The road to our connected future may be paved with good intentions, but it may not be secure enough to drive on.
As reporter Andy Greenberg recently detailed in Wired, hackers were able to remotely disable a Jeep while he was driving it. In a country where car ownership and the freedom of the open road are closely tied to individual and national identity, losing control over any vehicle you're driving is a nightmarish scenario. Connecting more devices and vehicles to the Internet has immense economic potential but carries both security and privacy risks. The number of ways cars and trucks can be hacked has grown quickly, as automakers roll out new vehicles more screens and navigation, entertainment and communications systems in response to consumer demand.
Concern about the lack of security in vehicles led Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) to introduce on Tuesday the Security and Privacy in Your Car Act, or the "SPY Act," which would require automobile manufacturers to build IT security standards into connected cars.
Critical navigation systems would need to be isolated from these access points, reducing the possibility of remote operation that the Wired reporter experienced. The SPY Act also would require connected vehicles to have technology that could "detect, report and stop hacking attempts in real-time."
The act is a concrete follow-up to a report that Markey's office published in June detailing the security and privacy gaps it found in vehicle IT systems.
“Drivers shouldn’t have to choose between being connected and being protected,” Markey said in a statement. “We need clear rules of the road that protect cars from hackers and American families from data trackers.”
The bill would also require the FTC and NHTSA to develop privacy standards for the data collection in automobiles. Automakers would need to be more transparent about how driving data is being gathered, transmitted, stored or used. Consumers would gain the ability to opt out of the collection or storage of such data without losing access to navigational capabilities "when technically feasible," except where such data collection is relevant to safety or regulatory systems. The SPY Act would also prevent driving data from being used for advertising or marketing, unless the car owner opted in.
"Ride data includes where do you go for ice cream, or take your kids to school, or shopping," said Blumenthal. "That information could be bought and sold on the market. There has to be stronger safety standards, with the FTC safeguarding privacy."
Those standards would come into force two years after a public rule-making, however, which means the auto industry wouldn't face binding standards until 2018. It's not going to sit still in the meantime.
On Tuesday, an alliance of 12 major carmakers announced that they have formed an "information sharing and analysis center" that would begin exchanging data about emerging threats later this year. The center would "more effectively counter cyber threats in real time and further enhance the industry’s on-going efforts to safeguard vehicle electronic systems and networks," according to a statement by Robert Strassburger, the vice president for vehicle safety at the Alliance of Automobile Manufacturers.
While data sharing may help, it's not the same as building security or privacy in by design. I Am the Cavalry, an IT security industry group that advocates for protecting connected medical devices, cars, homes and public infrastructure, has been pushing automakers to adopt better security standards on their own, Wired reported.
It's more than likely that vehicle manufacturers and their allies in Congress will resist making such standards mandatory, or use more subtle approaches to prevent them from coming into force. For instance, if a massive transportation bill included provisions that removed the ability of NHTSA to regulate software and network connectivity in vehicles, it would significantly undermine the power of the federal government to standardize connected cars.
If that happened, it would be more than a little regressive. In response to safety concerns raised in Ralph Nader's Unsafe at Any Speed and determined consumer advocacy, Congress passed the Highway Safety Act and the National Traffic and Motor Vehicle Safety Act in 1966 -- facing auto industry resistance but paving the way for the federal government to create and regulate safety standards for motor vehicles and roads.
Cars in the United States were subsequently manufactured with headrests, shatter-resistant windshields and mandatory seat belts. Consumers driving connected cars are now facing new kinds of safety and security risks. Although there are no ready digital analogues to a seat belt or an air bag, it's safe to say that any hacking incidents on the highways are going to lead more of us to ask for better protections.
"If there are accidents, then there will be hearings," said Blumenthal. "The way to look at this issue is like safety with air bags or car seats. At first, there was industry pushback, with the costs cited as to high. Consumers wouldn't understand or use them. Then, magically, movement happens."
This article has been updated to include Blumenthal's comments.