Coming to Terms With Meaningful Automotive Cybersecurity

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Connected Cars

In addition to opportunities for convenience and entertainment, connected cars raise several significant privacy and security issues. Mandatory legislative or regulatory standards could put U.S. automakers at a disadvantage on the world market, but auto manufacturers may not be properly incentivized to adequately address cybersecurity on their own, the author writes.

Mark L. Krotoski Ellie F. Chapman

By Mark L. Krotoski and Ellie F. Chapman

Mark Krotoski is a litigation partner in the Privacy and Cybersecurity and Antitrust Practice Groups of the Morgan, Lewis & Bockius Silicon Valley office in Palo Alto, Calif. He previously served as the national coordinator of the Computer Hacking and Intellectual Property Program in the Criminal Division of the U.S. Department of Justice and as an instructor on foreign economic espionage and trade secret cases and other law enforcement issues at the DOJ National Advocacy Center.

Ellie Chapman is an associate at Morgan, Lewis & Bockius in San Francisco where she advises clients on technology, cybersecurity, and privacy. She also serves on Morgan Lewis’s Data Breach team.

The automotive industry is rapidly transforming with the development and evolution of “connected cars,” which can not only operate as navigators, personal assistants and personalized on-demand entertainment systems, but also may soon be able to monitor and help safeguard the safety, health and well-being of drivers, passengers and others. The benefits of connected cars appear endless, and consumer demand for new and innovative automobile features remains strong.

However, in addition to opportunities, this “connectiveness” raises several significant privacy and security issues. One of the primary challenges in vehicle cybersecurity is that the various electrical components in a car (known as electronic control units, or ECUs) are connected via an internal network. Thus, if hackers gain access to vulnerable, peripheral ECUs—for instance, a car's Bluetooth—from there they may be able to take control of safety-critical ECUs such as the brakes or steering. Modern vehicles have up to 100 ECUs and more than 100 million lines of code—a colossal attack surface.

In fact, in July 2015 security researchers demonstrated their ability to remotely “hack into” motor vehicles, gaining significant control over vehicle functions remotely by exploiting wireless communications vulnerabilities. In a vehicle moving at low speeds (5-10 mph), the researchers were able to hack into the automobile to turn off the engine, disable the brakes and affect the steering. In a vehicle moving at any speed, the researchers were able to manipulate door locks, turn signals, the tachometer and the radio/heating, ventilation and air conditioning/GPS. As a result, the National Highway Traffic Safety Administration (NHTSA) used its authority to recall nearly one and a half million vehicles (NHTSA Recall Campaign Number: 15V461000). This recall highlighted the significant safety concerns based on inadequate cybersecurity protections in our connected vehicles.

Another issue concerns the impact of aftermarket devices on vehicle cybersecurity. The introduction of cell phones and insurance dongles, for example, establishes other potential cybersecurity risks that must be considered.

In addition to safety issues, there are privacy concerns as well. Consider that our automobiles are collecting, storing and transmitting more data about us than ever before, whether via telematics systems, electronic device recorders, or other internet of things (IoT)/connected devices. This data often involves “personal information” about individuals' activities, characteristics and preferences. While this information can be extremely useful for marketing, research and development, and other purposes to generate revenue, it is also extremely sensitive information that many agree requires some sort of privacy protection. While different stakeholders may have varying opinions regarding the level of privacy protection this information should be afforded when used for legitimate business purposes, most would agree that personal information should not be available, or at risk, to cybercriminals for illegitimate or unsafe purposes.

Against this background, the government is considering steps to promote effective vehicle cybersecurity. On Oct. 24, the Department of Transportation (DOT) issued federal guidance to the automotive industry for improving motor vehicle cybersecurity. The proposed cybersecurity guidance, which is voluntary and nonbinding, focuses on layered solutions to ensure that vehicle systems are designed to take appropriate and safe actions, even when an attack is successful. Specifically, the guidance makes the following recommendations, among others, to the auto industry:

  •   promote “cybersecurity oriented leadership within the organization,” including over the product development cycle;
  •   in “an ongoing risk management framework” assess vulnerabilities at each stage in the process, including “the entire supply-chain of operations;”
  •   implement “a documented process for responding to incidents, vulnerabilities, and exploits” that clearly delineates roles and responsibilities for each responsible group within the organization;
  •   conduct cybersecurity testing, including penetration testing, by “qualified testers who have not been part of the development team, and who are highly incentivized to identify vulnerabilities;”
  •   adopt self-auditing programs that include periodic risk assessments and review of organizational decisions;
  •   encourage information sharing about cybersecurity risks and incidents including through the Auto Automotive Information Sharing and Analysis Center (ISAC);
  •   consider the role of aftermarket devices (such as cell phones and insurance dongles);
  •   remove unnecessary network services to control the proliferation of network ports and limit attack vectors;
  •   limit software developer access to ECUs where “no foreseeable operational reason” exists;
  •   maintain sufficient log records to identify how the cyber attacks occurred or detect trends;
  •   implement employee training to educate the entire automotive workforce on new cybersecurity practices, and share lessons learned; and
  •   address serviceability issues by providing “strong vehicle cybersecurity protections that do not unduly restrict access by authorized alternative third-party repair services.”

The guidance is current under public comment which ended on Nov. 28. The guidance raises important questions about the role of government in promoting effective vehicle cybersecurity. Many recognize that there is no one-size-fits-all approach and that standards must be tailored and flexible to address identified cyber risks. Moreover, standards mandated today may soon be outdated given the pace of technological change.

Sens. Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) have criticized the voluntary standards and have drafted legislation, known as the Security and Privacy in Your Car (SPY Car) Act, that would direct the NHTSA and the Federal Trade Commission (FTC) to set mandatory cybersecurity and privacy standards, and create a system to rate cars based on the strength of their cybersecurity and privacy features.

The ramifications of such mandatory automobile cybersecurity rules are currently uncertain. On the one hand, some question whether general legislative standards can effectively promote cybersecurity for automobiles—a common criticism of government intervention in a society where technology is ever changing. For example, the legislation provides that “[a]ll entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks.” What constitutes “reasonable measures” is unclear.

Moreover, mandatory legislative or regulatory standards may have costs of compliance. For example, mandatory cybersecurity standards that impose burdens without benefits could mean fewer resources for other important aspects of product design. In a day and age where consumers readily trade privacy and safety features for entertainment and convenience, this sort of mandatory resource allocation could put U.S. automakers at a disadvantage on the world market.

On the other hand, for this very same reason, auto manufacturers may not be properly incentivized to adequately address cybersecurity on their own. Many observers believe that private industry so far has not taken the threat seriously or invested enough time or money to proactively address it.

In some respects, the debate on automobile cybersecurity is just beginning. Given the stakes, it is one we should be engaged in.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security