The federal government regulates safety standards for vehicles. Should cybersecurity standards be treated differently?
As vehicles become increasingly high-tech and connected, should cybersecurity standards be set by the same federal agencies that regulate safety? While recently reintroduced legislation would put that responsibility on the National Highway Traffic Safety Administration and the Federal Trade Commission, one expert on the topic would like to see a different approach.
“If hackers access the critical systems of a car or plane, disaster could ensue and our public safety could be compromised,” Sen. Ed Markey, D-Mass., said in a release while reintroducing the Security and Privacy in Your Car (SPY Car) Act. “We must ensure that as technologies change, our safety and privacy is maintained.”
While introducing the legislation for the second time, Markey argued that the act is needed now more than ever. With an increasing number of cars being outfitted with connected capabilities, the ability for a malicious actor to hijack the controls has been proven possible.
As more sensors and devices for vehicle-to-vehicle (V2V) or vehicle-to-infrastructure (V2I) communication are added, they all “add another attack vector,” said Sam Lauzon, a senior engineer at the University of Michigan’s Transportation Research Institute. “Security was, at one point, an afterthought.”
Lauzon previously worked with Harman International, which created infotainment systems for vehicles. The company's system was installed in the Jeep Cherokee that Charlie Miller and Chris Valasek were able to hack into and remotely control in 2015. After that event, said Lauzon, things on the cybersecurity front really began to pick up. Auto manufacturers began to understand that the “level of security is now needing to increase,” he said.
The public has also mirrored this growing concern over cybersecurity in connected vehicles. In a study released in February, researchers at the University of Michigan’s Sustainable Worldwide Transportation program found that conventional vehicle hacking is of concern: 49 to 68 percent of respondents expressed "some concern" depending on the specific cybersecurity aspect, whether it be stealing personal data or remotely disabling a moving vehicle.
The concern grows significantly when taking into consideration an autonomous vehicle. Responses for being extremely concerned about hacking self-driving vehicles without controls nearly tripled those of conventional vehicles.
As vehicle safety standards are generally regulated by the federal government, the National Highway Traffic Safety Administration (NHTSA) released a set of cybersecurity guidelines for modern vehicles in October 2016. The guidance outlines layered solutions to ensure vehicle systems are designed with security features outright and is equipped with multiple redundancies to ensure the safety of a vehicle when one system is compromised.
The guidance recommends risk-based prioritized identification and protection of critical vehicle controls and consumers' personal data. Further, it recommends that companies should consider the full life cycle of their vehicles and facilitate rapid response and recovery from cybersecurity incidents.
The SPY Car Act, which was also sponsored by Sen. Richard Blumenthal, D-Conn., would establish federal standards to secure vehicles while adding in privacy protections for drivers’ data. If passed, the agency would also need to create a rating system — or “cyber dashboard” — in order to inform the public on how well the vehicle protects drivers’ security and privacy beyond the minimum standards.
Lauzon along with other researchers remains skeptical that federal regulations are the best way to ensure safety. “To have regulation that chases down cybersecurity is very difficult because the law generally does not keep up with technology very well,” he said. “No automotive company wants to make a car that is hackable.”
One option that could gain support would be to follow suit with the federal automated vehicle guidance released in September 2016. The guidance, which was intended to serve as a living document, laid out several best practices, specified what separate jurisdictions are responsible for regulating, and set up a 15-point self-check safety assessment letter.
“I like the way NHTSA approaches it now and says, ‘Here are guidelines you should follow,'” said Lauzon. “With security, you don't usually know there is a problem until it's too late.”