to provide onboard systems with external data streams (e.g., geolocation, streaming service, assistance service, [and] emergency notification).”
• Advanced driver-assistance systems (ADAS): i.e., active and passive technologies that assist drivers with safe vehicle operation by detecting obstacles or driver errors and assisting the driver with appropriate response, such as driver monitoring systems (DMS), adaptive cruise control, lane-keep assist, parking sensors and others.
• Automated driving systems (ADS): i.e., systems that enable driving functions to be handled partially or fully by the vehicle.¹
• Satellite or cellular telecommunication systems: i.e., vehicle hardware and software that supports cellular and satellite communications connectivity.
• Battery management systems (BMS): i.e., the hardware and software systems that control the battery functions in electric vehicles, including charge/discharge, charge balancing, performance optimization and other functions.

Countries: The ICTS regulations previously adopted under E.O. 13873 currently define “foreign adversary” to mean China (including Hong Kong), Cuba, Iran, North Korea, Russia and Venezuela. The ANPRM focuses specifically on the threat posed by China, citing examples of the government of China’s intent and capacity to launch cyberattacks and the fact that Chinese companies are subject to a series of “legal authorities and opaque [Chinese Communist Party] influence” that makes “private companies that are subject to PRC jurisdiction susceptible to requests from intelligence and military officials,” including to provide data and other means of access to ICTS hardware and software that could be installed on CVs operating in the United States.

Timing: Comments are due 60 days after formal publication, i.e., April 30, 2024. Following its review of those comments, BIS will issue a proposed rule, inviting another round of comments. Following its review of those comments, BIS will issue a final rule, making the regulations effective likely within 30 or 60 days thereafter. Thus, any final regulation that may result from this investigation is unlikely to become effective until, at the earliest, late this year.

^{1 ADS are considered by the National Highway Traffic Safety Administration (NHTSA) as commensurate with SAE Automation Levels 3 through 5. See NHTSA, Automated Driving Systems 2.0: A Vision for Safety, https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/13069a-ads2.0_090617_v9a_tag.pdf?xid=PS_smithsonian.}