By Lauren Reynolds, Rose Law Group attorney focusing her practice on cyber security and Dan Gauthier, law clerk
The potential consequences from lax cybersecurity have been well documented. One hypothetical scenario garnering specific attention is a hacker being able to remotely control a “smart” vehicle. In 2015, for example, a pair of “white hat” hackers – or ethical hackers – remotely controlled a Jeep Cherokee as it drove down the highway.[1] They disabled the accelerator, brakes, and even controlled the steering wheel. This exploit originated through the vehicle’s entertainment system and once inside, the hackers moved laterally to other connected systems such as steering, braking, and air conditioning. Experts warn that this simulated attack is not an anomaly.[2] Rather, as vehicles become more interconnected, the likelihood and potential severity of these attacks will increase.
Congress is considering self-driving car legislation that could significantly impact the testing and deployment of autonomous vehicle (AV) technology. In mid-June, draft bills were introduced by the House Digital Commerce and Consumer Protection subcommittee of the Energy and Commerce committee. The proposed legislation would allow automakers to put autonomous vehicles on the road by exempting up to 100,000 autonomous vehicles per manufacturer from existing vehicle safety standards. It would also broadly prevent states from enacting their own driverless car laws. The legislation would require manufacturers to develop cybersecurity plans and submit safety reports to the National Highway Traffic Safety Administration (NHTSA), but would not require pre-market approval of autonomous technologies. On June 27, the same subcommittee held a hearing on the AV legislation, and on July 17, the subcommittee advanced the bill to full committee. The House Energy and Commerce Committee is expected to vote on the legislation this week. Meanwhile, 19 states have passed their own AV legislation and governors in four states issued executive orders related to AVs.[3]
The pending AV legislation raises questions about the balance between public-private regulation. On the one hand, some do not believe car manufacturers can or will adequately address privacy and security issues without direction. Bruce Schneier, a cybersecurity and privacy expert, advocated this position in a recent New York Times article. Schneier’s vision is a future with billions of devices – including cars – made by companies that no longer support them or no longer exist. With nobody to patch the software, devices will be vulnerable to exploitation. The solution, Schneier argues, is to create a framework to block future attacks before they get to the devices, which must be forced by government intervention because, he argues, car manufacturers have no incentive to maintain good security and privacy practices.
Others say automakers should and will handle privacy and security issues. Contrary to Schneier’s argument, many believe market competition is incentive enough to providing good security and privacy practices. In addition, they point to proactive steps the auto industry has taken, like creating the Automotive Information Sharing and Analysis Center (Auto-ISAC), which compiles and shares cybersecurity risks. In large part, the draft legislation sides against Schneier by allowing automakers to take the driver’s seat on privacy and cybersecurity issues.
Autonomous vehicle technology can undoubtedly save lives and forever change the transportation industry. But the technology is not without risks, of which cybersecurity and privacy are at the forefront.
[1] Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway – With Me in It, Wired (July 21, 2015, 6:00 a.m.), https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.
[2] See Will Knight, Carmakers Accelerate Security Efforts After Hacking Stunts, MIT Tech. Rev. (Aug. 14, 2015), https://www.technologyreview.com/s/540441/carmakers-accelerate-security-efforts-after-hacking-stunts/.
[3] Autonomous Vehicles: Self-Driving Vehicles Enacted Legislation, Nat’l Conf. St. Legis. (last updated June 26, 2017), http://www.ncsl.org/research/transportation/autonomous-vehicles-self-driving-vehicles-enacted-legislation.aspx#Enacted%20Autonomous%20Vehicle%20Legislation.