Following up on an initial move earlier this year, the Biden administration has issued a proposed rule that would limit the ability to sell vehicles produced by Chinese companies, or vehicles produced by non-Chinese companies in China, in the U.S. market, based on concerns about national security.

As CTM reported in February, President Biden directed the Bureau of Industry and Security (BIS) at the Commerce Department to investigate potential national security concerns related to Chinese access to Americans' "connected vehicles." BIS published an Advanced Notice of Proposed Rulemaking (ANPRM), through which it sought public comment on the issue.

In a statement at the time, Biden said that "China is determined to dominate the future of the auto market, including by using unfair practices," and "China’s policies could flood our market with its vehicles, posing risks to our national security." He then explained the specific issue with "connected" vehicles, noting that "they are like smart phones on wheels": "These cars are connected to our phones, to navigation systems, to critical infrastructure, and to the companies that made them." That leads to the problem that "[c]onnected vehicles from China could collect sensitive data about our citizens and our infrastructure and send this data back to the People’s Republic of China," and these vehicles could even be "remotely accessed or disabled."

Administration officials said that over the course of the seven month investigation, they identified several specific national security risks associated with connected vehicles manufactured by Chinese companies in particular.

First, there are cybersecurity risks, particularly as connected vehicles become integrated into critical infrastructure, including through charging stations, power generation, storage systems, and smart roads and cities. There is evidence, they said, that the Chinese government is pre-positioning malware in critical infrastructure for the purpose of sabotage and disruption.

Second, there are data security risks, given the massive amount of personal data, including geolocation data, audio and video recordings collected by these vehicles, on drivers, passengers and their surroundings.

Today, the Biden administration issued a Notice of Proposed Rulemaking to address these concerns, pursuant to the Commerce Department's Information and Communications Technology and Services (ICTS) authorities (a White House fact sheet is here). Comments are due 30 days after official publication of the Notice in the Federal Register, which is scheduled for September 26. BIS explained that it is soliciting comment on "a proposed rule to prohibit transactions involving Vehicle Connectivity System (VCS) hardware and covered software designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the People’s Republic of China, including the Hong Kong Special Administrative Region (PRC), or the Russian Federation (Russia)."

In doing so, administration officials explained that modern automobiles leverage advanced technologies to enable functionalities from navigation to assistance to electric charging. Many of these technologies collect large volumes of information on drivers and their environments while connected constantly with their personal devices, other cars, infrastructure and original manufacturing vehicles and components. For this reason, they said, connected vehicles and the technologies they use bring new vulnerabilities and threats, especially in the case of vehicles or components developed in China.

If finalized, they said, the new rule would effectively ban vehicles that rely on certain Chinese technologies from driving on American roads.

In the ANPRM, the officials explained, they had identified two particular risks that they were trying to address:

• The potential for massive amounts of data to be exfiltrated from the vehicles.
• The potential to remotely manipulate the vehicle.

The NPRM proposes several categories of prohibitions on certain hardware and software supporting the vehicle connectivity system and the automated driving system. Absent a General or Specific Authorization, it would:

• (1) prohibit VCS Hardware Importers from knowingly importing into the United States certain hardware for VCS (“VCS Hardware,” as further defined below);
• (2) prohibit connected vehicle manufacturers from knowingly importing into the United States completed connected vehicles incorporating certain software that supports the function of VCS or ADS (VCS and ADS software are collectively referred to herein as “covered software,” as further defined below);
• (3) prohibit connected vehicle Manufacturers from knowingly Selling within the United States completed connected vehicles that incorporate covered software; and
• (4) prohibit connected vehicle manufacturers who are owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia from knowingly selling in the United States completed connected vehicles that incorporate VCS hardware or covered software.

In terms of the timing of the regulations, they would be phased in. The software prohibition will take effect for model year 2027, about a year after the final rule is effective. The prohibition on the sale of vehicles by auto manufacturers with a nexus to China or Russia will also take effect for model year 2027. And the prohibition on the import of the VCS hardware will take effect four years from the effective date of the final rule, so model year 2030 or somewhere around January 1, 2029.

In terms of whether there have been any security incidents with Chinese vehicles so far, administration officials emphasized that the capability is there and China likes to pre-position itself in U.S. systems in the event of some sort of confrontation. Thus, while they did not point to any specific incident to date, given "the pattern of malicious cyber conduct and given some of the vulnerabilities in the U.S.," they considered it prudent to act now.

Officials also clarified that U.S.-branded vehicles that are made in China, such as those from Tesla, would be covered by the provision.

The administration said it considered alternative measures that could mitigate the problem, but concluded that none of them adequately addressed the national security risks. They did indicate that they would be open to such measures in the future if ones could be found that would address the problems.

Administration officials also pointed to the experience of the telecoms sector, where billions of dollars has been spent to rip and replace Chinese telecom equipment. The goal with connected vehicles, they indicated, is to get ahead of the problem and ensure that they don't have to spend more money down the road in order to solve a significant national security challenge.

With regard to international cooperation, administration officials emphasized that they had been meeting with allies and partners on these issues, and these countries shared the U.S. concerns. Many of these countries are undertaking their own investigations and considering their own potential measures to mitigate the risks. These countries are also watching closely what the U.S. does in this regard and how it works in practice, administration officials said.

Officials also noted that China has, for many years now, put in place restrictions of its own that do not allow connected vehicles to operate in China unless those vehicles provide data to Chinese entities and only use Chinese software.

Separately today, while discussing the American auto industry, National Economic Advisor Lael Brainard offered the following remarks on the Commerce Department action:

... today, we are taking action to guard against safety and security risks in connected cars and ensure that our auto supply chains are resilient from foreign threats. Connected cars have the ability to exchange data with other cars, your personal devices, America’s infrastructure, our power grid, and auto manufacturers. The computer systems that power these cars can control vehicle movement and collect sensitive driver and passenger data, and the cameras and sensors embedded within them can record detailed information about our country and citizens.

There are many benefits associated with connected vehicle systems, such as promoting safety, assisting drivers with navigation, and reducing emissions. But where we source these technologies has important implications for our national security, safety on our roads, and the resilience of our auto supply chains.

China has taken steps to dominate the future of connected vehicles by dominating the software and hardware systems associated with those cars. But connected vehicles with Chinese software and hardware systems could expose the American people to new risks. Without the appropriate safeguards in place, sensitive data on Americans could be passed to Chinese authorities, or connected vehicles might provide a backdoor for malicious foreign actors to engage in espionage or sabotage.

That is why, today, the Department of Commerce is using its ICTS (Information and Communications Technology Services) authorities for the first time to propose a new rule that would ban vehicles that rely on Chinese software and hardware from driving on American roads.

Recall that for years China has required vehicle and battery makers to rely on Chinese data centers and software providers as a condition of operating in China.

In effect, this rule will protect against potential vulnerabilities while allowing Americans to benefit from all that connected vehicles and technological innovation have to offer.