Last month the House Energy and Commerce Committee amended
and passed HR 3388,
the Designating Each Car’s Automation Level (DECAL) Act, by a strongly
bipartisan 54
to 0 vote. The adopted bill was a complete re-write of the original that
had been little more than a truth in labeling bill that did not even mention
cybersecurity. The new
version of the bill establishes cybersecurity requirements for highly-automated
vehicles as well as requiring DOT’s National Highway and Traffic Safety
Administration to establish new safety standards for the same.
Cybersecurity Requirements
Section 5 of the bill would amend 49 USC by adding a new
section, §30130; Cybersecurity of automated driving systems. The new section
would require manufacturers to establish a cybersecurity plan for ‘highly
automated vehicles’ [which “means a motor vehicle equipped with an automated
driving system” {revised 49 USC 30102(a)(7)}, see §13(a) of the revised bill]. That plan would include
{new §30130(a)}:
• A written cybersecurity policy
with respect to the practices of the manufacturer for detecting and responding
to cyber-attacks, unauthorized intrusions, and false and spurious messages or
vehicle control commands;
• The identification of an officer
or other individual of the manufacturer as the point of contact with
responsibility for the management of cybersecurity;
• A process for limiting access to
automated driving systems; and
• A process for employee training and supervision for
implementation and maintenance of the policies and procedures required by this
section, including controls on employee access to automated driving systems.
That ‘written cybersecurity policy’ would include {new §30130(a)(1)}:
• A process for identifying,
assessing, and mitigating reasonably foreseeable vulnerabilities from cyber-attacks
or unauthorized intrusions, including false and spurious messages and malicious
vehicle control commands; and
• A process for taking preventive
and corrective action to mitigate against vulnerabilities in a highly automated
vehicle or a vehicle that performs partial driving automation, including incident
response plans, intrusion detection and prevention systems that safeguard key
controls, systems, and procedures through testing or monitoring, and updates to
such process based on changed circumstances.
Moving Forward
The fact that this bill passed out of committee with
unanimous support clearly indicates that the bill is prepared to move forward
to the floor of the House for consideration. Typically, I would suggest that it
would be considered under the suspension of rules provision allowing limited
debate and no amendments. In this case, however, because Committee
members also submitted at least nine other bills on the same day that potentially
(I have only seen the language on one of those) addressed additional
cybersecurity requirements, there may be some resistance to the bill being
considered in such a cavalier fashion.
I suspect that the House leadership will come up with one of
two solutions to this potential problem. The easiest (politically) would be for
the Rules Committee to draft a structured rule that would allow the
consideration of amendments based mainly on these other bills to be offered in
a limited floor debate. This process, however, would take up substantial floor
time, making it unlikely that the bill would be considered before October 1st.
It also might result in some amendments being approved that are not supported
by the leadership.
If there is substantial political support for moving this
forward quickly (and that is unclear at this time), then an alternative
scenario would be to include a carefully (read politically) selected number of
the additional bills to also be considered under the suspension of the rules
process and let their sponsors worry about whether there are enough votes to meet
the supermajority requirements of that process.
Commentary
First, I would like to note that the bill completely
separates the cybersecurity provisions of §5 from the privacy protection provisions of §12. This is very unusual
in that Congress has a long history of equating cybersecurity and privacy
protection. What is more interesting is that the privacy protection provisions
do not include any mention of using the cybersecurity protections of vehicle
systems to protect the privacy of information stored on or developed by those automated
driving systems.
To my mind, there are two major cybersecurity shortcomings in
this bill: the lack of information sharing provisions and the failure to
address vulnerability reporting and coordination.
Given the automotive industry’s history of sharing
components between vehicle lines of multiple manufacturers (most recently see
the Takata air
bag controversy) it would seem very likely that there will be instances
where a cybersecurity vulnerability will occur in a device which is found in
multiple vehicle lines. Failing to share that information between manufacturers
will leave a large number of vehicles vulnerable to known vulnerabilities. I
would prefer to see NHTSA as the designated information sharing agency, but there
should be at least a requirement to share information with the Automotive
ISAC.
Similarly, given the reality that most cybersecurity
vulnerabilities seem to be found by independent security researchers or outside
cybersecurity firms, there should be language in this bill providing for an
agency to act as a receiver and coordinator of cybersecurity vulnerability
information. Again, I would prefer to see NHTSA be given this role, but
ICS-CERT would be an acceptable alternative (with information coordination
requirements with NHTSA being specified). Using the Automotive ISAC would be a
poor choice, since they are likely to take the manufacturers’ side in any
dispute between researchers and vendors.
There is another cybersecurity related provision that I am
surprised to see missing from this revised bill, a measure to address recall
authority and recall mitigation measures for cybersecurity related problems
with the highly automated vehicles. While the requirement for establishing a
new safety standard for highly automated vehicles in §4 of the bill would provide general recall authority
for cybersecurity related vulnerabilities under existing rules, it would not
specifically authorize NHTSA to address cybersecurity vulnerabilities that have
not actually resulted in problems in vehicle operations. It also would not
provide NHTSA authority to require recalls for purely privacy related
cybersecurity issues. To ease industry concerns about cybersecurity recalls, a
specific provision allowing for remote updates of cyber systems as a cyber
recall measure would need to be included in the bill.
Finally, the bill specifically excludes commercial vehicles
from the requirements of the bill. There are significant and very advanced
programs to automate commercial trucks. I understand that safety standards for
those vehicles are separate from standard automotive safety standards. That
means that coverage of those vehicles in this bill would probably be
inappropriate from a regulatory standpoint, but I have seen no other attempt to
regulate the cybersecurity of those heavier vehicles.
It will be interesting to see if any of these issues are
addressed in the nine other bills pending publication by the GPO.
BTW: The revised language approved by the Committee will
change the name of the bill from the DECAL Act to the Safely Ensuring Lives
Future Deployment and Research in Vehicle Evolution (SAFTE DRIVE) Act. That will take effect when the Committee Report on the bill is published.