Last week, CDT responded to the Federal Trade Commission (FTC) and National Highway Traffic Safety Administration’s (NHTSA) call for public input on the benefits and privacy and security issues associated with current and future motor vehicles. This call for input will feed into a workshop on the issues in June 2017.
Connected vehicles have tremendous potential to reshape the transportation landscape – bringing important safety and efficiency benefits but also creating new security and privacy risks. In addition, there are long-standing security and privacy issues that, if not resolved, will be compounded with the continued trends towards greater use of software and connectivity in motor vehicles. Our comments focus on three main issues: the need for secure software, the increasing dependence on critical information infrastructures, and the need for greater transparency around data privacy.
1. The Need for Secure Software
As CDT has previously noted, motor vehicle security research is in its infancy, and public information about the state of automotive security is lacking in general. This is a concern given the very high likelihood of extensive bugs in existing motor vehicle software. If the best companies can push the number of bugs down to 0.5 per 1,000 lines of code, the typical motor vehicle on the road already has perhaps 50,000 bugs in its software. In a GAO report in 2014, one expert was quoted as saying, “there are no widely accepted cybersecurity performance metrics, and it is difficult to prove that a vehicle with up to 100 million lines of code is secure… testing every line of code in a vehicle would take several months, which is not feasible or practical.”
Now is an ideal time to begin considering how a body of safety rules and regulations might be developed for software in connected vehicles. The consequences of neglect in this area – for drivers and the automakers alike – are already becoming obvious: in 2015, Fiat-Chrysler recalled 1.4 million Chrysler, Dodge and Jeep vehicles due to a serious security vulnerability. CDT recommends that discussion on measures to address and reduce these security issues/risks be undertaken through a collaborative industry entity with cybersecurity experience such as the Automotive Information Sharing and Analysis Center (Auto-ISAC). Specific areas for consideration include, but are not limited to: development of minimum ‘safe’ software development standards, development of agreed upon software testing standards, and allocation of liability to developers of ‘faulty’ or ‘defective’ software.
2. Risks of Critical Information Infrastructures Reliance
As software and connectivity continue to be integrated into motor vehicles, these vehicles will in turn become dependent on critical information infrastructures, which include network-level connectivity (e.g., internet service providers, wireless providers, and the Internet Protocol), transport-level connectivity (e.g., protocols such as TCP/UDP and the Domain Name System), and application-level connectivity (e.g., protocols such as SSL/TLS and HTTP/HTTPS). This connectivity creates dependency and associated risks of cascading failure.
Consider the consequences for connected vehicles if the Domain Name System were to be disrupted as it was on Oct. 21, 2016, when the DNS provider Dyn was subject to two unprecedentedly high-powered distributed denial of service (DDoS) attacks. Once Dyn was down, an estimated 1,200 websites could no longer be accessed by end users on both sides of the Atlantic. Were such an incident to occur with connected vehicles relying on the DNS, the result would be severe disruption of the vehicles themselves and possible damage or injury to individuals. This is but one of many potential systemic risks that connected vehicles will face.
Moreover, connected vehicles will have to have some capability to communicate with other vehicles and infrastructure without global network connectivity. This communication capability will also create additional systemic risks. In an example from the adjacent ‘Internet of Things’ field, security researchers were able to bypass security measures, like encryption, and exploit the Zigbee protocol, which is a radio link between many IoT devices, in a way that could reset and potentially ‘brick’ (render inoperable) thousands of Philips Hue smart lamps. Connected vehicles are one area where large-scale problems of this kind might emerge for similar reasons.
Given that this is an emerging phenomenon, a framework for crisis planning and response does not currently exist for critical information infrastructures in relation to connected vehicles. CDT suggests that the FTC and NHTSA convene relevant stakeholders (e.g., DOT, automotive companies, critical information infrastructure operators, and software developers) to develop such a crisis framework based on a discussion of: the probability of certain incidents; measures to mitigate these incidents; and, in instances where mitigation is deemed infeasible or excessively costly, development of crisis response measures to be taken once an incident occurs.
3. The Need for Additional Transparency into Data Privacy
Connectivity significantly impacts privacy. Forty-five percent of new car buyers are concerned about the privacy impacts of new in-car technologies. Responding to these concerns, nineteen automakers adopted in 2014 a set of “Privacy Principles for Vehicle Technology and Services” that went into effect for model year 2017. When the principles were announced, CDT was supportive of them, while noting that further steps could be taken to improve the framework. Two-and-a-half years later, it continues to be unclear what precisely the principles require of automakers. Now is the time to resolve this and a slew of other issues related to the principles.
First, it is not at all clear what constitutes effective notice and transparency about how vehicle connectivity impacts driver privacy. Second, it is worth exploring how vehicle owners are offered controls over the use and sharing of vehicular data. Third, given the serious privacy risks inherent to vehicular data, we need to know more about how automakers are operationalizing the data minimization, de-identification, and retention principles. Finally, further clarification is needed as to which entities and services are outside the scope of the Privacy Principles.
* * *
The net benefits from connected vehicles will only be maximized if measures are put in place to manage both the new and the old security and privacy risks that connectivity creates. At this point in the technology life-cycle, it is essential to put in place such risk management measures given that the cost of retrofitting measures only increases over time. CDT applauds the FTC and NHTSA for engaging these critical issues at this point in time. We look forward to the joint workshop on ‘connected vehicles,’ which will take place during June 2017, and to making further progress on these pressing issues.