US Commerce Announces Proposed Rule to Secure Connected Vehicle Supply Chains from Foreign Adversary Threats

 

[ABS News Service/28.09.2024]

On 23 September, 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) published a Notice of Proposed Rulemaking (NPRM) that would prohibit the sale or import of connected vehicles integrating specific pieces of hardware and software, or those components sold separately, with a sufficient nexus to the People’s Republic of China (PRC) or Russia.

The proposed rule focuses on hardware and software integrated into the Vehicle Connectivity System (VCS) and software integrated into the Automated Driving System (ADS). These are the critical systems that, through specific hardware and software, allow for external connectivity and autonomous driving capabilities in connected vehicles. Malicious access to these systems could allow adversaries to access and collect our most sensitive data and remotely manipulate cars on American roads. The proposed rule would apply to all wheeled on-road vehicles such as cars, trucks, and buses, but would exclude vehicles not used on public roads like agricultural or mining vehicles.

BIS and its Office of Information and Communications Technology and Services (OICTS) have found that certain technologies originating from the PRC or Russia present an undue risk to both U.S. critical infrastructure and those who use connected vehicles. Today’s action is a proactive measure designed to protect our national security and the safety of U.S. drivers.

“Cars today have cameras, microphones, GPS tracking, and other technologies connected to the internet. It doesn’t take much imagination to understand how a foreign adversary with access to this information could pose a serious risk to both our national security and the privacy of U.S. citizens. To address these national security concerns, the Commerce Department is taking targeted, proactive steps to keep PRC and Russian-manufactured technologies off American roads,” said U.S. Secretary of Commerce Gina Raimondo.

“The Biden-Harris Administration is ensuring that Americans can drive the car of their choice safely and securely – free from risks posed by Chinese technologies,” said National Economic Advisor Lael Brainard.

“Today, the U.S. government is taking strong action to protect the American people, our critical infrastructure, and automotive supply chains from the national security risks associated with connected vehicles produced by countries of concern. While connected vehicles yield many benefits, the data security and cybersecurity risks posed by software and hardware components sourced from the PRC and other countries of concern are equally clear, and we will continue to take necessary steps to mitigate these risks and get out ahead of the problem,” said National Security Advisor Jake Sullivan.

“This rule marks a critical step forward in protecting America’s technology supply chains from foreign threats and ensures that connected vehicle technologies are secure from the potential exploitation of entities linked to the PRC and Russia,” said Under Secretary of Commerce for Industry and Security Alan F. Estevez. “The Department of Commerce will continue to take a proactive approach to address this national security risk before Chinese and Russian suppliers proliferate within the U.S. automotive ecosystem. Our goal is always to safeguard our national security.”

“Our regulatory focus remains steadfast on enhancing the security of our nation’s critical technologies,” said Elizabeth Cannon, Executive Director of OICTS. “Without this proposed rule, we would be leaving an open door for foreign adversaries looking to compromise one of our most important assets, our cars. BIS is committed to safeguarding our technology supply chains from foreign adversary manipulation.”

Today’s proposed rule would prohibit the import and sale of vehicles with certain VCS or ADS hardware or software with a nexus to the PRC or Russia. The VCS is the set of systems that allow the vehicle to communicate externally, including telematics control units, Bluetooth, cellular, satellite, and Wi-Fi modules. The ADS includes the components that collectively allow a highly autonomous vehicle to operate without a driver behind the wheel.

The rule would also prohibit manufacturers with a nexus to the PRC or Russia from selling connected vehicles that incorporate VCS hardware or software or ADS software in the United States, even if the vehicle was made in the United States.

The prohibitions on software would take effect for Model Year 2027 and the prohibitions on hardware would take effect for Model Year 2030, or January 1, 2029 for units without a model year.

The proposed rule is implemented under BIS’s ICTS authorities, as provided for under Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain.” EO 13873 allows the Department of Commerce to issue regulations that establish criteria by which particular technologies may be included in EO 13873’s prohibitions when transactions involving those technologies (1) pose an undue or unacceptable risk of sabotage to or subversion of ICTS in the United States; (2) pose an undue risk of catastrophic effects on the security or resiliency of U.S. critical infrastructure or the digital economy of the United States; or (3) otherwise pose an unacceptable risk to the national security of the United States or the security and safety of U.S. persons.

This NPRM incorporates public feedback submitted in response to an Advance Notice of Proposed Rulemaking (ANPRM) on connected vehicles published by BIS on March 1, 2024. BIS is seeking additional public comment on today’s proposed rule from all interested parties.