Rules on Connected Vehicle Security Target China


Citing the Chinese government's broad authority to access and control the "vast amounts of data" generated by Chinese vehicles and components, the US Department of Commerce is preparing rules to bar trading with Chinese automakers and suppliers of advanced componentry.

Commerce Thursday announced it seeks public comment to "inform regulations to secure and safeguard the Information and Communications Technology and Services (ICTS) supply chain for connected vehicles (CVs)."

BIS could define a connected vehicle as an automotive vehicle that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.

BIS is considering proposing rules that would prohibit certain ICTS transactions or classes of ICTS transactions by or with persons who design, develop, manufacture, or supply ICTS integral to CVs and are owned by, controlled by, or subject to the jurisdiction or direction of foreign governments or foreign non-government persons identified at 15 CFR 7.4.

BIS is also considering proposing measures that would allow market participants to engage in otherwise prohibited transactions or classes of transactions if the undue or unacceptable risks of those ICTS transactions can be sufficiently mitigated using measures that are monitorable.

“It doesn’t take a lot of imagination to think of how a foreign government with access to connected vehicles could pose a serious risk to both our national security and the personal privacy of U.S. citizens,” said U.S. Secretary of Commerce Gina Raimondo. “To assess these national security concerns, we are issuing an Advance Notice of Proposed Rulemaking to investigate the national security risks of connected vehicles, specifically PRC-manufactured technology in the vehicles. We need to understand the extent of the technology in these cars that can capture wide swaths of data or remotely disable or manipulate connected vehicles, so we are soliciting information to determine whether to take action under our ICTS authorities.”

The ANPRM explains how the incorporation of foreign adversary ICTS in CVs can create risks, for example, by offering a direct entry point to sensitive U.S. technology and data or by bypassing measures intended to protect U.S. persons’ safety and security. In such cases, ICTS provided by persons or entities owned, controlled, or subject to the jurisdiction or direction of a foreign adversary may pose undue risks to critical infrastructure in the United States and unacceptable risks to national security. The People’s Republic of China presents a particularly acute and persistent threat to the U.S. ICTS supply chain related to CVs.  

In this ANPRM, the Department seeks feedback on issues, including:

  • definitions;
  • how potential classes of ICTS transactions integral to CVs may present undue or unacceptable risks to U.S. national security;
  • implementation mechanisms to address these risks through potential prohibitions or, where feasible, mitigation measures; and
  • whether to create a process for the public to request approval to engage in an otherwise prohibited transaction by demonstrating that the risk to U.S. national security is sufficiently mitigated in the context of a particular transaction. 

From the Federal Register Notice:

In order to require mitigation for or to prohibit an ICTS transaction or class of transactions, the Secretary, in consultation with other agency heads, must first determine that the ICTS transaction or class of transactions at issue:

  1. involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, which the E.O. defines as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons;” and
  2. poses:
    1. an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;
    2. an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or
    3. otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.

These factors are collectively referred to as “undue or unacceptable risks.”

Federal Register Notice [FR 2024-04382]
