Last week Sen. Thune (R,SD) introduced S 1885, the American
Vision for Safer Transportation through Advancement of Revolutionary
Technologies (AV START) Act. As I mentioned in an earlier post, I am writing
this analysis based, not upon the official GPO version of the bill (not yet
released), but a committee draft because the bill will be marked
up in the Senate Commerce, Science, and Transportation Committee on Wednesday.
While this bill is, according to the Thune press release,
based upon the “bipartisan provisions from the SELF-DRIVE Act (H.R.
3388) [link added]”, it is actually a fairly comprehensive rewrite of the
provisions of that bill.
Definitions
The bill does not use many of the definitions provided in HR
3388, preferring instead to use technical definitions from the Society of
Automotive Engineers (SAE J3016A) for most of the automated vehicle
terminology. It does add some definitions {new §30108(a)} missing from the
House bill concerning cybersecurity. Those definitions are
based upon existing definitions in US law:
• ‘Cybersecurity incident’ – 6 USC 148(a)(3);
• ‘Cybersecurity risk’ – 6 USC 148(a)(1); and
• ‘Cybersecurity vulnerability’ – 6 USC 1501(17).
Actually, there is no term ‘cybersecurity vulnerability’ in §1501, the term used
there is ‘security vulnerability’. All three of these terms are based upon the IT-centric
security concern with the confidentiality, integrity, and availability of an
information system or its information. Section 1501(9) does, however,
specifically include control systems in its definition of ‘information system’.
Cybersecurity Provisions
Section 14 of the bill adds a new §30108 to 49 USC Chapter 301. This new
section specifically addresses cybersecurity
issues with automated vehicles. In addition to adding the definitions described
above, it requires each manufacturer to “develop, maintain, and execute a
written plan for identifying and reducing cybersecurity
risks [emphasis added] to the motor vehicle safety of such vehicles and systems”
{new §30108(b)(1)}. That plan would include a process to address {new §30108(b)(2)}:
• The risk-based prioritized
identification and protection of safety-critical vehicle control systems and
the broader transportation ecosystem, as applicable;
• The efficient detection and
response to potential vehicle cybersecurity
incidents [emphasis added] in the field;
• Facilitating expeditious recovery
from incidents as they occur;
• The institutionalization of
methods for the accelerated adoption of lessons learned across industry through
voluntary exchange of information pertaining to cybersecurity incidents, threats, and vulnerabilities [emphasis
added], including the consideration of a coordinated cybersecurity vulnerability
disclosure policy or other related practices for collaboration with third-party
cybersecurity researchers;
• The identification of the point
of contact of the manufacturer with responsibility for the management of
cybersecurity;
• The use of segmentation and
isolation techniques in vehicle architecture design, as appropriate; and
• Supporting voluntary efforts by
industry and standards-setting organizations to develop and identify consistent
standards and guidelines relating to vehicle cybersecurity, consistent, and to
the extent appropriate, with the cybersecurity risk management activities described
in section 15 USC 272(e).
Paragraph (c) broadly addresses the issue of coordinated
disclosure. It requires DOT “to incentivize manufacturers to voluntarily adopt
a coordinated vulnerability disclosure policy and practice in which a security
researcher privately discloses information related to a discovered vulnerability
to a manufacturer and allows the manufacturer time to confirm and remediate the
vulnerability”.
Moving Forward
As I mentioned earlier this bill is being marked up this
week. With the support of both Chairman Thune and the two Detroit (er… Michigan)
senators (Democrats Peters and Stabenow), I suspect that this bill will fly
through Committee with no significant opposition (and probably no amendments).
The question then will be, if the Senate leadership decides to take up
automated vehicle legislation this session (an open question), whether it will
move this bill or HR 3388 to the floor. I suspect that the House bill will be
considered and then this bill will be used as substitute language.
Commentary
First off, the cybersecurity provisions of this bill are
going to be affected by the existing cybersecurity definitions adopted by the
bill. Attacks on the vehicle control systems could cause death and destruction
without ever having any effect on “confidentiality, integrity, and availability
of an information system”. The sooner politicians begin to realize that
information systems and operations systems are inherently different and require
different security approaches the better.
In an earlier
blog post on a port cybersecurity bill, I attempted to provide a useful
series of definitions that could be used to address both information security
and control system security in instances where both could be considered at
risk. I included the existing definition of ‘information system’ and provided a
very broad definition for ‘control system’. Then I provided the following
definition of ‘cybersecurity risk’:
The term ‘cybersecurity risk’ means:
(A) threats to, and
vulnerabilities of, information, information systems, or control systems and
any related consequences caused by or resulting from unauthorized access, use,
disclosure, degradation, disruption, modification, or destruction of such
information, information systems, or control systems, including such related
consequences caused by an act of terrorism; and
(B) does not include any action
that solely involves a violation of a consumer term of service or a consumer
licensing agreement;
The next problem with this bill is that it only requires DOT
to provide incentives for manufacturers to establish a coordinated disclosure
policy. This is in keeping with the Republican abhorrence of regulations, but it
is demonstrably ineffective in this instance. Without an outside referee
between the security researcher and the manufacturer there is nothing to stop
manufacturers from attempting to quash any inconvenient vulnerability
disclosure. This is especially true with automotive manufacturers who have
already attempted to stop automotive hobbyists from hacking their cars’ control
systems to improve or modify performance.
The bill should have established the National Highway
Transportation Safety Administration (NHTSA) as the clearing house for
reporting automotive cybersecurity vulnerabilities. This easily could have been
incorporated in the existing safety defects reporting systems under 49
USC 30118. Security researchers could then have been required to report
vulnerabilities to NHTSA, who would then investigate/coordinate with the
manufacturer to ensure that the vulnerabilities are corrected.
Finally, the bill is missing the ultimate measure to protect
the cybersecurity of automated vehicles. There are no provisions that
specifically make it a crime to hack a motor vehicle control system in a manner
that jeopardizes the life or safety of the vehicle occupants, endangers people
outside of the affected vehicle, or damages property.