The U.S. government’s latest efforts to protect internet-connected cars and their passengers from hackers is being criticized by two senators who say the new voluntary guidelines don’t go nearly far enough.
The National Highway Traffic Safety Administration released voluntary best practices on cybersecurity for automakers Monday, pressing manufacturers to make the issue a top priority so that drivers are not at risk from hackers. The guidelines encourage well documented penetration testing, encryption on all communication between the car and manufacturer, and limited access to Engine Control Units. Several major American automakers have already signed on in support.
However, the new guidelines are far too loose, according to Sens. Ed Markey, D-Mass, and Richard Blumenthal, D-Conn., who first released a study criticizing flawed automobile cybersecurity in 2015.
The new debate flared up just days after massive denial-of-service attacks hit American targets on Friday, focusing an intense new spotlight on cybersecurity issues surrounding the Internet of Things. Like televisions and refrigerators, cars are relatively newly connected devices that have exhibited significant vulnerabilities to hackers. The difference, of course, is that a hacked car is a bit more dangerous than a hacked fridge.
Markey and Blumenthal are behind the Security and Privacy in Your Car, or SPY Car, Act designed to establish firm federal standards for security and privacy in vehicles.
“This new cybersecurity guidance from the Department of Transportation is like giving a take-home exam on the honor code to failing students,” Sens. Markey and Blumenthal wrote in a joint statement.
“If modern day cars are computers on wheels, we need mandatory standards, not voluntary guidance, to ensure that our vehicles cannot be hacked and lives and information put in danger,” they wrote. “In this new Internet of Things era, we cannot let safety, cybersecurity, and privacy be an afterthought. We must pass our legislation, the SPY Car Act, that puts the protections in place to ensure auto safety and security in the 21st century.”
In addition to security against hackers, the SPY Car Act aims to protect consumer privacy from data trackers. The proposed legislation mandates transparency on how car owners’ data is collected, transmitted, kept and used. The bill demands the ability for consumers to opt out of such data tracking and prohibits the use of personal driving information in advertising unless the consumer opts in.
The bill also establishes a “cyber dashboard” showing consumers how their cars perform on security and privacy beyond minimum standards.
The NHTSA’s voluntary guidelines are the result of a nearly year-long process that began in January with a 300-person “cybersecurity roundtable” including manufacturers, government entities and industry associations.
NHTSA has pushed for automaker cybersecurity standards since they published a 2015 report for Congress on the subject.
Car hacking has become a high-profile affair in recent years. Hackers exposed flaws Jeep Cherokees and Tesla vehicles in 2015, resulting in new attention on the topic. Chrysler recalled 1.4 million vehicles as a result.