by Associate Christopher Achatz and Summer Associate Ashlee Difuntorum
In the next five years we will see more and more self-driving vehicles, or autonomous vehicles, hit the market. An “autonomous vehicle” is a vehicle capable of navigating roadways and interpreting traffic-control devices without a driver actively operating any of the vehicle’s control systems. Although self-driving vehicles have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel, concerns remain that could delay widespread adoption. Of particular concern are data privacy and security risks. This article addresses the cybersecurity issues of self-driving vehicles. We have also published an article discussing privacy issues of self-driving vehicles, which can be found here.
The numerous points of entry into a self-driving vehicle’s computer system give clever thieves and cyber terrorists multiple opportunities to take control of vehicles. For example, in 2010, one man in Austin, Texas triggered horns and disabled the ignition systems in more than 100 non-autonomous vehicles by hacking into an auto dealer’s computer system.1 Additionally, in 2015, two cybersecurity researches hacked into a vehicle’s internal network and paralyzed it on a highway.2 While hackers like these can control non-autonomous vehicles through entry points like internal network systems, entertainment systems, hand-free cell-phone operations, and satellite radio, self-driving vehicles are even more vulnerable to attacks, because they have all of those entry points plus many more.
The automotive industry has addressed the issue of cybersecurity of self-driving vehicles by creating a series of Automotive Cybersecurity Best Practices (“Automotive Best Practices”).3 The Automotive Information Sharing and Analysis Center (“Auto-ISAC”) issued the Automotive Best Practices, which guide how individual companies can implement the previously released “Enhance Automotive Cybersecurity” Principle. The Automotive Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response training, and collaboration with appropriate third parties. In effect, the Automotive Best Practices prompt participating members to enhance the security of self-driving vehicles by managing cybersecurity at the product level. The Automotive Best Practices are listed below.
In addition to the automotive industry, the federal government has also issued non-binding guidance to the motor vehicle industry for improving cybersecurity issues of autonomous vehicles. Specifically, in an effort to reduce the probability of a successful cybersecurity attack, the National Highway Traffic Safety Administration (“NHTSA”) issued cybersecurity best practices that promote a layered approach to vehicle cybersecurity (“NHTSA Best Practices”).4 For example, the NHTSA’s guidelines suggest that the automotive industry creates a culture of leadership where they can handle increasing cybersecurity challenges, mechanisms for information sharing, a documented process for responding to incidents, and more. Furthermore, the NHTSA has warned that if the industry does not follow the guidelines, cybersecurity vulnerabilities will likely occur, and that such vulnerabilities may be considered safety defects compelling a recall.5 The NHTSA Best Practices have been listed below.
The estimated amount of years until hackers will only need a laptop and code to control self-driving vehicles.6
The number of vehicles NHTSA’s enforcement authority recalled in July 2015 due to cybersecurity vulnerabilities.7
The number of states to date that have introduced and passed legislation relating to self-driving vehicles.8
The percentage of fatalities on U.S. roads in 2014 that were caused by human error or faulty decision-making.9
1. Wired, Hacker Disables More Than 100 Cars Remotely (Mar. 17, 2010), https://www.wired.com/2010/03/hacker-bricks-cars/.
2. Wired, The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse (Aug. 1, 2016), https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/.
3. Automotive Information Sharing and Analysis Center, Automotive Cybersecurity Best Practices Executive Summary (July 21, 2016), https://www.automotiveisac.com/best-practices/.
4. National Highway Traffic Safety Administration, Cybersecurity Best Practices for Modern Vehicles (Oct. 2016), https://www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf.
5. Federal Register, Request for Public Comments on NHTSA Enforcement Guidance Bulletin 2016-02: Safety-Related Defects and Emerging Automotive Technologies (April 1, 2016), https://www.federal register.gov/documents/2016/04/01/2016-07353/request-for-public-comments-on-nhtsa-enforcement-guidance-bulletin-2016-02-safety-related-defects.
6. New York Times, Why Car Companies Are Hiring Computer Security Experts (June 7, 2017), https://www.nytimes.com/2017/06/07/technology/why-car-companies-are-hiring-computer-security-experts.html?mcubz=1.
7. National Highway Traffic Safety Administration, Cybersecurity Best Practices for Modern Vehicles (Oct. 2016), https://www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf..
8. National Conference of State Legislatures, Autonomous Vehicles: Self-Driving Vehicles Enacted Legislation (June 26, 2017), http://www.ncsl.org/research/transportation/autonomous-vehicles-self-driving-vehicles-enacted-legislation.aspx.
9. ABA Section of Administrative Law, The Fast Lane: Autonomous Vehicles and the Liability Landscape (Spring 2016, https://www.americanbar.org/content/dam/aba/publications/administrative_regulatory_law_newsletters/tq_spring_ 2016. authcheckdam.pdf.