New Language for S 1885 Considered – Automated Vehicles

There is an interesting article over on Wired.com about a last minute effort to get S 1885, the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (AV START) Act, through the Senate. Apparently a key to that effort is revised language (not taken from an official Senate site) for that bill with provisions to appease various critics of the bill. That proposed revision includes changes to the cybersecurity provisions in the bill and a new section that would require an additional study of the cybersecurity tools implemented by the automotive industries in support of this new technology.

Changes in Cybersecurity Language

The version of S 1885 reported in the Senate includes three sections that address with varying effectiveness cybersecurity issues.

§14. Cybersecurity.

§16. Cybersecurity consumer education information.

§17. Provision of cybersecurity resource information.

Sections 16 and 17 of the draft currently circulating are essentially identical to those sections in the reported version of the bill. Section 14 is where we see the changes being made.

The most obvious change is found in paragraph (a) of the newly proposed 49 USC 30108, the definition paragraph. All of the definitions in the reported version have been removed and a ‘new definition’ has been provided for the single remaining term ‘cybersecurity incident’. The definition now refers to the term ‘significant cybersecurity incident’ in Presidential Policy Directive 4. The previous definition referred to the term ‘incident’ in 6 USC 148(a)(3). This change restricts covered incidents to those that “result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people”. In practice the last two targets (‘public health and safety of the American people’) are what would most likely apply to the automated driving systems covered in this bill.

The second and final change to §14 is also a subtle change. In paragraph (b) of the new §30108 description of the written ‘cybersecurity plan’ manufacturers will be required to “develop, maintain, and execute” {new §30108(b)(1)”}, the new language for subparagraph (b)(2)(I) requirements to align the cybersecurity plan with requirements of 15 USC 272(e), removes the requirement for the alignment to be supportive of “voluntary efforts by industry and standards-setting organizations to develop and identify consistent standards and guidelines relating to vehicle cybersecurity, consistent, and to the extent appropriate with…”. Instead it replaces that language with the slightly more directive “considering consistency and alignment with” the cybersecurity risk management approach of §272(e).

New Cybersecurity Provision

The substitute language would add a new §24, Cybersecurity Tools Study. This would require DOT to conduct a study and submit a report to Congress within 2 years of the passage of this bill. The report would identify existing “measures, guidelines, or practices used to identify, protect, detect, respond to, or recover from cybersecurity incidents affecting the safety of a passenger motor vehicle” {§24(b)(1)(A)}, and the extent to which those measures are being used. The report would also be required to describe the susceptibility of passenger motor vehicles to cybersecurity incidents and the “degree of cybersecurity risk to the safety of a passenger motor vehicle” {§24(b)(1)(B)(iii)}.

Moving Forward

Two different blogs (here and here) are reporting that Sen. Feinstein (D,CA) and Sen. Markey (D,MA) will object to this draft language if it were offered in the Senate. At this late date, it would almost certainly be offered under the unanimous consent process and the objection of either Feinstein or Markey would kill that consideration.

If this bill were passed in the Senate (and it probably would if there were time for it to be considered under regular order) it would also have to be taken up by the House before the end of the month. While there was bipartisan support for a similar bill (HR 3388) in the House last year, it is unlikely that the House would be able to fit this bill into their limited schedule.

There are some indications that some version of this bill could be added to the final spending bill that is supposed to be considered by December 21^st. 2018. The inclusion of such language is unlikely to affect the passage of that bill.