With heavy liabilities for the auto industry at stake, U.S. senators are investigating whether federal cybersecurity requirements for self-driving vehicles are necessary.
The Senate Committee on Commerce, Science, and Transportation held a hearing Wednesday to investigate this issue and others as lawmakers consider regulatory guidelines for self-driving vehicles. The discussion covered concerns about new infrastructure for the vehicles, how the U.S. industry hopes to compete against economic rivals like China, and most notably, how to sidestep potential safety and security problems ahead. This ended in a debate between Democratic Sen. Ed Markey of Massachusetts and the entire panel of auto industry lobbyists.
Arguing for minimum cybersecurity standards, a set of basic manufacturing requirements to protect consumer’s safety and privacy, Markey said that while he supported self-driving technology he didn’t believe the government should allow companies to decide which cybersecurity features are included in their vehicles. Such a practice, he said, would likely lead to safety challenges if companies favor profit margins over the personal security of their customers.
“Rather than addressing the cybersecurity problems after a hack has occurred, we must ensure that robust cybersecurity protections are built into the design, the construction, and operation of these transportation technologies,” Markey said. “We should not have to choose, as Americans, from being connected and being protected.”
Acting on this stance, Markey and Sen. Richard Blumenthal, a Democrat from Connecticut, reintroduced the Security and Privacy in Your Car Act (SPY Act) last March to compel the automobile and tech sectors to invest in security protections for consumers. Key tenets of the proposed bill directs the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to design cybersecurity standards that could be enforced through heavy fines. The bill, which would apply to both traditional and self-driving vehicles if passed, would require that software used to drive a vehicle be separated from non-critical systems like the radio. Such a separation is hoped to prevent hackers from finding dangerous back doors. The SPY Act also requires vehicles to have software installed that could detect, report and mitigate cyber intrusions to prevent the vehicle from being controlled remotely.
When questioned whether they supported such minimum security regulations, industry representatives unanimously told Markey they opposed mandatory cybersecurity standards.
“I know that we don’t know what we don’t know, and cybersecurity isn’t something that we fix once and then it’s done. It’s something that you’re battling continuously,” said Rob Csongor, Insignia’s vice president and general manager for automotive business.
Csonger said that Insignia, a tech company that supplies more than 225 automotive companies with software, reported that there is no way to predict how threats will evolve in the future and this may burden manufactures with an impossible task.
John Maddox, president and CEO of the American Center for Mobility, a research and lobbying group, and Mitch Bainwol, president and CEO of the Alliance of Automobile Manufacturers, both suggested that forcing the industry to comply to any standard may hamper development and innovation. They suggested instead that the federal government offer only voluntary guidelines for manufacturers, recommendations that could be updated and used as a reference point for vehicle designers.
Markey was not convinced, comparing the need for strong cybersecurity and privacy protections to the need for airbags and seatbelts, safety measure that were not always put in place until they were required by federal standards. While claiming to be in favor of the development of self-driving vehicles, the senator said the industry talks too much about the benefits of new technologies and not enough about how to protect passengers from the dangerous, and even deadly hazards that might result if strong security standards are not applied.
“What I would want to hear in the weeks, months and years to come is that any standard would require computers on wheels to constantly update and patch itself for any vulnerabilities,” he said. “But that has to be mandatory, you can’t just leave it up to one auto manufacturer to do it, you have to have all of the players accepting it as their responsibility otherwise the streets won’t be safer.”
Markey also dismissed the argument that a law would be broad enough to drive constant improvements in cybersecurity. He said minimum standards could adapt to the changing levels of threats by calling on manufacturers to upgrade and improve their threat detection systems continuously.
“The standard could get constantly raised, but to have no standard could be extremely dangerous,” Markey said. “That’s the world I grew up in — with no seat belts, no airbags, steering wheels made out of medal — so that can’t be the standard as we move into this computer world.”
As the senators decide how to proceed, there is movement by the Trump administration to update an initial set of guidelines published by NHTSA under President Obama. U.S. Transportation Secretary Elaine Chao said these revisions are likely to be announced in the next few months.
Meanwhile, states and cities are racing to investigate how self-driving vehicles will operate via pilot projects on public roads across the country. The fear from the auto industry is that a patchwork of regulations will arrive at the state and local levels before there is consistent direction nationally, thereby increasing production costs or limiting where and how self-driving vehicles could operate.