On February 29, 2024, the Biden administration issued a statement addressing the national security risks to the U.S. auto industry directing the Department of Commerce to conduct an investigation into Chinese made “connected vehicles” (CVs).

Pursuant to Executive Order (E.O.) 13873, the Commerce Department’s Bureau of Industry and Security (BIS) issued an advance notice of proposed rulemaking (ANPRM) seeking public comments related to transactions involving information and communications technology and services (ICTS) that are integral to CVs from China and other foreign adversaries.

The scrutiny into Chinese-origin cars and its foreign-made hardware or software could lead to complicated new regulations or restrictions. This issue continues the U.S. policy pattern of decoupling certain sensitive technology supply chains away from China.

The deadline for comments is April 30, 2024.

Background

On May 15, 2019, the Trump administration issued E.O. 13873, “Securing the Information and Communications Technology and Services Supply Chain.” The E.O. declared a national emergency regarding the ICTS supply chain, declaring that the unrestricted acquisition and use of ICTS created by or at the direction of foreign adversaries could lead to “undue or unacceptable risks” to U.S. national security. Given the broad nature of the EO and potential implications for business, companies have been curious as to the nature of regulations that may be issued under the directive. And both the Trump and Biden administrations have reiterated each year that such a national emergency exists.

The E.O. grants the Commerce Department the authority to review prohibit or mitigate any ICTS transaction or class of transactions (collectively, transactions). The Department can do so if the transactions: (1) involve ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary and (2) pose undue or unacceptable risks to U.S. information and communications technology or services; the security or resiliency of United States critical infrastructure or the digital economy; or the national security of the United States or the security and safety of United States persons.

Foreign adversaries are defined in 15 CFR 7.4 and include the following:

• China (and Hong Kong)
• Cuba
• Iran
• North Korea
• Russia
• Venezuelan politician Nicolás Maduro (Maduro Regime)

Transactions include “any acquisition, importation, transfer, installation, dealing in, or use of any ICTS by any person, or with respect to any property, subject to the jurisdiction of the United States, where the transaction involves any property in which any foreign country or a national thereof has any interest.”

Pursuant to E.O. 13873, BIS is now considering proposing rules that would prohibit or mitigate certain ICTS transactions integral to CVs that involve foreign adversaries which could create an undue or unacceptable risk to U.S. national security. The ANPRM seeks public input and comments on a wide range topics. We include the main topics below.

Definition of Connected Vehicle

BIS’s current working definition of a CV is an “automotive vehicle that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.” This definition would likely include “vehicles capable of global navigation satellite system (GNSS) communication for geolocation; communication with intelligent transportation systems; remote access or control; wireless software or firmware updates; or on-device roadside assistance.”

The ANPRM seeks comments on the definition of a CV including whether:

1. The definition needs to be amended to better address national security risks arising from transactions involving ICTS integral to CVs;
2. The definition’s scope is appropriate or needs to be broader to include autonomous vehicles, electric vehicles, or other alternative power sources and related technologies;
3. There are any other alternative definitions to consider.

Risks, Threats, and Vulnerabilities of Connected Vehicles

BIS notes the risks of incorporating ICTS products and services by foreign adversaries which can bypass measures intended to protect U.S. persons and allow for malicious cyber activity. BIS highlights a particular risk with Chinese original equipment manufacturers (OEMs) and manufacturers of ICTS integral to CVs because these companies are legally obligated to transmit real-time vehicle data to government monitoring centers.

In order to understand the ICTS supply chain for CVs and its related parties, the potential leverage foreign adversaries may exert, and the capabilities associated with technical trends in CV design and ICTS components, the ANPRM seeks comments on the following:

1. The ICTS supply chain for CVs in the United States including, among others, which ICTS suppliers are integral to CVs and which of them involve foreign adversaries; the relationship between OEMs of CVs in use in the United States and their ICTS suppliers; and whether OEMs can procure alternative sources of ICTS integral to CVs that do not involve foreign adversaries;
2. The current and future technical capabilities associated with CVs and ICTS components including, among others, data collection capabilities; cybersecurity concerns; battery management systems (BMS); CV OEMs and cloud service providers; and the automotive software development cycle;
3. Automotive software systems (vehicle operating systems, telematics systems, Advanced Driver-Assistance System, Automated Driving System (ADS), satellite or cellular telecommunications systems, or BMS) as the ICTS integral to CVs most likely to present undue or unacceptable risks if exploited by foreign adversaries including, among others, which ICTS would present the greatest risk to safety or security; how to develop ADS systems securely; and any other ICTS other than those identified that could present material risks if involving a foreign adversary.

Process and Mechanisms to Prohibit or Mitigate ICTS Transactions

Finally, the ANRPM seeks comments on authorizations and mitigations of potentially prohibited ICTS transactions including, among others, instances of temporary authorizations to engage in otherwise prohibited transactions in order to avoid supply chain disruptions or other unintended consequences; review criteria to be used when considering an application for a temporary authorization; and consideration of any U.S. government models, such as the Office of Foreign Assets Control’s sanctions programs or the Export Administration Regulations that should be emulated in granting authorizations.

Takeaways

• BIS’s actions is a continuation of the decoupling of certain sensitive technology supply chains away from China.
• The ANPRM marks the first time using the authority granted by E.O. 13873. We may see other industries, other than connected vehicles, that could be affected in the future involving ICTS.
• For domestic and foreign car manufacturers, consider conducting a supply chain analysis of ICTS components and determine whether they involve a foreign adversary.
• For industries outside car manufacturers, but incorporate ICTS, be on the lookout for any other regulations that may affect you. We will continue to monitor these developments.

Listen to this post