Congress wants to know more about how federal regulators and major car manufacturers plan to protect drivers from automotive cyber attacks.
Lawmakers from the House Committee on Energy and Commerce wrote letters to 17 automakers and the National Highway Traffic Safety Administration on Thursday, asking each about their readiness to thwart car hackers.
“The explosion of new, connected devices and services is exacerbating existing cyber-security challenges and has introduced another potential consequence – the threat of physical harm,” the committee wrote.
After a slow start, auto industry executives have taken steps in recent years to secure vulnerable parts of their vehicles. But as the number of connected cars on the road mushrooms and development of vehicle-to-infrastructure communication progresses, threats are multiplying as quickly as automakers can address concerns.
Written questions from the subcommittee members hint at the scope of the challenge. Vulnerabilities exist in the smartphones drivers bring into cars, in third-party diagnostic devices plugged into OBD-II ports, in the automotive supply chain, in over-the-air software updates, and elsewhere. Lawmakers seem to acknowledge the enormity of the potential pitfalls, writing to NHTSA that “threats and vulnerabilities in vehicle systems may be inevitable.” But the committee wants to know how industry leaders and regulators intend to keep pace with the concerns.
This isn’t the first Congressional foray into the automotive cyber-security realm. US Senator Ed Markey (D-Massachusetts) proposed legislation in February that would compel automakers to fix security holes and strengthen privacy protection for driving data.
In the House, cyber security and privacy concerns have piqued the interest of the Energy and Commerce subcommittee on Oversight and Investigations, which held a hearing on the impact of the Internet of Things on the health-care industry several weeks ago. With an influx of connected systems in vehicles making news and privacy concerns surfacing, leaders say there is bipartisan interest in automotive cyber security.
NHTSA established an office of about a dozen employees to handle cyber-security concerns about three years ago, and late last year, the agency compiled a 40-page report on best practices in the industry for dealing with cyber threats.
But some of the more interesting questions the House has for automakers aren’t as much about internal procedures as they are external relations.
One of those questions is how both NHTSA and major OEMs interact with third-party security researchers. This is a timely point, because industry leaders are currently seeking to block cyber researchers from accessing their vehicles by fighting a proposed exemption in copyright law that would ensure continued outside analysis.
Security experts told a US Copyright Office panel last week their research in this fledgling field has been hindered because they feared prosecution for possible violations of the Digital Millennium Copyright Act.
In today’s letter, Congressional leaders ask how NHTSA coordinates with the research community. If it’s not yet doing so, the letter asks NHTSA administrator Mark Rosekind to “please explain why not.”
Another area where the lawmakers have shown interest is in how car companies are using over-the-air updates to patch security flaws, and whether NHTSA has evaluated those efforts. Other than Tesla, many OEMs have been tight-lipped about their use of over-the-air updates to fix existing security concerns.
Wireless software updates hold great promise, in that cars could be updated with stronger security measures without mechanics needing physical access to provide the latest updates. BMW showcased this earlier this year, when it provided over-the-air security updates to 2.2 million cars that outside researchers had determined were vulnerable to remote hacks.
But these over-the-air updates also are potentially perilous – should a malicious attacker infiltrate them, they could allow millions of cars to be exploited in a single instance.
The letters ask NHTSA and automakers to respond to those questions and others by June 11.