On July 21, 2015, Sens. Edward Markey (D-MA) and Richard Blumenthal (D-CT) introduced legislation directing the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to promulgate federal regulations setting minimum cybersecurity and privacy standards for all motor vehicles manufactured for sale in the United States.1 The Security and Privacy in Your Car Act (the SPY Car Act) specifies that the NHTSA and FTC together issue Notices of Proposed Rulemaking within 18 months, and final regulations within three years of the act’s enactment.2 The SPY Car Act will apply to vehicles made two years after final cybersecurity and privacy regulations are issued.3
While it is unlikely that the SPY Car Act will be enacted soon or in its current form, it is an indication of concern about these issues by the bill’s sponsors, well-known consumer advocates. Absent other proposals, the bill may become the focus of attention as news stories highlight automotive security and privacy issues.
Background: Security Researchers Make New Claims
Earlier this month, WIRED magazine reported that cybersecurity researchers remotely gained access to a car as it was being driven by a reporter who had agreed to participate in a test of the researchers’ latest car hacking technique.4 According to the driver, as he drove 70 miles per hour on a highway 10 miles from where the researchers were stationed, the researchers used their laptop to change the car’s air conditioning settings, switch the volume and station on the radio, turn on the windshield wipers, and display a picture of the researchers on the digital dashboard screen. The researchers then allegedly cut the car’s transmission, leaving the car stopped at a long overpass with traffic bearing down on it. The researchers claim that they are also able to remotely kill the engine completely at lower speeds, disable and engage the brakes, control the steering wheel when the vehicle is in reverse, and track a car’s GPS coordinates, including measuring its speed and dropping pins on a map to trace its route.
The researchers, Charlie Miller and Chris Valasek, have researched car hacking together since 2012, when they received a US$80,000 research grant from the Defense Advanced Research Projects Agency (DARPA). In 2013, they demonstrated an attack on two different motor vehicles at the DefCon hacker conference by hard wiring their computer into the vehicle’s onboard diagnostic port. They plan to publish updated research and present their new findings on remote hacking at the Black Hat security convention in Las Vegas on August 5, 2015. Miller and Valasek are expected to demonstrate how a wireless attack works against a vehicle that they have not modified or wired into in advance. Starting with remote exploitation, the researchers intend to show how to “pivot through” different pieces of the car’s hardware to send messages on the Controller Area Network (CAN) bus to critical electronic control units, and will share several CAN messages that can affect the car’s physical systems.5
Congressional Concern About Automotive Cybersecurity
Concerns about automotive cyber hacking had also attracted Congressional attention before the recent legislative proposal. In December 2013, Sen. Markey sent 19 automakers an inquiry about potential cybersecurity threats to automobile safety and the automakers’ collection and storage of driving data (such as location, driving history, and user data) through navigation systems and other technologies.6
In February 2015, Markey published a report based on the responses of the 16 manufacturers who replied to the inquiry.7 According to Markey’s report, nearly 100% of cars on the market have wireless technologies that could be vulnerable to hacking, manufacturers collect vast amounts of driving data from connected cars, and security measures to prevent unauthorized intrusions and protect driving data vary widely across manufacturers. Markey recommended that the NHTSA, in consultation with the FTC, publish cybersecurity standards to protect drivers.
Separately, in May 2015, the House of Representatives’ Committee on Energy and Commerce wrote to 17 automakers and the NHTSA to ask how they are addressing cybersecurity challenges, including how they evaluate, test, and monitor for potential cyber vulnerabilities, and what the federal government should do to address cybersecurity issues.8 The committee’s inquiry is ongoing.
The SPY Car Act Explained
The SPY Car Act, the legislation introduced by Markey and Blumenthal, requires the NHTSA and FTC to promulgate regulations that will implement the following:
- Vehicle System Security. All entry points to a vehicle’s electronic systems must be equipped with reasonable measures to protect against cyberattacks, including isolation measures to separate critical and non-critical software systems;
- Vulnerability Testing and Remediation. Such reasonable security measures shall be evaluated for vulnerabilities following best security practices, including appropriate applications of techniques such as penetration testing, and must be adjusted and updated based on the results of such evaluation;
- Data Security. All driving data9 collected by a vehicle’s electronic systems must be reasonably secured from unauthorized access while data is stored onboard the vehicle, in transit from the vehicle to another location, and in any offboard storage or use; and
- Real-Time Attack Mitigation. All entry points to a vehicle’s electronic systems must be equipped with capabilities to immediately detect, report, and stop unauthorized attempts to intercept driving data or control the vehicle.
Violation of such cybersecurity standards would result in liability to the federal government for civil penalties of no more than US$5,000 per violation.10
Cyber Dashboard Disclosures
- Cybersecurity and Privacy Labeling. Motor vehicles shall display a “cyber dashboard” that informs consumers, through an easy-to-understand, standardized graphic affixed to each vehicle as a component of existing label requirements, about the extent to which the vehicle protects the cybersecurity and privacy of vehicle owners, lessees, drivers, and passengers beyond the minimum requirements set forth in the SPY Car Act.11
- Transparency. Foreclosing other notice mechanisms as legally viable, the act would require that each vehicle provide clear and conspicuous notice, in clear and plain language, to owners or lessees of a vehicle of the collection, transmission, retention, and use of any driving data collected;
- Consumer Control. Owners or lessees must be given the option to terminate the collection and retention of driving data without losing access to navigation tools or other features or capabilities, to the extent technically possible (with the exception of driving data stored as part of the electronic data recorder system or other safety systems required for post-incident investigations, emissions history checks, crash avoidance or mitigation, or other regulatory compliance); and
- Limitations on Driving Data Use. Manufacturers may not use any driving data collected by a vehicle for advertising or marketing purposes without the affirmative and express consent of the owner or lessee, which must be obtained using a clear and conspicuous consent request in clear and plain language that does not make use of the driving data a condition for the consumer’s use of any nonmarketing feature, capability, or functionality of the vehicle.
Violations of the SPY Car Act’s privacy standards would be treated as unfair and deceptive acts or practices under the Federal Trade Commission Act (the FTC Act).12
Implications of the SPY Act Provisions
While the SPY Car Act as proposed is unlikely to move towards enactment in this Congress, it presents for public debate a set of regulatory requirements that may be used as a model for other legislative proposals. Therefore, it is important to understand the potential impact of the legislation.
- The SPY Car Act imposes new regulatory requirements and potential liability. The SPY Car Act overlooks existing automotive safety requirements enforced by regulation and common law.
- The SPY Car Act gives regulators nearly unlimited power. The SPY Car Act uses ambiguous terms that leave the NHTSA and FTC with very significant power to define what constitutes “reasonable measures” and “best practices” to protect against hacking and to define what will be considered a “violation” of the statute.
- The SPY Car Act does not consider existing industry intiatives to address both privacy and security concerns. Existing provisions of the FTC Act are effective at providing privacy protections to consumers. Indeed, the automotive industry in the United States has already adopted privacy principles for connected cars – and automakers are implementing them.13 Additionally, the Alliance of Automobile Manufacturers and the Association of Global Automakers recently announced the upcoming launch of a new intelligence sharing and analysis center (ISAC), which will serve as a central hub through which auto manufacturers can disseminate and exchange cyber threat information.14 The ISAC initiative complements other ongoing efforts by automakers to research and develop security features through hack-a-thons, a cybersecurity task force, and work with the National Institute of Standards and Technology (NIST).15 These industry-led self-regulatory programs will result in faster and more dynamic privacy and security protections for consumers, making the additional layer of regulations unnecessary. More regulations may, instead, deter dynamic innovation in the manner in which security and privacy-related information is communicated to consumers.
- The SPY Car Act burdens the victim of cyberattacks. In an environment increasingly characterized by cyber threats from sophisticated criminals and nation-state-affiliated actors, the SPY Car Act would create further liability for institutional targets of sophisticated cyberattacks who are victimized despite having implemented reasonable protections, as the reputational and financial cost of defending regulatory enforcement and litigation can be significant. Instead of adding to cyberattack victims’ burden, public policy mechanisms in this area should incent and support the adoption of security measures without imposing punitive regulatory requirements. This position is espoused by the Obama Administration itself, which in lieu of regulation has instead supported the development and adoption of voluntary frameworks such as the NIST Cybersecurity Framework.
Special thanks to Elizabeth DiSciullo for her contribution to this update.