Automakers Argue for Narrow Rule on Chinese Advanced Vehicles Technology

BIS had said in February that it planned to write rules on whether technologies used to navigate, avoid collisions, charge electric vehicles and connect cell phones to cars' infotainment systems pose an "unacceptable risk to the national security of the United States or the security and safety of United States persons" when those technologies are made by firms in or owned by a "foreign adversary" (see 2402290034).

More than 50 comments were submitted before the deadline and published last week, with a labor union, politician and trade group backed by unions arguing that any Chinese-owned firm, whether operating in the U.S., Mexico or other country, should be barred from making buses, subway cars, heavy trucks or cars and trucks for sale in the U.S. market.

The Alliance for American Manufacturing said connected vehicles made by China could harm U.S. national security -- and the auto sector faces a growing economic threat. AAM called Chinese investment in car parts in Mexico "alarming."

As it has before, AAM called for exclusionary tariffs on all car imports by Chinese manufacturers, no matter where they are made. They also asked the government to reinstate the Section 421 import surge protection safeguard against China’s automotive sector and related industries. They said car parts from Chinese companies should not be allowed USMCA or Generalized System of Preferences benefits program treatment, even if they're made in Mexico or a GSP beneficiary country. The group asked that the Uyghur Forced Labor Prevention Act place more "emphasis on metals, automotive parts, and battery content and raw materials utilized in EVs."

AAM and the United Steelworkers, in its comment, said all rolling stock by Chinese companies -- including buses, rail cars, monorails -- should be banned, even if they are made in the U.S.

Sen. Sherrod Brown, D-Ohio, asked the agency to prohibit vehicles and technology "that is designed, developed, manufactured, or supplied from the People’s Republic of China. Given China’s civil-military fusion, it is inevitable that both finished vehicles and technology would enable the Chinese Communist Party to access sensitive personal data of Americans and of critical U.S. infrastructure."

The Coalition for Safe and Secure Technology said lidar by Chinese companies is a national security threat, as it could be a vector for malware. Chinese lidar "is rapidly dominating the global market and expanding its presence in the U.S. It is already in use in sensitive U.S. applications, including traffic intersections, major transit hubs like train stations and airports, maximum security prisons, commercial self-driving trucks, and in AV 'robotaxi' fleets testing in numerous cities across the U.S.," the group said. It said all Chinese lidar should be banned, and vehicles that already contain it should get replacements.

Enterprise, which owns more than 2.3 million vehicles, encouraged BIS to take a broad approach, citing examples of hacks by security consultants on EV battery management software, a hack by professors to drain a parked vehicle battery, and the hack of EV charging stations in Russia by a Ukrainian company that had supplied a data controller in those chargers. "These vulnerabilities will only become more salient as electrification of the vehicle fleet expands. Improving the security of electric vehicle technology is therefore imperative now, before they are adopted at scale," the company wrote.

"Foreign governments -- or malicious non-government actors -- could disable entire charging networks, disrupting medical and emergency services, stalling transport of critical supplies, impeding law enforcement and defense operations, and leaving thousands or millions of U.S. residents stranded."

The rental car company said all companies controlled by or manufacturing in China should be subject to mitigation measures.

Enterprise noted that back-up cameras, blind-spot detection sensors, parking assistance and the like will continue to become more common. Occupant data, often through drivers' cell phones, and GPS data can compromise personal information, such as where you've gone and who you called or texted. "In the wrong hands, the location data collected and transmitted by vehicles could be used to track the movements of thousands to millions of U.S. citizens, including U.S. government officials," Enterprise wrote.

It argued that it should have access to data -- not just the vehicle manufacturers.

Manufacturers of cars, heavy trucks, electronics and other components, however, argued for a narrower scope, often arguing that components are not the problem, only entire systems with the ability to communicate remotely.

The Alliance for Automotive Innovation said that limiting the restrictions to Information Communication Technology Systems, rather than individual components, "should limit adverse impact on U.S. businesses or the public."

The Alliance said it doesn't know of any ICTS systems that are only available from China, but said there are instances where a component is only available from China. "Becoming less reliant on Chinese supply chains in these areas is a top priority of the auto industry in the United States. Efforts to reimagine and restructure supply chains are currently underway, but will require further collaboration between industry and government," the group wrote. Many individual automakers, and a parts supplier group, also made the point that supply chains are shifting out of China, but it takes time.

The Alliance also said vehicle ICTS systems, including their hardware and software components, undergo extensive pre-production engineering, testing and validation processes and, in general, cannot be easily swapped with systems or components from a different supplier. As BIS proceeds with this rulemaking, it will need to carefully consider these realities."

The group said it doesn't know how much Chinese involvement there is in EV battery management systems, but said that it expects "that electric vehicle tax-related provisions in the Inflation Reduction Act and subsequent regulatory guidance may also contribute to fewer battery management systems or components of battery management systems being designed, developed, manufactured, or supplied by [Chinese] entities ... than there might otherwise have been."

To minimize the costs of restrictions, it asked BIS to focus on highest-risk transactions, provide enough lead time to automakers, and to establish a predictable process for temporary authorizations to purchase otherwise prohibited items.

"There will almost certainly be compliance costs and burdens to automotive manufacturers and automotive suppliers for instituting due diligence, compliance and recordkeeping associated with any new supply chain requirements for ICTS systems in vehicles. However, auto manufacturers have already instituted significant supply chain compliance programs for a variety of business, due diligence, recordkeeping, and other compliance reasons that Auto Innovators suspect will be leveraged for these new requirements," the group wrote.

The Consumer Technology Association said BIS is grappling with the national security risk of China's access to sensitive data: the risk of remote manipulation of the car or its battery or a combination of the two.

The group said many components, "such as cameras, Light Detection and Ranging (LiDAR), and radar sensors, do not have connectivity capabilities (e.g. Bluetooth or Wi-Fi) and therefore should not be included in the scope of the final rule."

It also said individual components in any system are low risk, but allowed "such risk may be elevated depending on how they are integrated and operated within systems on the connected vehicle." U.S.-built cars include Chinese components in these systems, it warned.

Hyundai Motor Group said BIS should limit its restrictions to modems, gateways, cellular networks, wi-fi, bluetooth, radio frequency and low frequency, satellite navigation, PnC (Plug and Charge) and PLCs (Programmable Logic Controllers), and software installed to operate those systems.

Hyundai warned if the most cost-efficient products are not allowed in the U.S., it could leave U.S. automakers behind other countries.

BIS asked for insight into the supply chain, and Hyundai responded: "We have experienced difficulties in conducting due diligence for all entities in our supply chain because we do not have a direct relationship beyond the first-tier suppliers and vendors. It is very difficult from their subordinates, and almost impossible if we go deeper than 3rd or 4th tier vendors. We ask the BIS to consider these challenges when crafting the New Rule. Also, it would be helpful if the New Rule is clear about what documentation must be shown to demonstrate that OEMs have complied with the New Rule."

Ford said the primary focus of the rule should be automakers, suppliers of key ICTS systems and companies that provide ongoing ICTS services that are Chinese.

The company said while "full software stack (operating system, board support, middleware, runtime, and applications), telematics systems, infotainment, sensors, advanced driver assistance systems (ADAS), keying, anti-theft, security systems, service systems, satellite or cellular telecommunication systems, and automated driving systems" are the highest-risk, other components like brake controls and wiper controls are not risky.

"An overly broad focus on connected vehicle components and hardware, which pose minimal national security risk, could unintentionally disrupt U.S. global automotive supply chains with harmful consequences to the industry while not adequately addressing the primary sources of potential national security risk contemplated by the Administration," Ford argued. It noted that updates to software are controlled by automakers, so if it's an American automaker, there's no threat.

Volkswagen asked that BIS avoid a licensing approach, but instead, use a Trusted Automotive Partner Program, similar to CBP's Customs Trade Partnership Against Terrorism (CTPAT) Trade Compliance Program. "If mitigation measures are insufficient for long-term risk reduction, TAPP members shall consult with Commerce to pair mitigation measures with an appropriate phase out for such ICTS supply chain risks," the company wrote.

It said a wholesale ban against ICTS with any Chinese components would be "exceedingly difficult" to comply with, and would hike the cost of cars.

The German Association of the Automotive Industry (VDA) said it is worried the rulemaking could have a high impact on operations in the U.S., and encouraged BIS to limit its scope. "Not all ICTS components from countries of concern pose a threat to national security. A ban on components from countries of concern could have grave economic consequences as well as slow down technological development. Bans only make sense where there is no other way to mitigate verified risks," it wrote. [Bolding in original]

"VDA members recommend that any potential rulemaking should not be focusing on banning a class of transactions but rather bringing attention to the risk which needs mitigation and allowing industry to determine the best tools and pathway for mitigating the risk."

MEMA, The Vehicle Suppliers Association, asked BIS to narrow the scope of technology, arguing that some advanced driver assistance systems, such as lane keeping assistance, do not collect sensitive data.

"MEMA believes that the BIS proposed definition of “connected vehicle” as included in the ANPRM is extremely broad," the group wrote, and argued that telematics, vehicle operating systems, ADAS and other systems listed by BIS "capture a suite of technologies with differing capabilities and data collection protocols. It subsequently ascribes an inappropriate level of risk to many technologies (and thereby to their specific components)."

MEMA said companies that are not Chinese have appropriate controls, and should not have to change their supply chains.

Autos Drive America said BIS should work with automakers to discuss how threats can be mitigated "without the need for a complete supply chain overhaul that may set back U.S. leadership in advanced vehicle technologies." The group added, "Given the global nature of automotive supply chains, it would be exceedingly difficult for OEMs to fully ensure the absence of any foreign adversary-based suppliers in all ICTS parts or components."

ACEA, the European Automotive Manufacturers’ Association, wrote that BIS should not focus on the origin of components, but on carmakers' "compliance with the strongest possible standards of cybersecurity and the targeting of the connected components of the vehicle."

ACEA said that how fast the government acts should be in proportion to the seriousness "and immediacy of any related risk. Ideally it should be done in a collaborative approach with industry to assist it in managing such a potentially profound transition in a well managed [and] carefully calibrated process."

It said it couldn't estimate how disruptive rulemaking would be, without knowing "the scope and timing of any restriction on the use of certain components as well as the availability of suitable alternatives."

ACEA said China is a leader in certain technologies, and ACEA wrote that it doesn't see equivalent options outside China.

Waymo, which is owned by Google's parent company, wrote as if BIS had already decided to narrowly scope its rules -- and it said it agrees.

The company said it is buying its next-generation autonomous taxis from Geely, a Chinese company, but said that when it purchases them, they "have no driving automation or telematics capabilities built into them. At a factory in the United States, only Waymo authorized personnel are responsible for installing the Waymo Driver onto the autonomous-vehicle-ready base vehicles, turning them into Waymo AVs, a process that requires no involvement of the base vehicle OEM at all."

BIS said stakeholders will need time to adjust, and a proposed rule should be the next step. "Given the potentially significant disruption that any implementing regulations would likely have on affected stakeholders, we strongly discourage BIS from changing course and proceeding instead with an interim final rule as the next step of the rulemaking process."

The Autonomous Vehicle Industry Association wrote that the U.S. is the leader in autonomous vehicle development, but that position "cannot be assumed, and will require ongoing coordinated efforts between industry and government to ensure the U.S. remains at the head of a market potentially worth multiple trillions of dollars." The association said that if there are to be regulations, they should be as narrow as possible, so there are no unnecessary costs for innovators. "BIS regulation risks ceding America’s leadership on AV technologies to the very countries of concern identified by 15 CFR 7.4," the association wrote. Prohibitions should only be imposed if there are no mitigation measures, it argued.

It said for parts used by AV companies, no vendors outside China "provide components that meet performance requirements and commercially viable prices."

Cummins, a heavy truck manufacturer, said it wants the government to define "connected vehicle" better.

"Are service tools that plug into a vehicle when in a service bay or pull data for service purposes in scope for ICTS for connected vehicles?" The company also asked if refrigerated trailers or other equipment connected to a vehicle are covered in this definition.

Cummins told BIS that it develops software in the U.S., India, the U.K., China, Mexico and Germany, and sources hardware from Singapore. "It is important to note that when software and hardware are purchased today there is no disclosure, nor is it apparent the country in which the product is designed, developed, manufactured, or if any of those entities in the supply chain are subject to the foreign entities’ jurisdiction," Cummins wrote.

The company said it buys "engine controllers and engines that are only made in China. These engines are not in passenger or commercial connected vehicles." The company said that if a future rule limited its ability to buy from China, it would create duplicated efforts for the U.S. market.

"It is our perception that China may have some costs advantages in electronics manufacturing. However, it is very difficult to know the full extent of all ICTS elements inside of the components we purchase as inputs into our manufacturing processes and how any evolution of this ANPRM or other Executive Orders, tariffs, or the decision of technology companies, would affect regional costs in the coming years," Cummins wrote. It added that there could be shortages if there isn't enough lead time to plan, test and recertify components that replace Chinese components in the supply chain.

"Ultimately, it is possible that this approach if too stringent could make it difficult to achieve other national goals around decarbonization and adoption of new technologies as those are tied to more advanced and connected solutions," the company wrote. It also warned that when the U.S. has prohibited items from a country, often the affected country reciprocates.

If BIS is going to require changes in the supply chain, it "should include subsidies and incentives for companies to adopt, invest and replace the technology. Also supporting companies, manufacturers to scale and develop more capacity to off-set costs that will be passed on to consumers. Cummins recognizes the challenge to balance industry standards and regulations in this space. We encourage BIS to provide clarity so that organizations can achieve proper outcomes."

South Korea wrote that its auto industry is concerned about how broad the investigation is, and how broad the regulation might be, and asked the administration to exclude components and software that pose minimal risk.

Several drone trade groups also commented that they're not sure if their vehicles are covered by "connected vehicle."

The Commercial Drone Alliance said it doesn't take a position on whether uncrewed aircraft systems should be included, but said if they are, the final rule should provide enough lead time to find alternative components. "Depending on the components covered in a final rule, this process could take several years. Therefore, the final rule should provide either a phased implementation or a temporary exemption or reporting requirement that allows the industry sufficient time to adjust its supply chain."

The Association for Uncrewed Vehicle Systems International argued that drones don't generally communicate to transportation networks or critical infrastructure, and therefore, it doesn't think drones belong in the rule.

But, if they are covered, the definition "should be precisely and narrowly tailored to address the threats posed by the use of drones from countries listed as foreign adversaries while avoiding unintended consequences that could hurt domestic companies."

What is covered requires stakeholder engagement, the association said. "Even small changes from foreign to domestically manufactured components could change type certification processes with the Federal Aviation Administration (FAA) and cause significant disruptions."