Secretary of Transportation Elaine Chao signaled earlier this year that although the U.S. Department of Transportation may make some changes to the previous administration’s approach to autonomous vehicles, she supports a regulatory environment that fosters their testing and deployment. This is good news for automakers and other companies that develop products and services that are part of the autonomous vehicles ecosystem. They need a champion at the federal level who can provide a legal and policy framework to supplant the numerous state laws and regulations that have sprung up in the absence of federal legislation. A uniform national framework for the cybersecurity issues implicated by autonomous vehicles is particularly important. Both Secretary Chao and Congress have an opportunity to provide just that.
The cybersecurity risks of connected cars first garnered national attention in 2015 when a reporter for Wired described how two cybersecurity researchers hacked a Jeep Cherokee that he was driving (with his knowledge and permission) and took control of the vehicle. In response, Sens. Edward Markey, D-Mass., and Richard Blumenthal, D-Ct., introduced a bill, the Security and Privacy in Your Car Act of 2015 (“SPY Car Act”), that would have established cybersecurity standards for automakers. Although the Senate never took action on the bill, deployment of self-driving car technology has accelerated since then, and policymakers at both the federal and state level have become increasingly engaged on the issue.
Indeed, members of Congress have introduced new versions of the SPY Car Act this year in both the Senate and the House. The Senate bill, called the SPY Act of 2017, would, among other things, require motor vehicle manufacturers in the United States to comply with certain cybersecurity standards to protect against, detect, report and respond to hacking, and to protect against unauthorized access to driving data. It also would direct the Department of Transportation, through the National Highway Traffic Safety Administration, to issue regulations to implement these requirements. The House bill, which is called the Security and Privacy in Your Car Study Act of 2017 (“SPY Car Study Act”), is bipartisan but less ambitious. It would direct NHTSA to work with other relevant agencies, manufacturers of motor vehicles and motor vehicle equipment, and academics to conduct a study to determine the appropriate standards to regulate the cybersecurity of automobiles manufactured or imported for sale in the United States.
In addition, Senate Commerce Committee Chairman John Thune, R-S.D., Senate Commerce Committee Ranking Member Bill Nelson, D-Fla., and Sen. Gary Peters, D-Mich., recently announced that they would release their own bipartisan draft bill by August of this year. Because this bill has bipartisan support and is co-sponsored by the chairman and ranking member of the Senate Commerce Committee and Sen. Peters from Michigan (home of the biggest automakers), it will carry significant weight. The senators announced that their bill will reflect six principles, including the importance of providing strong protection against cybersecurity threats.
Automakers are likely to support reasonable federal legislation so that they can avoid having to comply with a patchwork of disparate requirements in every state. Eighteen states have passed laws related to autonomous vehicles, and 33 states have introduced such laws so far this year. Although most of these laws focus on autonomous vehicle testing and safety, members of the Massachusetts and Pennsylvania Legislatures have introduced bills that address cybersecurity. The cybersecurity of autonomous vehicles is not an appropriate issue for the states, however. Indeed, the National Traffic and Motor Vehicle Safety Act, which requires manufacturers of automobiles and automobile equipment to ensure the safety of the systems that they design, designates NHTSA — not state agencies — as the entity responsible for issuing motor vehicle safety standards. Issues regarding cybersecurity risks related to network access or software flaws implicate safety and for that reason fall squarely within NHTSA’s purview. Therefore, NHTSA — and perhaps also the Federal Trade Commission — likely will be involved in whatever emerges regarding the cybersecurity of autonomous vehicles.
Until one of the many bills in Congress emerges as the preferred vehicle for federal regulation of driverless cars, manufacturers and service providers in the ecosystem can look to the following sources for guidance regarding cybersecurity:
First, the NHTSA last fall issued both the Federal Automated Vehicles Policy, which lists cybersecurity among the critical issues that manufacturers must address and provides general recommendations for how to do so, and guidance titled "Cybersecurity Best Practices for Modern Vehicles," which provides more detailed information about the issue. Secretary Chao has said that the NHTSA may revise and update the Federal Automated Vehicles Policy. Notwithstanding any revisions that the new administration may make, cybersecurity is likely to remain a top priority. Moreover, Cybersecurity Best Practices for Modern Vehicles offers manufacturers sound guidance and a window into what Federal Motor Vehicle Safety Standards in the cybersecurity space ultimately might look like.
Second, the National Institute of Standards and Technology Cybersecurity Framework provides a flexible, voluntary set of risk-based cybersecurity guidelines for companies in all industry sectors. As the NHTSA noted in its Cybersecurity Best Practices for Modern Vehicles, the NIST Cybersecurity Framework can be adapted to apply to the automotive industry and other companies providing products and services that are part of the driverless car ecosystem.
Third, other entities, such as the Cloud Security Alliance (“CSA”) and the Automotive Information Sharing and Analysis Center (“Auto ISAC”), also have published guidance for automakers and others in the driverless car ecosystem. The Auto ISAC best practices leverage various frameworks and standards previously developed by NIST, the International Organization for Standardization, and other organizations, while the CSA’s "Observations and Recommendations on Connected Vehicle Security" offers advice about cybersecurity issues affecting the full range of relevant entities, including original equipment manufacturers, service providers, and application developers. The CSA white paper also emphasizes the importance of coordinating with companies across the entire autonomous vehicles ecosystem to address these matters.