Law Comes to Self-Driving Wild West

Legislation has begun focusing on the security needs of self-driving cars. Part one of a two-part article.

Simon Marshall, Technology Journalist

September 22, 2017

4 Min Read

Earlier this month, bill number H.R.3388 passed the House, and now awaits comment from the Senate Committee on Commerce, Science, and Transportation, having already been read twice. Better known as the Self Drive Act, it seeks to define of a set of safety standards for autonomous vehicles (AVs) that can be administered by the Department of Transportation (DOT).

The bill is seen by onlookers as a push by the government to encourage the commercial development of the autonomous car sector. According to them the aim, quite literally, is to help sector stakeholders get rubber on the road. Car developers and manufacturers stand to benefit, but so should consumers, as this legislation is also credited as a lynchpin in reducing vehicular accidents caused by human inattention or negligence on the road.

When it comes to state-level laws and their enforcement, the picture is more fragmented. The National Conference of State Legislatures (NCST) just published an update showing how rapidly individual states are independently beginning to enact legislature focused on AVs. But it also illustrates to what degree policy is open to interpretation depending -- frankly -- on who should control what.

The way in which vehicle control is handed over to a computer -- whether as assistance to drivers or as a complete substitute for drivers -- is a simpler concept and it deserves utmost scrutiny. The Self Drive Act specifies that car developers and manufacturers may not introduce a vehicle to the road unless there's a comprehensive cybersecurity plan in place for intrusion detection and mitigation. What that consists of today is squidgy, because every manufacturer will have their own performance standards that they are willing to hold themselves accountable for.

Human drivers are theoretically seen as incompetent drivers compared to computer control systems, and so the belief is that computer assistance will cut the accident rate. And, the construction and mechanics of automobiles, trucks and semis, across fuel delivery, infrastructure, traction and steering systems that runs today's vehicles are the peak of about 125 years of engineering. We know computers are smart, but the big question is what happens when the computer is no longer in control?

AV security issues
Observers have been warning for some time that potential security weaknesses could jeopardize vehicle integrity. Tony Lock, distinguished analyst at Freeform Dynamics, has been studying this area. "There are few standards for securing cars, so in a Darwinian way, I guess we'll find out what works best," he told Security Now with a chuckle.

"The security industry is well aware that it's high time to fix this issue," he said. "But it snuck up on them [car manufacturers], and during the design process, security was not their first thought. Arguably, it's still not really crossed their minds."

With some manufacturers thus seen as back-filling on security -- but trying to improve systems before launch -- and yet the government pushing legislation forward, we may have an explosive situation in the making.

Malcolm Harkins, chief security and trust officer at Cylance, a firm that develops AI-based threat intelligence, is worried about how this dynamic looks. "This is a time-to-market issue and there is pressure on the car manufacturers to bring things to market in order to ensure profit, so that safety can sometimes, unfortunately, become a secondary priority," he said.

There's consensus that, if not the government, then manufacturer engineers and lawyers won't allow unsafe vehicles to be launched at all, despite encouragement for manufacturers to do that. A popular view is that 2020 will see the first vehicles hitting the road, since this would comfortably give the DOT the two years specified in the Self Drive act to define standards and get them in place beforehand.

But that assumes that the DOT can rely on manufacturers who themselves, because of the mutating nature of IT security threats, will have a hard time preparing for every such threat and exploit. We can assume, given a hacker mentality, that AVs will be a choice target for disruption. So it's hard to see right now if AVs can ever hit the road and really be perfectly safe.

Renaud DeRaison, CTO and co-founder of Tenable, a company that provides cyber risk management services, says that the regulatory balance is one-sided. "We live in an interesting world with over-regulation on one side and under-regulation on the other. For example, it takes months for the FCC to approve a firmware update to a smart smoke alarm. On the other hand, we could be in a situation where car manufacturers can push an update overnight. The gap between these two extremes is astounding."

The second part of this article will be published on Monday, September 25. Check back then for the conclusion.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Read more about:

Security Now

About the Author(s)

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights