A House bill was introduced Tuesday that could accelerate the federal government’s involvement in regulating automobile cybersecurity.
The Security and Privacy in Your Car Study Act of 2017, authored by Reps. Ted Lieu (D-Calif.) and Joe Wilson (R-SC), calls on the National Highway Traffic Safety Administration to lead a study of necessary security standards that could be included in a law governing cars built in the U.S. or imported for sale.
A similar SPY Car Act of 2015 introduced by Sen. Edward Markey (D-MA) was much more prescriptive of the NHTSA in securing electronic controls and driving data collected by vehicle systems. This week’s bill calls for the NHTSA to study the issue alongside the Federal Trade Commission, NIST and other stakeholders. They have a year to produce a preliminary report, and another six months beyond that to draft a final report that includes dates for adoption and recommendations that would be included in legislation.
“Every American has a right to drive cars that are safe and secure. Cars don’t necessarily come to mind when most of us think about cybersecurity. But the Internet of Things (IoT) is bringing technology and connectivity into every part of our lives—including our motor vehicles,” Lieu said. “Without good cyber hygiene, a hacker could easily turn a car into a weapon.”
Yoni Heilbronn, an executive with Argus Cyber Security, a company specializing in automotive cybersecurity, said he had mixed feelings about the bipartisan bill. He acknowledged that while the proposal could bring some positives to the conversation, he wonders whether legislators believe the automotive industry is moving too slowly toward progress. He recalled a panel he attended last year with Sen. Gary Peters, a Michigan Democrat who urged industry to be more responsive and proactive.
“I heard him pleading with the industry to do things on its own, and not wait for the U.S. government to regulate,” Heilbronn said. “If regulation comes, it could be even more strict than what industry would do to itself.” The current bill asks NHTSA to identify a number of critical areas that could be exploited by hackers; researchers Charlie Miller and Chris Valasek, as well as researchers from the University of California at San Diego, have already demonstrated a number of high-profile hacks exploiting vulnerabilities in electronic communications systems in a number of vehicles.
Specifically, the SPY Car Study Act of 2017 asks officials to examine how to best isolate critical software from other code running inside a motor vehicle, and identify measures to detect vulnerabilities and code anomalies associated with malicious behavior. They’re also tasked with identifying how to best implement on-demand risk assessments and continuous penetration-testing of critical systems. Finally, they are asked to determine best practices to secure driving data as it’s collected and stored on board, in transit, and stored off-board.
Heilbronn said some in industry are more vigilant about cybersecurity than others; Jeep, for example, quickly patched vulnerabilities in its UConnect entertainment systems exploited by Miller and Valasek, and instituted an unprecedented vehicle recall. “If you ask Senators Markey and Peters, industry is not moving quickly,” Heilbronn said. “Theirs was a clear message to industry to start doing things, don’t wait.”
Last March, the FBI and NHTSA teamed up on a formal warning to the auto industry about vulnerabilities that leave cars exposed to internet-based attacks. The FBI warned that vulnerabilities in features such as UConnect and aftermarket devices pose an “unreasonable risk to safety.”
“I’ve never seen such a statement before,” Heilbronn said. “It’s unheard of. It also gives you a good idea of the way of thinking inside the US government, that these risks need to be addressed. If there is regulation some day, there will be enforcement. The question is, how long does industry wait before it does something.”