Bureau of Industry and Security Announces Digital Security Inquiry into the Automotive Industry
On February 29, 2024, the US Department of Commerce Bureau of Industry and Security ("BIS") announced an advance notice of proposed rulemaking ("ANPRM") that asks for public input on potential regulations to address the risks to national security posed by information and communications technology and services ("ICTS") components of connected vehicles ("CVs").1 The action is part of a wider US government effort to protect sensitive personal data of Americans and strengthen digital infrastructure security.2
The potential CV rule
The main purpose of the ANPRM is to gather public input to aid BIS in developing a potential rule to prohibit the use in CVs of ICTS designed, developed, produced or supplied by entities owned or controlled by, or subject to the jurisdiction of, foreign adversaries. If final rules are adopted, the prohibition would be imposed under existing regulations for ICTS transactions that BIS has developed to implement Executive Order ("EO") 13873, which President Trump issued in 2019 and President Biden has continued and expanded in EO 14034.3 The ANPRM says that BIS is "considering proposing rules that would prohibit certain ICTS transactions or classes of ICTS transactions by or with persons who design, develop, manufacture, or supply ICTS integral to CVs and are owned by, controlled by, or subject to the jurisdiction or direction of foreign governments or foreign non-government persons […]." The rule may also include "measures that would allow market participants to engage in otherwise prohibited transactions or classes of transactions if the undue or unacceptable risks of those ICTS transactions can be sufficiently mitigated using measures that are monitorable."
Definition of a CV
The ANPRM proposes to define a "connected vehicle" as "an automotive vehicle that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device." Under this definition, if adopted, almost any new vehicle and many existing vehicles could qualify as a CV. In addition, the non-vehicle technology infrastructure that CVs may connect to, such as cloud services, third-party vendor technology infrastructure or consumer devices, is within the scope of the existing ICTS regulations and therefore may be pulled into the scope of any proposed regulation.
The ANPRM's call for public input
Companies involved in manufacturing ICTS inputs used in CVs or in producing CVs that are interested in the outcome can provide comment to BIS in response to the ANPRM. BIS must address public comments in any final rule, so participating in the public comment process can help shape the final outcome, and BIS' response may inform any potential legal challenge should a final rule be published. The ANPRM will be open for public comments for 60 days following its March 1 publication in the Federal Register, with comments due by April 30, 2024.
Questions in the ANPRM
BIS details at length in the ANPRM the risks BIS sees in ICTS automotive components produced by entities subject to the laws of China. BIS preliminarily identifies the data collection and connectivity capabilities of ICTS in CVs as key elements of concern and asks for comment on this assessment and whether steps can be taken to mitigate the risks identified in the ANPRM.
Along with seeking comment on the proposed definition of CV and related terms, the ANPRM seeks comments on the national security, privacy and safety risks associated with ICTS in CVs, especially in the following areas:
- the nature of the ICTS supply chain for CVs, including the identity of key manufacturers of ICTS;
- ICTS suppliers who are owned or controlled by foreign adversaries of concern;
- the extent to which CVs connect to global navigation satellite systems operated or controlled by foreign adversaries of concern;
- how disruptions of the ICTS supply chain for CVs would affect manufacturers of CVs used in the United States;
- the scope of data collected by CVs and the cybersecurity embedded in the ICTS;
- the use and secure development of operating systems and software in CVs;
- what alternative sources of supply are available that are not owned or controlled by foreign adversaries of concern;
- the relationship of ICTS suppliers to auto manufacturers;
- the scope of data collected by CVs and related cybersecurity concerns;
- the extent to which ICTS used in CVs is present in critical infrastructure sectors; and
- the economic impacts to US business or the public of regulations contemplated by the ANPRM.
The BIS ICTS Regulations
The ICTS regulations at 15 CFR 7.4 identify China (including Hong Kong), Cuba, Iran, North Korea, Russia and the Maduro Regime in Venezuela as foreign adversaries for purposes of the ICTS regulations. Under these existing regulations the Secretary of Commerce may prohibit transactions involving ICTS that has been designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction of a foreign adversary if the Secretary determines that the ICTS poses an undue or unacceptable risk to US national security or the safety of US persons. If the ANPRM leads to final regulations prohibiting certain ICTS for CVs, it would be the first prohibition action that BIS has taken under the ICTS regulations.
1 "Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles," 89 FR 15066 (March 1, 2024); see also the BIS press release announcing the action.
2 "Biden-Harris Administration Takes Action to Address Risks of Autos from China and Other Countries of Concern," February 29, 2024.
3 EO 13873 of May 15, 2019, "Securing the Information and Communications Technology and Services Supply Chain," 84 FR 22689 (May 17, 2019) and EO 14034 of June 9, 2021, "Protecting Americans' Sensitive Data From Foreign Adversaries," 86 FR 31423 (June 11, 2021). The implementing regulations can be found at 15 CFR Part 7.