Last week, the United States House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade released a number of staff drafted proposals, a few of which addressed automotive cybersecurity and privacy. On the privacy side, the proposal calls for car makers to establish a privacy policy regarding the collection, use, and sharing of customer data. Car manufacturers will also have to commit to implementing reasonable measures to protect covered information against loss and unauthorized access or use. It is unfortunate that all automakers don’t already provide clear privacy policies to their customers regarding the vast amount of data collected by connected cars. This proposal would force the car makers to do what should be standard practice.
The more controversial proposal is that it “shall be unlawful for any person to access, without authorization, an electronic control unit or critical system of a motor vehicle, or other system containing driving data for such motor vehicle, either wirelessly or through a wired connection,” with fines of up to $100,000 per violation. On face value, this appears to be a solid proposal. Malicious hackers should be punished for hacking into your vehicle. But should consumers be able to modify code in their own vehicles? There is a balance that needs to be struck between consumers’ right to modify their property and public safety. Nobody wants a hobbyist to cause an accident because they inadvertently disabled their anti-lock braking system. Nor should emissions standards be thwarted by consumers wanting to enable more horsepower via a software hack. I believe the law could be crafted in such a way to manage this balance.
The larger problem with this proposal is that it will make it illegal for security companies and academics to research security flaws in vehicles without the car maker’s authorization. In the IT space, many of the most critical vulnerabilities have been discovered by external researchers. Automotive cybersecurity, still in its infancy, could surely benefit by having more experts scouring the applications for weaknesses, rather than leaving it solely to the automakers.
In a recent survey of car makers by the Ponemon Institute, less than half said that security was a
priority for them. The reasons for the lack of priority are shown in the pie chart below.
This is troubling because this proposal from the US House Committee would turn over all responsibility for cybersecurity to the car manufacturers who seem to be either unwilling or unable to give security the attention it requires. There will always be time and cost pressures associated with the next new car release. If researchers are allowed to continue uncovering vulnerabilities outside of this process, the net result is a safer vehicle for everyone. Hopefully modifications will be made to this proposal to allow researchers to continue their efforts, perhaps under a reasonable responsible disclosure framework. Hackers can be a tenacious and creative force, so lawmakers and carmakers alike should welcome any help they can get to protect their customers’ safety and privacy.
If you would like to see more results from the Ponemon Institute survey on automotive cybersecurity, register for the November 12th webinar Car Cybersecurity: What do Automakers Really Think?