Today, DOC’s Bureau of Industry and Security (BIS) published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (89 FR 15066-15072) on “Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles”. BIS is looking for public comments on the potential impacts of EO 13873, Securing the Information and Communications Technology and Services Supply Chain, on connected automotive vehicles.
Background
In 2019, President Trump issued EO 13873, which found that “foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services”. The EO broadly defined the term ‘information and communications technology or services (ICTS)’ to mean “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display”.
The EO similarly broadly defined the term ‘foreign adversary’ to mean “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons”. This could include any number of countries or transnational organizations, but since this EO is more focused on ICTS in commerce, it has generally been taken to specifically mean the People’s Republic of China (PRC).
In the EO, Trump provided the Department of Commerce the authority to determine “which particular technologies or particular participants in the market for information and communications technology or services may be recognized as categorically included in or as categorically excluded from the prohibitions established by this order”.
In publishing this ANPRM, BIS is announcing that it is “considering proposing rules that would prohibit certain ICTS transactions or classes of ICTS transactions by or with persons who design, develop, manufacture, or supply ICTS integral to CVs and are owned by, controlled by, or subject to the jurisdiction or direction of foreign governments or foreign non-government persons identified at 15 CFR 7.4 (hereinafter referred to as ‘15 CFR 7.4 entities’)”.
Definitions
For the purposes of publishing this ANPRM, BIS is using a working definition of connected vehicle (CV) as “an automotive vehicle that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.”
BIS is soliciting comments on that definition, specifically asking:
In what ways, if any, should BIS elaborate on or amend the potential definition of ‘connected vehicle’?
Is the term ‘connected vehicles’ broad enough to include autonomous vehicles and related equipment, electric vehicles, or other alternative power sources and related technologies?
Are there other commonly used definitions for CVs that BIS should consider when defining a class of ICTS transactions?
Risk Assessment
In determining whether or not regulations are needed to protect the supply chain for CVs, this ANPRM looks at the risks associated with those supply chains. Specifically, the ANPRM addresses the following issues with a series of specific questions:
Threat from 15 CFR 7.4 entities (discussion and questions),
Capabilities of CV that 15 CFR 7.4 entities could exploit (discussion and questions), and
Consequences of such exploits (discussion and questions).
BIS also poses questions (without discussion) on the following topics:
Public Comments
The purpose of this ANPRM is to solicit a wide range of public input into the topics discussed above. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # BIS–2024–0005). Comments should be submitted by April 30th, 2024.
Commentary
While there is certainly some justification for looking specifically at the vulnerabilities associated with devices and equipment manufactured by Chinese companies associated with ICTS, this should be viewed within the larger construct of vulnerabilities in ICTS in general. This is especially true since various Chinese government and governmentally influenced APT groups have shown a propensity and capability to exploit vulnerabilities in American and allied ICTS products. Targeting Chinese ICTS components cannot be viewed as a solution to the vulnerability of ICTS products, but only as a small part of the necessary efforts to secure those supply chains.