Connected Rule 'Will Reverberate' for Years, Automakers Say
Automakers, chipmakers and broad business groups asked the Bureau of Industry and Security to give their industries more time to adjust to new requirements to move supply chains out of China and report on what companies are in their connected vehicle supply chains.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
While all commenters agreed on the need to protect modern cars from malicious interference, dozens of comments asked BIS to define software and hardware more definitively, to limit restrictions to the most risky categories, and to treat software designers or hardware manufacturers operating in allied countries similarly to those operating in the U.S. Many also asked the bill of materials, that BIS proposes be submitted annually, be available on request instead, in the case of an audit or investigation. Nearly all said legacy software should be outside the scope of the rule.
A few commenters asked BIS to expand the scope of its ruling, either going beyond cars and heavy trucks, or to include more kinds of hardware, such as radar and lidar.
Comments on the Commerce Department's Connected Vehicle proposed rule closed Oct. 28 -- nearly 100 comments were received, many with pages and pages of technical details.
One of the most common requests from the automotive industry was to change the word "support" to "directly enable," to describe the kinds of hardware or software covered by the restrictions.
As the Autonomous Vehicle Industry Association put it, "the use of the word 'supports' could extend the rule’s application to a wide array of devices and equipment, which would complicate compliance efforts."
Although the Commerce Department framed the rule as applying to self-driving cars and electric cars, AVIA said BIS itself said "it believes that all new vehicles sold in the U.S. would likely be subject to the rule if enacted."
AVIA noted that BIS estimated compliance would cost about $31,000 to $39,000 initially, with annual costs after that of somewhere between $16,000 and $81,000. The group said that's a significant underestimate.
Compliance wouldn't just be documenting the supply chain for the software or hardware; it would force supply chain restructuring, the group said. "These shifts will incur significant costs, as the expansive and novel prohibitions will likely require sourcing components from new suppliers -- potentially at higher per unit costs than current suppliers -- and possibly redesigning vehicles that are already deep within the development process, increasing development and tooling costs."
The auto industry commenters said "vehicle connectivity systems" should not include systems that are only connected internally -- such as Bluetooth that connects a car's systems to an occupant's cell phone -- or that do not communicate beyond the car, such as GPS and lidar or radar.
Most auto industry commenters also said middleware software, not just firmware, should be outside the scope. AVIA said the fact that BIS said firmware won't be covered but was silent on middleware "underscores the need for greater specificity on precisely which software BIS intends to regulate."
The Alliance for Automotive Innovation, which represents nearly all U.S. automakers, said it's critical that BIS develops a reasonable final rule "that does not disrupt the auto industry in a way that is unnecessary for or disproportionate to its important national security goals."
Like nearly all automotive commenters, it asked that legacy software not be affected by the restrictions; that submissions on supply chains be private so that industrial espionage is not encouraged; that there be clearer definitions of what constitutes Chinese or Russian control of a company or employee, and what forms of minority ownership fall into the prohibited category.
AAI, again, like nearly all automotive commenters, asked that BIS commit to responding to special authorization requests within 45 days, and grant those authorizations for at least one year.
Nearly all the automotive comments said the timeline for cutting Chinese software out of supply chains -- proposed to begin in model year 2027 -- is too aggressive. Many asked for one additional year. Some asked for two additional years. Some said both the software and hardware restrictions should begin in model year 2030, because much of the software is tied to specific hardware.
AAI said BIS should allow companies "to rely on statements, attestations, or affirmations from suppliers regarding the origins of components and software, thus alleviating the need to conduct full examinations of a supplier’s operations," so that manufacturers would not be asking suppliers to expose trade secrets.
Polestar Automotive,an electric vehicle brand owned by China's Geely Holding, is one of the companies that could be most affected by the rule. Polestar, a spin-off from Volvo cars, which is also a Geely subsidiary, told BIS: "Ultimate ownership of an entity should not be the determinative factor for control."
Polestar called itself a Swedish car brand, and noted that its headquarters is in Sweden, and seven of its 10 board members are European or American citizens. It said its R&D is in England and Sweden, and the only Chinese engineering is done for the Chinese market.
"BIS should consider whether a rule that effectively shuts down the operations of a lawfully organized U.S. company with substantial U.S. investments and so many personnel and key decision-making units in friendly nations and the United States is appropriately tailored to address the stated national security concerns," the company wrote. It noted that U.S. production of the Polestar 3 began in August at Volvo Cars' Ridgeville, S.C. plant, where the company has invested $1.2 billion, and employs about 2,434 workers. It said it will produce the Polestar 4 in South Korea for the U.S. market.
The Commerce Department previously told International Trade Today that it would not necessarily ban the sale of Volvo and Polestar cars made in the U.S., as the companies could ask for authorization to continue sales.
Polestar said that by forbidding Chinese companies to supply software, even if that software is completely designed in the U.S., "BIS unnecessarily captures a larger set of potential transactions without a correspondingly proportional national security benefit. It also misses an opportunity to incentivize the development and production of covered software or VCS hardware ... outside of 'foreign adversary' countries."
Polestar was the only company with U.S. operations that suggested Chinese ownership wasn't the best way to restrict components. It said BIS should use other government lists of sanctioned firms.
However, the Japan Auto Parts Industries Association also said scope of which companies and people were prohibited was too broad, and they wrote: "we request that consideration be given to establishing a negative list or entity list."
The Japanese trade group represents 434 Japanese auto parts manufacturers, with 150,000 U.S. employees. It, like many automotive commenters, said an annual Declaration of Conformity for each model year is too onerous.
Autos Drive America, which represents 12 international automakers with U.S. assembly plants, including Volvo, asked BIS to allow less than 5% of software code to come from prohibited foreign entities.
It, like several commenters, asked BIS to clarify whether U.S.-assembled vehicles destined for export would be covered by the rule.
"In such situations where an automaker has purchased software that would be prohibited under the rule, we request that BIS allow a regulatory pathway for an OEM to demonstrate that they fully own the code, the prohibited vendor no longer has access to the systems, and the automaker has vetted the code for vulnerabilities," the trade group suggested for authorizations.
"Rather than making it untenable for some automakers to continue their normal operations in the United States, we request additional flexibility around the incorporation of thresholds and allowances for the use of company-owned subsidiaries based in foreign adversaries," the group wrote.
Ford said it is concerned that if its Chinese affiliate assembled a car, even if U.S. Ford employees designed and developed all the covered components, that car could not be imported.
It suggested that depending on how the rule is constructed, it could be overturned in the courts.
American Honda Motor wrote that it appreciates that BIS has tried to tailor the rule to real national security concerns. "At the same time, this rulemaking represents a new area of regulation for the automotive industry and will create changes that will reverberate throughout our industry for years to come. Even small details will have major impacts on vehicle design," it wrote.
Honda, like a number of commenters, suggested specific items that should be excluded, such as an antenna and GPS. It said a two-year-longer compliance date would allow carmakers "to conduct crucial testing, validations," and to update contracts.
Volkswagen Group of America,along with several other commenters, said the model year 2027 deadline to cut out adversary countries' software is workable as long as the software restriction only applies to the application layer, and not operating systems, middleware and firmware. BIS has said it will not include firmware, but has not said OS and middleware can come from China.
However, it said it cannot shift hardware suppliers in the four years BIS is proposing. It also asked that if Model Year 2027 is the last model year for a particular vehicle, the rule should not apply.
Tesla wrote: "We urge BIS to explicitly carve out those items that it does not intend to capture within the scope of the rule. For example, even though the preamble indicates that ADAS is not covered, one could argue, for example, that ADAS software “supports the function” of an ADS." Tesla, like many of the European stakeholders, said requiring Declaration of Conformity for firms writing software in ally countries "creates a massive, and ultimately unnecessary regulatory reporting regime for U.S. and non-U.S. OEMs, Tier 1, and Tier 2 suppliers ... ."
Hyundai Motor Group asked BIS to clarify that printed circuit boards aren't in scope. It also asked that BIS standardize the Software Bill of Materials format to simplify compliance. When CBP allowed companies to write their own originating certificates when NAFTA switched over to USMCA, companies said that was worse than having a standard certificate.
MEMA, the Vehicle Suppliers' Association, said its companies are strongly opposed to having to submit software and hardware bills of material, which they say are business critical. If HBOM are required, "subcomponent" should not be in the language, because that information may not be attainable. However, it said subcomponents from China and Russia could be restricted.
“If BIS cannot remove 'and subcomponents' from the definition of VCS hardware, MEMA recommends adopting a version of the 'second incorporation principle' from the Export Administration Regulations for de minimis calculations,” MEMA wrote.
MEMA said satellite radio, diodes, key fobs, FETs and BJTs should not be restricted, nor should hardware that only communicates to the manufacturer's server.
Many automotive commenters, including MEMA, asked BIS to explicitly say autonomous driving only covers Level 3 and above standards. MEMA said the way the proposed rule is written, it would apply to cars that can automatically parallel park, but that shouldn't be covered, as it is Level 2 autonomous operation.
"MEMA urges BIS to consider the tremendous administrative burdens that the proposed requirements would impose on suppliers," the group wrote.
Nissan North America said that it's already three years into the design process for model year 2027, and its software has already been procured, so changing now would be "extremely costly." The company asked that BIS target high-risk components and systems and phase in other restrictions.
Lucid, a new U.S. electric car company, said it is already trying to locate alternatives to China, but wrote, "unfortunately, many supply chains aren’t agile or able to change quickly." It said the deadlines are a significant burden.
Unlike most commenters, Lucid argued for including firmware, which it says is a potential vulnerability. "For clarity at the technical level, we recommend BIS be more explicit in defining the characteristics of the software it intends to exclude and provide more explicit examples, particularly using terms like “drivers” in common use in software programming. This will eliminate ambiguity for engineering and supply chain associates."
Porsche,like many in the industry, asked BIS to allow companies to repair models on the road with replacement components, even if those are from companies that are restricted or new cars.
The German Association of the Automotive Industry said BIS's examples of what companies are too closely connected to China or Russia "fall short of providing the clear and detailed guidance necessary for automakers and their supply chains to assess whether certain suppliers fall under the rule’s scope. Establishing a bright-line definition would greatly enhance automakers’ ability to efficiently implement the rule’s objectives."
Waymo,the Google subsidiary that operates self-driving cars, explained that it buys cars from Stellantis and Jaguar Land Rover, and will be buying from Geely and Hyundai, but that all of its automated driving systems are its own.
It said BIS's description of what it wants in a hardware bill of materials -- including drawings and non-defined “documents” -- would expose intellectual property and would not be attainable from suppliers.
“Instead, Waymo urges BIS to adopt a definition for HBOM which is much closer to how this term is actually used by industry. Namely, HBOMs typically include a list of part names or other information identifying a part (e.g., part SKU number); the name of each part’s manufacturer; a general description of each part (e.g., 'a microcontroller'); a link to each part’s public datasheet, which is customarily found on a manufacturer’s website and which often includes further technical data about the part.”
Truck and Engine Manufacturers, a trade association representing heavy truck manufacturers, noted that the way the rule is written doesn't fit the way heavy trucks are sold, as engines or motors and bodies are often made by different companies, so they are not sold as "complete vehicles."
"It is important to note that the regulatory requirements proposed in the NPRM are entirely new. They prohibit targeted transactions that could occur at any stage in the elaborate and deep manufacturing supply chains. To achieve compliance, heavy-duty vehicle manufacturers may need to conduct extensive investigations to identify the first, second, third, and even more distant tiered suppliers that may need to be involved," the group wrote.
Heavy truck engine maker Cummins noted that the rule's language was ambiguous when it said that a Chinese or Russian citizen, working outside the country of their birth, does not alone trigger the restrictions.
If citizenship is not a trigger, that should be stated clearly "to prevent the rule from prescribing discriminatory hiring practices that would be in conflict with other U.S. laws and regulations."
Cummins argued that a Chinese subsidiary of a U.S. company should not trigger the prohibitions. "Walling off employees and not relying on their expertise and skill simply because they are located in the PRC or Russia could hurt the competitiveness of U.S. businesses and create unnecessary burden to track individual employees’ work years before their work products would be available on the market."
The National Foreign Trade Council wrote that BIS should be aware that transmitters could be imported that could be used in a car, or in a home stereo system. "In either case, the involvement of PRC and/or Russian nationals in the development of source code and the development of firmware (including over-the-air updates that have not yet occurred) are almost unknowable to the level of certainty that seems to be envisioned by the Declaration of Conformity," they wrote, referring to the People's Republic of China.
Like Ford and Cummins, NFTC asked that American firms' subsidiaries not be covered.
It said one of the most important questions is: "How will the U.S. government address the leakage of ICTS-controlled items described in this proposed rule into the U.S. market, whether intentionally or unintentionally? What mechanisms are being set up to detect this, and how will this be enforced?"
The Semiconductor Industry Association noted that microelectronics components in connected vehicle systems could be used in infotainment, vehicle charging or products that will be exported.
Qualcomm wrote that the proposed rule could harm the safety of U.S. cars, and damage innovation.
The chip company makes telematics units and components covered by the rule.
It suggested that Commerce provide pre-clearance of hardware and software early in vehicles' development lifecycles.
Like many commenters, it asked that software developed before the rule goes into effect not be covered, but said if it has to be, software with links to China or Russia should be allowed with "appropriate mitigating security controls."
"Qualcomm recommends that BIS clarify or otherwise adjust certain key terms in the Proposed Rule to help prevent any final rule from being overbroad or ambiguous. To that end, Qualcomm recommends that BIS (1) clarify and refine the scope of “covered software”; (2) exclude embedded software in the same manner that “firmware” is excluded under the Proposed Rule; and (3) narrow the definition of 'foreign interest.'"
"BIS relies upon an inaccurate “simplifying assumption” of the provenance of relevant components. That assumption is simply incorrect. This flawed analysis, in turn, leads to a significant understatement of the costs of disruption the Proposed Rule would cause as drafted. Once fully and accurately considered, these costs make clear the importance of making the targeted amendments Qualcomm proposes in any final rule."
The Coalition for a Prosperous America argued for a broader rule, covering cameras, radar, lidar, Time of Flight (TOFL) internal sensors, ultrasonic sensors, and microphones.
Chargepoint asked that these restrictions be extended to charging infrastructure.
The Coalition for Safe and Secure Technology also asked for broader coverage, including that lidar and firmware for sensors fall in the scope. It noted that BIS said in its last refinement of the rule that commenters disagreed on how vulnerable lidar is. The Coalition said a malfunctioning Lidar system will shut down autonomous driving capability. It asked BIS to "Include perception software developed by lidar companies in the scope of its upcoming rulemaking, given that the software performs [Advanced Design Systems] ADS functions, including object detection and classification, which are covered under the definition of ADS software in the proposed NPRM, and because multiple global OEMs integrate this software developed by lidar manufacturers directly into their ADS.
"Many American autonomous vehicle companies have chosen to integrate lidar technology from China into their vehicles," the group wrote. But, it argued, there is a strong supply of lidar from Europe and the U.S.
Mexico told Commerce that it believes such a rule would be inconsistent with U.S. commitments in USMCA.
It said Mexico's "automotive sector will face disruptions in supply chains from China, as auto parts and components integrated into vehicles -- given that assembly is a predominant activity in our country -- could impact economic growth within this sector," and it would raise costs.
The China Chamber of Commerce for Import and Export of Machinery and Electronic Products said it was shocked by the rule and said it is "not conducive to the development and progress of related technologies."
It said the U.S. cannot achieve its goal of "absolute security," and its restrictions would "forcibly sever" trade.
"CCCME urges the US to abandon the Cold War mentality in a pragmatic and cooperative spirit, work together with most countries in the world to promote the development of connected vehicle VCS and autonomous driving ADS technology," the group wrote.