RIN 0694-AJ56 Connected Vehicles

Connected Vehicle Supply Chain Rule Compliance Requirements

OMB: 0694-0145

Federal Register / Vol. 89, No. 42 / Friday, March 1, 2024 / Proposed Rules

to amend the current version of that
order, FAA Order JO 7400.11H, dated
August 11, 2023, and effective
September 15, 2023. These updates
would be published subsequently in the
next update to FAA Order JO 7400.11.
That order is publicly available as listed
in the ADDRESSES section of this
document.
FAA Order JO 7400.11H lists Class A,
B, C, D, and E airspace areas, air traffic
service routes, and reporting points.
The Proposal
The FAA is proposing to amend 14
CFR part 71 by establishing Class E
airspace extending upward from 700
feet above the surface to within a 6.4-mile radius of The Sigurd Anderson
Airport, Webster, SD.
The FAA is proposing this action due
to the development of new public
instrument procedures at this airport
and to support IFR operations.
Regulatory Notices and Analyses
The FAA has determined that this
proposed regulation only involves an
established body of technical
regulations for which frequent and
routine amendments are necessary to
keep them operationally current. It,
therefore: (1) is not a ‘‘significant
regulatory action’’ under Executive
Order 12866; (2) is not a ‘‘significant
rule’’ under DOT Regulatory Policies
and Procedures (44 FR 11034; February
26, 1979); and (3) does not warrant
preparation of a regulatory evaluation as
the anticipated impact is so minimal.
Since this is a routine matter that will
only affect air traffic procedures and air
navigation, it is certified that this
proposed rule, when promulgated, will
not have a significant economic impact
on a substantial number of small entities
under the criteria of the Regulatory
Flexibility Act.
Environmental Review
This proposal will be subject to an
environmental analysis in accordance
with FAA Order 1050.1F,
‘‘Environmental Impacts: Policies and
Procedures’’ prior to any FAA final
regulatory action.
List of Subjects in 14 CFR Part 71
Airspace, Incorporation by reference,
Navigation (air).
The Proposed Amendment
In consideration of the foregoing, the
Federal Aviation Administration
proposes to amend 14 CFR part 71 as
follows:
PART 71—DESIGNATION OF CLASS A,
B, C, D, AND E AIRSPACE AREAS; AIR
TRAFFIC SERVICE ROUTES; AND
REPORTING POINTS
■ 1. The authority citation for 14 CFR
part 71 continues to read as follows:
Authority: 49 U.S.C. 106(f), 106(g); 40103,
40113, 40120; E.O. 10854, 24 FR 9565, 3 CFR,
1959–1963 Comp., p. 389.
§ 71.1 [Amended]
■ 2. The incorporation by reference in
14 CFR 71.1 of FAA Order JO 7400.11H,
Airspace Designations and Reporting
Points, dated August 11, 2023, and
effective September 15, 2023, is
amended as follows:
Paragraph 6005 Class E Airspace Areas
Extending Upward From 700 Feet or More
Above the Surface of the Earth.
* * * * *
AGL SD E5 Webster, SD [Establish]
The Sigurd Anderson Airport, SD
(Lat 45°17′35″ N, long 94°30′49″ W)
That airspace extending upward from 700
feet above the surface within a 6.4-mile
radius of The Sigurd Anderson Airport.
* * * * *
Issued in Fort Worth, Texas, on February
27, 2024.
Martin A. Skinner,
Acting Manager, Operations Support Group,
ATO Central Service Center.
[FR Doc. 2024–04317 Filed 2–29–24; 8:45 am]
BILLING CODE 4910–13–P

DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR Part 7
[Docket No. 240227–0060]
RIN 0694–AJ56
Securing the Information and
Communications Technology and
Services Supply Chain: Connected
Vehicles
AGENCY: Bureau of Industry and
Security, U.S. Department of Commerce.
ACTION: Advance notice of proposed
rulemaking.
SUMMARY: In this advance notice of
proposed rulemaking (ANPRM), the
Department of Commerce’s
(Department) Bureau of Industry and
Security (BIS) seeks public comment on
issues and questions related to
transactions involving information and
communications technology and
services (ICTS) that are designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
foreign countries or foreign non-government persons identified in the
Department’s regulations, pursuant to
the Executive Order (E.O.) entitled
‘‘Securing the Information and
Communications Technology and
Services Supply Chain,’’ and that are
integral to connected vehicles (CVs), as
defined herein. This ANPRM will assist
BIS in determining the technologies and
market participants that may be most
appropriate for regulation pursuant to
the E.O.
DATES: Comments must be received on
or before April 30, 2024.
ADDRESSES: All comments must be
submitted by one of the following
methods:
• The Federal eRulemaking Portal:
https://www.regulations.gov at docket
number BIS–2024–0005.
• Email directly to: connected
[email protected]. Include ‘‘RIN
0694–AJ56’’ in the subject line.
• Instructions: Comments sent by any
other method, to any other address or
individual, or received after the end of
the comment period, may not be
considered. For those seeking to submit
confidential business information (CBI),
please clearly mark such submissions as
CBI and submit by email, as instructed
above. Each CBI submission must also
contain a summary of the CBI, clearly
marked as public, in sufficient detail to
permit a reasonable understanding of
the substance of the information for
public consumption. Such summary
information will be posted on
regulations.gov.
FOR FURTHER INFORMATION CONTACT:
Marc Coldiron, U.S. Department of
Commerce, telephone: 202–482–3678.
For media inquiries: Jeremy Horan,
Office of Congressional and Public
Affairs, Bureau of Industry and Security,
U.S. Department of Commerce: OCPA@bis.doc.gov.
SUPPLEMENTARY INFORMATION:
I. Authorities
On May 15, 2019, the President issued
E.O. 13873, ‘‘Securing the Information
and Communications Technology and
Services Supply Chain,’’ pursuant to the
President’s authority under the
Constitution and the laws of the United
States, including the International
Emergency Economic Powers Act
(IEEPA), the National Emergencies Act
(50 U.S.C. 1601, et seq.), and Section
301 of Title 3, United States Code. E.O.
13873 declares a national emergency
regarding the ICTS supply chain,
finding that ‘‘the unrestricted
acquisition or use in the United States
of information and communications
technology or services designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
foreign adversaries augments the ability
of foreign adversaries to create and
exploit vulnerabilities in information
and communications technology or
services, with potentially catastrophic
effects, and thereby constitutes an
unusual and extraordinary threat to the
national security, foreign policy, and
economy of the United States.’’ The E.O.
further notes that ‘‘[t]his threat exists
both in the case of individual
acquisitions or uses of such technology
or services, and when acquisitions or
uses of such technologies are considered
as a class.’’
In accordance with the National
Emergencies Act, the President has
declared each year since E.O. 13873 was
published that the national emergency
continues in effect. Continuation of the
National Emergency With Respect to
Securing the Information and
Communications Technology and
Services Supply Chain, 85 FR 29321
(May 14, 2020); Continuation of the
National Emergency With Respect to
Securing the Information and
Communications Technology and
Services Supply Chain, 86 FR 26339
(May 13, 2021); Continuation of the
National Emergency With Respect to
Securing the Information and
Communications Technology and
Services Supply Chain, 87 FR 29645
(May 13, 2022); Continuation of the
National Emergency With Respect to
Securing the Information and
Communications Technology and
Services Supply Chain, 88 FR 30635
(May 11, 2023).
To address identified risks to national
security from ICTS transactions, E.O.
13873 grants the Secretary of Commerce
(Secretary) (in consultation with other
agency heads identified in the E.O.) the
authority to review and, if necessary,
impose mitigation measures on or
prohibit any ICTS transaction, which
includes any acquisition, importation,
transfer, installation, dealing in, or use
of any ICTS by any person, or with
respect to any property, subject to
United States jurisdiction, when the
transaction involves any property in
which a foreign country or national has
any interest. In order to require
mitigation for or to prohibit an ICTS
transaction or class of transactions, the
Secretary, in consultation with other
agency heads, must first determine that
the ICTS transaction or class of
transactions at issue: (1) involves ICTS
designed, developed, manufactured, or
supplied by persons owned by,
controlled by, or subject to the
jurisdiction or direction of a foreign
adversary, which the E.O. defines as
‘‘any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of
conduct significantly adverse to the
national security of the United States or
security and safety of United States
persons;’’ and (2) poses:
A. an undue risk of sabotage to or
subversion of the design, integrity,
manufacturing, production, distribution,
installation, operation, or maintenance
of information and communications
technology or services in the United
States;
B. an undue risk of catastrophic
effects on the security or resiliency of
United States critical infrastructure or
the digital economy of the United
States; or
C. otherwise poses an unacceptable
risk to the national security of the
United States or the security and safety
of United States persons.
These factors are collectively referred
to as ‘‘undue or unacceptable risks.’’
E.O. 13873 additionally provides the
Secretary with the authority to issue
rules establishing criteria by which
particular technologies or market
participants may be categorically
included in or categorically excluded
from prohibitions established pursuant
to the E.O. To date, the Department has
not pursued or used this authority to
regulate ICTS transactions on a
category- or class-wide basis.
Furthermore, E.O. 13873 grants the
Secretary the authority to identify a
mechanism and relevant factors for the
negotiation of mitigation measures that
would allow approval of an otherwise
prohibited transaction.
II. Background
a. Purpose
Pursuant to the authority delegated to
the Secretary under E.O. 13873, BIS is
considering proposing rules that would
prohibit certain ICTS transactions or
classes of ICTS transactions by or with
persons who design, develop,
manufacture, or supply ICTS integral to
CVs and are owned by, controlled by, or
subject to the jurisdiction or direction of
foreign governments or foreign non-government persons identified at 15
CFR 7.4 (hereinafter referred to as ‘‘15
CFR 7.4 entities’’). BIS is also
considering proposing measures that
would allow market participants to
engage in otherwise prohibited
transactions or classes of transactions if
the undue or unacceptable risks of those
ICTS transactions can be sufficiently
mitigated using measures that are
monitorable.
The purpose of this ANPRM is to
gather information to support BIS’s
potential development of a rule
regarding ICTS integral to CVs. In
particular, BIS seeks public input on
certain definitions and its assessment of
how a class of transactions involving
ICTS integral to CVs, when designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
a 15 CFR 7.4 entity, could present
undue or unacceptable risks to U.S.
national security. These include risks
related to threats from 15 CFR 7.4
entities, capabilities of CVs that may
increase the likelihood of
vulnerabilities, and consequences to
U.S. persons and critical infrastructure
if these vulnerabilities are exploited or
intentionally inserted by 15 CFR 7.4
entities. BIS solicits input on the ICTS
most integral to CVs and most
vulnerable to compromise, as well as
input on mechanisms to address
identified risks through potential
design, implementation standards and
protocols, manufacturing integrity
protection systems and procedures, or
prohibitions.
BIS recognizes the benefits of CV
technologies and does not imply
through this ANPRM that technologies
such as vehicle-to-everything (V2X)
communications are generally unsafe for
use in the United States. Indeed, these
new vehicles often provide safer, more
fuel-efficient travel. However, E.O.
13873 is focused on risks that ICTS
transactions might present to national
security. Therefore, this ANPRM, which
is being issued pursuant to the
authorities granted under E.O. 13873,
seeks public comment on potential
means to narrowly address involvement
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
15 CFR 7.4 entities in the design,
development, manufacture, or supply of
ICTS integral to CVs where that
involvement may create undue or
unacceptable risk to U.S. national
security.
Additionally, BIS seeks comment on
whether to create a process for the
public to request approval to engage in
an otherwise prohibited transaction by
demonstrating that a particular
transaction adequately addresses the
risk to U.S. national security. BIS
encourages public feedback to help
inform the rulemaking process,
particularly regarding transactions
where ICTS supply chains may be
impacted by any proposed rule.
b. Definitions
As an initial matter, BIS is interested
in receiving comments on the applicable
definition for connected vehicle or CV
within the context of transactions
involving ICTS incorporated into such
vehicles. BIS could define a connected
vehicle as an automotive vehicle that
integrates onboard networked hardware
with automotive software systems to
communicate via dedicated short-range
communication, cellular
telecommunications connectivity,
satellite communication, or other
wireless spectrum connectivity with any
other network or device. Such a
definition would likely include
automotive vehicles, whether personal
or commercial, capable of global
navigation satellite system (GNSS)
communication for geolocation;
communication with intelligent
transportation systems; remote access or
control; wireless software or firmware
updates; or on-device roadside
assistance.
CVs also integrate hardware that
enables connectivity within the vehicle
and/or external connectivity with
devices, networks, applications, and
services outside the vehicle. CV safety
applications are designed to increase
situational awareness and reduce traffic
accidents through vehicle-to-vehicle
(V2V), vehicle-to-infrastructure (V2I),
and increasingly, V2X communications,
as contemplated in a series of
Department of Transportation
workshops focusing on V2X
communications titled ‘‘Saving Lives
with Connectivity.’’ See Bill Canis,
Cong. Research Serv., R46398, Motor
Vehicle Safety: Issues for Congress 8
(2021), https://sgp.fas.org/crs/misc/R46398.pdf;
U.S. Dep’t of Transp., ITS
V2X Communications Summit (2023),
https://www.its.dot.gov/research_areas/emerging_tech/htm/ITS_V2X_CommunicationSummit.htm.
BIS arrived at this definition by
reviewing existing definitions for
connected vehicles from trade
associations and leading research
publications including the Connected
Vehicle Reference Implementation
Architecture, U.S. Department of
Transportation’s Intelligent
Transportation Systems Joint Program
Office, Institute of Electrical and
Electronics Engineers research, and
Society of Automotive Engineers
standards.
Various terms exist across industry
and the U.S. Government to refer to
vehicles that exhibit the connected
features explained above. In addition to
input on the term connected vehicle,
BIS is seeking comment on alternative
terminology that might better
correspond to the definition of
connected vehicle discussed above.
Such terminology could include
‘‘networked vehicles,’’ ‘‘intelligent
connected vehicles,’’ ‘‘software-defined
vehicles,’’ or ‘‘connected autonomous
vehicles.’’
This ANPRM seeks comment on the
definitions to use for a rule regarding
transactions involving ICTS integral to
CVs, and specifically:
1. In what ways, if any, should BIS
elaborate on or amend the potential
definition of connected vehicle stated
above? If amended, how will the revised
definition enable BIS to better address
national security risks arising from
classes of transactions involving ICTS
integral to CVs?
2. Is the term connected vehicles
broad enough to include autonomous
vehicles and related equipment, electric
vehicles, or other alternative power
sources and related technologies? Does
a better term exist to describe the
broader scope?
3. Are there other commonly used
definitions for CVs that BIS should
consider when defining a class of ICTS
transactions, including definitions from
industry, civil society, and foreign
entities? If so, why would those
definitions be more appropriate for the
purposes of a rule?
c. Risks Associated With Connected
Vehicles
The automotive industry is constantly
undergoing innovation and change, and
as communications and broadband
technology advance, so do the
technologies used in automobiles.
Particularly relevant for the purposes of
this ANPRM, new technology has fueled
a rise in interconnectivity and
autonomous capabilities in new
vehicles. An automobile’s value is no
longer determined only by the engine,
steering system, and other traditional
automotive parts. Increasingly, an
automobile is a compilation of on-board
computers; sensors; cameras; batteries;
and various other categories of ICTS
software or hardware tied together
through automotive software systems.
Over time, vehicle connections to the
internet will evolve even further and
new communication technology will
advance vehicle capabilities. These
technological advances will continue to
rely on significant data collection not
only about the vehicle and its myriad
components, but also the driver, the
occupants, the vehicle’s surroundings,
and nearby infrastructure. Moreover,
CVs allow for information to be gathered
and shared to address both individual
and societal transportation needs. These
technologies may expose the vehicles,
and the sectors they support, to new
cyber-enabled attack vectors and
vulnerabilities, with the potential to
create novel and potentially profound
risks to national security and public
safety. Cyber-enabled vulnerabilities can
be exacerbated if the ICTS integral to
CVs is designed, developed,
manufactured, or supplied, by persons
owned by, controlled by, or subject to
the jurisdiction or direction of a 15 CFR
7.4 entity.
i. Threat From 15 CFR 7.4 Entities
E.O. 13873 defines the term ‘‘foreign
adversary’’ to mean any foreign
government or foreign non-government
person engaged in a long-term pattern or
serious instances of conduct
significantly adverse to the national
security of the United States or security
and safety of U.S. persons. In the rules
implementing the E.O. at 15 CFR 7.4(a),
the Secretary has identified the
following as foreign adversaries: the
People’s Republic of China, including
the Hong Kong Special Administrative
Region (PRC); Republic of Cuba; Islamic
Republic of Iran; Democratic People’s
Republic of Korea; Russian Federation;
and Venezuelan politician Nicolás
Maduro (Maduro Regime).
The incorporation of ICTS products
and services used in the United States
from persons owned by, controlled by,
or subject to the jurisdiction or direction
of 15 CFR 7.4 entities can offer
entry point to sensitive U.S. technology
and data and bypass measures intended
to protect U.S. persons’ safety and
security. This may allow actors with
insider access to gain entry to the
systems the ICTS connects to and
ultimately engage in malicious cyber
activity. Consequently, this exploitation
may result in undue risks to ICTS and
critical infrastructure in the United
States and unacceptable risks to
national security.
The PRC presents a particularly acute
and persistent threat to the United
States ICTS supply chain. According to
the Office of the Director of National
Intelligence, the PRC likely represents
the broadest, most active, and persistent
cyber espionage threat to U.S.
Government and private-sector
networks. See Off. Of the Director of
Nat’l Intelligence, Annual Threat
Assessment of the U.S. Intelligence
Community 10 (2023), https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf.
The PRC is almost certainly
capable of launching cyber-attacks that
could disrupt critical infrastructure
services within the United States and
has conducted cyber espionage
operations that have compromised
telecommunications firms, providers of
managed services, and broadly used
software. Id. at 10. In short, the PRC has
engaged in a pattern of hacking and
cyber intrusion that demonstrates the
PRC’s intent to compromise and exploit
U.S. ICTS supply chains and critical
infrastructure, threatening U.S. national
security.
The PRC’s legal structure also gives
broad authority to the state to co-opt
private companies to pursue its
objectives. A host of laws give the PRC
government the authority to compel
companies located in the PRC,
including automakers and their
suppliers, to cooperate with PRC
intelligence and security services. The
PRC’s 2021 Data Security Law, for
example, makes all private data
available to the PRC state when it is
needed for ‘‘national security.’’ See
National People’s Congress, Data
Security Law of the People’s Republic of
China, Art. 35, http://www.npc.gov.cn/englishnpc/c2759/c23934/202112/t20211209_385109.html.
The PRC’s
2017 National Intelligence Law imposes
affirmative obligations on entities and
persons subject to the PRC’s jurisdiction
to cooperate with intelligence
agencies—Article 17 allows PRC
intelligence officials to take control of a
private organization’s facilities,
including its communications
equipment. See National People’s
Congress, National Intelligence Law (as
amended, 2018), http://www.npc.gov.cn/npc/c2/c30834/201905/t20190521_281475.html.
The
PRC’s 2015 National Security Law
obliges citizens and private companies
to provide security and military
agencies with all ‘‘necessary support
and assistance.’’ See State Council of the
People’s Republic of China, National
Security Law, Art. 77(5), https://www.gov.cn/zhengce/2015-07/01/content_2893902.htm.
Beyond legal
obligations, companies established in
the PRC may be required to create
internal Chinese Communist Party
(CCP) committees that can exercise
influence over corporate decisions. See
National People’s Congress, Company
Law of the People’s Republic of China,
Art. 19, https://www.npc.gov.cn/zgrdw/npc/xinwen/2018-11/05/content_2065671.htm.
The combination of legal authorities
and opaque CCP influence make private
companies that are subject to the PRC’s
jurisdiction susceptible to requests from
intelligence and military officials. PRC
officials can compel PRC firms to
provide the PRC government with data,
logical access, encryption keys, and
other vital technical information, as
well as to install backdoors or bugs in
equipment which create security flaws
easily exploitable by PRC authorities.
U.S. Dep’t of Homeland Security, Data
Security Business Advisory: Risks and
Considerations for Businesses Using
Data Services and Equipment from
Firms Linked to the Peoples Republic of
China 2 (2020), https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf.
Original equipment
manufacturers (OEMs) for vehicles in
the PRC, due to the vast amounts of data
generated by their products, are notable
targets for government access.
According to open-source reporting,
over 200 automakers that operate in the
PRC are legally obligated to transmit
real-time vehicle data, including
geolocation information, to government
monitoring centers. See Erika Kinetz, In
China Your Car Could Be Talking To
The Government, Associated Press
News (Nov. 29, 2018), https://apnews.com/article/4a749a4211904784826b45e812cff4ca.
This pervasive data
sharing, which provides the PRC
government with detailed information
on the behaviors and habits of
individuals, is indicative of a broader
approach to co-opting private
companies—one that raises significant
concerns about how the PRC
government might exploit the growing
presence of PRC OEMs and
manufacturers of ICTS integral to CVs in
foreign markets. The combination of
these factors uniquely elevates BIS’s
concern regarding PRC participation in
the ICTS supply chain for CVs in the
United States.
BIS seeks to better understand the role
of persons owned by, controlled by, or
subject to the jurisdiction or direction of
15 CFR 7.4 entities, particularly the
PRC, in the ICTS supply chain for CVs,
and the leverage these entities might
exert as a result. In particular, the
ANPRM seeks comments on the
following issues:
4. Please describe the ICTS supply
chain for CVs in the United States.
Particularly useful responses may
include information regarding:
a. categories of ICTS, such as software
or hardware, that are integral to CVs
operating in the United States;
b. market leaders for each distinct
phase of the supply chain for ICTS
integral to CVs (such as design,
development, manufacturing, or supply)
including, but not limited to: OEMs, tier
one, tier two, and tier three suppliers,
and service providers;
c. geographic locations where
software (such as the vehicle operating
system), hardware (such as light
detection and ranging (LiDAR) sensors),
or other ICTS components integral to
CVs in use in the United States are
designed, developed, manufactured, or
supplied;
d. involvement in any sector or sub-sector of the U.S. ICTS supply chain for
CVs by persons owned by, controlled
by, or subject to the jurisdiction or
direction of a 15 CFR 7.4 entity; and
e. geographic locations where data
from CVs in use in the United States is
transmitted, stored, or analyzed.
5. Are there ICTS integral to CVs for
which persons owned by, controlled by,
or subject to the jurisdiction or direction
of a 15 CFR 7.4 entity are sole source
suppliers? To what extent do OEMs of
CVs in use in the United States rely
upon suppliers wholly or partially
owned by a company based in or under
the control of a 15 CFR 7.4 entity?
6. In what ICTS hardware or software
for CVs do persons owned by,
controlled by, or subject to the
jurisdiction or direction of a 15 CFR 7.4
entity maintain a technological
advantage over U.S. and other foreign
counterparts and how may this dynamic
evolve in the coming years?
7. How, and to what degree, does CV
automotive software connect to GNSS
systems that are designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of a 15 CFR
7.4 entity for geolocation and other
functions?
8. How might a disruption to the
supply of ICTS components for CVs in
use in the United States, including
hardware and software, from persons
owned by, controlled by, or subject to
the jurisdiction or direction of a 15 CFR
7.4 entity affect OEMs of CVs in use in
the United States and ICTS suppliers?
Where possible, please specify which
disruptions to component supply would
be particularly detrimental.
9. To what extent can OEMs procure
alternative sources of ICTS integral to
CVs that do not constitute ICTS from
persons owned by, controlled by, or
subject to the jurisdiction or direction of
15 CFR 7.4 entities?
10. Please describe the relationship
between OEMs of CVs in use in the
United States and their ICTS suppliers.
Particularly useful responses may
include the type of information that is
shared between OEMs of CVs in use in
the United States and their ICTS
suppliers in the normal course of
business, how this information is
shared, what access or administrative
privileges are typically granted, and if
suppliers have any capability for remote
access or ability to provide firmware or
software updates.
11. What risks might be posed by
aftermarket ICTS integrated onboard
CVs and interfaced with vehicle
systems, such as tracking devices,
cameras, and wireless-enabled
diagnostic interfaces? Should
aftermarket automotive systems or
components be considered integral to
CV operation?
12. To what extent are ICTS
components of CVs designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
a 15 CFR 7.4 entity present in critical
infrastructure sectors? Are there
instances of municipal, state, or federal
funding for procurement of such 15 CFR
7.4 entities’ ICTS integral to CVs for use
in critical infrastructure sectors?
13. What other instances exist where
persons owned by, controlled by, or
subject to the jurisdiction or direction of
a 15 CFR 7.4 entity, are integrated into
the ICTS supply chain for CVs?
ii. Capabilities of Connected Vehicles
May Increase the Likelihood of
Vulnerabilities 15 CFR 7.4 Entities
Could Exploit
CVs and the components that enable
their functionality present opportunities
for exploitation by 15 CFR 7.4 entities
via insider access, which could
potentially result in severe
consequences to U.S. persons and
critical infrastructure. Increasing the
number and scope of wireless connected
components in a vehicle also increases
the attack surfaces through which a
malicious actor can gain initial entry. As
CVs gain new and different connectivity
capabilities, design, implementation,
and operational protocols need to be
added to address new attack surfaces
and maintain the confidentiality,
integrity, and availability of the data
that traverse any one functional system.
As demonstrated in controlled
environments, attack vectors can be
exploited and may provide access to
other functional systems within a CV.
Moreover, once one subsystem has been
compromised, depending on the nature
of the vulnerability and the design of
the vehicle network architecture, the
attacker might have the ability to move
laterally and eventually gain access to
other functional automotive systems.
While integrated functionality may
provide seamless communication,
comfort, and operability for the
consumer, it is possible that
unauthorized remote access to a
particular sensor system could be
escalated to vehicle systems and
operations, potentially resulting in
injury, loss of life, and disruption to
critical infrastructure networks.
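The paragraph above turns on vehicle network architecture: whether a foothold in one subsystem can reach another. The following is an added example, not code from the ANPRM or from any vehicle program, of the control that decides that. It models a central gateway with a default-deny allow-list keyed on source domain, destination domain and message identifier; any frame not explicitly permitted, or larger than the rule allows, is dropped and recorded so the attempt can be reported. The domain names, message identifiers and policy rules are constructed for the example.

```go
package main

import "fmt"

// Domain names a vehicle network segment behind the central gateway.
// The domains, message IDs and rules in this file are constructed for
// the example and are not taken from any real vehicle architecture.
type Domain string

const (
	Telematics   Domain = "telematics"   // cellular / V2X-facing unit
	Infotainment Domain = "infotainment" // head unit, phone pairing
	Chassis      Domain = "chassis"      // brakes, steering
	Powertrain   Domain = "powertrain"   // engine, battery management
)

// Frame is a simplified bus message as the gateway sees it.
type Frame struct {
	Src Domain
	Dst Domain
	ID  uint32 // message identifier (CAN-style arbitration ID)
	Len int    // payload length in bytes
}

// Rule permits one (Src, Dst, ID) tuple up to a maximum payload length.
type Rule struct {
	Src, Dst Domain
	ID       uint32
	MaxLen   int
}

type key struct {
	Src, Dst Domain
	ID       uint32
}

// Gateway is a default-deny filter: a frame crosses between domains only
// if an explicit rule allows it. Rejected frames are retained so the
// vehicle can report an attempted lateral move.
type Gateway struct {
	allow  map[key]int // allowed tuple -> maximum payload length
	Denied []Frame
}

func NewGateway(rules []Rule) *Gateway {
	g := &Gateway{allow: make(map[key]int)}
	for _, r := range rules {
		g.allow[key{r.Src, r.Dst, r.ID}] = r.MaxLen
	}
	return g
}

// Forward reports whether f may be forwarded from f.Src to f.Dst.
// Rules are directional, so an allowed (A -> B, ID) says nothing
// about (B -> A, ID).
func (g *Gateway) Forward(f Frame) bool {
	maxLen, ok := g.allow[key{f.Src, f.Dst, f.ID}]
	if !ok || f.Len > maxLen {
		g.Denied = append(g.Denied, f)
		return false
	}
	return true
}

// DefaultPolicy is the constructed example policy: the externally facing
// domains exchange only a few non-safety messages, the powertrain
// publishes display data outward, and nothing outside the chassis domain
// may originate a brake/torque coordination message.
func DefaultPolicy() []Rule {
	return []Rule{
		{Telematics, Infotainment, 0x300, 8}, // navigation update
		{Infotainment, Telematics, 0x301, 8}, // streaming request
		{Powertrain, Infotainment, 0x410, 8}, // battery state for display
		{Chassis, Powertrain, 0x120, 8},      // brake/torque coordination
	}
}

func main() {
	g := NewGateway(DefaultPolicy())
	frames := []Frame{
		{Telematics, Infotainment, 0x300, 8},  // legitimate
		{Telematics, Chassis, 0x120, 8},       // foothold in telematics reaching for the chassis
		{Telematics, Infotainment, 0x300, 64}, // allowed ID but oversized payload
	}
	for _, f := range frames {
		fmt.Printf("%-12s -> %-12s id=0x%03X len=%-2d allowed=%v\n",
			f.Src, f.Dst, f.ID, f.Len, g.Forward(f))
	}
	fmt.Printf("%d frame(s) denied\n", len(g.Denied))
}
```

The point of the default-deny shape is that a new feature in the telematics or infotainment domain gets no path to the chassis or powertrain domains unless someone writes a rule for it, and every rule is a reviewable line in the policy rather than an implicit property of the bus topology.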
Preliminarily, BIS has identified the
following capabilities associated with
CVs that may increase the likelihood of
vulnerabilities that 15 CFR 7.4 entities
could exploit:
Data Collection: CVs rely on the
collection and integration of broad and
varied data to improve the vehicle’s
functionality and safety. This data,
which can encompass vehicle-level data
(e.g., driver behavior, vehicle status,
geolocation, biometrics, driver mobile
phone data) and environmental-level
data (e.g., detailed mapping data, object
detection, traffic patterns), are extracted
through various onboard systems and
sensors. The Advanced Driver-Assistance System (ADAS) of a CV, for
example, typically relies on a
combination of sensors—radar, LiDAR,
ultrasonic, audio, and video—that are
constantly collecting and processing
data. CVs now collect data inside the
cockpit as well. Consumer and
commercial CVs increasingly
incorporate driver monitoring systems
(DMS) to ensure the driver remains alert
and fully able to take control of the car
should autonomous systems fail, and to
ensure commercial truck drivers remain
on schedule. More sophisticated DMS
featuring driver-facing cameras—
including eye tracking, facial
recognition, and microphones—collect
potentially sensitive information about
drivers and passengers. This increases
the sensitivity of the data that CVs
collect, potentially providing 15 CFR 7.4
entities with access to biometric
information in addition to
environmental data.
Connectivity: CVs are connected to
and can communicate with a range of
external sources, including the OEM
and third-party service providers, as
well as in-car devices like smart phones.
In an increasing subset of vehicles,
telematics systems connect the vehicle
with cloud-based services to provide
onboard systems with external data
streams (e.g., geolocation, streaming
service, assistance service, emergency
notification) and underlie many of a
CV’s core functionalities. V2X systems,
when widely implemented, will support
the broadcast and reception of messages
that enable safety alerts and mobility
advisories. Providing broadcast (radio)
communication capabilities that
facilitate driver assistance
may open cybersecurity vectors that
need to be addressed to ensure
broadcast message integrity and
authenticity through design, standards,
implementation and manufacturing
protocols, and to prevent possible
message and transmission misbehavior.
Further, interconnectivity in the
software or hardware components may
amplify risks posed by ICTS integral to
CVs that are designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of a 15 CFR
7.4 entity. For example, OEMs enable
communication with their vehicle after
sale even when a customer does not
subscribe to services, including by
providing software updates and
refinements, as well as by enabling or
disabling subscription-based features.
This access by the OEM to the CV
provides numerous opportunities for 15
CFR 7.4 entities that own, control, or
have the ability to exert jurisdiction or
direction over the OEM, to insert
vulnerabilities allowing for future
backdoor attacks and other malicious
behavior. Additionally, individually
connected components and sensors are
capable of transmitting data separately
from the vehicle’s broader
communications suite, including
receiving over the air (OTA) updates
without the knowledge or consent of the
vehicle owner or OEM. BIS seeks to
better understand the capabilities
associated with technical trends—both
current and future—in CV design and
the ICTS components therein. In
particular, the ANPRM seeks further
comment on the following:
14. What is the full scope of data
collection capabilities in CVs and the
aggregation and scale of data that CVs
could collect on U.S. persons, entities,
geography, and infrastructure? Who has
authorized access to, or control of, data
collected by CVs?
15. What types of remote access or
control do OEMs have over their CVs?
Please describe what software or other
mechanisms allow for such remote
access or control by the OEM to occur.
16. What cybersecurity concerns may
arise from linkages between sensors in
CVs? To what extent can individual
sensors and components communicate
OTA independently from the CV’s
Operating System (OS)?
17. What standards, best practices,
and industry norms are used to secure
the interconnection between vehicles
and charging infrastructure? How are
battery management systems (BMS)
integrated into a vehicle’s automotive
software systems, and how are they
protected from malware?
18. How do manufacturers
supplement existing cybersecurity
standards and best practices such as the
National Highway Traffic Safety
Administration’s Cybersecurity Best
Practices for the Safety of Modern
Vehicles at each step of the CV supply
chain, including design, manufacturing,
and operation?
a. Particularly useful responses will
be specific about the types of programs
and practices used such as test and
verification, bug bounties, white hat
programs, or end-to-end encryption to
secure the link between vehicle and
server. See Nat’l Highway Traffic Safety
Admin., Cybersecurity Best Practices for
the Safety of Modern Vehicles (2022),
https://www.nhtsa.gov/sites/nhtsa.gov/files/2022-09/cybersecurity-best-practices-safety-modern-vehicles-2022-tag.pdf;
see also Cybersecurity and
Infrastructure Security Agency,
Autonomous Ground Vehicle Security
Guide: Transportation Systems Sector
(2021), https://www.cisa.gov/resources-tools/resources/autonomous-ground-vehicle-security-guide.
19. Please describe the automotive
software development cycle. BIS is
particularly interested in learning:
a. The degree to which OEMs license
software, as opposed to developing it
internally;
b. The extent to which software is
developed outside the United States
and, if so, where;
c. What measures are taken to ensure
software security and integrity during
the development cycle;
d. If OEMs partner or co-develop
automotive software with any persons
owned by, controlled by, or subject to
the jurisdiction or direction of a 15 CFR
7.4 entity; and
e. The extent to which software that
is embedded in hardware (e.g.,
firmware) is subject to the development
cycle described above.
20. Please describe the relationship
between CV OEMs and cloud service
providers (CSPs). Particularly useful
responses may describe what access
privileges, controls, and remote
capabilities with respect to CV OEM
systems are afforded to the CSP.
Additionally, what are the common
shared responsibility models between a
CSP and a CV OEM and how are the
communication and systems protected?
21. How do CV OEMs verify the bill
of materials and software bill of
materials as authentic for vendors and
suppliers, specifically regarding OS,
telematic systems, ADAS, Automated
Driving Systems (ADS), satellite or
cellular telecommunication systems,
and BMS? If a software bill of materials
is required, to what extent does it
provide information regarding software
vulnerabilities, and how is this
information used, stored, and protected?
22. To what extent is software from
vendors and suppliers tested and
verified to comply with OEM
requirements?
23. What vendor-vetting and supply
chain security practices do OEMs
employ when procuring ICTS integral to
CVs?
iii. Consequences
The ability of a 15 CFR 7.4 entity to
compel private companies through
applicable legal frameworks, combined
with the exploitation of vulnerabilities
created by the increase in capabilities of
the ICTS integral to CVs, has the
potential to create severe and, in certain
instances, catastrophic consequences for
U.S. persons and critical infrastructure.
Through ICTS designed, developed,
manufactured, or supplied by persons
subject to the ownership, control,
jurisdiction, or direction of a 15 CFR 7.4
entity, the intelligence agencies of that
entity could obtain access to a wide
range of information from companies in
the CV ICTS supply chain to exfiltrate,
collect, and aggregate sensitive data on
U.S. persons. These data include
location, traffic patterns, audio and
video recordings of the inside and
outside of the car, as well as information
about the driver’s identity, finances,
contacts, and home address, which can
be collected by CVs themselves or by a
passenger’s mobile device connected to
a CV.
In addition, backdoors embedded in a
CV’s software could enable a 15 CFR 7.4
entity under certain conditions to obtain
control over various vehicle functions
that could include the ability to disable
the vehicle completely. A group of
researchers were able to demonstrate a
vulnerability in an OEM’s Bluetooth
software that allowed access to some
vehicle control systems, initiating
remote actions such as activating the
brakes and turning the steering wheel.
See Consumer Watchdog, Kill Switch:
Why Connected Cars Can Be Killing
Machines and How to Turn Them Off
37–40 (2019), https://consumerwatchdog.org/sites/default/files/2019-07/KILL%20SWITCH%20%207-29-19.pdf.
A similar ability in the hands of
a 15 CFR 7.4 entity that can control or
direct an OEM could allow that entity
to disable the controls on an individual
vehicle while it was being driven or to
sabotage entire fleets without having
physical access to the vehicles. Finally,
because of CVs’ connectivity, they could
be used to access multiple critical
infrastructure systems with which they
interact, including telecommunications
networks, transportation systems, and
the electrical grid. As CV technology
advances, vehicles and charging
infrastructure may increasingly
communicate with these systems to
manage traffic flows and grid load. As
such, the proliferation of CVs containing
vulnerable ICTS from persons owned
by, controlled by, or subject to the
jurisdiction or direction of a 15 CFR 7.4
entity could provide that entity with a
platform for launching distributed
denial of service attacks against
intelligent transportation systems,
satellite or cellular communications
hardware, or other critical
infrastructure. See Mohammad Ali
Sayed, et al., Electric Vehicle Attack
Impact on Power Grid Operation, 137
Int’l J. Electrical Power & Energy Sys.
107784 (2022), https://www.sciencedirect.com/science/article/abs/pii/S0142061521010048;
Numaan Huq, et al., Cybersecurity for
Connected Cars: Exploring Risks in 5G,
Cloud, and Other Connected
Technologies, Trend Micro Res. (2021),
https://documents.trendmicro.com/assets/white_papers/wp-cybersecurity-for-connected-cars-exploring-risks-in-5g-cloud-and-other-connected-technologies.pdf;
Anastasios
Giannaros, et al., Autonomous Vehicles:
Sophisticated Attacks, Safety Issues,
Challenges, Open Topics, Blockchain,
and Future Directions, 3 J. of
Cybersecurity and Privacy 493 (2023).
Given these threats, vulnerabilities, and
potential consequences, BIS is
considering identifying the following
automotive software systems as the
ICTS integral to CVs most likely to
present undue or unacceptable risks if
exploited by 15 CFR 7.4 entities: (i)
vehicle OS; (ii) telematics systems; (iii)
ADAS; (iv) ADS; (v) satellite or cellular
telecommunication systems; and (vi)
BMS.
As BIS considers whether and how to
regulate these software systems, it seeks
additional information, including:
24. Are there ICTS integral to CVs
other than those identified in this
ANPRM that could present material
risks if they were designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction of a 15 CFR 7.4 entity?
If so, please discuss how the ICTS could
be exploited to pose such a risk.
25. Of the ICTS integral to CVs
identified in this ANPRM, which
present the greatest risk to safety or
security if they are designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of a 15 CFR
7.4 entity?
26. As ADS systems evolve and
developers rely on cellular systems to
communicate with ADS-enabled
vehicles to support overall operational
capability (e.g., communications to a
fleet management office), what should
the U.S. government consider in order
to support the development of this
technology securely from 15 CFR 7.4
entity malign activity?
III. Additional Questions for Comment
This ANPRM seeks comment on
processes and mechanisms that BIS
could implement in a potential rule to
authorize an otherwise prohibited ICTS
transaction with the adoption of
mitigation measures.
Authorizations and Mitigations
27. In what instances would granting
a temporary authorization to engage in
an otherwise prohibited transaction
under a proposed rule be necessary and
in the interest of the United States to
avoid supply chain disruptions or other
unintended consequences?
28. What review criteria should BIS
implement when considering an
application for a temporary
authorization?
29. What specific standards,
mitigation measures, or cybersecurity
best practices should BIS consider when
evaluating the appropriateness of a
requested authorization?
30. Are there any U.S. government
models, such as the Office of Foreign
Assets Control’s sanctions programs or
the Export Administration Regulations,
that this program should consider
emulating in granting authorizations?
Economic Impact
31. What economic impacts to U.S.
businesses or the public, if any, might
be associated with the regulation of
ICTS integral to CVs contemplated by
this ANPRM? If responding from
outside the United States, what
economic impacts to local businesses
and the public, if any, might be
associated with regulations of ICTS
integral to CVs?
32. What, if any, anticompetitive
effects may result from regulation of
ICTS that is integral to CVs as
contemplated by this ANPRM? And
what, if anything, can be done to
mitigate the anticompetitive effects of
regulation of ICTS?
33. What types of U.S. businesses or
firms (e.g., small businesses) would
likely be most impacted by the program
contemplated in this ANPRM? If
responding from outside the United
States, what types of local businesses or
firms (e.g., small businesses) would
likely be most impacted by the program
contemplated in this ANPRM?
34. What actions can BIS take, or
provisions could it add to any proposed
regulations, to minimize potential costs
borne by U.S. businesses or the public?
If responding from outside the United
States, what actions can BIS take, or
what provisions could it add to any
proposed regulations, to minimize
potential costs borne by local businesses
or the public?
35. What new due diligence,
compliance, and recordkeeping controls
will U.S. persons anticipate needing to
undertake to comply with any proposed
regulations regarding ICTS integral to
CVs that are designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of 15 CFR
7.4 entities?
Elizabeth L.D. Cannon,
Executive Director, Office of Information and
Communications Technology and Services.
[FR Doc. 2024–04382 Filed 2–29–24; 8:45 am]
BILLING CODE 3510–33–P

FEDERAL TRADE COMMISSION
16 CFR Part 461
RIN 3084–AB71

Trade Regulation Rule on
Impersonation of Government and
Businesses
AGENCY: Federal Trade Commission.
ACTION: Supplemental notice of
proposed rulemaking; request for public
comment.
SUMMARY: The Federal Trade
Commission (FTC or Commission)
requests public comment on its proposal
to amend the trade regulation rule
entitled Rule on Impersonation of
Government and Businesses
(Impersonation Rule or Rule) to revise
the title of the Rule, add a prohibition
on the impersonation of individuals,
and extend liability for violations of the
Rule to parties who provide goods and
services with knowledge or reason to
know that those goods or services will
be used in impersonations of the kind
that are themselves unlawful under the
Rule. The Commission believes these
changes are necessary and such
impersonation is prevalent, based on all
comments it received on the Rule and
other information discussed in this
document. The Commission now
solicits written comment, data, and
arguments concerning the utility and
scope of the proposed revisions to the
Impersonation Rule.
DATES: Comments must be received on
or before April 30, 2024.
ADDRESSES: Interested parties may file a
comment online or on paper by
following the instructions in the
Comment Submissions part of the
SUPPLEMENTARY INFORMATION section
below. Write ‘‘Impersonation SNPRM,
R207000’’ on your comment and file
your comment online at
https://www.regulations.gov. If you prefer to
file your comment on paper, mail your
comment to the following address:
Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue
NW, Mail Stop H–144 (Annex I),
Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT:
Claire Wack, [email protected], (202–326–2836).
SUPPLEMENTARY INFORMATION: The
Commission invites interested parties to
submit data, views, and arguments on
the proposed amendments to the
Impersonation Rule and, specifically, on
the questions set forth in Section VIII of
this supplementary notice of proposed
rulemaking (‘‘SNPRM’’). The comment
period will remain open until April 30,
2024. To the extent practicable, all
comments will be available on the
public record and posted at the docket
for this rulemaking on
https://www.regulations.gov. If interested
parties request to present their position
orally, the Commission will hold an
informal hearing, as specified in section
18(c) of the FTC Act, 15 U.S.C. 57a(c).
Any request for an informal hearing
must be submitted as a written comment
within the comment period and must
include: (1) a request to make an oral
submission, if desired; (2) a statement
identifying the person’s interests in the
proceeding; and (3) any proposals to
add disputed issues of material fact that
need to be resolved during the hearing.
See 16 CFR 1.11(e). Any comment
requesting an informal hearing should
also include a statement explaining why
an informal hearing is warranted and a
summary of any anticipated oral or
documentary testimony. If the comment
identifies disputed issues of material
fact, the comment should include
evidence supporting such assertions. If
the Commission schedules an informal
hearing, either on its own initiative or
in response to request by an interested
party, the FTC will publish a separate
document notifying the public pursuant
to 16 CFR 1.12(a) (‘‘initial notice of
informal hearing’’).
I. Background
A. Trade Regulation Rule on
Impersonation of Government and
Business
Published elsewhere in this issue of
the Federal Register is the
Commission’s final Trade Regulation
Rule entitled ‘‘Rule on Impersonation of
Government and Business,’’
promulgated under the authority of
section 18 of the FTC Act, 15 U.S.C.
57a(b)(2); the provisions of Part 1,
Subpart B, of the Commission’s Rules of
Practice, 16 CFR 1.7–1.20; and the
Administrative Procedure Act
(‘‘Impersonation Rule’’ or ‘‘Rule’’). This
authority permits the Commission to
promulgate, modify, or repeal trade
regulation rules that define with
specificity acts or practices that are
unfair or deceptive in or affecting