
Friday, December 7, 2018

New Language for S 1885 Considered – Automated Vehicles


There is an interesting article over on Wired.com about a last minute effort to get S 1885, the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (AV START) Act, through the Senate. Apparently a key to that effort is revised language (not taken from an official Senate site) for that bill with provisions to appease various critics of the bill. That proposed revision includes changes to the cybersecurity provisions in the bill and a new section that would require an additional study of the cybersecurity tools implemented by the automotive industries in support of this new technology.

Changes in Cybersecurity Language


The version of S 1885 reported in the Senate includes three sections that address cybersecurity issues, with varying effectiveness.

§14. Cybersecurity.
§16. Cybersecurity consumer education information.
§17. Provision of cybersecurity resource information.

Sections 16 and 17 of the draft currently circulating are essentially identical to those sections in the reported version of the bill. Section 14 is where we see the changes being made.

The most obvious change is found in paragraph (a) of the newly proposed 49 USC 30108, the definition paragraph. All of the definitions in the reported version have been removed and a ‘new definition’ has been provided for the single remaining term ‘cybersecurity incident’. The definition now refers to the term ‘significant cybersecurity incident’ in Presidential Policy Directive 4. The previous definition referred to the term ‘incident’ in 6 USC 148(a)(3). This change restricts covered incidents to those that “result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people”. In practice the last two targets (‘public health and safety of the American people’) are what would most likely apply to the automated driving systems covered in this bill.

The second and final change to §14 is also subtle. Paragraph (b) of the new §30108 describes the written ‘cybersecurity plan’ that manufacturers will be required to “develop, maintain, and execute” {new §30108(b)(1)}. The new language for subparagraph (b)(2)(I), the requirement to align the cybersecurity plan with the requirements of 15 USC 272(e), removes the requirement that the alignment be supportive of “voluntary efforts by industry and standards-setting organizations to develop and identify consistent standards and guidelines relating to vehicle cybersecurity, consistent, and to the extent appropriate with…”. Instead it replaces that language with the slightly more directive “considering consistency and alignment with” the cybersecurity risk management approach of §272(e).

New Cybersecurity Provision


The substitute language would add a new §24, Cybersecurity Tools Study. This would require DOT to conduct a study and submit a report to Congress within 2 years of the passage of this bill. The report would identify existing “measures, guidelines, or practices used to identify, protect, detect, respond to, or recover from cybersecurity incidents affecting the safety of a passenger motor vehicle” {§24(b)(1)(A)}, and the extent to which those measures are being used. The report would also be required to describe the susceptibility of passenger motor vehicles to cybersecurity incidents and the “degree of cybersecurity risk to the safety of a passenger motor vehicle” {§24(b)(1)(B)(iii)}.

Moving Forward


Two different blogs (here and here) are reporting that Sen. Feinstein (D,CA) and Sen. Markey (D,MA) will object to this draft language if it were offered in the Senate. At this late date, it would almost certainly be offered under the unanimous consent process and the objection of either Feinstein or Markey would kill that consideration.

If this bill were passed in the Senate (and it probably would if there were time for it to be considered under regular order) it would also have to be taken up by the House before the end of the month. While there was bipartisan support for a similar bill (HR 3388) in the House last year, it is unlikely that the House would be able to fit this bill into their limited schedule.


There are some indications that some version of this bill could be added to the final spending bill that is supposed to be considered by December 21st, 2018. The inclusion of such language is unlikely to affect the passage of that bill.

Thursday, October 5, 2017

Senate Committee Amends/Approves S 1885 – Automated Vehicles

Yesterday the Senate Commerce, Science, and Transportation Committee adopted 26 amendments to S 1885, the AV START Act and then passed the bill on a voice vote. Only 7 of the 26 amendments dealt with cybersecurity measures in the bill.

Minor Changes


Most of the cybersecurity related amendments made minor changes or additions to the current language of the bill. These included:

Hassan 4 – Added supply chain concerns to definition of ‘cybersecurity’ and to the requirements for the cybersecurity plan in §14;
Klobuchar 2 – Added informing driver of cyber vulnerabilities to definition of ‘cybersecurity’;
Schatz 2 – Added requirement for manufacturers to make a summary of the cybersecurity plan available to public;
Gardner 2 – Added requirement for manufacturers to provide employee training on their cybersecurity plan;
Klobuchar 1 – Added requirement for the Technical Committee to review vehicle communications with ‘roadway and infrastructure assets’.

Major Additions


The two remaining amendments added new sections to the bill.

Wicker 2 addressed consumer cybersecurity education in two new sections. First it added requirements for DOT to “develop educational cybersecurity resources to assist consumers in maintaining awareness of and minimizing potential motor vehicle cybersecurity risks” {new §15(a)(1)}. Those resources would be made available on the National Highway Traffic Safety Administration (NHTSA) web site. It would then require manufacturers to direct consumers to those resources.

Inhofe 2 provided requirements for the establishment of an HAV [Highly Automated Vehicle] Data Access Advisory Committee. This Committee would be tasked with making policy recommendations to Congress about “the ownership of, the control of, or access to information or data that vehicles collect, generate, record, or store” {new §15(d)(1)}. It also prohibits the Federal Government from making any rules on the regulation of such data until the Committee makes its recommendations.

In making its recommendations that Committee will consider the following factors {new §15(d)(4)(B)}:

• Motor vehicle safety;
• Intellectual property protections;
• Compliance with the Motor Vehicle Safety Act;
• Customer privacy;
• Cybersecurity;
• Confidential business information;
• Public safety; and
• Transportation planning.

Moving Forward


The voice vote approval of this bill in Committee is indicative of the expected broad bipartisan support for this bill. If this bill makes it to the floor of the Senate, I would expect that support to continue.

Commentary


My concerns about the conflicting and inadequate cybersecurity related definitions included in this bill were not addressed. In fact, the changes to the specific definition of ‘cybersecurity’ {new §30107(b)(4)} made by Hassan 4 and Klobuchar 2 described above only make things more confusing. The revised definition reads:

CYBERSECURITY. The minimization of cybersecurity risks to safety including evaluation of elements of the supply chain to identify and address cybersecurity vulnerabilities and the exchange of information about any vulnerabilities discovered from field incidents, internal testing, or external security research and mechanisms for alerting the human driver or operator about cyber vulnerabilities.


The use of this definition is limited to the requirements for the safety evaluation report to be prepared by vehicle manufacturers introducing new HAVs, but it still reflects congressional technology confusion and a tendency to glop together fad terminology rather than understand complex concepts.

Monday, October 2, 2017

Committee Hearings – Week of 10-01-17

This week, with the House and Senate both in session on the first day of the new fiscal year, the lawmakers’ focus expands. We have four hearings of potential interest: two markup hearings and two cybersecurity hearings.

Markup Hearings


As I mentioned earlier, the Senate Commerce, Science, and Transportation Committee will hold their markup hearing on Wednesday. In addition to the markup of S 1885, the Committee will also take up S 1872 [note: this is a link to the committee draft], the TSA Modernization Act. I mentioned this briefly when it was introduced last week, but I will not really cover this bill since it has little to do with surface transportation security. I will note that it is attempting to finally reword the current DOT-referenced authorization of the TSA {49 USC 114} to move it to where it actually resides in DHS.

Also on Wednesday, the Senate Homeland Security and Governmental Affairs Committee will hold a markup hearing that will cover a number of bills (many of which have yet to be introduced). It will specifically include S 1281, the HACK DHS Act of 2017. I would like to note that in my post on the bill, I made the statement that Sen. Hassan (D,NH) was not a member of the Homeland Security Committee, but she is currently a member.

Cybersecurity Hearings


The Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee will hold a hearing on Tuesday on “Examining DHS’s Cybersecurity Mission”. The witness list includes:

• Patricia Hoffman, DOE;
• Christopher Krebs, DHS; and
• Jeanette Manfra, DHS

It will be interesting to see if this hearing addresses the reorganization of DHS cyber activities that includes the move of ICS-CERT to NCCIC.

On Tuesday the Information Technology Subcommittee of the House Oversight and Government Reform Committee will hold a hearing on “Cybersecurity of the Internet of Things”. This hearing was originally scheduled for 09-27-17. The witness list includes:

• Matthew J. Eggers, US Chamber of Commerce;
• Josh Corman, Atlantic Council;
• Tommy Ross, The Software Alliance (BSA); and
• Ray O’Farrell, VMware

According to the hearing website the purpose of the hearing is:

• To examine the use of devices that comprise the Internet of Things (IoT) and their current and potential uses in federal government.
• To explore potential cyber threats posed by the use of IoT devices.
• To review private sector recommendations for securing the IoT, and explore potential legislative solutions.

Sunday, October 1, 2017

S 1885 – Introduced – Automated Vehicles

Last week Sen. Thune (R,SD) introduced S 1885, the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (AV START) Act. As I mentioned in an earlier post I am writing this analysis based, not upon the official GPO version of the bill (not yet released), but a committee draft because the bill will be marked up in the Senate Commerce, Science, and Transportation Committee on Wednesday.

While this bill is, according to the Thune press release, based upon the “bipartisan provisions from the SELF-DRIVE Act (H.R. 3388) [link added]”, it is actually a fairly comprehensive rewrite of the provisions of that bill.

Definitions


The bill does not use many of the definitions provided in HR 3388, preferring instead to use technical definitions from the Society of Automotive Engineers (SAE J3016A) for most of the automated vehicle terminology. It does add some definitions {new §30108(a)} missing from the House bill concerning cybersecurity. Those definitions are based upon existing definitions in US law:

• ‘Cybersecurity incident’ – 6 USC 148(a)(3);
• ‘Cybersecurity risk’ – 6 USC 148(a)(1); and
• ‘Cybersecurity vulnerability’ – 6 USC 1501(17).

Actually, there is no term ‘cybersecurity vulnerability’ in §1501; the term used there is ‘security vulnerability’. All three of these terms are based upon the IT-centric security concern with the confidentiality, integrity, and availability of an information system or its information. Section 1501(9) does, however, specifically include control systems in its definition of ‘information system’.

Cybersecurity Provisions


Section 14 of the bill adds a new §30108 to 49 USC Chapter 301. This new section specifically addresses cybersecurity issues with automated vehicles. In addition to adding the definitions described above, it requires each manufacturer to “develop, maintain, and execute a written plan for identifying and reducing cybersecurity risks [emphasis added] to the motor vehicle safety of such vehicles and systems” {new §30108(b)(1)}. That plan would include processes to address {new §30108(b)(2)}:

• The risk-based prioritized identification and protection of safety-critical vehicle control systems and the broader transportation ecosystem, as applicable;
• The efficient detection and response to potential vehicle cybersecurity incidents [emphasis added] in the field;
• Facilitating expeditious recovery from incidents as they occur;
• The institutionalization of methods for the accelerated adoption of lessons learned across industry through voluntary exchange of information pertaining to cybersecurity incidents, threats, and vulnerabilities [emphasis added], including the consideration of a coordinated cybersecurity vulnerability disclosure policy or other related practices for collaboration with third-party cybersecurity researchers;
• The identification of the point of contact of the manufacturer with responsibility for the management of cybersecurity;
• The use of segmentation and isolation techniques in vehicle architecture design, as appropriate; and
• Supporting voluntary efforts by industry and standards-setting organizations to develop and identify consistent standards and guidelines relating to vehicle cybersecurity, consistent, and to the extent appropriate, with the cybersecurity risk management activities described in section 15 USC 272(e).

Paragraph (c) broadly addresses the issue of coordinated disclosure. It requires DOT “to incentivize manufacturers to voluntarily adopt a coordinated vulnerability disclosure policy and practice in which a security researcher privately discloses information related to a discovered vulnerability to a manufacturer and allows the manufacturer time to confirm and remediate the vulnerability”.

Moving Forward


As I mentioned earlier this bill is being marked up this week. With the support of both Chairman Thune and the two Detroit (er… Michigan) senators (Democrats Peters and Stabenow), I suspect that this bill will fly through Committee with no significant opposition (and probably no amendments). The question then will be, if the Senate leadership decides to take up automated vehicle legislation this session (an open question), whether it will move this bill or HR 3388 to the floor. I suspect that the House bill will be considered and then this bill will be used as substitute language.

Commentary


First off, the cybersecurity provisions of this bill are going to be affected by the existing cybersecurity definitions adopted by the bill. Attacks on the vehicle control systems could cause death and destruction without ever having any effect on “confidentiality, integrity, and availability of an information system”. The sooner politicians begin to realize that information systems and operations systems are inherently different and require different security approaches the better.

In an earlier blog post on a port cybersecurity bill, I attempted to provide a useful series of definitions that could be used to address both information security and control system security in instances where both could be considered at risk. I included the existing definition of ‘information system’ and provided a very broad definition for ‘control system’. Then I provided the following definition of ‘cybersecurity risk’:

The term ‘cybersecurity risk’ means:
(A) threats to, and vulnerabilities of, information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

The next problem with this bill is that it only requires DOT to provide incentives for manufacturers to establish a coordinated disclosure policy. This is in keeping with the Republican abhorrence of regulations, but it is demonstrably ineffective in this instance. Without an outside referee between the security researcher and the manufacturer there is nothing to stop manufacturers from attempting to quash any inconvenient vulnerability disclosure. This is especially true with automotive manufacturers, who have already attempted to stop automotive hobbyists from hacking their cars’ control systems to improve or modify performance.

The bill should have established the National Highway Transportation Safety Administration (NHTSA) as the clearing house for reporting automotive cybersecurity vulnerabilities. This easily could have been incorporated in the existing safety defects reporting systems under 49 USC 30118. Security researchers could then have been required to report vulnerabilities to NHTSA, who would then investigate/coordinate with the manufacturer to ensure that the vulnerabilities are corrected.


Finally, the bill is missing the ultimate measure to protect the cybersecurity of automated vehicles. There are no provisions that specifically make it a crime to hack a motor vehicle control system in a manner that jeopardizes the life or safety of the vehicle occupants, endangers people outside of the affected vehicle, or damages property.

Friday, September 29, 2017

Bills Introduced – 09-28-17

Yesterday, with both the House and Senate preparing to leave for the weekend, there were 68 bills introduced. Of these, two may be of specific interest to readers of this blog:

S 1885 A bill to support the development of highly automated vehicle safety technologies, and for other purposes. Sen. Thune, John [R-SD]

S 1900 A bill to require all persons who acquire, maintain, or use personal information to have in effect reasonable cybersecurity protections and practices whenever acquiring, maintaining, or using personal information in commerce, and for other purposes. Sen. Blumenthal, Richard [D-CT]

S 1885 was introduced with a fair amount of fanfare and media buzz (see here for example). Thune’s press release includes links to a copy of the bill and a summary of its provisions. That summary explains the cybersecurity provisions this way:

“This section [§14] would require manufacturers of HAVs [Highly Automated Vehicles] and ADS [Automated Driving Systems] to develop and execute a written plan for identifying and reducing cybersecurity risks to the motor vehicle safety of such vehicles and systems. This section would also authorize the Secretary to work cooperatively with manufacturers to develop a policy for coordinated disclosure of cybersecurity vulnerabilities (such as bug bounty programs), and it would direct other federal agencies researching cybersecurity risks associated with HAVs to coordinate with the Secretary on their findings.”

The GPO version of the bill has not been published, but I will probably be reviewing the bill this weekend since it is scheduled for consideration in Thune’s Commerce, Science, and Transportation Committee on Wednesday.


S 1900 will probably not be covered here since there are almost certainly no control system issues involved (I hope) but I am including it today as an example of potential congressional overreaction to cybersecurity incidents (almost certainly the Equifax fiasco here). If the bill does, in fact (and it probably does not) provide for cybersecurity standards for “all persons [emphasis added] who acquire, maintain, or use personal information” then we have a sweeping piece of cybersecurity legislation that would create more problems than it solves.
 
/* Use this with templates/template-twocol.html */