Federal investigation into security of Chinese smart cars seeks public input
As part of a federal investigation into cybersecurity risks of Chinese-made connected vehicles, public comment is being sought by April 30.
The Department of Commerce’s Bureau of Industry and Security (BIS) is investigating Chinese-made connected vehicles (CVs).
“BIS is considering proposing rules that would prohibit certain ICTS transactions or classes of ICTS transactions by or with persons who design, develop, manufacture, or supply ICTS integral to CVs and are owned by, controlled by, or subject to the jurisdiction or direction of foreign governments or foreign non-government persons
The department is seeking feedback on “definitions; how potential classes of ICTS [Information and Communications Technology and Services] transactions integral to CVs may present undue or unacceptable risks to U.S. national security; implementation mechanisms to address these risks through potential prohibitions or, where feasible, mitigation measures; and whether to create a process for the public to request approval to engage in an otherwise prohibited transaction by demonstrating that the risk to U.S. national security is sufficiently mitigated in the context of a particular transaction,” according to a news release from the department.
In February, President Joe Biden issued an executive order that expanded the scope of the national emergency declared in Executive Order 13873, issued in May 2019, and the measures within his June 2021 Executive Order 14034.
The February executive order states, in part, “The continuing effort of certain countries of concern to access Americans’ sensitive personal data and United States government-related data constitutes an unusual and extraordinary threat, which has its source in whole or substantial part outside the United States, to the national security and foreign policy of the United States.
“Access to Americans’ bulk sensitive personal data or United States government-related data increases the ability of countries of concern to engage in a wide range of malicious activities. Countries of concern can rely on advanced technologies, including artificial intelligence (AI), to analyze and manipulate bulk sensitive personal data to engage in espionage, influence, kinetic, or cyber operations or to identify other potential strategic advantages over the United States.”
U.S. Secretary of Commerce Gina Raimondo previously said, “It doesn’t take a lot of imagination to think of how foreign government with access to connected vehicles could pose a serious risk to both our national security and the personal privacy of U.S. citizens. To assess these national security concerns, we are issuing an Advance Notice of Proposed Rulemaking to investigate the national security risks of connected vehicles, specifically PRC-manufactured technology in the vehicles. We need to understand the extent of the technology in these cars that can capture wide swaths of data or remotely disable or manipulate connected vehicles, so we are soliciting information to determine whether to take action under our ICTS authorities.”
Last week, the People’s Republic of China began disputing U.S. electric vehicle subsidies at the World Trade Organization (WTO), challenging elements of Biden’s 2022 Inflation Reduction Act, which includes clean energy actions.
According to the Associated Press, China filed a WTO complaint over alleged discriminatory EV subsidy requirements.
The Chinese Commerce Ministry didn’t say what prompted the move, AP wrote. Under a new U.S. rule that took effect Jan. 1, EV buyers aren’t eligible for tax credits of $3,750-$7,500 if critical minerals or other battery components were made by Chinese, Russian, North Korean, or Iranian companies.
A Chinese Commerce Ministry statement reportedly said the U.S. move excluded Chinese products, distorted fair competition, and disrupted the global supply chain for new energy vehicles, according to AP.
On Wednesday, Argus Cyber Security announced it has opened a new testing lab in Detroit, Michigan, to help vehicle manufacturers and Tier 1 suppliers meet regional regulation requirements and ensure protection from cyber threats for their connected and software-dependent vehicles.
Penetration testing is a common technique for identifying vulnerabilities in software and hardware throughout the development lifecycle, according to Argus, and is what the company will conduct at its Detroit lab. U.S. vehicle manufacturers conduct penetration testing to validate and verify that their vehicles and components meet automotive cybersecurity regulations and standards, such as ISO 21434 and UNR 155, Argus said.
At the component level, penetration testing detects and reports vulnerabilities in an ECU’s interfaces, communications channels, and security measures. Argus’ fuzz testing tool enables automated and scalable penetration testing of ECUs and other systems, helping Argus researchers find zero-day vulnerabilities and configuration errors quickly and efficiently, according to a news release from the company.