The bill would require the National Highway Traffic Safety Administration, together with the Federal Trade Commission, the National Institute of Standards and Technology, the Department of Defense, OEMs and suppliers, SAE International, and academics and other experts to come up with a set of appropriate cybersecurity standards for new vehicles.
This bill emerges as auto and tech industries floor the accelerator pedal with regard to connecting new vehicles to the Internet, citing benefits such as safety or driver convenience. Yet as we've seen repeatedly, not every automaker is taking the problem of cybersecurity as seriously as they ought to. Plus, the network architecture of our vehicles is still based on the Controller Area Network (CAN) bus, which wasn't ever envisioned as something that would be permanently networked to the wider digital world.
The SPY Car Study Act would require the participating groups to identify what's necessary to isolate critical systems in a vehicle from the rest of its software, relevant standards for firewalls and anomaly detection systems, techniques to prevent or discourage malicious intrusions, best practices for storing the data generated by connected cars, and a timeline for implementing all of the above. A preliminary report would be due to Congress within a year of the act passing into law.
"Without good cyber hygiene, a hacker could easily turn a car into a weapon," Rep. Lieu said. "The SPY Car Study Act builds on important work undertaken by the National Highway Traffic Safety Administration by emphasizing the protection of users' personal data, and developing clear timelines for implementing these standards. We need to know that our navigation, entertainment, and operating systems are safe—and that our data is kept private. We must be proactive about our privacy and security, now more than ever."
His co-sponsor, Rep. Wilson, struck a similar tone: "Cyber threats have the potential to threaten the safety of American families. In the past few months, we’ve seen widespread reports of how cyber vulnerabilities in vehicles allow hackers to access a vehicle and take control from the driver... By conducting a thorough study of isolation measures, detection protocol, and other best practices, we can bring industry, advocates, and government together to encourage innovation while ensuring consumer protection."