Cybersecurity Questions Swirl Around Autonomous Vehicle Bills

Keep up with the latest developments and legal issues in the telecommunications and emerging technology sectors, with exclusive access to a comprehensive collection of telecommunications law news,...

By Michaela Ross

The House Energy and Commerce Committee plans to mark up a bill July 27 that would regulate autonomous vehicles, amid questions about whether lawmakers should set cybersecurity standards for the emerging technology.

U.S. drivers may be slow to adopt autonomous vehicles being developed by companies such as Ford Motor Co. and Tesla Inc. because of worries about hacks that could result in vehicle theft or harm to occupants, consumer surveys have shown. Cybersecurity fears are second only to worries about perceived higher vehicle expenses among barriers to consumer adoption, according to a September 2016 survey by Kelley Blue Book, a vehicle research and valuation company.

“I think every single member up here is worried about cybersecurity and privacy,” Rep. Debbie Dingell (D-Mich.) told Bloomberg BNA recently. “How do you make sure you’re moving fast enough with the speed at which technology is changing, but at the same time not moving so fast as for somebody to get hurt?”

Lawmakers, autonomous vehicle industry groups and consumer and safety advocacy groups agree that a cybersecurity framework is needed to spur consumer adoption. But they disagree on whether the government should establish the framework, leave it to the private sector, or find a compromise between the approaches.

“Even with a multi-layer defense against cyber threats, automakers must be nimble and adaptive because the cyber world is always changing,” Gloria Bergquist, vice president at the trade group Alliance of Automobile Manufacturers, told Bloomberg BNA. “Locking in what seems proactive now may not be so effective when the future demands another approach.”

Up to the Task?

There is also widespread concern among lawmakers, autonomous vehicle industry groups and consumer and safety advocacy groups that the Department of Transportation’s National Highway Traffic Safety Administration (NHTSA), the federal government agency that would be in charge of implementing a vehicle cybersecurity plan, does not have sufficient expertise or resources to handle the task. A NHTSA spokesperson did not immediately respond to a Bloomberg BNA request for comment.

Marc Scribner, a fellow at the Competitive Enterprise Institute, said the gaps in cybersecurity policy in an agency draft rule issued on connected cars in 2016 is cause for concern that NHTSA won’t be able to meet the challenge of writing autonomous vehicle cybersecurity standards.

“I think it’s very naive of Congress to think that they can just fix this with more legislation, especially charging an agency to do more, when it’s proven that it can’t do what it’s supposed to be doing right now,” Scribner told Bloomberg BNA.

Dingell told Bloomberg BNA July 19 that lawmakers are aware that NHTSA does not currently have the resources or staff to address autonomous vehicle issues.

“NHTSA doesn’t have money it needs,” Dingell said. “We are not funding these kinds of agencies at the levels they need to be funded to do what they’ve got to do.”

Congress Tackles Cyber

House and Senate lawmakers have taken different approaches to autonomous vehicle cybersecurity so far. The House committee is taking up a bill (H.R. 3388) by Rep. Bob Latta (R-Ohio). The panel’s Digital Commerce and Consumer Protection Subcommittee approved a draft of the bill July 19 that called for autonomous vehicle companies to develop a cybersecurity plan.

Lawmakers have since been negotiating over language that may mandate that NHTSA approve the industry plan. It was unclear July 26 whether those negotiations were successful, but the full committee said late July 25 it would consider a substitute amendment to the bill during its markup.

Senate lawmakers, including Commerce, Science and Transportation Committee Chairman John Thune (R-S.D.) circulated a legislative proposal earlier this month that took a more expansive approach in its cybersecurity section, according to several industry stakeholders who viewed the proposal.

The Senate proposal called for partnering NHTSA with the Auto-ISAC , an industry-led group created in 2015 through a presidential directive to share cybersecurity vulnerabilities and threat information, the industry sources said. The proposal appeared to direct the Department of Transportation to use enforcement authorities and publish guidelines for when cyber vulnerabilities constitute a safety defect, the sources said.

Shifting Standards

Cybersecurity researchers and industry groups are concerned that mandating particular security standards may make technologies more vulnerable by feeding hackers information about a company’s plans or creating a rigid framework that can’t easily be adapted for fast-moving threats.

There are also gaps and conflicts in federal agency jurisdiction over cybersecurity standard-setting. Acting Federal Trade Commission Chairman Maureen Ohlhausen said during a June workshop that the FTC should address consumer privacy and data security issues around connected cars, but should avoid conflicting with NHTSA’s oversight of vehicles.

NHTSA’ September 2016 guidelines for autonomous vehicles nodded to the need to assess cyber threats and vulnerabilities, but stopped short of mandating standards, stating cybersecurity is an “evolving area” and “more research is necessary before proposing a regulatory standard.” In October, the agency released a series of best practices for cybersecurity in all vehicles.

Some lawmakers, cybersecurity researchers and industry officials say that cybersecurity measures are best left to the private sector, because it has a strong incentive to avoid the litigation and bad publicity that likely would follow an autonomous vehicle hack.

Still, consumer advocacy groups say industry promises aren’t enough. In a July 18 letter to lawmakers, groups including Citizens for Reliable and Safe Highways and Advocates for Highway and Auto Safety called for NHTSA to issue cybersecurity standards within three years after Congress passes an autonomous vehicle bill.

With assistance from Jimmy H. Koo

To contact the reporter on this story: Michaela Ross in Washington at mross@bna.com

To contact the editor responsible for this story: Keith Perine at kperine@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Tech & Telecom on Bloomberg Law