Cybersecurity for the Self-Driving Vehicle
Industry is firing on all cylinders to develop highly automated vehicles, including cars that will drive themselves. Partial driving automation such as lane centering, adaptive cruise control, highway assist, and park assist technology is already available to consumers. And fully automated, self-driving vehicles—which manufacturers are testing on public roads in Arizona, California, Michigan, Pennsylvania, Texas, and Washington—are expected to come to market by 2025 or sooner. For consumers, this means fewer traffic-related injuries and deaths, increased efficiency and convenience, and new mobility opportunities for the disabled and elderly. As explained below, cybersecurity in automated cars is high on policy-makers’ minds. As they consider how to promote industry security work, they should consider incentives and preserve flexibility.
Advancements in self-driving vehicle technology have captured Congress’s attention, and lawmakers are poised to pass legislation intended to ease barriers to testing and deployment of self-driving vehicles. Both the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act (SELF DRIVE Act) (H.R.3388), which the House passed in September, and the American Vision for Safer Transportation Through Advancement of Revolutionary Technologies (AV START Act) (S.1885), which has advanced to the Senate floor for consideration, would exempt automakers from certain federal safety standards, as well as pre-empt state laws on self-driving vehicles—saving manufacturers from having to navigate a patchwork of regulations that could delay autonomous vehicle testing and deployment.
The SELF DRIVE Act and AV START Act would also require manufacturers to consider cybersecurity in the development of self-driving vehicles. Under the SELF DRIVE Act, manufacturers would be required to have a written cybersecurity policy containing a process for “identifying, assessing, and mitigating reasonably foreseeable vulnerabilities” and a process for “taking preventative and corrective action to mitigate against vulnerabilities.” The AV START Act, in addition to a cybersecurity plan, would require manufacturers to submit a safety evaluation report to the Department of Transportation describing how the manufacturer is minimizing cybersecurity risks and sharing vulnerability information discovered through field incidents, internal testing, or external security research. Both bills would also require manufacturers to identify a point of contact responsible for cybersecurity management.
Outside of Capitol Hill, the Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) recently released new federal guidance for automated vehicles: Automated Driving Systems 2.0—A Vision for Safety. With respect to cybersecurity, NHTSA encourages the automotive industry to:
- Implement voluntary guidance, best practices, and design principles published by the Alliance of Automobile Manufacturers, the Automotive Information Sharing and Analysis Center (Auto-ISAC), the National Institute of Standards and Technology (NIST), NHTSA, SAE International, and other relevant organizations;
- Conduct systematic and ongoing vehicle safety risk assessments;
- Document how they incorporate vehicle cybersecurity considerations;
- Share vulnerability information with other automakers and report cyber threats, vulnerabilities, and incidents to the Auto-ISAC;
- Establish cyber incident response plans; and
- Adopt a vulnerability reporting and disclosure policy.
NHTSA’s guidance replaces the agency’s 2016 Federal Automated Vehicle Policy. Public comment on the updated policy framework is due November 14, 2017.
Cybersecurity is at the forefront of the conversation on self-driving vehicles. Enhancing cybersecurity will be critically important to the success and safety of self-driving vehicles. However, policymakers must be careful not to impede progress with unnecessary or unintended barriers to innovation, such as one-size-fits all policies or technical mandates that become outdated quickly. Some vulnerability disclosure programs, for example, can be complex and require companies to waive legal rights, inviting further hacking and intrusions. Information sharing initiatives—without adequate liability protections—present legal and practical challenges as well, because companies are rightly concerned about dissemination of sensitive and proprietary information. Government should proceed with caution, creating incentives for the private sector to be proactive, and ensuring that industry has the flexibility needed to adopt effective, risk-based cybersecurity measures for self-driving vehicles.