Administration officials and a senior Democratic senator renewed calls Thursday for new security standards to protect drivers, as cars become increasingly connected with the advent of the Internet of Things.
At the “Connected Cars USA” conference in Washington, D.C. Thursday, Sen. Ed Markey, D-Mass., touted his legislation establishing cybersecurity and privacy standards for connected cars. Markey introduced a bill last July that would require federal regulators to set rules for how carmakers restrict unauthorized access to their vehicles’ controls and the driving data stored within them, and he implored lawmakers and industry representatives to unite behind his effort.
“Drivers shouldn’t have to choose between being connected and being protected,” Markey said. “We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe.”
Terrell McSweeny, commissioner of the Federal Trade Commission, agreed that there’s a real need for those sorts of regulations, given the effective dearth of consumer knowledge about how vehicles are changing.
“Everybody in the industry, and policymakers and senators, need to be thinking about it,” McSweeny said. “As we start driving computers instead of machines, what’re the expectations around those?”
Transportation Secretary Anthony Foxx added that he’s actively “asking lawmakers for more regulatory interpretation requests” in this area, as the National Highway Traffic Safety Administration works to develop vehicle safety standards for automated vehicles in the coming months.
But Markey believes that federal legislation is the surest step toward codifying concrete standards for cybersecurity and privacy. While he noted that many automakers have already taken steps to establish their own, voluntary standards in those areas, he added that “these are not the kind of enforceable rules of road that we need to protect driver privacy and safety.”
Markey feels that the threat of hackers surreptitiously seizing control of vehicles is already evident, as demonstrated by Chrysler’s recall of 1.4 million vehicles in July due to security concerns, and he only sees the area becoming more important in the coming years.
“Thieves no longer need a crowbar to break into your car, they just need an iPhone,” Markey said. “They can do much worse than open the door. It’s possible for wireless hackers to control the steering and acceleration and even cut the breaks.”
But he also warned that protecting drivers’ data is equally important. He notes that many automakers already store “sensitive” data on the vehicles themselves, such as the car’s current location and past driving history, and they fail to communicate how they subsequently share that information.
“Driver should not simply hand it over to automakers, insurance companies or third-party data brokers without their knowledge or consent,” Markey said.
Accordingly, his bill would instruct the NHTSA and FTC to issue regulations in these areas, akin to the standards that currently exist for crash safety or fuel economy. Markey hopes this would lead to the creation of a sort of “cyber dashboard” that would let consumers “comparison shop” among connected vehicles to find the most secure option available, encouraging automakers to go beyond minimum federal standards.
But with Markey’s bill unlikely to find favor in a GOP-controlled Congress generally hostile to more regulation, McSweeny sees room for the auto industry to act on its own to start addressing these concerns, without waiting for legislators.
“I think the industry really does need to benefit from crowdsourcing around security in order to make sure that it stays ahead of cyber threats,” McSweeny said.
She cautioned that automakers shouldn’t look to encryption as a silver bullet to solve these security conundrums, as she warns that it could create an array of unintended consequences.
“All the technical experts will tell you that there’s no way to undertake that kind of project without creating vulnerabilities,” McSweeny said. “Unfortunately when you create vulnerabilities, especially with connected cars, you create huge public safety issues, along with the security of the information that’s being collected, so I would think very carefully about the cost associated with creating vulnerabilities and having backdoors.”
Regardless of how automakers end up handling the question of security, Markey hopes to see action sooner rather than later.
“Innovation is at the heart of this new era of the Internet of Things, and if we can make the driverless car a reality, then we must commit unequivocally to its safety,” Markey said.