On June 14, 2017, the US Senate Committee on Commerce, Science, and Transportation convened a hearing titled "Paving the Way for Self-Driving Vehicles." During the nearly 2.5-hour session, senators and expert witnesses discussed a wide range of topics regarding autonomous vehicles, including insurance, access for the disabled, and the impact on safety and drunk driving. The hearing consisted of several polite exchanges of ideas and plans, until Senator Ed Markey pressed the witnesses for their thoughts on mandatory federal cyber security regulations for the automotive industry.
The witnesses and Sen. Markey all agreed that the expectation is that cars shouldn't be hacked, but views diverged on the questions of whether cyber security protections should be voluntary standards or mandatory regulations.
The witnesses, including the Presidents of the Alliance of Automobile Manufacturers and the American Center for Mobility, were all in strong agreement that they fear mandatory regulations on cyber security would be obsolete quickly, resulting in cars being less secure than if car makers were just given guidelines.
Senator Markey dismissed that concern, concluding that "we need dynamic mandatory guidelines." Markey remarked that the car makers' history predicts problems with voluntary cyber security guidelines. He cited the roll-out of safety items (seatbelts, airbags, etc.), noting that good companies added safety features on their own while the bad ones lagged behind and caused a lot of damage until the features became mandatory.
Which side is correct? Would mandatory regulations stifle innovation and force automakers to focus on outdated attacks while remaining vulnerable to the newest threats? Or would voluntary guidelines lead to widespread hacks, needless loss of life, and an erosion of public trust in autonomous vehicles and of all the other benefits they could bring to society?
I think there is enough historical evidence supporting each side to say that the truth is likely in between. A good compromise may be to require some fundamental security building blocks that don't lock manufacturers into specific technologies. These mandatory items should minimally include:
- Over-the-Air Updates for both software and firmware.
It is impossible to catch every vulnerability and protect against every threat at the time of manufacture. It is also not realistic to expect that every car will be brought in for servicing on a regular basis so that patches can be deployed. OTA updates are the only sure-fire way to make sure that every car runs software that is as up to date as possible.
- Data/Event logger.
You'll often hear people say that there has never been a cyber security event on a car, outside of a white hat research project. However, without a data logger on ALL connected vehicles that allows security and auditing personnel to review and identify suspicious activities, nobody really knows this for certain.
- Encrypted data (at rest and in motion).
Despite everyone's best efforts, data will undoubtedly be obtained from cars by hackers. The IT world hasn't prevented every data breach after decades of effort, so it is not reasonable to assume car makers will do much better. However, by requiring encryption at every stage, the government can reduce the damage caused by breaches. Of course, there are ways around cryptography, but having encrypted data is a good first step.
- Fix vulnerabilities and deploy patches in a timely fashion.
There have been numerous stories of companies knowing about vulnerabilities but not addressing them in a timely manner. With IT companies, this lack of urgency can lead to loss of credit card numbers and other personally identifiable information. With cars, the failure to fix a vulnerability could potentially lead to injury or even death. This requirement would be the trickiest to define, as the time it takes to fix a bug will vary drastically depending on the complexity of the code and the number of development teams involved. Having some type of requirement, though, could reduce the chances of a car maker ignoring a potential threat due to cost or time pressures.
These recommendations will in no way prevent all potential cyber security threats on automobiles -- no set of recommendations could. However, by coupling these fundamental requirements with a comprehensive set of voluntary guidelines, the automotive industry would advance its current cyber security posture immensely. Car makers must be willing to learn from the IT world's years of experience in cyber security and not start from square one.
One of the witnesses, Rob Csongor, VP and GM of Automotive Business at NVIDIA Corp., summed things up well when he said, "This is not the world's first computer. I believe that there is a lot of knowledge on cyber security. It just needs to be applied to cars."