Senate Committee Amends/Approves S 1885 – Automated Vehicles

Yesterday the Senate Commerce, Science, and Transportation Committee adopted 26 amendments to S 1885, the AV START Act and then passed the bill on a voice vote. Only 7 of the 26 amendments dealt with cybersecurity measures in the bill.

Minor Changes

Most of the cybersecurity related amendments made minor changes or additions to the current language of the bill. These included:

Hassan 4 – Added supply chain concerns to definition of ‘cybersecurity’ and to the requirements for the cybersecurity plan in §14;

Klobuchar 2 – Added informing driver of cyber vulnerabilities to definition of ‘cybersecurity’;

Schatz 2 – Added requirement for manufacturers to make a summary of the cybersecurity plan available to public;

Gardner 2 – Added requirement for manufacturers to provide employee training on their cybersecurity plan;

Klobuchar 1 – Added requirement for the Technical Committee to review vehicle communications with ‘roadway and infrastructure assets’.

Major Additions

The two remaining amendments added new sections to the bill.

Wicker 2 addressed consumer cybersecurity education in two new sections. First it added requirements for DOT to “develop educational cybersecurity resources to assist consumers in maintaining awareness of and minimizing potential motor vehicle cybersecurity risks” {new §15(a)(1)}. Those resources would be made available on the National Highway Traffic Safety Administration (NHTSA) web site. It would then require manufacturers to direct consumers to those resources.

Inhofe 2 provided requirements for the establishment of an HAV [Highly Automated Vehicle] Data Access Advisory Committee. This Committee would be tasked with making policy recommendations to Congress about “the ownership of, the control of, or access to information or data that vehicles collect generate, record or store” {new §15(d)(1)}. It also prohibits the Federal Government from making any rules on the regulation of such data until the Committee makes its recommendations.

In making its recommendations that Committee will consider the following factors {new §15(d)(4)(B)}:

• Motor vehicle safety;

• Intellectual property protections;

• Compliance with the Motor Vehicle Safety Act;

• Customer privacy;

• Cybersecurity;

• Confidential business information;

• Public safety; and

• Transportation planning.

 Moving Forward

The voice vote approval of this bill in Committee is indicative of the expected broad bipartisan support for this bill. If this bill makes it to the floor of the Senate, I would expect that support to continue.

Commentary

My concerns about the conflicting and inadequate cybersecurity related definitions included in this bill were not addressed. In fact, the changes to the specific definition of ‘cybersecurity’ {new §30107(b)(4)} made by Hassan 4 and Klobuchar 2 described above only make things more confusing. The revised definition reads:

CYBERSECURITY. The minimization of cybersecurity risks to safety including evaluation of elements of the supply chain to identify and address cybersecurity vulnerabilities and the exchange of information about any vulnerabilities discovered from field incidents, internal testing, or external security research and mechanisms for alerting the human driver or operator about cyber vulnerabilities.

The use of this definition is limited to the requirements for the safety evaluation report to be prepared by vehicle manufacturers introducing new HAV’s, but it still reflects congressional technology confusion and a tendency to glop together fad terminology rather than understand complex concepts.