THE INSTITUTE
Although the market for self-driving cars holds vast potential for growth, many consumers are not quite ready to hand over the keys. Nearly three-quarters of U.S. drivers surveyed by AAA last year reported that they would be too afraid to ride in a fully autonomous vehicle. The report noted that consumers have become more concerned about the technology’s potential safety risks, partly in response to media coverage of accidents involving driverless cars.
But this is not just a public relations problem. To build trust and clear the path to widespread adoption, automakers, technology firms, and regulators must address a variety of concerns. Among the most difficult threats to address will be those related to cybersecurity. As self-driving cars go mainstream, hackers will be working to steal data that could compromise drivers’ privacy by revealing their driving routes and destinations. Even more disturbing is the possibility of hackers taking control of vehicles.
Auto manufacturers have begun taking steps to mitigate cybersecurity risks in their autonomous vehicles. They have implemented cybersecurity reviews, built detection and prevention software into cars, and improved capabilities for monitoring and responding to intrusion incidents.
Those precautions should help address some vulnerabilities in the short term. Meanwhile, individual car companies are following their own internal protocols rather than formally agreeing upon a set of universal, reliable security standards. This lack of consensus creates an elevated risk of exploitable security gaps.
Automakers might be hard-pressed to adapt to ever-evolving threats if they take on the challenge alone. Without a clear, uniform objective for shoring up vehicle cyberdefenses in the long term, the industry faces an uphill battle in easing consumers’ safety concerns.
LACK OF CONSENSUS
There has been little pressure or incentive from outside the car industry to work toward a consensus. The conversation that is currently occurring between U.S. regulators and automakers is still in the early stages, and thus far the government has issued only voluntary guidelines. The Department of Transportation’s latest report on automated vehicles, published in October, promotes a patchwork of informal best practices previously published by other agencies rather than laying out a clear plan to formalize automotive cybersecurity regulations.
Congress has shown some interest in imposing more concrete regulations, but its efforts have stalled. In September 2017 the House of Representatives unanimously passed the SELF DRIVE Act, which would give the National Highway Traffic Safety Administration the authority to regulate safety measures for automated vehicles. The law would require manufacturers to develop formal cybersecurity plans that outline how they will protect their vehicles from cyberattacks, screen for vulnerabilities in digital systems, and respond to intrusions. The companion Senate bill, the AV START Act, was approved in committee two months later but has not moved to the full Senate.
In the meantime, the industry is navigating inconsistent state laws.
The federal government’s slow progress in standardizing automotive cybersecurity practices might be a signal that its initial attempts at regulations, whenever they ultimately arrive, will not go far enough to protect consumers. Without decisive action from federal agencies and lawmakers, it is incumbent upon automakers to take responsibility for preventing hackers from compromising autonomous vehicles.
Two respected standards-setting organizations, the International Organization for Standardization and SAE International, are making progress toward creating uniform guidelines to improve the safety of autonomous vehicles on a global scale. Cybersecurity is an important focus in ISO and SAE’s collaborative initiative to issue international safety standards for self-driving cars by 2020. The proposed standards can provide a well-defined framework to help vehicle manufacturers achieve three key objectives: foster a cybersecurity culture, adapt to a continually changing threat landscape, and institute a cybersecurity management system. The standards include directives for prioritizing cybersecurity protections throughout the cycle of engineering, producing, operating, maintaining, and decommissioning road vehicles.
Focusing on security from the very beginning is a crucial step toward reassuring consumers that self-driving cars are safe. And although the industry is unlikely to agree on uniform security standards before 2020, there are several steps that car companies can take now to improve consumer confidence.
First, automakers should conduct frequent internal security testing, such as simulating cyberattacks on their own products. To do so, they should employ “white hat” hackers—security specialists who break into computer systems to expose vulnerabilities before malicious hackers do. Some companies, including GM, have already begun enlisting the help of white-hat researchers, but there should be a more concerted effort.
Second, car companies need to demonstrate a commitment to transparency and improve their processes for notifying customers immediately when security intrusions occur. Manufacturers should create rapid-response teams composed of people from departments across the company, combining the expertise of engineering, communication, and legal personnel. The multidisciplinary teams could analyze threats from multiple perspectives, effectively share information throughout the organization, and provide helpful briefings to the public. Standards developers also need to think creatively to anticipate future risks, as security issues surely will multiply as the technology evolves.
The wheels are in motion for a future filled with autonomous vehicles, but it will be a bumpy road toward mass adoption until more consumers are confident that their cars are adequately protected from cyberattacks. It is imperative that all players in the sector come together to provide reassurance in the form of standards and regulations that protect against cyberthreats.
Tamir Bechor is a clinical associate professor in Claremont Graduate University’s Center for Information Systems and Technology and is a cofounder of automotive cybersecurity company Cymotive Technologies.