Cybersecurity for the Self-Driving Vehicle

October 11, 2017

Industry is firing on all cylinders to develop highly automated vehicles, including cars that will drive themselves.  Partial driving automation such as lane centering, adaptive cruise control, highway assist, and park assist technology is already available to consumers.  And fully automated, self-driving vehicles—which manufacturers are testing on public roads in Arizona, California, Michigan, Pennsylvania, Texas, and Washington—are expected to come to market by 2025 or sooner.  For consumers, this means fewer traffic-related injuries and deaths, increased efficiency and convenience, and new mobility opportunities for the disabled and elderly.  As explained below, cybersecurity in automated cars is high on policy-makers’ minds.  As they consider how to promote industry security work, they should consider incentives and preserve flexibility.

Advancements in self-driving vehicle technology have captured Congress’s attention, and lawmakers are poised to pass legislation intended to ease barriers to testing and deployment of self-driving vehicles.  Both the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act (SELF DRIVE Act) (H.R.3388), which the House passed in September, and the American Vision for Safer Transportation Through Advancement of Revolutionary Technologies (AV START Act) (S.1885), which has advanced to the Senate floor for consideration, would exempt automakers from certain federal safety standards, as well as pre-empt state laws on self-driving vehicles—saving manufacturers from having to navigate a patchwork of regulations that could delay autonomous vehicle testing and deployment. 

The SELF DRIVE Act and AV START Act would also require manufacturers to consider cybersecurity in the development of self-driving vehicles.  Under the SELF DRIVE Act, manufacturers would be required to have a written cybersecurity policy containing a process for “identifying, assessing, and mitigating reasonably foreseeable vulnerabilities” and a process for “taking preventative and corrective action to mitigate against vulnerabilities.”  The AV START Act, in addition to a cybersecurity plan, would require manufacturers to submit a safety evaluation report to the Department of Transportation describing how the manufacturer is minimizing cybersecurity risks and sharing vulnerability information discovered through field incidents, internal testing, or external security research.  Both bills would also require manufacturers to identify a point of contact responsible for cybersecurity management.          

Outside of Capitol Hill, the Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) recently released new federal guidance for automated vehicles: Automated Driving Systems 2.0—A Vision for SafetyWith respect to cybersecurity, NHTSA encourages the automotive industry to:

  • Implement voluntary guidance, best practices, and design principles published by the Alliance of Automobile Manufacturers, the Automotive Information Sharing and Analysis Center (Auto-ISAC), the National Institute of Standards and Technology (NIST), NHTSA, SAE International, and other relevant organizations;
  • Conduct systematic and ongoing vehicle safety risk assessments;
  • Document how they incorporate vehicle cybersecurity considerations;
  • Share vulnerability information with other automakers and report cyber threats, vulnerabilities, and incidents to the Auto-ISAC;
  • Establish cyber incident response plans; and
  • Adopt a vulnerability reporting and disclosure policy.

NHTSA’s guidance replaces the agency’s 2016 Federal Automated Vehicle Policy.  Public comment on the updated policy framework is due November 14, 2017. 

Cybersecurity is at the forefront of the conversation on self-driving vehicles.  Enhancing cybersecurity will be critically important to the success and safety of self-driving vehicles.  However, policymakers must be careful not to impede progress with unnecessary or unintended barriers to innovation, such as one-size-fits all policies or technical mandates that become outdated quickly.  Some vulnerability disclosure programs, for example, can be complex and require companies to waive legal rights, inviting further hacking and intrusions.  Information sharing initiatives—without adequate liability protections—present legal and practical challenges as well, because companies are rightly concerned about dissemination of sensitive and proprietary information.  Government should proceed with caution, creating incentives for the private sector to be proactive, and ensuring that industry has the flexibility needed to adopt effective, risk-based cybersecurity measures for self-driving vehicles. 

Wiley Connect

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek