New Bipartisan SPY Act Pushes NHTSA on Automotive Cyberthreats
In our politically toxic capital, there’s a bipartisan effort underway to better protect motorists in a world increasingly aware that automobiles are vulnerable to cyberattacks. Two members of the U.S. House of Representatives introduced legislation Wednesday called the Security and Privacy in Your Car Study Act of 2017, or the SPY Act. It would direct federal regulators to conduct a study that would determine the best cyber standards and defenses for motor vehicles.
“Cars don’t necessarily come to mind when most of us think about cybersecurity,” said Rep. Ted Lieu (D-CA), who co-sponsored the bill along with Rep. Joe Wilson (R-SC). “But the Internet of Things is bringing technology and connectivity into every part of our lives—including our motor vehicles. Without good cyber hygiene, a hacker could easily turn a car into a weapon.”
Terrorists in Berlin and in Nice, France, have shown in recent months that advanced computer skills aren’t necessarily needed to kill with vehicles. But in an era of heightened attention to cyberattacks of any stripe, there’s concern that vehicles—and fleets of vehicles—could be an attractive target for adversaries.
In July 2015, two security researchers demonstrated the capability to commandeer remote control of a Jeep Cherokee from hundreds of miles away, a disclosure that rattled regulators and brought greater scrutiny to an issue the auto industry has been slow to address.
Automakers formed their own Information Sharing and Analysis Center (Auto-ISAC) last year to gather threat intelligence. The National Highway Traffic Safety Administration (NHTSA) proffered cybersecurity guidance in October 2016 in view of the fact that, according to global consulting firm Gartner, 250 million connected vehicles are projected to be on roads across the world by 2020.
Those efforts are not nearly enough, says Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, a nonprofit that promotes leadership and engagement in international affairs, and co-founder of I Am the Cavalry, a grassroots organization that focuses on issues where computer safety intersects with public safety. Given the years-long automotive development cycle and the similarly long rulemaking cycle in Washington, Corman fears the industry and regulators have left motorists vulnerable to an attack that could span across a connected network of vehicles.
“Even as we are more connected than ever in our cars
and trucks, our technology systems and data security
remain largely unprotected.”
— Sen. Ed Markey (D-MA)
“Even if they started tomorrow, we would be behind,” he said. “And that’s if we decided right now that we’re going to go implement what NHTSA has already put forth. By dragging our feet, we are wasting years of potential exposure.”
In some sense, the three-month-old NHTSA guidance makes the proposed SPY Act redundant. It essentially asks the agency to study cybersecurity problems and report back to Congress in a year.
On one hand, the clock is ticking. On the other, Corman says there may be a benefit if the additional study encourages NHTSA to fix what he sees as the shortcomings in the October guidance rather than merely repeating what it has already delivered. He says the agency needs to push for faster adoption of over-the-air software update capabilities, which may allow for fast fixes of vulnerabilities that surface.
Further, Corman, whose Five Star Automotive Cyber Safety Program has been used as the basis for some of the Auto-ISAC and NHTSA best practices, says that NHTSA needs to mandate the inclusion of black boxes that capture evidence of cyber anomalies or attacks in all new vehicles.
“We have no such capacity in vehicles right now,” he said. “As we see high-profile attacks on vehicles that shatter public confidence, the inability to harvest data from that black box will have a material impact on important parts of our economy. We need the data, and we need to see that data is being processed. We will regret not having it when we need it.”
This isn’t the first time Congress has tried to spur greater action on automotive cybersecurity. Within days after the Jeep breach became public, Sen. Ed Markey (D-MA) introduced a bill by a similar name – the Security and Privacy in Your Car Act of 2015, also known as the SPY Act. That bill never made it out of a Senate subcommittee.
“By dragging our feet, we are wasting years of
potential exposure.” — Josh Corman,
Cyber Statecraft Initiative
While the nearly identical names may suggest the bills are intended to be reconciled at some point, there are substantial differences between them, chiefly that Markey’s version would charge NHTSA with initiating formal rulemaking that requires automakers to isolate sensitive systems, while the newer House version would only compel a study of cyber best practices.
Further, the Senate version would require carmakers to create a “cyber dashboard” that informs consumers about the security measures installed in their vehicles and the extent to which their personal data is protected.
- Ransomware: The Next Big Automotive Security Threat?
- How the Connected Car Might Protect against Hacking
- Fiat Chrysler Starts Bug Bounty Program, But There’s A Catch
Markey has been perhaps the most ardent Congressional proponent of stronger automotive security measures in Congress. In 2015, he authored a report called Tracking and Hacking: Security and Privacy Gaps Put American Drivers at Risk, and in 2016, he pressed the Federal Communications Commission to consider protections for consumer information as vehicle-to-vehicle and vehicle-to-infrastructure communications systems develop for cars.
“Even as we are more connected than ever in our cars and trucks,” he said, “our technology systems and data security remain largely unprotected.”