Last month Sen. Markey (D,MA) introduced S 680, the Security
and Privacy in Your Car (SPY Car) Act of 2017. The bill is essentially
identical to S
1806 that was introduced in the 114th Congress. That earlier
bill saw no action.
Moving Forward
Markey is a member of the Senate Commerce, Science, and
Transportation Committee to which this bill was assigned for consideration.
This means that it is possible that he may have the political influence necessary
to have the Committee consider the bill.
The multiple requirements for new regulations included in
the bill, however, make it almost certain that neither the Committee nor the
Senate as a whole will consider the bill. The anti-regulatory movement in the
current Congress ensures that bills requiring major new regulations will have a
difficult time being considered.
Commentary
As I noted in my earlier post on S 1806, this bill is a good
first attempt at writing a comprehensive automotive cybersecurity bill. It is
evident, however, that Markey and his staff (while being the closest thing to
being cybersecurity policy wonks in the current Congress) have some serious
shortcomings in their knowledge of cybersecurity issues, particularly when it
comes to control system security issues.
The other thing about this bill is that it points out a
basic cybersecurity legislative problem, the need for sharing responsibility for
cybersecurity between different agencies in the Federal government. In this case
there are various requirements for the DOT’s National Highway Transportation
Safety Administration (NHTSA) and the Federal Trade Commission to work together on
issuing the required regulations, with each taking the lead on different regulatory
requirements.
While getting the two agencies to work together will prove
to be difficult (bureaucratic silos have thick walls), ensuring that
congressional committees with oversight over those agencies work well together
may be even more difficult. For instance, with this bill, if Markey had
included requirements that addressed the actions of the ICS-CERT (arguably the control
system security experts within the Federal government) then the bill would have
also been referred to the Homeland Security and Governmental Affairs Committee.
Curiously missing from this bill is any reference to the
Commerce Department’s National Institute of Standards and Technology (NIST).
Surely in establishing any cybersecurity regulatory requirements one would
expect that the use of any of a number of areas of NIST expertise in establishing
technical standards would be helpful, particularly when many of those standards
already exist.