Department of Commerce’s Drive to Secure Connected Vehicles

The Biden Administration has initiated steps to address national security risks arising from information and communications technology and services (ICTS) transactions in the automobile industry by drafting regulations pursuant to the 2019 Executive Order 13873 “Securing the Information and Communications Technology and Services Supply Chain,” which declared a national emergency regarding the ICTS supply chain. This Executive Order found that the unrestricted acquisition or use in the United States of technology and services from foreign adversaries posed an extraordinary threat to the national security, foreign policy, and economy of the United States. In an effort to bolster the security of connected vehicles and safeguard national interests, the Administration, through the Department of Commerce’s Bureau of Industry and Security (the “Department”), has called for public input on proposed regulations concerning transactions with persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries[1] (“Foreign Adversaries”) in the design, development, manufacture, or supply of ICTS integral to connected vehicles.

Connected vehicles, equipped with advanced technologies and internet connectivity, offer convenience and efficiency. These technological advancements also introduce vulnerabilities that can be exploited by malicious actors. In light of this, the Department, while recognizing the benefits of connected vehicle technology—safer, more fuel-efficient travel—notes that the incorporation of ICTS products and services used in the United States from Foreign Adversaries can offer a direct entry point to sensitive U.S. technology and data, and bypass measures intended to protect U.S. persons’ safety and security. Thus, the Department has called for public input on regulations focused on the risks that ICTS transactions with Foreign Entities might present to national security and notes that the goal of the proposed regulations is to narrowly address the involvement of Foreign Adversaries in the design, development, manufacture, or supply of ICTS integral to connected vehicles where that involvement may create undue or unacceptable risk to U.S. national security.

In order to gather information to support the Department’s development of such regulations and help inform the rulemaking process, the Department’s call for public input includes a list of 35 questions across a variety of topics. The general categories of the Department’s requests include questions related to definitions of terms that could be used in future regulations (e.g., input on the definition of “connected vehicle” that would either broaden or limit the scope of vehicles subject to the regulation to better address national security risks), the ICTS supply chain for connected vehicles in the United States, and the nature and extent of Foreign Entities’ involvement in the supply chain, risks posed by ICTS-integrated connected vehicles, capabilities of connected vehicles that may increase the likelihood of vulnerabilities that Foreign Entities could exploit, consequences resulting from such exploitation, potential risk mitigation measures, and the economic impact of regulations.

As the automotive industry increasingly integrates advanced technologies, the potential attack surface for cyber threats expands correspondingly. Based on the feedback the Department receives, the Department is expected to promulgate rules and guidance that may prohibit certain ICTS transactions or classes of ICTS transactions by or with persons. The Department will also explore the possibility of permitting market participants to engage in otherwise prohibited transactions or classes of transactions if the undue or unacceptable risks of those transactions can be sufficiently mitigated using measures that are monitorable. The Department has asked stakeholders and the public to provide their comments by April 30, 2024.

Endnotes

[1] The Executive Order defines “foreign adversary” as any “foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of U.S. persons.”  The “Foreign Adversaries” at issue are the foreign governments or foreign non-government persons identified at 15 C.F.R. § 7.4.  Presently, these entities include the following foreign governments or foreign non-foreign government persons: the People’s Republic of China, including the Hong Kong Special Administrative Region, the Republic of Cuba, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, the Russian Federation, and Venezuelan President Nicolás Maduro.