US Commerce Announces Proposed Rule to Secure Connected Vehicle
Supply Chains from Foreign Adversary Threats
[ABS News Service/28.09.2024]
On
23 September, 2024, the U.S. Department of Commerce’s Bureau of Industry and
Security (BIS) published a Notice of Proposed Rulemaking (NPRM) that would
prohibit the sale or import of connected vehicles integrating specific pieces
of hardware and software, or those components sold separately, with a
sufficient nexus to the People’s Republic of China (PRC) or Russia.
The
proposed rule focuses on hardware and software integrated into the Vehicle
Connectivity System (VCS) and software integrated into the Automated Driving
System (ADS). These are the critical systems that, through specific hardware
and software, allow for external connectivity and autonomous driving
capabilities in connected vehicles. Malicious access to these systems could
allow adversaries to access and collect our most sensitive data and remotely
manipulate cars on American roads. The proposed rule would apply to all wheeled
on-road vehicles such as cars, trucks, and buses, but would exclude vehicles
not used on public roads like agricultural or mining vehicles.
BIS
and its Office of Information and Communications Technology and Services
(OICTS) have found that certain technologies originating from the PRC or Russia
present an undue risk to both U.S. critical infrastructure and those who use
connected vehicles. Today’s action is a proactive measure designed to protect
our national security and the safety of U.S. drivers.
“Cars
today have cameras, microphones, GPS tracking, and other technologies connected
to the internet. It doesn’t take much imagination to understand how a foreign
adversary with access to this information could pose a serious risk to both our
national security and the privacy of U.S. citizens. To address these national
security concerns, the Commerce Department is taking targeted, proactive steps
to keep PRC and Russian-manufactured technologies off American roads,” said
U.S. Secretary of Commerce Gina Raimondo.
“The
Biden-Harris Administration is ensuring that Americans can drive the car of
their choice safely and securely – free from risks posed by Chinese
technologies,” said National Economic Advisor Lael Brainard.
“Today,
the U.S. government is taking strong action to protect the American people, our
critical infrastructure, and automotive supply chains from the national
security risks associated with connected vehicles produced by countries of
concern. While connected vehicles yield many benefits, the data security and
cybersecurity risks posed by software and hardware components sourced from the
PRC and other countries of concern are equally clear, and we will continue to
take necessary steps to mitigate these risks and get out ahead of the problem,”
said National Security Advisor Jake Sullivan.
“This
rule marks a critical step forward in protecting America’s technology supply
chains from foreign threats and ensures that connected vehicle technologies are
secure from the potential exploitation of entities linked to the PRC and
Russia,” said Under Secretary of Commerce for Industry and Security Alan F.
Estevez. “The Department of Commerce will continue to take a proactive approach
to address this national security risk before Chinese and Russian suppliers
proliferate within the U.S. automotive ecosystem. Our goal is always to
safeguard our national security.”
“Our
regulatory focus remains steadfast on enhancing the security of our nation’s
critical technologies,” said Elizabeth Cannon, Executive Director of OICTS.
“Without this proposed rule, we would be leaving an open door for foreign
adversaries looking to compromise one of our most important assets, our cars.
BIS is committed to safeguarding our technology supply chains from foreign
adversary manipulation.”
Today’s
proposed rule would prohibit the import and sale of vehicles with certain VCS
or ADS hardware or software with a nexus to the PRC or Russia. The VCS is the
set of systems that allow the vehicle to communicate externally, including
telematics control units, Bluetooth, cellular, satellite, and Wi-Fi modules.
The ADS includes the components that collectively allow a highly autonomous
vehicle to operate without a driver behind the wheel.
The
rule would also prohibit manufacturers with a nexus to the PRC or Russia from
selling connected vehicles that incorporate VCS hardware or software or ADS
software in the United States, even if the vehicle was made in the United
States.
The
prohibitions on software would take effect for Model Year 2027 and the
prohibitions on hardware would take effect for Model Year 2030, or January 1,
2029 for units without a model year.
The
proposed rule is implemented under BIS’s ICTS authorities, as provided for
under Executive Order 13873, “Securing the Information and Communications
Technology and Services Supply Chain.” EO 13873 allows the Department of
Commerce to issue regulations that establish criteria by which particular
technologies may be included in EO 13873’s prohibitions when transactions
involving those technologies (1) pose an undue or unacceptable risk of sabotage
to or subversion of ICTS in the United States; (2) pose an undue risk of
catastrophic effects on the security or resiliency of U.S. critical
infrastructure or the digital economy of the United States; or (3) otherwise
pose an unacceptable risk to the national security of the United States or the
security and safety of U.S. persons.
This
NPRM incorporates public feedback submitted in response to an Advance Notice of
Proposed Rulemaking (ANPRM) on connected vehicles published by BIS on March 1,
2024. BIS is seeking additional public comment on today’s proposed rule from
all interested parties.