This week the Biden administration officially published a much-anticipated proposed rule on connected vehicle security in the Federal Register, a move that has garnered widespread attention due to its potential impact on the automotive and advanced vehicle technology industries. The proposal has been framed as a national security measure, with Avery Ash, Executive Director of the Coalition for Reimagined Mobility, highlighting its importance in a New York Times interview. Ash explained, “Foreign adversaries are cornering and leveraging key supply chains for geopolitical and economic gains.” 

This proposed rule targets hardware and software integrated into Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS). It would apply to all road vehicles, including cars, trucks, and buses, while excluding non-road vehicles, such as those used in agriculture or mining. 

Key Components Under Scrutiny 

The rule focuses on VCS components like telematics control units (TCUs), cellular modems, antennas, and other automotive parts that use radio frequency communication technologies. These systems allow Connected Vehicles to access external data sources, communicate with other vehicles, and offer enhanced services through Wi-Fi, Bluetooth, cellular, or satellite connectivity. 

ADS, which relies on a network of interconnected information sources for decision-making, is similarly vulnerable. The interconnected nature of these systems exposes them to potential threats, including malicious attacks aimed at compromising vehicle safety and security. 

Cybersecurity Threats Identified 

Several software-based threats to Connected Vehicles equipped with ADS were outlined in the proposed rule. These threats include manipulating sensors to create false data, tampering with ADS software to gather sensitive geographic information, and unauthorized access to internal vehicle networks, which could lead to data theft or even direct vehicle manipulation. 

The proposed rule also includes a ban on VCS and ADS components sourced from manufacturers with ties to China or Russia. This would apply even if the vehicles were manufactured in the U.S. Automakers would be given one year to ensure their connected vehicle software is free from any links to these countries, and four years to phase out certain hardware from Chinese-affiliated suppliers, such as sensors, Bluetooth devices, antennas and chipsets that allow or provide connectivity in the vehicle.  

For the past two decades, the U.S. has been a leader in the connected vehicle industry, with 70% of the 283 million vehicles on American roads potentially considered Connected Vehicles (CVs). Projections estimate that 49% of Europe’s vehicle fleet will be CVs by 2024, with this figure growing to over 90% by 2035. In 2023 alone, the U.S. sold around 16 million vehicles, nearly all of which featured built-in connectivity. 

The Risks of Inaction 

Failure to act on these security concerns could have serious consequences. U.S. automotive systems face a range of national security risks, from cyberattacks to the gathering of sensitive information, including the movements of citizens and the military. Disruptions to critical infrastructure, such as the electric grid, and other critical infrastructure could also result. 

Additionally, relying on a single, potentially adversarial source for critical components leaves U.S. manufacturers vulnerable to disruptions from geopolitical tensions and trade policies, as well as issues like the recent semiconductor shortage that severely impacted the auto industry during the pandemic. 

Timeline and Next Steps 

The prohibitions on software would take effect with Model Year 2027 vehicles, while hardware restrictions would apply to Model Year 2030 vehicles or those sold after January 1, 2029, without a specific model year. Public comments on the proposed rule are due by October 28, 2024. 

The Coalition for Reimagined Mobility previously filed comments in response to the Advanced Notice of Proposed Rulemaking (ANPRM) issued in April, calling for immediate action to address the national security risks posed by connected vehicles. This new proposed rule represents a significant step toward that goal. 

A Broader Shift in Transportation Technology 

The timing of this proposed rule coincides with a transformational period for the automotive industry, as emerging transportation technologies promise to shape the future of mobility. Earlier this year, ReMo published its flagship report, Unlocking a 21st Century Mobility System: How to Rethink the Future of Mobility and Restore Leadership in Transportation Innovation. The report highlights the risks outlined in the proposed rule and emphasizes the need for the U.S. to remain both globally competitive and secure and outlines a strategy for policymakers. 

ReMo is committed to working with the Department of Commerce to finalize rules that strengthen the U.S. and its allies’ leadership in automotive innovation while protecting national security. The most effective strategy for mitigating these risks is a collaborative effort between governments, industries, and cybersecurity experts. By bolstering domestic capabilities and diversifying supply chains in partnership with allies, the U.S. can reduce vulnerabilities and secure its leadership in the future of transportation. 

Ashley Simmons is the Deputy Director at SAFE’s Coalition for Reimagined Mobility.