Last month Rep. Wilson (R,SC) introduced HR 701, the Security
and Privacy in Your (SPY) Car Study Act of 2017. The bill would require DOT's
National Highway Traffic Safety Administration (NHTSA) to conduct a study
to determine appropriate standards for the regulation of the cybersecurity of
motor vehicles.
The Study
The study would be required to address {§2(a)}:
• The isolation measures that are necessary to separate critical software systems from other software systems;
• The measures that are necessary to detect and prevent or minimize in the software systems of motor vehicles anomalous codes associated with malicious behavior;
• The techniques that are necessary to detect and prevent, discourage, or mitigate intrusions into the software systems of motor vehicles and other cybersecurity risks in motor vehicles, such as continuous penetration testing and on-demand risk assessments;
• Best practices to secure driving data collected by the electronic systems of motor vehicles;
• A timeline for implementing systems and software that reflect the measures, techniques, and best practices identified.
The bill requires a report to Congress within one year of
enactment. Presumably Congress would then take whatever action it deemed
necessary to pass legislation requiring implementation of the recommended program.
Moving Forward
Neither Wilson nor his co-sponsor {Rep. Lieu (D,CA)} is a
member of the House Energy and Commerce Committee, the committee to which this
bill was referred for consideration. This means that the bill is unlikely to be
considered by that Committee.
There is nothing in the bill that would draw the substantial ire
of any group. Since the bill only requires a study (with no spending authorized to support
that study), and thus serves mainly to pass the buck to a future Congress, it
would likely be adopted in committee if it were considered and would subsequently pass
if it made it to the floor of the House.
Commentary
The first major problem with this bill is that it fails to
include the DHS ICS-CERT in the list of organizations with which NHTSA is
required to consult in the conduct of the study. In fact, there is no mention
of DHS, the agency designated by Congress to be responsible for cybersecurity
matters, in the bill. This was almost certainly done to avoid the inevitable
inter-committee conflicts that affect most homeland security legislation.
The major technical issue with this bill (other than the
misuse of technical terminology; ‘continuous penetration
testing’ is not a recognized practice) is that it completely fails to address the communications interfaces that
are the entry point for nearly every vehicle cyber threat. The current existence of in-car
Wi-Fi nodes and the imminent impact of vehicle-to-vehicle and
vehicle-to-infrastructure communications systems cannot be overlooked in any
study of automotive cybersecurity issues.
Finally, the bill overlooks the role of the independent security
researcher in the identification of cybersecurity vulnerabilities. Any
cybersecurity study that fails to examine the relationships between such
researchers, vendors and regulators is missing an important component of identifying
and fixing cybersecurity vulnerabilities.
1 comment:
I would also add that a flaw in the comprehensiveness of this bill would be that the study should also include a recommendation as to what information is allowed to be captured external to the vehicle. The study should classify data/information types by sensitivity and data owner, and define by what means of transmission it will be shared. The study may also recommend an interface method that will allow the user/consumer the ability to understand, choose and/or limit the sharing (and to whom) of any or all information as seen fit.