Commerce Dept. to Block Connected Car Tech from China, Russia
The Bureau of Industry and Security within the U.S. Department of Commerce is expected to release a Notice of Proposed Rule Making this coming Monday, Sept. 23, prohibiting the sourcing of automotive connectivity hardware and related software from Russia or the People's Republic of China for use in connected or autonomous vehicles. The effective date could be as soon as three years from the date of the final rule making.
The particulars behind the proposal will be discussed next Tuesday at MOVE America in Austin on a panel with Evan Broderick, deputy executive director, OICTS, Bureau of Industry and Security in the Commerce Department and, separately, Srivalli Boddupalli, senior data scientist at Lucid Motors. Boddupalli will discuss Lucid Motors' approach to vehicle security in the U.S. and E.U.
The BIS-ICTS sanction derives from an executive order issued on May 15, 2019, indicating that the U.S. President "declared a national emergency regarding the ICTS supply chain, finding that 'the unrestricted acquisition or use in the United States of information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in information and communications technology or services, with potentially catastrophic effects, and thereby constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.'"
The sourcing prohibition covers connectivity hardware operating at or above 450MHz. The proposed rule, which is subject to a comment period that could last a year or longer, comprises four elements:
1. Explains the risks
2. Identifies specific ICTS systems/components integral to the CV to protect against risks (Automotive Connectivity Systems / Automated Driving Systems)
3. Proposes implementation measures to address the risk (Prohibition/Mitigation)
4. Establishes compliance and enforcement mechanisms in accordance with the implementing measures (Attestations/Authorizations)
The risks include data collection or exfiltration encompassing personal/biometric data; data on sensitive sites; traffic patterns; and infrastructure data. Also of concern are hacking or remote access for the purposes of disabling or hijacking vehicles, and traffic manipulation or obstruction.
The relevant systems being sanctioned regarding sourcing include telematics cellular band connectivity as well as other connectivity systems such as satellite, Wi-Fi, and some Bluetooth, excluding low frequency systems such as tire pressure monitoring (TPMS) and remote start key fobs. BIS states: "These connectivity systems are the primary gateway between the internal vehicle network and the external world. All communications, either for data exfiltration or remote access pass through this gateway. Regulating this system comports with public comments and internal analysis. Most effective if paired with regulation of another system to affect two links in the attack chain."
The NPRM also impacts autonomous driving software described by BIS as follows: "Automated Driving System (ADS) is defined as hardware and software collectively capable of performing the entire dynamic driving task on a sustained basis. This regulation would specifically regulate ADS software. ADS typically do not require consistent connectivity to execute driving tasks. ADS refers to the software behind higher levels of autonomous driving. Regulating this system comports with public comments and internal analysis. This is a prospective regulation, as there are few PRC-affiliated companies providing ADS in the U.S. at present. These systems are another “link” in the CV attack chain. Protecting two “links” increases regulatory effectiveness."
By focusing on connectivity operating at 450MHz or higher frequencies, the NPRM encompasses all cellular, Wi-Fi, Bluetooth, and SiriusXM connectivity. The document is also expected to sanction related software operating at the application layer, component layer or individual subcomponent layer.
The rule will apply to sourcing of components for connected vehicles including planes, unmanned aerial systems, trains, boats, and automobiles. Also impacted will be all "wheeled vehicles" including “rolling stock,” agricultural vehicles, mining vehicles, port or industrial yard vehicles, and all terrain vehicles. And, finally, all wheeled on-road vehicles including motorcycles, passenger vehicles, busses, small and medium trucks, class 8 commercial trucks, and recreational vehicles.
The proposed rule calls for attestations including:
1. Documentation that indicates no covered software present
2. A forcing mechanism for industry to build compliance into their corporate governance
3. Verification through spot checks with DOT, SVTU & OEM SBOM audits
Some prohibited transactions may be allowed under particular conditions:
1. Any vehicle built before 2026
2. Research and Testing
3. For Demonstration only
4. Small Businesses
The NPRM will spell out the length of the comment and review period. The immediate impact in the U.S. is likely to be minimal. The E.U., on the other hand, is facing more of a horse-is-already-out-of-the-barn proposition, with hundreds of thousands of EVs manufactured in China already on the roads, most of which will be equipped with connectivity hardware and software sourced from China.
It's a delicate dance likely to significantly disrupt supply chains. Several Western manufacturers of telematics control units and their components, such as Rolling Wireless, have moved to sever their ties to Chinese ownership, joint ventures, or investment to preserve existing car maker relationships and avoid running afoul of emerging sanctions.
If the NPRM is adopted in its current form and China were to respond in kind, the impact on suppliers such as Qualcomm or Samsung could be severe. The E.U. is not expected to pursue similar supply chain sanctions, although there is a more or less de facto shift away from sources in China for connectivity for cars made in the E.U.
In many respects the U.S. market has already accommodated and adjusted to the new rule, now being proposed several years after the original executive order. Exempted from the rule are sensors and other non-connectivity technologies. Observers will be watching the comments closely to gauge the industry's reaction.
Chief Business Officer, Glympse
6 months ago: Roger C. Lanctot - I was just in Austin.... should have swung over. Will you be in Detroit this week?
CEO @ Hashlist / The new way automotive buys SDV-related work & services.
6 months ago: Very interesting.. Looking forward to catching up at the event!
VP of Communications & Public Policy at HAAS Alert
6 months ago: This is such a complex topic with market-shifting implications. Really appreciate your ability to map out the core components here without understating or overstating what’s at stake. I imagine that the open comment period on this will be especially contentious.