Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
In addition to opportunities for convenience and entertainment, connected cars raise several significant privacy and security issues. Mandatory legislative or regulatory standards could put U.S. automakers at a disadvantage on the world market, but auto manufacturers may not be properly incentivized to adequately address cybersecurity on their own, the author writes.
By Mark L. Krotoski and Ellie F. Chapman
Mark Krotoski is a litigation partner in the Privacy and Cybersecurity and Antitrust Practice Groups of the Morgan, Lewis & Bockius Silicon Valley office in Palo Alto, Calif. He previously served as the national coordinator of the Computer Hacking and Intellectual Property Program in the Criminal Division of the U.S. Department of Justice and as an instructor on foreign economic espionage and trade secret cases and other law enforcement issues at the DOJ National Advocacy Center.
Ellie Chapman is an associate at Morgan, Lewis & Bockius in San Francisco where she advises clients on technology, cybersecurity, and privacy. She also serves on Morgan Lewis’s Data Breach team.
The automotive industry is rapidly transforming with the development and evolution of “connected cars,” which can not only operate as navigators, personal assistants and personalized on-demand entertainment systems, but also may soon be able to monitor and help safeguard the safety, health and well-being of drivers, passengers and others. The benefits of connected cars appear endless, and consumer demand for new and innovative automobile features remains strong.
However, in addition to opportunities, this “connectiveness” raises several significant privacy and security issues. One of the primary challenges in vehicle cybersecurity is that the various electrical components in a car (known as electronic control units, or ECUs) are connected via an internal network. Thus, if hackers gain access to vulnerable, peripheral ECUs—for instance, a car's Bluetooth—from there they may be able to take control of safety-critical ECUs such as the brakes or steering. Modern vehicles have up to 100 ECUs and more than 100 million lines of code—a colossal attack surface.
In fact, in July 2015 security researchers demonstrated their ability to remotely “hack into” motor vehicles, gaining significant control over vehicle functions remotely by exploiting wireless communications vulnerabilities. In a vehicle moving at low speeds (5-10 mph), the researchers were able to hack into the automobile to turn off the engine, disable the brakes and affect the steering. In a vehicle moving at any speed, the researchers were able to manipulate door locks, turn signals, the tachometer and the radio/heating, ventilation and air conditioning/GPS. As a result, the National Highway Traffic Safety Administration (NHTSA) used its authority to recall nearly one and a half million vehicles (NHTSA Recall Campaign Number: 15V461000). This recall highlighted the significant safety concerns based on inadequate cybersecurity protections in our connected vehicles.
Another issue concerns the impact of aftermarket devices on vehicle cybersecurity. The introduction of cell phones and insurance dongles, for example, establishes other potential cybersecurity risks that must be considered.
In addition to safety issues, there are privacy concerns as well. Consider that our automobiles are collecting, storing and transmitting more data about us than ever before, whether via telematics systems, electronic device recorders, or other internet of things (IoT)/connected devices. This data often involves “personal information” about individuals' activities, characteristics and preferences. While this information can be extremely useful for marketing, research and development, and other purposes to generate revenue, it is also extremely sensitive information that many agree requires some sort of privacy protection. While different stakeholders may have varying opinions regarding the level of privacy protection this information should be afforded when used for legitimate business purposes, most would agree that personal information should not be available, or at risk, to cybercriminals for illegitimate or unsafe purposes.
Against this background, the government is considering steps to promote effective vehicle cybersecurity. On Oct. 24, the Department of Transportation (DOT) issued federal guidance to the automotive industry for improving motor vehicle cybersecurity. The proposed cybersecurity guidance, which is voluntary and nonbinding, focuses on layered solutions to ensure that vehicle systems are designed to take appropriate and safe actions, even when an attack is successful. Specifically, the guidance makes the following recommendations, among others, to the auto industry:
The guidance is current under public comment which ended on Nov. 28. The guidance raises important questions about the role of government in promoting effective vehicle cybersecurity. Many recognize that there is no one-size-fits-all approach and that standards must be tailored and flexible to address identified cyber risks. Moreover, standards mandated today may soon be outdated given the pace of technological change.
Sens. Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) have criticized the voluntary standards and have drafted legislation, known as the Security and Privacy in Your Car (SPY Car) Act, that would direct the NHTSA and the Federal Trade Commission (FTC) to set mandatory cybersecurity and privacy standards, and create a system to rate cars based on the strength of their cybersecurity and privacy features.
The ramifications of such mandatory automobile cybersecurity rules are currently uncertain. On the one hand, some question whether general legislative standards can effectively promote cybersecurity for automobiles—a common criticism of government intervention in a society where technology is ever changing. For example, the legislation provides that “[a]ll entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks.” What constitutes “reasonable measures” is unclear.
Moreover, mandatory legislative or regulatory standards may have costs of compliance. For example, mandatory cybersecurity standards that impose burdens without benefits could mean fewer resources for other important aspects of product design. In a day and age where consumers readily trade privacy and safety features for entertainment and convenience, this sort of mandatory resource allocation could put U.S. automakers at a disadvantage on the world market.
On the other hand, for this very same reason, auto manufacturers may not be properly incentivized to adequately address cybersecurity on their own. Many observers believe that private industry so far has not taken the threat seriously or invested enough time or money to proactively address it.
In some respects, the debate on automobile cybersecurity is just beginning. Given the stakes, it is one we should be engaged in.
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)