On January 15, 2016, the National Highway Traffic Safety Administration (NHTSA) and 18 automakers pledged to work together to enhance safety and improve recalls. In addition, the automakers agreed to voluntarily work with the government to identify cybersecurity threats to cars and light trucks.

The “Proactive Safety Principles” reaffirm government and industry’s commitment to work collaboratively to improve vehicle safety. It was signed by the Department of Transportation (DOT), NHTSA, American Honda, BMW, Fiat Chrysler, Ford, GM, Hyundai, Jaguar Land Rover, Kia, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Tesla, Toyota, Volkswagen, and Volvo.

The Principles cover four distinct areas:

  1. Efforts to work proactively to enhance safety and quality through better communication among NHTSA, vehicle manufacturers, and suppliers on emerging safety issues and trends; sharing information about recall-related decision making processes; and consideration of the safety approaches currently used in the aviation industry.
  2. Industry cooperation in the area of data analytics with the objective of examining whether early warning reporting (EWR) data can be better analyzed using advanced analytical tools to identify potential safety trends.
  3. Industry collaboration to achieve higher recall completion rates by sharing best practices and engaging other stakeholders in the process.
  4. Industry collaboration to mitigate cyber threats that present unreasonable safety risks by developing best practices, engaging with cybersecurity researchers, and supporting the Automotive Industry Sharing and Analysis Center (Auto-ISAC).

Background

Despite the fact fatalities as a share of miles travelled are down 80 percent since the passage of the National Traffic and Motor Vehicle Safety Act in 1966, the number of automotive recalls reached record levels in both 2014 and 2015. While NHTSA imposed historic fines on automakers for failure to disclose defects, the agency also was faulted for an inability to identify safety problems and take action. In addition, several highly-publicized examples of cybersecurity researchers hacking into passenger vehicles brought new security vulnerabilities to light.

In 2014, the auto industry released Privacy Principles governing data retrieved from vehicles. Companies adopting the principles committed to notifying consumers about the kinds of data that may be collected from vehicles and providing heightened protection for the most sensitive types of consumer information, such as geolocation.

During 2014 and 2015, congressional hearings and investigations focused on recalls blamed both manufacturers and NHTSA for not acting quickly enough to identify and recall defective components. Additional reports of vehicle cyber vulnerabilities prompted the introduction of legislation in the House and Senate to force manufacturers to improve cybersecurity.

In 2015, the auto manufacturers created an Automotive Information Sharing Analysis Center (ISAC) in an effort to provide greater cyber protections. The ISAC allows automakers to share threat information and vulnerabilities, identify trends and common cyber threats more quickly, and enhance the industry’s efforts to remediate threats to vehicle electronic systems and networks.

Next Steps

OEMs and their trade associations intend to build off the Proactive Safety Principles with a series of white papers addressing each of the subcategories listed in the document. We expect at least two papers to be released in the first half of 2016, most likely addressing ways to maximize recall repair rates and to improve information sharing among stakeholders. Additional papers and guidance will be developed over the following months.

Options for increasing recall completion rates may include recommending the use of new methods to notify owners by adding emails, telephone calls, smartphone applications and social media contact in addition to the usual recall letters or legislative solutions such as recommending statutory authority for NHTSA to notify potential used car buyers of recalls, mandates on insurance companies to work with NHTSA to identify vehicles covered by the insurer that currently have open safety recalls, or state legislation making vehicle registration dependent on the resolution of outstanding safety recalls. Options for improving information sharing may include efforts to engage more with suppliers, third-party security technologists, non-profit organizations, universities and government programs and working groups through forums and trade association events.

Beginning in 2016, the industry also intends the Auto ISAC to serve as a central hub for intelligence and analysis of cyber threat information and potential vulnerabilities in motor vehicle electronics and associated networks. The structure, membership, and operating rules for the ISAC have yet to be determined but active participation by all industry stakeholders is recommended. In addition to vehicle manufacturers, dealers and original equipment suppliers, independent parts manufacturers and repair establishments are likely to need access to security protocols to effectively service and repair the increasingly technology-laden vehicles.