Connected Vehicle Rule Published

The Commerce Department proposed prohibiting the sale or import of connected vehicles integrating specific pieces of hardware and software, or those components sold separately, with a sufficient nexus to the People’s Republic of China (PRC) or Russia.    

Published by the Bureau of Industry and Security, the rule focuses on hardware and software integrated into the Vehicle Connectivity System (VCS) and software integrated into the Automated Driving System (ADS). These are the critical systems that, through specific hardware and software, allow for external connectivity and autonomous driving capabilities in connected vehicles.

"Malicious access to these systems could allow adversaries to access and collect our most sensitive data and remotely manipulate cars on American roads," states the notice.

The proposed rule would apply to all wheeled on-road vehicles such as cars, trucks, and buses, but would exclude vehicles not used on public roads like agricultural or mining vehicles. 

BIS and its Office of Information and Communications Technology and Services (OICTS) have found that certain technologies originating from the PRC or Russia present an undue risk to both U.S. critical infrastructure and those who use connected vehicles. 

“Cars today have cameras, microphones, GPS tracking, and other technologies connected to the internet. It doesn’t take much imagination to understand how a foreign adversary with access to this information could pose a serious risk to both our national security and the privacy of U.S. citizens. To address these national security concerns, the Commerce Department is taking targeted, proactive steps to keep PRC and Russian-manufactured technologies off American roads,” said U.S. Secretary of Commerce Gina Raimondo.   

“While connected vehicles yield many benefits, the data security and cybersecurity risks posed by software and hardware components sourced from the PRC and other countries of concern are equally clear, and we will continue to take necessary steps to mitigate these risks and get out ahead of the problem,” said National Security Advisor Jake Sullivan.

“Without this proposed rule, we would be leaving an open door for foreign adversaries looking to compromise one of our most important assets, our cars,” said Elizabeth Cannon, Executive Director of OICTS.    

Today’s proposed rule would prohibit the import and sale of vehicles with certain VCS or ADS hardware or software with a nexus to the PRC or Russia.

  • The VCS is the set of systems that allow the vehicle to communicate externally, including telematics control units, Bluetooth, cellular, satellite, and Wi-Fi modules.
  • The ADS includes the components that collectively allow a highly autonomous vehicle to operate without a driver behind the wheel. 

The rule would also prohibit manufacturers with a nexus to the PRC or Russia from selling connected vehicles that incorporate VCS hardware or software or ADS software in the United States, even if the vehicle was made in the United States.   

The prohibitions on software would take effect for Model Year 2027 and the prohibitions on hardware would take effect for Model Year 2030, or January 1, 2029 for units without a model year.  

The proposed rule is implemented under BIS’s ICTS authorities, as provided for under Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain.”   

This NPRM incorporates public feedback submitted in response to an Advance Notice of Proposed Rulemaking (ANPRM) on connected vehicles published by BIS on March 1, 2024. BIS is seeking additional public comment on today’s proposed rule from all interested parties. 

Definition of Connected Vehicle

BIS proposes to narrow its definition to mean, “[a] vehicle driven or drawn by mechanical power and manufactured primarily for use on public streets, roads, and highways, that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device. Vehicles operated only on a rail line are not included in this definition.”

Due Diligence

BIS is not currently proposing specific due diligence requirements. Instead, VCS hardware importers and connected vehicle manufacturers are given flexibility to provide evidence of compliance efforts tailored to their unique operations. Such efforts could include using third-party researchers or independently conducting supply chain diligence.

Compliance

BIS anticipates that this rule would primarily impact VCS Hardware Importers or connected vehicle manufacturers, such as OEMs and importers of completed connected vehicles, as well as Tier 1 and Tier 2 suppliers of VCS Hardware.

For these entities, three compliance mechanisms—Declarations of Conformity, general authorizations, and specific authorizations—are available, depending on whether the VCS hardware importer or connected vehicle manufacturer wishes to engage in an otherwise prohibited transaction.

LiDAR Not Included

While many commenters identified LiDAR systems as a concern, there was disagreement about the nature of the vulnerability posed by these systems. Some commenters noted that LiDAR systems could be manipulated to cause grave harm (e.g., to ignore pedestrians) given their instrumental role in vehicle guidance. However, BIS’s further technical analysis found that LiDAR generally lacks the ability to transmit from the vehicle and does not, as a standalone system, control the vehicle. Importantly, BIS notes that in many cases, ADS exerts control over both LiDAR and the vehicle and thus presents a higher risk.

Aftermarket Telematics

Aftermarket telematics devices, including fleet tracking devices and systems, that fulfill functions consistent with the definition of VCS hardware are covered by this proposed rule.

Russia?

BIS notes that "while Russia has historically been less active in the global automotive sector than the PRC, the Russian government has recently sought to revitalize its own domestic auto manufacturing industry..."  

The notice continues, "like the PRC, the Russian government employs a suite of laws that enable it to compel domestic companies with overseas operations to provide data gleaned through foreign ventures or to surrender similar operational assets to the Russian state."

The text of the proposed rule is available here.
