Modern field guide to security and privacy
A group of self-driving Uber vehicles at the company's Advanced Technologies Center in Pittsburgh.
Gene J. Puskar/AP

As self-driving cars hit the road, cybersecurity takes a back seat

While consumers and industry experts worry about cybersecurity in autonomous vehicles, government regulators are still struggling to respond to digital risks in driverless cars.

The US is on the verge of a driverless revolution.

Uber has started to test self-driving cars on public roads in Pittsburgh, and the National Highway Traffic Safety Administration (NHTSA) released new guidelines for the vehicles in September, setting the stage for other companies to deploy autonomous vehicles en masse.

But one key question looms large over the rush to disrupt transportation: How will carmakers and tech companies keep their connected vehicles safe from malicious hackers?

"The No. 1 reason why people say they are unlikely to buy an autonomous vehicle is that they don't feel that they're safe," says Moe Kelley, director of the consulting firm Altman Vilandrie and Company, who adds that many people worry they might be vulnerable to cyberattacks.

In a recent survey, the firm found that 64 percent of consumers would not purchase an automated vehicle, and 57 percent wouldn't even consider riding in one.

"The worst case scenario is that a hacker will be able to drive someone off the road," said Mr. Kelley. "People also fear for their privacy with automated vehicles. Even minor hacks that allow someone’s movements to be tracked over the internet are scary to many consumers as well."

The German insurance company Munich Re said in July that 55 percent of the corporate risk managers it surveyed view cybersecurity as the biggest problem with driverless vehicles.

Taken together, these findings indicate that both consumers and experts worry that digital intruders will be able to compromise an autonomous car's systems to cause injury or steal private data. Companies and regulators alike must respond to these concerns to sell the public on self-driving cars.

The White House said in a fact sheet about the NHTSA guidelines published in September that the US Department of Transportation (DOT) plans to outline best practices for vehicle cybersecurity. NHTSA communications director Bryan Thomas told Passcode that there isn't a firm deadline for the publication of those best practices.

"While advanced vehicle technologies offer significant safety improvements, there is no denying that they can present new opportunities for bad actors," Mr. Thomas said in an emailed statement.

"DOT maintains its strong defects enforcement authority to protect road users, so that if cyber vulnerabilities are exposed, DOT can and will act quickly to make sure they are addressed," he said. "It is important to note that similar vulnerabilities already exist in non-automated vehicles, and the USDOT is focused on ensuring all vehicles are protected."

NHTSA was more specific in the guidelines published in September, but it still didn't offer concrete examples of how exactly autonomous vehicles should be secured.

"Manufacturers and other entities should follow a robust product development process based on a systems-engineering approach to minimize risks to safety," the agency said. "Including those due to cybersecurity threats and vulnerabilities." 

But these guidelines aren't legally binding, and even the 15-point safety assessment NHTSA wants auto companies to complete before putting self-driving cars on the streets is voluntary. NHTSA hasn't created rules about the cybersecurity of driverless cars so much as it's asked companies to take the issue seriously and police themselves.

John Simpson, a privacy-focused member of the Consumer Watchdog advocacy group, says that's not enough.

"What we're talking about essentially is manufacturers saying, 'Oh, yes, cybersecurity is important, and here are the steps we've taken to address it,'" he says. "I don't think that's adequate."

There are other concerns about NHTSA’s ability to regulate vehicle cybersecurity. The Government Accountability Office (GAO) said in a March 2016 report that while NHTSA is "examining the need for government standards or regulations regarding vehicle cybersecurity," officials "estimated that the agency will not make a final determination on this need until at least 2018." That’s at least two more years before it decides if regulations are even necessary.

GAO also said the agency isn't ready for cyberattacks.

"Although NHTSA's stated goal is to stay ahead of potential vehicle-cybersecurity challenges, NHTSA has not yet formally defined and documented its roles and responsibilities in the event of a real-world cyberattack," it said. "Until it develops such a plan, in the event of a cyberattack, the agency’s response efforts could be slowed as agency staff may not be able to quickly identify the appropriate actions to take."

NHTSA is expected to respond to the GAO’s concerns by the spring of 2017. Mr. Simpson says the agency needs to move faster than that if it’s going to keep vehicles safe from cyberattacks.

"As we move increasingly to things that are controlled electronically so we end up driving around in what are basically rolling computers, there's been a growing awareness on everyone's part that cybersecurity is a very real threat,” he says. "My concern is that being aware of the problem is not enough."