Hogan Lovells 2024 Election Impact and Congressional Outlook Report
15 November 2024
On Feb. 29, 2024, the White House announced that the Commerce Department’s Bureau of Industry and Security would issue an advance notice of proposed rulemaking as part of the Biden Administration’s investigation of national security risks of connected vehicles (“CV”) from China and countries of concern. Driven by concerns that CVs “collect large amounts of sensitive data” that “could be exploited in ways that threaten national security,” the Administration seeks stakeholder input, including from automotive original equipment manufacturers, subsystem suppliers, aftermarket parts companies and service providers, whose CV supply chains include Information and Communications Technology and Services (“ICTS”) from “foreign adversary” countries. To inform regulations restricting such ICTS transactions, BIS is soliciting comments for 60 days, until April 30, on specific risks posed by foreign adversary-ICTS in CVs, technologies that are most vulnerable, and potential mitigation measures.
On February 29, 2024, the White House and Commerce Department (“Commerce”) announced the publication of an advance notice of proposed rulemaking (“ANPRM”) to support the U.S. Government’s investigation into the national security risks of connected vehicles (“CV”) that incorporate Information and Communications Technology and Services (“ICTS”) from China and other “foreign adversaries.”
Commerce’s Bureau of Industry and Security (“BIS”) published the ANPRM in the Federal Register on March 1, 2024 to seek feedback from industry stakeholders that will “assist BIS in determining the technologies and market participants that may be most appropriate for regulation.” This includes automotive original equipment manufacturers (“OEMs”), tier one, two and three suppliers, aftermarket parts companies, and service providers. BIS is specifically considering proposing rules that would 1) prohibit certain transactions with “foreign adversary” parties involving ICTS integral to connected vehicles, and 2) allow market participants to engage in otherwise prohibited transactions if their national security risks can be sufficiently mitigated.
The ANPRM seeks comments on a number of questions related to (i) the risks and vulnerabilities of incorporation of ICTS into connected vehicles, (ii) the efficacy of mitigation measures for ICTS transactions involving connected vehicles, (iii) potential implementation mechanisms to impose restrictions on ICTS transactions involving connected vehicles, and (iv) the potential for an approval mechanism for certain otherwise prohibited transactions. BIS is soliciting comments for 60 days on these topics, among others, as a significant step toward the implementation of regulations restricting ICTS transactions in the automotive sector. The comment period ends on April 30, 2024.
The ANPRM was issued under Executive Order (“EO”) 13873 (an EO issued by the Trump Administration in 2019), which gives Commerce the authority to review, mitigate, or prohibit ICTS transactions with entities subject to the jurisdiction of a “foreign adversary,” and follows the model of recent agency action adding connected software applications to the scope of ICTS transactions subject to review.
This ANPRM is part of the Biden Administration’s broader effort to address U.S. national security risks stemming from the expanded reach of Chinese-made connectivity technology (e.g., connected software applications, navigation, driver-assist, and other advanced features) and connected vehicles in the U.S. automotive market. The Administration is concerned about the large amounts of sensitive data connected vehicles collect on passengers and drivers, including information collected through cameras and sensors. This concern also extends to the ability of connected vehicles to collect information on critical infrastructure, as well as the ability of these vehicles to be piloted and disabled remotely. In addition to issuing new rules under the ICTS EO, the Administration is also considering increasing tariffs on imports of Chinese vehicles and parts as part of its broader review of the Section 301 tariffs on Chinese imports. These moves mirrors recent concerns expressed by lawmakers on Capitol Hill as well and could prohibit the ability of Chinese auto manufactures to sell vehicles – including EVs – into the U.S. market moving forward for reasons related to both national security and the overall economic competitiveness of the U.S. market.
Public comments on the Proposed Rule are due by April 30, 2024.
In May 2019, the Trump Administration issued Executive Order 13873, "Securing the Information and Communications Technology and Services Supply Chain." The EO declared the unrestricted deployment and use of foreign adversary ICTS in U.S. supply chains a national emergency, and authorized the Secretary of Commerce to prohibit certain transactions involving ICTS that have been “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversary” and that pose an “unacceptable risk” to national security or “undue risk” to critical infrastructure.
In subsequent implementing rules, Commerce has laid out procedures by which the agency can review ICTS transactions to determine whether they present an undue or unacceptable risk due to a foreign adversary's involvement. This framework has been expanded to cover specific ICTS threats like connected software from foreign adversary countries. This newest BIS rulemaking under the EO supports BIS’s recently stated mission of implementation of the ICTS program.
The ANPRM seeks input on the definition for “connected vehicle,” which the agency proposes to define as “an automotive vehicle that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.”
In an effort to appropriately determine the scope of the CV definition for rules involving ICTS integral to CVs, BIS seeks input on:
The ANPRM also seeks input on the specific national security risks posted by the CV ICTS supply chain, particularly from ICTS from China. BIS highlights CV ICTS from China as a significant concern, due to the country’s cyber espionage operations, its legal structure empowering the state to co-opt private companies to pursue its objectives, and reporting that automakers in China are legally obligated to transmit real-time vehicle data, including geolocation information, to Chinese Government monitoring centers.
BIS also seeks to understand how advances in automotive connectivity technology might expose CVs or the sectors they support to new forms of cyber exploitation and vulnerability. BIS proposes identifying the following automotive software systems as the ICTS integral to CVs most likely to present undue or unacceptable risks if exploited by foreign adversary entities: (i) vehicle operating systems; (ii) telematics systems; (iii) advanced drive assistance systems; (iv) automated driving systems; (v) satellite or cellular telecommunication systems; and (vi) battery management systems.
In assessing how to implement rules applicable to these software systems, the ANPRM requests comments on a wide range of topics, including:
Finally, the ANPRM seeks input on mechanisms through which BIS could authorize an otherwise prohibited CV ICTS transaction with mitigation measures that allow for sufficient monitoring to address U.S. national security concerns.
In particular, the ANPRM is soliciting comments on:
Companies assessing the impact of regulations that could follow this ANPRM, including automotive OEMs, suppliers, aftermarket parts companies and service providers, should consider their global ICTS supply chain, degree to which it includes ICTS integral to connected vehicles, and cybersecurity standards and best practices.
Please contact any of the listed Hogan Lovells lawyers if you would like to provide comments to BIS during the 60-day comment period, which ends on April 30, 2024, or if you have questions about how any subsequent rules and regulations could affect your business. We would be happy to assist you.
Authored by Ajay Kuntamukkala, Kelly Ann Shaw, Stephen Propst, Patrick Miller, and Meghan Anand.