Lawmakers Push Bill to Study Vehicle Software Security
A new bill introduced in the House of Representatives Tuesday would force the federal government to perform a long-term study of the security and privacy controls of the software running in vehicles, including their navigation, entertainment and other systems.
The bill is sponsored by Rep. Ted Lieu (D-Calif.) and Rep. Joe Wilson (R-S.C.), and it’s another indication that federal regulators are taking a hard look at the security of a wide range of devices, including vehicles, medical devices, and IoT gear. The main thrust of the bill is to require the National Highway Traffic Safety Administration, along with NIST, the FTC and the Secretary of Defense, to produce a study on the necessary standards for regulating the cybersecurity of vehicles.
“Every American has a right to drive cars that are safe and secure. Cars don’t necessarily come to mind when most of us think about cybersecurity. But the Internet of Things (IoT) is bringing technology and connectivity into every part of our lives—including our motor vehicles. Without good cyber hygiene, a hacker could easily turn a car into a weapon,” Lieu said in a statement.
“The SPY Car Study Act builds on important work undertaken by the National Highway Traffic Safety Administration by emphasizing the protection of users’ personal data, and developing clear timelines for implementing these standards. We need to know that our navigation, entertainment, and operating systems are safe—and that our data is kept private. We must be proactive about our privacy and security, now more than ever.”
Known as the SPY Car Study Act, the bill asks NHTSA and the other agencies–in cooperation with manufacturers–to identify a number of key items, including:
(1) the isolation measures that are necessary to separate critical software systems from other software systems; (2) the measures that are necessary to detect 21 and prevent or minimize in the software systems of motor vehicles anomalous codes associated with malicious behavior; (3) the techniques that are necessary to detect and prevent, discourage, or mitigate intrusions into the software systems of motor vehicles and other cybersecurity risks in motor vehicles, such as continuous penetration testing and on-demand risk assessments.
The bill would give the agencies a year after its ratification to deliver a preliminary report and then six more months to hand in a final version. Vehicle software systems have come under scrutiny in the last couple of years as researchers have shown methods for attacking them remotely and disabling key systems, including the brakes and engine. Last September, researcher’s at China’s Keen Lab published research showing they could take control of a Tesla from several miles away.
Regulators and industry groups have begun to take notice. In July, the Auto-ISAC published a set of best practices for vehicle software security.