Commerce Considers ICTS-related Rules to Address Connected Vehicle Risks
On March 1, 2024, the US Department of Commerce’s (“Commerce”) Bureau of Industry and Security (“BIS”) published an Advance Notice of Proposed Rulemaking1 (the “Notice”) seeking public comments on potential regulation of the information systems that are integral to “connected vehicles,” and that are designed, developed, manufactured, or supplied by persons owned, controlled by, or subject to the direction of jurisdictions and persons determined to be “foreign adversaries.” The Notice highlights ways in which the incorporation of foreign information technology into connected vehicles can raise US national security risks and is intended to inform BIS’s consideration of potential regulation of classes or categories of such transactions, although the Notice itself expresses willingness to consider rules that “narrowly address” those risks.
Background
BIS issued the proposed rulemaking pursuant to its authority under Executive Order 13873 of May 15, 2019 (“the EO”), which declared a national emergency stemming from “foreign adversaries . . . increasingly creating and exploiting vulnerabilities” in information and communications technology and services (ICTS) supply chains. As discussed in our prior Legal Updates on the ICTS framework and implementing regulations (written January 2021 and October 2023), the EO delegates broad authority to Commerce in consultation with other relevant agencies, to restrict, impose mitigation measures on, or potentially unwind, transactions or categories of transactions involving ICTS with ties to a “foreign adversary” that pose undue or unacceptable risks to U.S. national security or US persons. However, Commerce has yet to publish any decisions (categorical or case-by-case) under that authority.
To date, Commerce has defined the following as “foreign adversaries:” China (including Hong Kong), Russia, Cuba, Iran, North Korea, and Nicolas Maduro/the Maduro Regime in Venezuela. However, Commerce’s press release announcing the Notice for connected vehicles specifically focuses on China as presenting a “particularly acute and persistent threat to the US ICTS supply chain related to CVs.”
Key National Security Concerns
The Notice discusses a number of general factors relevant to the risk arising from incorporation of “foreign adversary” ICTS in connected vehicles, including:
- the increase in interconnectivity and autonomous capability of these vehicles;
- their increasing data collection capabilities—with respect to not only the vehicle but its occupants, surroundings, and infrastructure;
- the capability to gather and share data relating to both individual and societal transportation needs;
- the potential direct entry point to sensitive technology and data, as well as the potential for bypassing measures intended to protect safety and security of US persons; and
- the potential exposure to cyber attacks.
Notably, while the Notice discusses those vulnerabilities in general terms, it devotes specific attention to what BIS calls a “particularly acute and persistent threat” posed by the PRC in the connected vehicles context, citing US intelligence findings, public information about China’s cyber capabilities, and aspects of the Chinese legal environment. In the press release accompanying the Notice, Secretary of Commerce Gina Raimondo sums up the national security concerns by stating, “It doesn’t take a lot of imagination to think of how [a] foreign government with access to connected vehicles could pose a serious risk to both our national security and the personal privacy of U.S. citizens.”
Requested Public Comment
The Notice does not telegraph specific regulatory language. Instead, in light of the context summarized above, BIS seeks input on a broad range of questions intended to better inform the rulemaking. These are detailed in the Notice, and include questions relating to:
- the ICTS supply chain for CVs in the United States, with particular attention to the role of “foreign adversaries” in that chain. Issues include categories of ICTS, market leaders, as well as locations where software, hardware, or other ICTS components are designed, developed, manufactured, or supplied, possible alternative sources of supply, and disruption impacts;
- the nature of information sharing between OEMs of CVs in use in the United States and their ICTS suppliers, the scope of access rights and limitations, and issues relating to remote access capabilities;
- data collection and connectivity issues;
- risks posed by aftermarket ICTS integrated onboard CVs; and
- noting the unique CV vulnerabilities related to data collection and connectivity, the collection, storage, access, and control of CV data.
Consistent with BIS’s broader historical practice, it also seeks input on potential mitigation mechanisms, as well as measures that could be used to authorize an otherwise prohibited ICTS transaction or category of transactions involving CVs. Among other considerations, BIS solicits comments on the possibility of granting temporary authorizations to avoid supply chain disruptions and other unintended consequences, potential review criteria the agency might employ in considering temporary authorization applications, and other potential models for granting authorizations.
Takeaways
The Notice has significant implications for business across the CV value chain, including OEMs, parts and component manufacturers, service providers, and developers of related software and technology. Regulations promulgated by BIS pursuant to this rulemaking under the ICTS framework may lead to categorical restrictions with both regulatory compliance and commercial impacts. Affected business across the value chain, both domestic and foreign, should consider the potential impact on their operations and are encouraged to provide comments to inform this important rulemaking process. Importantly, this includes potential consideration of mitigation measures relating to data storage, processing, and information sharing protections that may be crucial in managing the risks relevant to this rulemaking.
Stakeholders are encouraged to participate in the Notice public comment process. Responses are due to BIS by April 30, 2024.