The BIS Issues an ANPRM to Address the National Security Risks from Connected Vehicles (CVs)
By Nancy A. Fischer, Matthew R. Rabinowitz, Lee G. Petro and Barbra E. Kim, Pillsbury Trade and Sanctions Law
On March 1, 2024 the Department of Commerce’s Bureau of Industry and Security (BIS) issued an Advance Notice of Proposed Rulemaking (ANPRM) seeking public comment on regulations that aim to reduce the national security risks from connected vehicles (CVs) that incorporate technology from countries of concern, including the People’s Republic of China (China).
SOURCE: Pillsbury Law Blog.
Both the White House and the Commerce Department emphasized that CVs collect large amounts of sensitive data on their drivers, passengers and on U.S. infrastructure, and can interact directly with critical infrastructure and be piloted or disabled remotely. Highlighting the potential harm from foreign adversary interference in these CVs, the Biden administration directed the Commerce Department to protect domestic information and communications technology and services (ICTS) supply chains from countries of concern that might gain access to these vehicles’ systems or data. The Biden administration noted the pervasiveness of advanced technologies in CVs, seen in common features like navigation, driver assistance, charging, and cameras and sensors.
The ANPRM seeks information on multiple issues involving the ICTS that are integral to CVs, to help inform and scope potential regulations issued by the Commerce Department on governing use of technology in vehicles from certain countries. The public has 60 days to provide feedback on issues including:
- Risks associated with CVs;
- Questions on (1) data collection, (2) connectivity between CVs and external sources, and (3) interconnectivity in the software and hardware components of CVs, as these are the types of CV capabilities identified as vulnerable to exploitation;
- Information on potential consequences for U.S. persons and critical infrastructure if BIS were to identify certain automotive software systems as most likely to present unacceptable risks if exploited;
- Comments on processes and mechanisms that BIS could implement to authorize otherwise prohibited ICTS transaction with mitigation measures; and
- Potential economic impact to U.S. businesses or the public with such regulation.
BIS’s comment period closes on April 30, 2024. Comments may be submitted online at https://www.regulations.gov/, using docket number BIS-2024-0005. This comment period offers a crucial opportunity for industry stakeholders to proactively shape policy development.
The Biden administration’s recent emphasis on protection of sensitive personal data suggests there may be increased focus by various government agencies on data security and privacy reaching different sectors, including the automotive sector. The BIS ANPRM followed President Biden’s Feb. 28 Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The U.S. Department of Justice then issued an ANPRM seeking comment on potential regulations that would regulate certain data transactions involving bulk U.S. sensitive personal data and government-related data that present unacceptable risk to U.S. national security.
Separately, on Feb. 28, the Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel announced that she had circulated a draft NPRM aimed to protect victims from abusers who use connectivity tools in vehicles to harass and harm victims. This NPRM proposes rules which, if adopted, would take further steps to implement the Safe Connections Act of 2022, which charged the FCC with authority to assist survivors of domestic violence and abuse with secure access to communications. This follows media reports of smart car services being used to stalk and harm victims.