To handle driverless cars, cybersecurity regulation needs a software update

Automobiles are increasingly beginning to act feel, and look like computers. With a proliferation of onboard sensors and screens, they navigate, communicate, entertain, brake, and even steer. Yet while driverless cars offer an opportunity to save tens of thousands of lives each year, they also carry with them risks that the cars of yesteryear do not: namely, the risk of cyberattack.

Cyberattacks often take the form of data breaches, but a compromised brake or steering system in a hacked vehicle could also turn deadly. To realize the benefits of driverless cars—and minimize the potential dangers —our inflexible regulatory framework must adapt to new cybersecurity challenges.

In a new paper for the R Street Institute, my co-author Cyril Draffin and I examine these issues and suggest a more flexible regulatory model that aligns competitive incentives with security, promotes the development of cybersecurity best practices, proactively tests industry commitments and capabilities, and ultimately holds companies accountable to their promises.

Regulating cybersecurity poses a serious challenge in any context, and for automobiles in particular. As the regulator in charge of motor vehicles, the National Highway Traffic Safety Administration (NHTSA) has traditionally used a post-market, self-certification method of oversight executed through a combination of Federal Motor Vehicle Safety Standards (FMVSS) and recall authority. To date, the system has generally worked well. But cybersecurity is a different beast, and trying to address these threats through the FMVSS system presents some fundamental challenges.

First, while cybersecurity moves at the speed of code, issuing new standards or updating old ones through FMVSS frequently takes years due to the length of the standard notice-and-comment rulemaking process. The slow FMVSS update process would be ill-equipped to respond to a new vulnerability that requires an immediate change in cybersecurity standards.

Second, we could inadvertently create a security monoculture, where defensive capabilities and vehicle architectures become too standardized across the industry. If manufacturers must meet some set of specific, technical, cybersecurity requirements, the likelihood increases that a discovered vulnerability affects all manufacturers simultaneously. The sheer number of vehicles affected heightens the severity of a cyberattack, and a scenario that potentially compromises every single car is dire indeed.

Third, formal regulatory standards can crowd out successful efforts of industry cybersecurity organizations. For instance, the Automotive Information Sharing and Analysis Center (ISAC) currently issues cybersecurity best practices and serves as a private clearinghouse for information on cyber vulnerabilities. If manufacturers know they only need to pay attention to the single set of ex-ante standards issued by NHTSA, they have less incentive to work through organizations like the ISAC and other private standard-setting organizations.

A better regulatory approach needs to move much faster, encourage a variety of approaches to cybersecurity, and work with industry mechanisms for private regulation. As we suggest in the paper, NHTSA can learn from the FTC’s enforcement of ‘unfair and deceptive practices,’ already applied to cybersecurity challenges in other industries, to derive a workable model of automotive cybersecurity oversight.

Concretely, NHTSA should:

  1. Require manufacturers to provide the agency with detailed cybersecurity plans, including information about the types of attacks they can thwart, the various levels of redundancy within their systems, the layered defenses they have installed, and any cybersecurity best practices they agree to follow.
  2. Make the non-sensitive answers public. This will allow intra-industry competition for developing more comprehensive and more effective cybersecurity plans.
  3. Contract with independent cybersecurity experts and white-hat hackers to test the promises and capabilities of manufacturers proactively.
  4. Hold companies accountable to their promises through NHTSA’s robust recall authority.

There are several advantages to such an approach. First, a familiar enforcement process reduces regulatory uncertainty for complying industry groups and manufacturers. Second, the standard of cybersecurity enforcement will evolve over time as companies update their publicly available cybersecurity plans. Manufacturers have an incentive to release a more rigorous cybersecurity plan than their competitors, but also to honestly advertise their current level of security so they can pass external penetration testing by NHTSA contractors. The desired result is that manufacturers meet or exceed current “best practices” of cybersecurity enforcement in order to stay competitive.

This significantly more flexible approach avoids the notice-and-comment rulemaking process of NHTSA’s FMVSS in favor of manufacturers setting the bar for enforcement of new cybersecurity standards themselves. Additionally, manufacturers may reduce security homogeneity in vehicle architecture and defensive strategies by basing their cybersecurity plans on a wide selection of available best practice strategies. Finally, manufacturers can apply specialized knowledge about cybersecurity capabilities of their vehicles and consumer price sensitivity to balance sufficient cybersecurity defenses with a speedy deployment process.

While potential cyber risks warrant vigilance, too much caution could be even more dangerous. If cumbersome regulation slows the deployment timeline of driverless vehicles, people will drive on the road unaided for longer. This delay could be deadly given that  humans are likely to be worse drivers than autonomous and connected driving systems.

Driverless cars are already here. But as their numbers grow and their capabilities become more sophisticated, we must secure their future. Accomplishing this will require a new approach to managing risks and diligence in identifying and mitigating potential cyber threats. Most importantly, it will require a flexible regulatory model that allows best practices to evolve and adapt.