In Internet of Things Era Cybersecurity for Autonomous Vehicles Will Require Restraint


In the rapidly evolving internet of things environment, federal regulators must be flexible to accommodate change, the authors write, and they must resist the urge to ensconce autonomous vehicle cybersecurity guidance in law.

By Darren Teshima and Ian Adams

Darren Teshima is a litigation partner at Orrick, Herrington & Sutcliffe LLP in San Francisco. He advises leading financial institutions and tech companies in a variety of commercial disputes, including cybersecurity and data breach insurance matters.

Ian Adams is a public policy associate in Orrick's Sacramento, Calif. office and a senior fellow with the R Street Institute.

Concerns about the vulnerability of America's physical infrastructure have long been at the top of mind for national security officials. But the growing threat of cyberattacks, both state-sponsored and criminal, has led state and federal officialdom to take note. Their concern has been magnified by the increasing number of significant cybercrime targets in the nation, including key infrastructure. In particular, the rapid expansion of the Internet of Things (IoT)—reports estimate that by 2020, there will be 30 billion connected things and 40 percent of all data generated will come from connected sensors—has increased the risk that this age's technological wonders may be vulnerable to unfriendly manipulation. This IoT cybersecurity risk was highlighted by the recent distributed denial of service (DDoS) attack that shut down sites like Twitter Inc., Spotify Ltd. and Netflix Inc. due to an overflow of online traffic from thousands of hacked IoT devices.

Motor vehicles, which have been incorporating IoT devices and technologies for years and will be incorporating autonomous technologies in the coming years, might prove a particularly tempting target to would-be malefactors. The scale and scope of the risk to autonomous vehicles isn't yet well understood, in part because the approach to attacking the technology is still unclear. Yet, worst case scenarios involving hijacked vehicle control are not difficult to imagine. To that end, in part to allay popular discomfort with the poorly defined threat, the federal regulator charged with vehicle safety, the National Highway Traffic Safety Administration (NHTSA), has worked closely with industry stakeholders to develop a framework to enshrine best cybersecurity defense practices into administrative guidance. Two recent developments in that space, in particular, bear noting.

First, at the end of September, NHTSA released the Federal Automated Vehicle Policy (FAVP). The policy is intended as a non-binding and evolutionary document around which stakeholders from all interested industries (OEM, component, insurance, etc.) will be able to gather annually to submit commentary and refine the suggestions embodied therein. Included in the FAVP is a 15-point safety checklist which contains specific cybersecurity recommendations.

Second, in October, NHTSA released another guidance document concerning cybersecurity: “Cybersecurity Best Practices for Modern Vehicles” (Best Practices). That document, which is the result of a multi-year development process, is incorporated by reference into the FAVP and is, similarly, intended to be nonbinding. However, unlike the FAVP's treatment of cybersecurity, the Best Practices document offers more concrete recommendations for manufacturers to follow as they develop their vehicles.

Both of NHTSA's cybersecurity guidance documents are susceptible to interpretation, which is by design. The guidelines they embody did not go through notice-and-comment rule making and are intended to be predisposed to rapid change. That said, it is of note—and concern—that NHTSA's “Model State Policy,” another section of the FAVP, currently suggests that state regulators adopt a regulatory posture which, as a condition of obtaining a permit for testing, requires a manufacturer to certify “accordance” with the 15-point checklist. In practice, it is unclear both how manufacturers will accord with NHTSA's vague cybersecurity guidance and which regulator, state or federal, will actually evaluate accordance for the purpose of obtaining testing permits. What's more, it is unclear if separate consideration of all of the detailed recommendations in Best Practices will be necessary for a manufacturer to certify its accordance with the FAVP's cybersecurity safety checklist item.

There are three principal cybersecurity related recommendations in the FAVP, none of which are technical. First, manufacturers and other entities are told to incorporate cybersecurity best practices from a collection of organizations (the National Institute for Standards and Technology, NHTSA, SAE International, the Alliance of Automobile Manufacturers, the Association of Global Automakers and the Automotive Information Sharing and Analysis Center); second, the guidelines suggest that the incorporation of all cybersecurity considerations should be well documented. Or, in NHTSA speak, “traceable within a robust document version control environment.” Third, the guidelines emphasize that information concerning cybersecurity threats should be shared between industry members and that manufacturers and other entities should consider adopting a “vulnerability disclosure policy.”

The global recommendations of the FAVP are refined in the Best Practices. NHTSA recommends a taxonomy of five distinct cybersecurity periods in the Best Practices guidance. Companies should: (1) identify risks and analyze threats; (2) protect against those threats; (3) detect attacks; (4) respond to attacks; and, (5) recover from attacks. Methodologies for each of the periods are covered in depth in the guidance, but a theme that runs through all of them is the notion of a “layered approach.” The notion of such an approach is that vehicle security begins with limiting the likelihood of an attack and runs all the way through after a vehicle is hit, at which time the attacked vehicle will still need to be able to perform vital functions. Especially in the context of autonomous vehicles, such an ability will be crucial.

In terms of demands on automakers which are more expansive than the FAVP, the Best Practices recommend that firms create an executive leadership position dedicated to cybersecurity and explicitly call for manufacturers to account for future uses of vehicles, the installation of aftermarket devices, and the serviceability of systems.

In response to both documents, some critics, including sitting Sens. Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.), have called for binding standards to be set for both cybersecurity and for autonomous vehicle regulation. U.S. Department of Transportation (DOT) Secretary Anthony Foxx has signaled that DOT will pursue such action in the context of autonomous vehicles, but will wait for the next administration to begin the process. Given that recent Federal Motor Vehicle Safety Standards (FMVSS) have taken between six and ten years to adopt, according to NHTSA Administrator Mark Rosekind, it is unclear what form any such standards would take.

The near-term future of both documents is clearer. Both are currently undergoing revision and were open for comment, the FAVP through Nov. 22 and the Cybersecurity Best Practices through Nov. 28. For the manufacturers and other entities whose cybersecurity activities are implicated by the guidance in both documents, the message from the federal government under the Obama administration was straightforward. They were in a flexible “fact finding” mood, but the period of voluntary compliance and permissive standards will, sooner or later, come to an end. The prospective impact of a surprise Trump administration on this process remains to be seen. However, if that administration takes a typically Republican policy approach, moving forward, it is likely that the DOT will not seek to make cybersecurity guidance mandatory. Rather, as has been articulated by Trump's transition team, the administration will convene a “Cyber Review Team” to provide specific recommendations to vulnerable entities.

Like autonomous vehicle technology itself, cybersecurity guidance will change rapidly in the years to come. To ensure the flexibility necessary to accommodate that change, federal regulators should both resist the urge to ensconce guidance in law and, at minimum, clarify what “accordance” with the FAVP involves. Though perhaps counterintuitive, the strength to exercise regulatory restraint will be a crucial component of bolstering both the nation's cybersecurity and the development of autonomous vehicles.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
