Cybersecurity for Today’s (& Tomorrow’s) Vehicles
Watching the World Series on live TV over the last two weeks (congrats to the World Champion Chicago Cubs!), I was struck by the number of car commercials that air during prime time events. I also noticed that these commercials were featuring more and more technological integration into the vehicles—from automated driving capabilities to Internet connectivity. Interestingly, at least to an IoT lawyer, the commercials did not address the cybersecurity of these features. In the wake of the October 21 DDoS malware attack, regulators and consumers are increasingly thinking about the security of connected systems such as those on vehicles.
The National Highway Traffic Safety Administration (NHTSA) recently took action to explore vehicle cybersecurity issues. On October 28, 2016, NHTSA released a Request for Comment on its Cybersecurity Best Practices for Modern Vehicles report. NHTSA seeks comment on all aspects of the Best Practices, including how to make them more robust, what gaps remain, and whether there is sufficient research and/or practices to address those gaps. Comments are due by November 28, 2016.
NHTSA has identified enhancing vehicle cybersecurity to mitigate cyber threats that could result in safety risks to the public or compromise sensitive data as a top priority. NHTSA has been considering these issues by convening stakeholder groups and holding meetings with government agencies. As a result of this outreach, NHTSA has developed its set of Best Practices. In addition to participating in NHTSA’s stakeholder events, industry has also been leading efforts to study cybersecurity issues related to vehicles. The Alliance of Automobile Manufacturers and the Association of Global Automakers, through the Auto Information Sharing and Analysis Center (Auto ISAC), released a Framework for Automotive Cybersecurity Best Practices this summer.
The NHTSA Best Practices are intended to support such ongoing industry efforts and provide the agency’s views on how the broader automotive industry can develop and apply sound risk-based cybersecurity management practices to its product development processes. The Best Practices are also intended to help automotive sector organizations effectively demonstrate and communicate their cybersecurity risk management approach to the public and to internal and external stakeholders. NHTSA expects that the Best Practices will be updated fairly frequently as new information, research, and practices become available.
Looking forward, it will be interesting to see how NHTSA—and other actors—use these Best Practices. It may be helpful to the industry for the federal government to promote a clear, pro-innovation approach to vehicle cybersecurity and caution against fragmented approaches or premature regulations by the states. In the absence of federal guidance on important regulatory issues, we have seen states rush in to regulate, which can lead to a patchwork of approaches across the country. Managing divergent state laws can distract innovators from meaningful improvements in technology and security. As noted in a recent Wiley Connect blog post, the threat of class action, case-by-case litigation—with high expenses and the risk of crushing liability—can undermine IoT innovation. So too can divergent state approaches to regulation. As NHTSA develops its position on vehicular cybersecurity, it should continue to promote public-private partnerships and consider how to reduce barriers to innovation by limiting uncertainty and risk associated with litigation and divergent state models.