Cybersecurity for Today’s (& Tomorrow’s) Vehicles

Watching the World Series on live TV over the last two weeks (congrats to the World Champion Chicago Cubs!), I was struck by the number of car commercials that air during prime time events.  I also noticed that these commercials were featuring more and more technological integration into the vehicles—from automated driving capabilities to Internet connectivity.  Interestingly, at least to an IoT lawyer, the commercials did not address the cybersecurity of these features.  In the wake of the October 21 DDoS malware attack, regulators and consumers are increasingly thinking about the security of connected systems such as those on vehicles.     

The National Highway Traffic Safety Administration (NHTSA) recently took action to explore vehicle cybersecurity issues.  On October 28, 2016, NHTSA released a Request for Comment on its Cybersecurity Best Practices for Modern Vehicles report.  NHTSA seeks comment on all aspects of the Best Practices, including how to make them more robust, what gaps remain, and whether there is sufficient research and/or practices to address those gaps.  Comments are due by November 28, 2016. 

NHTSA has identified as a top priority enhancing vehicle cybersecurity to mitigate cyber threats that could result in safety risks to the public or compromise sensitive data. NHTSA has been considering these issues by convening stakeholder groups and holding meetings with government agencies. As a result of this outreach, NHTSA has developed its set of Best Practices. In addition to participating in NHTSA’s stakeholder events, industry has also been leading efforts to study cybersecurity issues related to vehicles. The Alliance of Automobile Manufacturers and the Association of Global Automakers, through the Auto Information Sharing and Analysis Center (Auto ISAC), released a Framework for Automotive Cybersecurity Best Practices this summer.

The NHTSA Best Practices are intended to support such ongoing industry efforts and provide the agency’s views on how the broader automotive industry can develop and apply sound risk-based cybersecurity management practices to their product development processes. The Best Practices are also intended to help automotive sector organizations effectively demonstrate and communicate their cybersecurity risk management approach to both the public and internal and external stakeholders. NHTSA expects that the Best Practices will be updated fairly frequently as new information, research, and practices become available.

Looking forward, it will be interesting to see how NHTSA—and other actors—use these Best Practices. It may be helpful to the industry for the federal government to promote a clear, pro-innovation approach to vehicle cybersecurity and caution against fragmented approaches or premature regulations by the states. In the absence of federal guidance on important regulatory issues, we have seen states rush in to regulate, which can lead to a patchwork of approaches across the country. Managing divergent state laws can distract innovators from meaningful improvements in technology and security. As noted in a recent Wiley Connect blog post, the threat of class action, case-by-case litigation—with high expenses and the risk of crushing liability—can undermine IoT innovation. So too can divergent state approaches to regulation. As NHTSA develops its position on vehicular cybersecurity, it should continue to promote public-private partnerships and consider how to reduce barriers to innovation by limiting uncertainty and risk associated with litigation and divergent state models.
