[Federal Register Volume 89, Number 42 (Friday, March 1, 2024)]
[Proposed Rules]
[Pages 15066-15072]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-04382]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR Part 7
[Docket No. 240227-0060]
RIN 0694-AJ56
Securing the Information and Communications Technology and
Services Supply Chain: Connected Vehicles
AGENCY: Bureau of Industry and Security, U.S. Department of Commerce.
ACTION: Advance notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: In this advance notice of proposed rulemaking (ANPRM), the
Department of Commerce's (Department) Bureau of Industry and Security
(BIS) seeks public comment on issues and questions related to
transactions involving information and communications technology and
services (ICTS) that are designed, developed, manufactured, or supplied
by persons owned by, controlled by, or subject to the jurisdiction or
direction of foreign countries or foreign non-government persons
identified in the Department's regulations, pursuant to the Executive
Order (E.O.) entitled ``Securing the Information and Communications
Technology and Services Supply Chain,'' and that are integral to
connected vehicles (CVs), as defined herein. This ANPRM will assist BIS
in determining the technologies and market participants that may be
most appropriate for regulation pursuant to the E.O.
DATES: Comments must be received on or before April 30, 2024.
ADDRESSES: All comments must be submitted by one of the following
methods:
The Federal eRulemaking Portal: https://www.regulations.gov at docket number BIS-2024-0005.
Email directly to: [email protected]. Include
``RIN 0694-AJ56'' in the subject line.
Instructions: Comments sent by any other method, to any
other address or individual, or received after the end of the comment
period, may not be considered. For those seeking to submit confidential
business information (CBI), please clearly mark such submissions as CBI
and submit by email, as instructed above. Each CBI submission must also
contain a summary of the CBI, clearly marked as public, in sufficient
detail to permit a reasonable understanding of the substance of the
information for public consumption. Such summary information will be
posted on regulations.gov.
FOR FURTHER INFORMATION CONTACT: Marc Coldiron, U.S. Department of
Commerce, telephone: 202-482-3678. For media inquiries: Jeremy Horan,
Office of Congressional and Public Affairs, Bureau of Industry and
Security, U.S. Department of Commerce: [email protected].
SUPPLEMENTARY INFORMATION:
I. Authorities
On May 15, 2019, the President issued E.O. 13873, ``Securing the
Information and Communications Technology and Services Supply Chain,''
pursuant to the President's authority under the Constitution and the
laws of the United States, including the International Emergency
Economic Powers Act (IEEPA), the National Emergencies Act (50 U.S.C.
1601, et seq.), and Section 301 of Title 3, United States Code. E.O.
13873 declares a national emergency regarding the ICTS supply chain,
finding that ``the unrestricted acquisition or use in the United States
of information and communications
[[Page 15067]]
technology or services designed, developed, manufactured, or supplied
by persons owned by, controlled by, or subject to the jurisdiction or
direction of foreign adversaries augments the ability of foreign
adversaries to create and exploit vulnerabilities in information and
communications technology or services, with potentially catastrophic
effects, and thereby constitutes an unusual and extraordinary threat to
the national security, foreign policy, and economy of the United
States.'' The E.O. further notes that ``[t]his threat exists both in
the case of individual acquisitions or uses of such technology or
services, and when acquisitions or uses of such technologies are
considered as a class.''
In accordance with the National Emergencies Act, the President has
declared each year since E.O. 13873 was published that the national
emergency continues in effect. Continuation of the National Emergency
With Respect to Securing the Information and Communications Technology
and Services Supply Chain, 85 FR 29321 (May 14, 2020); Continuation of
the National Emergency With Respect to Securing the Information and
Communications Technology and Services Supply Chain, 86 FR 26339 (May
13, 2021); Continuation of the National Emergency With Respect to
Securing the Information and Communications Technology and Services
Supply Chain, 87 FR 29645 (May 13, 2022); Continuation of the National
Emergency With Respect to Securing the Information and Communications
Technology and Services Supply Chain, 88 FR 30635 (May 11, 2023).
To address identified risks to national security from ICTS
transactions, E.O. 13873 grants the Secretary of Commerce (Secretary)
(in consultation with other agency heads identified in the E.O.) the
authority to review and, if necessary, impose mitigation measures on or
prohibit any ICTS transaction, which includes any acquisition,
importation, transfer, installation, dealing in, or use of any ICTS by
any person, or with respect to any property, subject to United States
jurisdiction, when the transaction involves any property in which a
foreign country or national has any interest. In order to require
mitigation for or to prohibit an ICTS transaction or class of
transactions, the Secretary, in consultation with other agency heads,
must first determine that the ICTS transaction or class of transactions
at issue: (1) involves ICTS designed, developed, manufactured, or
supplied by persons owned by, controlled by, or subject to the
jurisdiction or direction of a foreign adversary, which the E.O.
defines as ``any foreign government or foreign non-government person
engaged in a long-term pattern or serious instances of conduct
significantly adverse to the national security of the United States or
security and safety of United States persons;'' and (2) poses:
A. an undue risk of sabotage to or subversion of the design,
integrity, manufacturing, production, distribution, installation,
operation, or maintenance of information and communications technology
or services in the United States;
B. an undue risk of catastrophic effects on the security or
resiliency of United States critical infrastructure or the digital
economy of the United States; or
C. otherwise poses an unacceptable risk to the national security of
the United States or the security and safety of United States persons.
These factors are collectively referred to as ``undue or
unacceptable risks.''
E.O. 13873 additionally provides the Secretary with the authority
to issue rules establishing criteria by which particular technologies
or market participants may be categorically included in or
categorically excluded from prohibitions established pursuant to the
E.O. To date, the Department has not pursued or used this authority to
regulate ICTS transactions on a category- or class-wide basis.
Furthermore, E.O. 13873 grants the Secretary the authority to identify
a mechanism and relevant factors for the negotiation of mitigation
measures that would allow approval of an otherwise prohibited
transaction.
II. Background
a. Purpose
Pursuant to the authority delegated to the Secretary under E.O.
13873, BIS is considering proposing rules that would prohibit certain
ICTS transactions or classes of ICTS transactions by or with persons
who design, develop, manufacture, or supply ICTS integral to CVs and
are owned by, controlled by, or subject to the jurisdiction or
direction of foreign governments or foreign non-government persons
identified at 15 CFR 7.4 (hereinafter referred to as ``15 CFR 7.4
entities''). BIS is also considering proposing measures that would
allow market participants to engage in otherwise prohibited
transactions or classes of transactions if the undue or unacceptable
risks of those ICTS transactions can be sufficiently mitigated using
measures that are monitorable.
The purpose of this ANPRM is to gather information to support BIS's
potential development of a rule regarding ICTS integral to CVs. In
particular, BIS seeks public input on certain definitions and its
assessment of how a class of transactions involving ICTS integral to
CVs, when designed, developed, manufactured, or supplied by persons
owned by, controlled by, or subject to the jurisdiction or direction of
a 15 CFR 7.4 entity, could present undue or unacceptable risks to U.S.
national security. These include risks related to threats from 15 CFR
7.4 entities, capabilities of CVs that may increase the likelihood of
vulnerabilities, and consequences to U.S. persons and critical
infrastructure if these vulnerabilities are exploited or intentionally
inserted by 15 CFR 7.4 entities. BIS solicits input on the ICTS most
integral to CVs and most vulnerable to compromise, as well as input on
mechanisms to address identified risks through potential design,
implementation standards and protocols, manufacturing integrity
protection systems and procedures, or prohibitions.
BIS recognizes the benefits of CV technologies and does not imply
through this ANPRM that technologies such as vehicle-to-everything
(V2X) communications are generally unsafe for use in the United States.
Indeed, these new vehicles often provide safer, more fuel-efficient
travel. However, E.O. 13873 is focused on risks that ICTS transactions
might present to national security. Therefore, this ANPRM, which is
being issued pursuant to the authorities granted under E.O. 13873,
seeks public comment on potential means to narrowly address involvement
by persons owned by, controlled by, or subject to the jurisdiction or
direction of 15 CFR 7.4 entities in the design, development,
manufacture, or supply of ICTS integral to CVs where that involvement
may create undue or unacceptable risk to U.S. national security.
Additionally, BIS seeks comment on whether to create a process for
the public to request approval to engage in an otherwise prohibited
transaction by demonstrating that a particular transaction adequately
addresses the risk to U.S. national security. BIS encourages public
feedback to help inform the rulemaking process, particularly regarding
transactions where ICTS supply chains may be impacted by any proposed
rule.
b. Definitions
As an initial matter, BIS is interested in receiving comments on
the applicable
[[Page 15068]]
definition for connected vehicle or CV within the context of
transactions involving ICTS incorporated into such vehicles. BIS could
define a connected vehicle as an automotive vehicle that integrates
onboard networked hardware with automotive software systems to
communicate via dedicated short-range communication, cellular
telecommunications connectivity, satellite communication, or other
wireless spectrum connectivity with any other network or device. Such a
definition would likely include automotive vehicles, whether personal
or commercial, capable of global navigation satellite system (GNSS)
communication for geolocation; communication with intelligent
transportation systems; remote access or control; wireless software or
firmware updates; or on-device roadside assistance.
CVs also integrate hardware that enables connectivity within the
vehicle and/or external connectivity with devices, networks,
applications, and services outside the vehicle. CV safety applications
are designed to increase situational awareness and reduce traffic
accidents through vehicle-to-vehicle (V2V), vehicle-to-infrastructure
(V2I), and increasingly, V2X communications, as contemplated in a
series of Department of Transportation workshops focusing on V2X
communications titled ``Saving Lives with Connectivity.'' See Bill
Canis, Cong. Research Serv., R46398, Motor Vehicle Safety: Issues for
Congress 8 (2021), https://sgp.fas.org/crs/misc/R46398.pdf; U.S. Dep't
of Transp., ITS V2X Communications Summit (2023), https://www.its.dot.gov/research_areas/emerging_tech/htm/ITS_V2X_CommunicationSummit.htm.
BIS arrived at this definition by reviewing existing definitions
for connected vehicles from trade associations and leading research
publications including the Connected Vehicle Reference Implementation
Architecture, U.S. Department of Transportation's Intelligent
Transportation Systems Joint Program Office, Institute of Electrical
and Electronics Engineers research, and Society of Automotive Engineers
standards.
Various terms exist across industry and the U.S. Government to
refer to vehicles that exhibit the connected features explained above.
In addition to input on the term connected vehicle, BIS is seeking
comment on alternative terminology that might better correspond to the
definition of connected vehicle discussed above. Such terminology could
include ``networked vehicles,'' ``intelligent connected vehicles,''
``software-defined vehicles,'' or ``connected autonomous vehicles.''
This ANPRM seeks comment on the definitions to use for a rule
regarding transactions involving ICTS integral to CVs, and
specifically:
1. In what ways, if any, should BIS elaborate on or amend the
potential definition of connected vehicle stated above? If amended, how
will the revised definition enable BIS to better address national
security risks arising from classes of transactions involving ICTS
integral to CVs?
2. Is the term connected vehicles broad enough to include
autonomous vehicles and related equipment, electric vehicles, or other
alternative power sources and related technologies? Does a better term
exist to describe the broader scope?
3. Are there other commonly used definitions for CVs that BIS
should consider when defining a class of ICTS transactions, including
definitions from industry, civil society, and foreign entities? If so,
why would those definitions be more appropriate for the purposes of a
rule?
c. Risks Associated With Connected Vehicles
The automotive industry is constantly undergoing innovation and
change, and as communications and broadband technology advance, so do
the technologies used in automobiles. Particularly relevant for the
purposes of this ANPRM, new technology has fueled a rise in
interconnectivity and autonomous capabilities in new vehicles. An
automobile's value is no longer determined only by the engine, steering
system, and other traditional automotive parts. Increasingly, an
automobile is a compilation of on-board computers; sensors; cameras;
batteries; and various other categories of ICTS software or hardware
tied together through automotive software systems. Over time, vehicle
connections to the internet will evolve even further and new
communication technology will advance vehicle capabilities. These
technological advances will continue to rely on significant data
collection not only about the vehicle and its myriad components, but
also the driver, the occupants, the vehicle's surroundings, and nearby
infrastructure. Moreover, CVs allow for information to be gathered and
shared to address both individual and societal transportation needs.
These technologies may expose the vehicles, and the sectors they
support, to new cyber-enabled attack vectors and vulnerabilities, with
the potential to create novel and potentially profound risks to
national security and public safety. Cyber-enabled vulnerabilities can
be exacerbated if the ICTS integral to CVs is designed, developed,
manufactured, or supplied, by persons owned by, controlled by, or
subject to the jurisdiction or direction of a 15 CFR 7.4 entity.
i. Threat From 15 CFR 7.4 Entities
E.O. 13873 defines the term ``foreign adversary'' to mean any
foreign government or foreign non-government person engaged in a long-
term pattern or serious instances of conduct significantly adverse to
the national security of the United States or security and safety of
U.S. persons. In the rules implementing the E.O. at 15 CFR 7.4(a), the
Secretary has identified the following as foreign adversaries: the
People's Republic of China, including the Hong Kong Special
Administrative Region (PRC); Republic of Cuba; Islamic Republic of
Iran; Democratic People's Republic of Korea; Russian Federation; and
Venezuelan politician Nicol[aacute]s Maduro (Maduro Regime).
The incorporation of ICTS products and services used in the United
States from persons owned by, controlled by, or subject to the
jurisdiction or direction of 15 CFR 7.4 entities' can offer a direct
entry point to sensitive U.S. technology and data and bypass measures
intended to protect U.S. persons' safety and security. This may allow
actors with insider access to gain entry to the systems the ICTS
connects to and ultimately engage in malicious cyber activity.
Consequently, this exploitation may result in undue risks to ICTS and
critical infrastructure in the United States and unacceptable risks to
national security.
The PRC presents a particularly acute and persistent threat to the
United States ICTS supply chain. According to the Office of the
Director of National Intelligence, the PRC likely represents the
broadest, most active, and persistent cyber espionage threat to U.S.
Government and private-sector networks. See Off. Of the Director of
Nat'l Intelligence, Annual Threat Assessment of the U.S. Intelligence
Community 10 (2023), https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf. The PRC is almost
certainly capable of launching cyber-attacks that could disrupt
critical infrastructure services within the United States and has
conducted cyber espionage operations that have compromised
telecommunications firms, providers of managed services, and broadly
used software. Id. At 10. In short, the PRC has
[[Page 15069]]
engaged in a pattern of hacking and cyber intrusion that demonstrates
the PRC's intent to compromise and exploit U.S. ICTS supply chains and
critical infrastructure, threatening U.S. national security.
The PRC's legal structure also gives broad authority to the state
to co-opt private companies to pursue its objectives. A host of laws
give the PRC government the authority to compel companies located in
the PRC, including automakers and their suppliers, to cooperate with
PRC intelligence and security services. The PRC's 2021 Data Security
Law, for example, makes all private data available to the PRC state
when it is needed for ``national security.'' See National People's
Congress, Data Security Law of the People's Republic of China, Art. 35,
http://www.npc.gov.cn/englishnpc/c2759/c23934/202112/t20211209_385109.html. The PRC's 2017 National Intelligence Law imposes
affirmative obligations on entities and persons subject to the PRC's
jurisdiction to cooperate with intelligence agencies--Article 17 allows
PRC intelligence officials to take control of a private organization's
facilities, including its communications equipment. See National
People's Congress, National Intelligence Law (as amended, 2018), http://www.npc.gov.cn/npc/c2/c30834/201905/t20190521_281475.html. The PRC's
2015 National Security Law obliges citizens and private companies to
provide security and military agencies with all ``necessary support and
assistance.'' See State Council of the People's Republic of China,
National Security Law, Art. 77(5), https://www.gov.cn/zhengce/2015-07/01/content_2893902.htm. Beyond legal obligations, companies established
in the PRC may be required to create internal Chinese Communist Party
(CCP) committees that can exercise influence over corporate decisions.
See National People's Congress, Company Law of the People's Republic of
China, Art. 19, https://www.npc.gov.cn/zgrdw/npc/xinwen/2018-11/05/content_2065671.htm.
The combination of legal authorities and opaque CCP influence make
private companies that are subject to the PRC's jurisdiction
susceptible to requests from intelligence and military officials. PRC
officials can compel PRC firms to provide the PRC government with data,
logical access, encryption keys, and other vital technical information,
as well as to install backdoors or bugs in equipment which create
security flaws easily exploitable by PRC authorities. U.S. Dep't of
Homeland Security, Data Security Business Advisory: Risks and
Considerations for Businesses Using Data Services and Equipment from
Firms Linked to the Peoples Republic of China 2 (2020), https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf. Original equipment manufacturers (OEMs) for
vehicles in the PRC, due to the vast amounts of data generated by their
products, are notable targets for government access. According to open-
source reporting, over 200 automakers that operate in the PRC are
legally obligated to transmit real-time vehicle data, including
geolocation information, to government monitoring centers. See Erika
Kinetz, In China Your Car Could Be Talking To The Government,
Associated Press News (Nov. 29, 2018), https://apnews.com/article/4a749a4211904784826b45e812cff4ca. This pervasive data sharing, which
provides the PRC government with detailed information on the behaviors
and habits of individuals, is indicative of a broader approach to co-
opting private companies--one that raises significant concerns about
how the PRC government might exploit the growing presence of PRC OEMs
and manufacturers of ICTS integral to CVs in foreign markets. The
combination of these factors uniquely elevates BIS's concern regarding
PRC participation in the ICTS supply chain for CVs in the United
States.
BIS seeks to better understand the role of persons owned by,
controlled by, or subject to the jurisdiction or direction of 15 CFR
7.4 entities, particularly the PRC, in the ICTS supply chain for CVs,
and the leverage these entities might exert as a result. In particular,
the ANPRM seeks comments on the following issues:
4. Please describe the ICTS supply chain for CVs in the United
States. Particularly useful responses may include information
regarding:
a. categories of ICTS, such as software or hardware, that are
integral to CVs operating in the United States;
b. market leaders for each distinct phase of the supply chain for
ICTS integral to CVs (such as design, development, manufacturing, or
supply) including, but not limited to: OEMs, tier one, tier two, and
tier three suppliers, and service providers;
c. geographic locations where software (such as the vehicle
operating system), hardware (such as light detection and ranging
(LiDAR) sensors), or other ICTS components integral to CVs in use in
the United States are designed, developed, manufactured, or supplied;
d. involvement in any sector or sub-sector of the U.S. ICTS supply
chain for CVs by persons owned by, controlled by, or subject to the
jurisdiction or direction of a 15 CFR 7.4 entity; and
e. geographic locations where data from CVs in use in the United
States is transmitted, stored, or analyzed.
5. Are there ICTS integral to CVs for which persons owned by,
controlled by, or subject to the jurisdiction or direction of a 15 CFR
7.4 entity are sole source suppliers? To what extent do OEMs of CVs in
use in the United States rely upon suppliers wholly or partially owned
by a company based in or under the control of a 15 CFR 7.4 entity?
6. In what ICTS hardware or software for CVs do persons owned by,
controlled by, or subject to the jurisdiction or direction of a 15 CFR
7.4 entity maintain a technological advantage over U.S. and other
foreign counterparts and how may this dynamic evolve in the coming
years?
7. How, and to what degree, does CV automotive software connect to
GNSS systems that are designed, developed, manufactured, or supplied by
persons owned by, controlled by, or subject to the jurisdiction or
direction of a 15 CFR 7.4 entity? for geolocation and other functions?
8. How might a disruption to the supply of ICTS components for CVs
in use in the United States, including hardware and software, from
persons owned by, controlled by, or subject to the jurisdiction or
direction of a 15 CFR 7.4 entity affect OEMs of CVs in use in the
United States and ICTS suppliers? Where possible, please specify which
disruptions to component supply would be particularly detrimental.
9. To what extent can OEMs procure alternative sources of ICTS
integral to CVs that do not constitute ICTS from persons owned by,
controlled by, or subject to the jurisdiction or direction of 15 CFR
7.4 entities?
10. Please describe the relationship between OEMs of CVs in use in
the United States and their ICTS suppliers. Particularly useful
responses may include the type of information that is shared between
OEMs of CVs in use in the United States and their ICTS suppliers in the
normal course of business, how this information is shared, what access
or administrative privileges are typically granted, and if suppliers
have any capability for remote access or ability to provide firmware or
software updates.
11. What risks might be posed by aftermarket ICTS integrated
onboard CVs and interfaced with vehicle systems, such as tracking
devices, cameras, and wireless-enabled
[[Page 15070]]
diagnostic interfaces? Should aftermarket automotive systems or
components be considered integral to CV operation?
12. To what extent are ICTS components of CVs designed, developed,
manufactured, or supplied by persons owned by, controlled by, or
subject to the jurisdiction or direction of a 15 CFR 7.4 entity present
in critical infrastructure sectors? Are there instances of municipal,
state, or federal funding for procurement of such 15 CFR 7.4 entities'
ICTS integral to CVs for use in critical infrastructure sectors?
13. What other instances exist where persons owned by, controlled
by, or subject to the jurisdiction or direction of a 15 CFR 7.4 entity,
are integrated into the ICTS supply chain for CVs?
ii. Capabilities of Connected Vehicles May Increase the Likelihood of
Vulnerabilities 15 CFR 7.4 Entities Could Exploit
CVs and the components that enable their functionality present
opportunities for exploitation by 15 CFR 7.4 entities via insider
access, which could potentially result in severe consequences to U.S.
persons and critical infrastructure. Increasing the number and scope of
wireless connected components in a vehicle also increases the attack
surfaces through which a malicious actor can gain initial entry. As CVs
gain new and different connectivity capabilities, design,
implementation, and operational protocols need to be added to address
new attack surfaces and maintain the confidentiality, integrity, and
availability of the data that traverse any one functional system. As
demonstrated in controlled environments, attack vectors can be
exploited and may provide access to other functional systems within a
CV. Moreover, once one subsystem has been compromised, depending on the
nature of the vulnerability and the design of the vehicle network
architecture, the attacker might have the ability to move laterally and
eventually gain access to other functional automotive systems. While
integrated functionality may provide seamless communication, comfort,
and operability for the consumer, it is possible that unauthorized
remote access to a particular sensor system could be escalated to
vehicle systems and operations, potentially resulting in injury, loss
of life, and disruption to critical infrastructure networks.
Preliminarily, BIS has identified the following capabilities
associated with CVs that may increase the likelihood of vulnerabilities
that 15 CFR 7.4 entities could exploit:
Data Collection: CVs rely on the collection and integration of
broad and varied data to improve the vehicle's functionality and
safety. This data, which can encompass vehicle-level data (e.g., driver
behavior, vehicle status, geolocation, biometrics, driver mobile phone
data) and environmental-level data (e.g., detailed mapping data, object
detection, traffic patterns), are extracted through various onboard
systems and sensors. The Advanced Driver-Assistance System (ADAS) of a
CV, for example, typically relies on a combination of sensors--radar,
LiDAR, ultrasonic, audio, and video--that are constantly collecting and
processing data. CVs now collect data inside the cockpit as well.
Consumer and commercial CVs increasingly incorporate driver monitoring
systems (DMS) to ensure the driver remains alert and fully able to take
control of the car should autonomous systems fail, and to ensure
commercial truck drivers remain on schedule. More sophisticated DMS
feature driver-facing cameras--including eye tracking, facial
recognition, and microphones--collect potentially sensitive information
about drivers and passengers. This increases the sensitivity of the
data that CVs collect, potentially providing 15 CFR 7.4 entities with
access to biometric information in addition to environmental data.
Connectivity: CVs are connected to and can communicate with a range
of external sources, including the OEM and third-party service
providers, as well as in-car devices like smart phones. In an
increasing subset of vehicles, telematics systems connect the vehicle
with cloud-based services to provide onboard systems with external data
streams (e.g., geolocation, streaming service, assistance service,
emergency notification) and underlie many of a CV's core
functionalities. V2X systems, when widely implemented, will support the
broadcast and reception of messages that enable safety alerts and
mobility advisories. Providing broadcast (radio) communication
capabilities that facilitate driver assistance capabilities may open
cybersecurity vectors that need to be addressed to ensure broadcast
message integrity and authenticity through design, standards,
implementation and manufacturing protocols, and to prevent possible
message and transmission misbehavior.
Further, interconnectivity in the software or hardware components
may amplify risks posed by ICTS integral to CVs that are designed,
developed, manufactured, or supplied by persons owned by, controlled
by, or subject to the jurisdiction or direction of a 15 CFR 7.4 entity.
For example, OEMs enable communication with their vehicle after sale
even when a customer does not subscribe to services, including by
providing software updates and refinements, as well as by enabling or
disabling subscription-based features. This access by the OEM to the CV
provides numerous opportunities for 15 CFR 7.4 entities that own,
control, or have the ability to exert jurisdiction or direction over
the OEM, to insert vulnerabilities allowing for future backdoor attacks
and other malicious behavior. Additionally, individually connected
components and sensors are capable of transmitting data separately from
the vehicle's broader communications suite, including receiving over
the air (OTA) updates without the knowledge or consent of the vehicle
owner or OEM. BIS seeks to better understand the capabilities
associated with technical trends--both current and future--in CV design
and the ICTS components therein. In particular, the ANPRM seeks further
comment on the following:
14. What is the full scope of data collection capabilities in CVs
and the aggregation and scale of data that CVs could collect on U.S
persons, entities, geography, and infrastructure? Who has authorized
access to, or control of, data collected by CVs?
15. What types of remote access or control do OEMs have over their
CVs? Please describe what software or other mechanisms allow for such
remote access or control by the OEM to occur.
16. What cybersecurity concerns may arise from linkages between
sensors in CVs? To what extent can individual sensors and components
communicate OTA independently from the CV's Operating System (OS)?
17. What standards, best practices, and industry norms are used to
secure the interconnection between vehicles and charging
infrastructure? How are battery management systems (BMS) integrated
into a vehicle's automotive software systems, and how are they
protected from malware?
18. How do manufacturers supplement existing cybersecurity
standards and best practices such as the National Highway Traffic
Safety Administration's Cybersecurity Best Practices for the Safety of
Modern Vehicles at each step of the CV supply chain, including design,
manufacturing, and operation?
a. Particularly useful responses will be specific about the types
of programs and practices used such as test and verification, bug
bounties, white hat programs, or end-to-end encryption to secure the
link between vehicle and
[[Page 15071]]
server. See Nat'l Highway Traffic Safety Admin., Cybersecurity Best
Practices for the Safety of Modern Vehicles (2022), https://www.nhtsa.gov/sites/nhtsa.gov/files/2022-09/cybersecurity-best-practices-safety-modern-vehicles-2022-tag.pdf; see also Cybersecurity
and Infrastructure Security Agency, Autonomous Ground Vehicle Security
Guide: Transportation Systems Sector (2021), https://www.cisa.gov/resources-tools/resources/autonomous-ground-vehicle-security-guide.
19. Please describe the automotive software development cycle. BIS
is particularly interested in learning:
a. The degree to which OEMs license software, as opposed to
developing it internally;
b. The extent to which software is developed outside the United
States and, if so, where;
c. What measures are taken to ensure software security and
integrity during the development cycle;
d. If OEMs partner or co-develop automotive software with any
persons owned by, controlled by, or subject to the jurisdiction or
direction of a 15 CFR 7.4 entity; and
e. The extent to which software that is embedded in hardware (e.g.,
firmware) is subject to the development cycle described above.
20. Please describe the relationship between CV OEMs and cloud
service providers (CSPs). Particularly useful responses may describe
what access privileges, controls, and remote capabilities with respect
to CV OEM systems are afforded to the CSP. Additionally, what are the
common shared responsibility models between a CSP and a CV OEM and how
are the communication and systems protected?
21. How do CV OEMs verify the bill of materials and software bill
of materials as authentic for vendors and suppliers, specifically
regarding OS, telematic systems, ADAS, Automated Driving Systems (ADS),
satellite or cellular telecommunication systems, and BMS? If a software
bill of materials is required, to what extent does it provide
information regarding software vulnerabilities, and how is this
information used, stored, and protected?
22. To what extent is software from vendors and suppliers tested
and verified to comply with OEM requirements?
23. What vendor-vetting and supply chain security practices do OEMs
employ when procuring ICTS integral to CVs?
iii. Consequences
The ability of a 15 CFR 7.4 entity to compel private companies
through applicable legal frameworks, combined with the exploitation of
vulnerabilities created by the increase in capabilities of the ICTS
integral to CVs, has the potential to create severe and, in certain
instances, catastrophic consequences for U.S. persons and critical
infrastructure. Through ICTS designed, developed, manufactured, or
supplied by persons subject to the ownership, control, jurisdiction, or
direction of a 15 CFR 7.4 entity, the intelligence agencies of that
entity could obtain access to a wide range of information from
companies in the CV ICTS supply chain to exfiltrate, collect, and
aggregate sensitive data on U.S. persons. These data include location,
traffic patterns, audio and video recordings of the inside and outside
of the car, as well as information about the driver's identity,
finances, contacts, and home address, which can be collected by CVs
themselves or by a passenger's mobile device connected to a CV.
In addition, backdoors embedded in a CV's software could enable a
15 CFR 7.4 entity under certain conditions to obtain control over
various vehicle functions that could include the ability to disable the
vehicle completely. A group of researchers were able to demonstrate a
vulnerability in an OEM's Bluetooth software that allowed access to
some vehicle control systems, initiating remote actions such as
activating the brakes and turning the steering wheel. See Consumer
Watchdog, Kill Switch: Why Connected Cars Can Be Killing Machines and
How to Turn Them Off 37-40 (2019), https://consumerwatchdog.org/sites/default/files/2019-07/KILL%20SWITCH%20%207-29-19.pdf. A similar ability
in the hands of a 15 CFR 7.4 entity that can control or direct an OEM
could allow that entity to disable the controls on an individual
vehicle while it was being driven or to sabotage entire fleets without
having physical access to the vehicles. Finally, because of CVs'
connectivity, they could be used to access multiple critical
infrastructure systems with which they interact, including
telecommunications networks, transportation systems, and the electrical
grid. As CV technology advances, vehicles and charging infrastructure
may increasingly communicate with these systems to manage traffic flows
and grid load. As such, the proliferation of CVs containing vulnerable
ICTS from persons owned by, controlled by, or subject to the
jurisdiction or direction of a 15 CFR 7.4 entity could provide that
entity with a platform for launching distributed denial of service
attacks against intelligent transportation systems, satellite or
cellular communications hardware, or other critical infrastructure. See
Mohammad Ali Sayed, et al., Electric Vehicle Attack Impact on Power
Grid Operation, 137 Int'l J. Electrical Power & Energy Sys. 107784
(2022), https://www.sciencedirect.com/science/article/abs/pii/S0142061521010048; Numaan Huq, et al., Cybersecurity for Connected
Cars: Exploring Risks in 5G, Cloud, and Other Connected Technologies,
Trend Micro Res. (2021), https://documents.trendmicro.com/assets/white_papers/wp-cybersecurity-for-connected-cars-exploring-risks-in-5g-cloud-and-other-connected-technologies.pdf; Anastasios Giannaros, et
al., Autonomous Vehicles: Sophisticated Attacks, Safety Issues,
Challenges, Open Topics, Blockchain, and Future Directions, 3 J. of
Cybersecurity and Privacy 493 (2023). Given these threats,
vulnerabilities, and potential consequences, BIS is considering
identifying the following automotive software systems as the ICTS
integral to CVs most likely to present undue or unacceptable risks if
exploited by 15 CFR 7.4 entities: (i) vehicle OS; (ii) telematics
systems; (iii) ADAS; (iv) ADS; (v) satellite or cellular
telecommunication systems; and (vi) BMS.
As BIS considers whether and how to regulate these software
systems, it seeks additional information, including:
24. Are there ICTS integral to CVs other than those identified in
this ANPRM that could present material risks if they were designed,
developed, manufactured, or supplied by persons owned by, controlled
by, or subject to the jurisdiction of a 15 CFR 7.4 entity? If so,
please discuss how the ICTS could be exploited to pose such a risk.
25. Of the ICTS integral to CVs identified in this ANPRM, which
present the greatest risk to safety or security if they are designed,
developed, manufactured, or supplied by persons owned by, controlled
by, or subject to the jurisdiction or direction of a 15 CFR 7.4 entity?
26. As ADS systems evolve and developers rely on cellular systems
to communicate with ADS-enabled vehicles to support overall operational
capability (e.g., communications to a fleet management office), what
should the U.S. government consider in order to support the development
of this technology securely from 15 CFR 7.4 entity malign activity?
III. Additional Questions for Comment
This ANPRM seeks comment on processes and mechanisms that BIS could
implement in a potential rule to authorize an otherwise prohibited ICTS
[[Page 15072]]
transaction with the adoption of mitigation measures.
Authorizations and Mitigations
27. In what instances would granting a temporary authorization to
engage in an otherwise prohibited transaction under a proposed rule be
necessary and in the interest of the United States to avoid supply
chain disruptions or other unintended consequences?
28. What review criteria should BIS implement when considering an
application for a temporary authorization?
29. What specific standards, mitigation measures, or cybersecurity
best practices should BIS consider when evaluating the appropriateness
of a requested authorization?
30. Are there any U.S. government models, such as the Office of
Foreign Assets Control's sanctions programs or the Export
Administration Regulations, that this program should consider emulating
in granting authorizations?
Economic Impact
31. What economic impacts to U.S. businesses or the public, if any,
might be associated with the regulation of ICTS integral to CVs
contemplated by this ANPRM? If responding from outside the United
States, what economic impacts to local businesses and the public, if
any, might be associated with regulations of ICTS integral to CVs?
32. What, if any, anticompetitive effects may result from
regulation of ICTS that is integral to CVs as contemplated by this
ANPRM? And what, if anything, can be done to mitigate the
anticompetitive effects of regulation of ICTS?
33. What types of U.S. businesses or firms (e.g., small businesses)
would likely be most impacted by the program contemplated in this
ANPRM? If responding from outside the United States, what types of
local businesses or firms (e.g., small businesses) would likely be most
impacted by the program contemplated in this ANPRM?
34. What actions can BIS take, or provisions could it add to any
proposed regulations, to minimize potential costs borne by U.S.
businesses or the public? If responding from outside the United States,
what actions can BIS take, or what provisions could it add to any
proposed regulations, to minimize potential costs borne by local
businesses or the public?
35. What new due diligence, compliance, and recordkeeping controls
will U.S. persons anticipate needing to undertake to comply with any
proposed regulations regarding ICTS integral to CVs that are designed,
developed, manufactured, or supplied by persons owned by, controlled
by, or subject to the jurisdiction or direction of 15 CFR 7.4 entities?
Elizabeth L.D. Cannon,
Executive Director, Office of Information and Communications Technology
and Services.
[FR Doc. 2024-04382 Filed 2-29-24; 8:45 am]
BILLING CODE 3510-33-P