Virtually every new car sold today has some sort of network connection. Most of us are aware of these connections because of the remarkable capabilities they place at our fingertips—things like hands-free communication, streaming music, advanced safety features, and navigation. Today’s cars are a rolling network of small computers that control the drivetrain, braking, and other systems. And just like the entertainment and navigation systems, these computers are “connected,” too.
This connectivity within—and between—vehicles will allow transformative innovations like self-driving cars. But it also will make our cars targets for hackers. The security research community can play a valuable role in helping the auto industry stay ahead of these threats. But rather than encouraging collaboration, Congress is discussing legislation that would make illegal the kind of research that already has helped improve the industry’s approach to security.
Today, the House Energy and Commerce Committee begins a hearing on a bill to reform the National Highway Traffic Safety Administration. In the wake of many notable recalls, this is a well-intentioned idea. However, tucked into a section concerning the cybersecurity and data collection of automobiles is language that unintentionally could create greater risks for American drivers.
The bill follows several vulnerabilities uncovered by white-hat researchers. Last summer, security researchers Charlie Miller and Chris Valasek demonstrated how they could wirelessly take over the connected entertainment system in a Jeep Cherokee to take control of the car’s steering, brakes and transmission. As a result of this research, Chrysler created a security patch and issued a recall for 1.4 million vehicles.
Some dismissed the exploit as a stunt to gain notoriety. But Miller and Valasek identified a legitimate security and safety issue. And it was neither the first nor the last such attack. Earlier this year, security researchers revealed similar vulnerabilities in the Tesla Model S dashboard system, and a University of California-San Diego research team took control of a Corvette by manipulating an Internet-connected dongle often used by ride-hailing services and insurance companies. These revelations provide a much-needed wake-up call to the auto industry. Indeed, even before these flaws were made public, a Senate report found a wide range of security practices in the auto industry. For example, some automakers used third-party testing to check vehicle security; others did not. Most did not have technology to monitor a car’s systems for malicious activity.
Now the industry has established an Intelligence Sharing and Analysis Center (ISAC) to exchange cyber threat information. This initiative is a good start. It would provide a central point of contact and collaboration about what threats are out there and how automakers can respond to them. If done well, the ISAC also could improve security standards among auto manufacturers, benefitting all consumers.
The auto industry is taking promising steps toward better security, but the bill before the Energy and Commerce Committee would be a setback. It would make it illegal for security researchers to examine the code written into today’s cars and identify security vulnerabilities or manipulations designed to thwart environmental regulations. This will make our cars more vulnerable by discouraging responsible research and chilling innovation in car security at a critical time. Moreover, tying the hands of white hat researchers will do nothing to prevent bad actors from finding the same vulnerabilities and exploiting them in potentially harmful ways.
The auto industry would be better served by following the lead of the information technology industry, which has developed ways to work with responsible security researchers instead of against them. For years technology companies fought a losing battle on security by threatening hackers; now many firms have established bounty programs and conferences where researchers are invited to find and report flaws in programs and products. They recognize that bringing researchers to the table and crowdsourcing solutions can be effective in staying ahead of cyber threats. Stopping research before it can start sets a terrible precedent. Rather than make it illegal, Congress should try to spur collaboration between the automakers and the increasingly valuable research community.