Earlier this month, Rep. Wilson (R,SC) introduced HR 3994,
the Security and Privacy in Your (SPY) Car Study Act of 2015. The bill
would require the Administrator of the National Highway Traffic Safety
Administration (NHTSA) to report to Congress on potential cybersecurity
standards for automobiles made and/or sold in the United States.
A Study and Report to Congress
Section 2(a) of the bill would require the NHTSA Administrator
to conduct a study “to determine appropriate standards for the regulation of
the cybersecurity of motor vehicles manufactured or imported for sale in the
United States that should be adopted by the Administration and any other
appropriate Federal agencies”. The study would be conducted in consultation
with:
• The Federal Trade Commission;
• The Director of the National Institute of Standards and Technology;
• The Secretary of Defense;
• The Automotive Information Sharing and Analysis Center;
• SAE International;
• Manufacturers of motor vehicles and original motor vehicle equipment; and
• Relevant academic institutions.
The study would be designed to identify:
• The isolation measures that are necessary to separate critical software systems from other software systems;
• The measures that are necessary to detect and prevent or minimize the effects of anomalous code associated with malicious behavior;
• The techniques that are necessary to detect and prevent, discourage, or mitigate intrusions into the software systems of motor vehicles and other cybersecurity risks in motor vehicles; and
• Best practices to secure driving data collected by the electronic systems of motor vehicles while such data are stored onboard the vehicle, in transit from the vehicle to another location, and in off-vehicle storage.
Interestingly, the term ‘critical software system’ is
specifically defined in the bill. It describes “a software system of a motor
vehicle that can affect the driver’s control of the movement of the vehicle” {§2(c)(2)}. Driving data
is also defined to include vehicle status information and personal information
about the owner, driver or passengers.
NHTSA would have one year to complete the study and then six
months more to present a report to Congress about the results of the study. The
report to Congress would be unclassified and would include recommendations for “any
legislation that may be necessary to authorize the adoption of such standards
[recommended in the study]” {§2(b)(2)}.
Moving Forward
Neither Wilson nor his cosponsor {Rep. Lieu (D,CA)} is a
member of the House Energy and Commerce Committee, to which this bill was
referred. Thus it is unlikely that there is the political pull to get this bill
considered by the Committee. If the bill were to make it to the floor, it would
likely pass since it just requires a study and report. The automotive industry
would almost certainly object to any regulation of automotive cybersecurity,
but would probably hold off opposing the bill since they would be able to
influence the results of the study.
Commentary
I certainly can’t fault Wilson for trying to get a group of
experts to determine what cybersecurity regulations might be necessary to
ensure that automotive control systems are reasonably safe from cyber-attacks.
And I agree that NHTSA, the government agency responsible for automotive
safety, should probably be the agency to regulate that security; the
Transportation Security Administration certainly is not a viable alternative.
Having said that, I do think that there is a DHS agency that should be included
in the study effort and that is ICS-CERT. They have the most knowledge of
control systems within the government.
There are two agencies that I’m not sure that I agree should
have anything to do with this study: the FTC and the DOD. The FTC’s
cybersecurity knowledge is pretty limited and certainly does not include
control systems. While they do have some regulatory experience, NHTSA already
has a great deal of experience in dealing with automotive safety regulations.
DOD certainly is developing cybersecurity expertise, but little of it has to do
with protecting control systems. They certainly do not have the level of
expertise in that arena that the ICS-CERT would have.
I’ll give Wilson’s staff credit for addressing the main
areas of interest with automotive control systems, but some of their attempts
at ‘technical language’ should not have been attempted. In §2(a)(2), for instance,
they attempt to describe preventing hacking as “prevent or minimize in the
software systems of motor vehicles anomalous codes associated with malicious
behavior”; close but not quite there.
Then in §2(a)(2) in describing potential security techniques they
suggest “continuous penetration testing and on-demand risk assessments”.
Congress should leave as much of the technical language as possible to the
folks in the Executive Branch that actually work with the technology.
Two things are missing from the study and report
requirements. First is a failure to address how cybersecurity deficiencies
interface with the current recall process, including a definition of how
software updates fit into that process. Second is the failure to establish
software/firmware vulnerability disclosures, including allowing legitimate
security researchers to legally test automotive cybersecurity systems without
falling afoul of the Digital Millennium Copyright Act (DMCA). Both of these
will have to be addressed in any
legislation authorizing regulation of automotive cybersecurity.