House NHTSA Oversight Hearing

Today the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee held an oversight hearing looking at the DOT’s National Highway Transportation Safety Administration (NHTSA). The sole witness at the hearing was Heidi King, the Deputy Administrator (the de facto Administrator since no one has yet been nominated to that position) for NHTSA.

There was no mention of cybersecurity in any of the statements published on the Committee’s web site (Committee Chair Latta, Subcommittee Chair Walden, and Ms King), but the Committee Staff background memo does include (pg 6) a brief, 3-paragraph, summary of cybersecurity issues related to automated driving systems.

Watching the video of the hearing it is clear that this was intended to be a wide ranging oversight hearing that touched on a number of issues. Unfortunately, few of the congress critters asking questions had much interest in cybersecurity issues. There were only three cybersecurity related question (at 1 hour 10 minutes, at 1 hour 20 minutes and at 2 hours 30 minutes into the video). King’s responses to the questions were very generic with the one strong point being made that she appreciated the formation of the Automotive ISAC.

King did make a very interesting point in her response to the last question, from Rep. Costello (R,PA). She noted that vehicle owners had a very important role to play in regard to vehicle cybersecurity. After once again praising the formation of the Auto ISAC, she said:

“Cybersecurity is not the domain of highly technical experts alone, but in fact cybersecurity is a concern to all of us. We see from our own experience, whether it be in our home computers or in our phones, there may be vulnerabilities that are driven by users, and so part of the cybersecurity journey will be to educate all of us to be thoughtful about how we use our devices or our cars, and make sure that we are all partners in our cybersecurity journey.”

It will be interesting to see if the auto industry actually attempts to try to make autonomous vehicle cybersecurity inherently secure, or whether they will follow the model of the computer and smart phone manufacturers and make security a feature that must be selected by the owner, often without specifically notifying the owner of the security options available.