On March 1, 2024, the Department of Commerce’s Bureau of Industry and Security (BIS) issued an Advanced Notice of Proposed Rulemaking (ANPRM) to explore national security risks posed by connected vehicles (CVs) that incorporate Information and Communications Technology and Services (ICTS) from “foreign adversaries,” including China and the Hong Kong Special Administrative Region. The initiative was driven by concerns that such vehicles could be used to collect sensitive data on U.S. citizens and infrastructure or be remotely accessed or disabled, posing risks to national security and personal privacy. According to recent media reports, BIS is expected to propose rules soon that will bar vehicles with Chinese-developed software in vehicles with Level 3 automation or above.
In the ANPRM, BIS inquired into various topics, including:
- The definition of CVs within the context of transactions involving ICTS incorporated into such vehicles. BIS proposed the following initial definition for such CVs: “an automotive vehicle that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.” This definition would likely include automotive vehicles, whether personal or commercial, capable of global navigation satellite system (GNSS) communication for geolocation; communication with intelligent transportation systems; remote access or control; wireless software or firmware updates; or on-device roadside assistance.
- Information on the role that foreign adversaries play in the supply chain for CVs and the leverage these entities could exert as a result;
- Details of the ICST supply chain in the United States, including categories of ICST software and hardware that are integral to CVs and market leaders within each distinct phase of the supply chain;
- Full scope of data collection capabilities in CVs and the scale of data that CVs could collect on U.S. persons, entities, geography, and infrastructure;
- Any cybersecurity concerns that may arise from linkages between sensors in CVs and the best practices/industry norms on cybersecurity standards relating to ICTS CVs;
- The review criteria and standards that BIS should consider in granting temporary authorizations to otherwise prohibited transactions under a proposed rule; and
- The economic impact of the proposed rule on U.S. businesses.
The deadline for public comments was April 30, 2024. In response, BIS received more than 50 comments from various automakers and trade groups urging BIS to tailor the restrictions narrowly and allow for a phase-in. One of the common themes raised by the commenters was that BIS should focus its restrictive efforts on the technology and services that may pose a national security risk on CVs, rather than the individual components, such as cameras, LIDARs, and radar sensors, that do not have any connectivity capabilities. If BIS proceeds with an overly broad restriction on any hardware and software component in CVs, the commenters warned, it could make it exceedingly difficult for automakers to comply with the rules and, in turn, hike the cost of cars. Additionally, a trade group argued for exclusionary tariffs on all Chinese vehicles, wherever they were made. The group asked BIS to establish safeguard measures against China’s automotive sectors to prevent Chinese companies from obtaining USMCA benefits and to place a greater emphasis in UFLPA enforcement on Chinese auto parts, batteries, and raw materials used in electric vehicles.