Modern field guide to security and privacy

As self-driving cars hit the road, cybersecurity takes a back seat

While consumers and industry experts worry about cybersecurity in autonomous vehicles, government regulators are still struggling to respond to digital risks in driverless cars.

Gene J. Puskar/AP
A group of self-driving Uber vehicles at the company's Advanced Technologies Center in Pittsburgh.

The US is on the verge of a driverless revolution.

Uber has started to test self-driving cars on public roads in Pittsburgh, and the National Highway Traffic Safety Administration (NHTSA) released new guidelines for the vehicles in September, setting the stage for other companies to deploy autonomous vehicles en masse.

But one key question looms large over the rush to disrupt transportation: How will carmakers and tech companies keep their connected vehicles safe from malicious hackers?

"The No. 1 reason why people say they are unlikely to buy an autonomous vehicle is that they don't feel that they're safe," says Moe Kelley, director of the consulting firm Altman Vilandrie and Company, who adds that many people worry they might be vulnerable to cyberattacks.

In a recent survey, the firm found that 64 percent of consumers would not purchase an automated vehicle, and 57 percent wouldn't even consider riding in one.

"The worst case scenario is that a hacker will be able to drive someone off the road," said Mr. Kelley. "People also fear for their privacy with automated vehicles. Even minor hacks that allow someone’s movements to be tracked over the internet are scary to many consumers as well."

The German insurance company Munich Re said in July that 55 percent of the corporate risk managers it surveyed view cybersecurity as the biggest problem with driverless vehicles.

Taken together, these findings indicate that both consumers and experts worry that digital intruders will be able to compromise an autonomous car's systems to cause injury or steal private data. Companies and regulators alike must respond to these concerns to sell the public on self-driving cars.

The White House said in a fact sheet about the NHTSA guidelines published in September that the US Department of Transportation (DOT) plans to outline best practices for vehicle cybersecurity. NHTSA communications director Bryan Thomas told Passcode that there isn't a firm deadline for the publication of those best practices.

"While advanced vehicle technologies offer significant safety improvements, there is no denying that they can present new opportunities for bad actors," Mr. Thomas said in an emailed statement.

"DOT maintains its strong defects enforcement authority to protect road users, so that if cyber vulnerabilities are exposed, DOT can and will act quickly to make sure they are addressed," he said. "It is important to note that similar vulnerabilities already exist in non-automated vehicles, and the USDOT is focused on ensuring all vehicles are protected."

NHTSA was more specific in the guidelines published in September, but it still didn't offer concrete examples of how exactly autonomous vehicles should be secured.

"Manufacturers and other entities should follow a robust product development process based on a systems-engineering approach to minimize risks to safety," the agency said, "including those due to cybersecurity threats and vulnerabilities."

But these guidelines aren't legally binding, and even the 15-point safety assessment NHTSA wants auto companies to complete before putting self-driving cars on the streets is voluntary. NHTSA hasn't created rules about the cybersecurity of driverless cars so much as it's asked companies to take the issue seriously and police themselves.

John Simpson, a privacy-focused member of the Consumer Watchdog advocacy group, says that's not enough.

"What we're talking about essentially is manufacturers saying, 'Oh, yes, cybersecurity is important, and here are the steps we've taken to address it,'" he says. "I don't think that's adequate."

There are other concerns about NHTSA’s ability to regulate vehicle cybersecurity. The Government Accountability Office (GAO) said in a March 2016 report that while NHTSA is "examining the need for government standards or regulations regarding vehicle cybersecurity," officials "estimated that the agency will not make a final determination on this need until at least 2018." That’s at least two more years before it decides if regulations are even necessary.

GAO also said the agency isn't ready for cyberattacks.

"Although NHTSA's stated goal is to stay ahead of potential vehicle-cybersecurity challenges, NHTSA has not yet formally defined and documented its roles and responsibilities in the event of a real-world cyberattack," it said. "Until it develops such a plan, in the event of a cyberattack, the agency’s response efforts could be slowed as agency staff may not be able to quickly identify the appropriate actions to take."

NHTSA is expected to respond to the GAO’s concerns by the spring of 2017. Mr. Simpson says the agency needs to move faster than that if it’s going to keep vehicles safe from cyberattacks.

"As we move increasingly to things that are controlled electronically so we end up driving around in what are basically rolling computers, there's been a growing awareness on everyone's part that cybersecurity is a very real threat," he says. "My concern is that being aware of the problem is not enough."
