Cybersecurity push may tie up autonomous-car legislation

WASHINGTON — Consensus is growing on the need for national legislation to govern autonomous-vehicle development, but cybersecurity protection for connected vehicles looms as a potential area of conflict.

High-profile Democrats on the Senate Commerce Committee are pushing for mandatory federal standards to defend against hackers taking control of vehicles or interrupting wireless communications and deliberately causing accidents.

Automakers say they share the objective of keeping malware out of self-driving vehicles but need a more flexible approach to deal with the risk.

"We think the best way to realize your objective is to have a dynamic approach," Mitch Bainwol, president of the Alliance of Automotive Manufacturers, testified at a Commerce Committee hearing this month. "Our fear is that standards would become obsolete very quickly."

Millions of vehicles on the road today are already vulnerable to hacks by virtue of their connectivity technology, but the huge number of interconnected components in autonomous vehicles could offer bad actors many more opportunities to infiltrate driving systems. Self-piloting cars will wirelessly exchange information among themselves, with cloud-based computers and with public infrastructure, such as traffic lights, to sense their environment and determine how to navigate.

"Once a vehicle connects to the Internet, it is hackable," Yoni Heilbronn, chief marketing officer for Argus Cyber Security in Israel, said in a phone interview. "A vehicle has multiple penetration vectors, with 100 million lines of software code and an average of 10,000 known software bugs in it when it rolls out of Detroit or Stuttgart."

An additional concern is that cybercriminals may try to penetrate a vehicle system to steal personal information or determine a driver's location, technology experts say.

Cybersecurity was one of the principles for autonomous vehicle legislation announced two weeks ago by Commerce Committee leaders, who said protections must be an integral feature of self-driving vehicles from the inception of development. A comprehensive bill is expected to be introduced this summer.

Last fall, the National Highway Traffic Safety Administration released voluntary recommendations for developers to focus on during the design process, such as secure development practices, information sharing, disclosure of vulnerabilities, incident response and self-auditing.

During the hearing this month, John Maddox, president of the American Center for Mobility, a federally designated autonomous vehicle proving ground in Ypsilanti, Mich., said voluntary industry standards would likely be more effective at keeping up with rapidly changing risks than a federal standard.

Sen. Edward Markey, D-Mass., made clear during the hearing he doesn't see a middle ground when it comes to cyberdefense for autonomous vehicles.

"We should not have to choose between being connected and being protected," he said, adding the federal standard should be dynamic and keep being raised.

In March, Markey and Sen. Richard Blumenthal, D-Conn., reintroduced the Security and Privacy in Your Car Act to establish federal standards for securing cars, protecting driver privacy and instituting a rating system that informs consumers about how well the vehicle protects drivers beyond those minimum standards. The bill would require technology to be engineered into the design, allowing the vehicle to detect, report and thwart attempts to intercept driving data or control the vehicle itself.

Markey challenged Bainwol and Maddox over voluntary standards, saying strict rules are needed to account for industry laggards.

"History shows that with airbags and with seat belts, unless there's a mandate it's just not [happening]," Markey said. "Unfortunately, the industry moves slowly. The best players move voluntarily, the worst players don't. And the worst players are the ones that cause all the damage out on the highways."

"You can't just leave it up to any one manufacturer to do it," Markey added. "You need to have every one of the players accepting that as a responsibility. Otherwise the streets won't be safer. These vehicles will be hacked."

To highlight that risk, the senator cited the pair of "white hat" hackers who were able to remotely take control of a Jeep Cherokee by exploiting a software flaw and shut down its engine on the highway. The 2015 incident led Fiat Chrysler to recall 1.4 million vehicles.

A better approach, according to the Eno Center for Transportation, is to combine voluntary standards with limited liability requirements for automakers in the event of an accident caused by a security breach.

"This should help provide that a minimum standard is met and that the tech firms self-police," the think tank said in an autonomous-vehicle action plan for governments published in May. "As new updates to software become available, manufacturers should be allowed to update over the air or require vehicles to be serviced immediately for safety concerns, or they could disable the semi- or fully automated features until the consumer updates or fixes the vehicle."

Automakers contend they already take cybersecurity seriously, pointing to the January 2016 establishment of an Information Sharing and Analysis Center for the auto industry, where cybersecurity experts run simulations against hypothetical threats and serve as a clearinghouse for threat information, as well as security best practices.