Public comments on the proposal are due by November 28; guidance will influence automotive cybersecurity practices.
Increasingly “connected” automobiles bring convenience and other benefits to drivers and passengers, but at the same time raise concerns about safety and privacy. In response to this trend in automobile technology, members of the US Congress, along with others, have been asking what the US Department of Transportation’s (DOT’s) National Highway Traffic Safety Administration (NHTSA) will do to promote effective cybersecurity for automobiles.
Last year, members of the House Energy and Commerce Committee wrote to the NHTSA Administrator, noting that as new “technologies are incorporated into automobiles to improve safety, convenience, and performance, they also create the unavoidable potential for cyber threats.”[1] This issue arose again in September, when members of the same committee identified security and safety concerns with the On-Board Diagnostic (OBD-II) ports within vehicles. The members of Congress suggested an industrywide effort to develop a plan of action to address these risks.[2] On October 14, NHTSA responded, noting that it would soon issue best practices concerning cybersecurity.[3]
On October 24, NHTSA issued proposed federal guidance[4] to the automotive industry for improving motor vehicle cybersecurity.[5] The draft DOT guidance remains subject to public comment by November 28.[6] The final guidance will establish a baseline for automotive cybersecurity standards for the foreseeable future.
This LawFlash provides a brief overview of this new development on vehicle cybersecurity.
The proposed cybersecurity guidance, which is voluntary and nonbinding, is intended to “provide a solid foundation for developing a risk-based approach and important processes that can be maintained, refreshed and updated effectively over time to serve the needs of the automotive industry.”[7] The guidance notes that there is no current Federal Motor Vehicle Safety Standard covering vehicle cybersecurity.[8]
The guidance uses a layered approach “to ensure vehicle systems are designed to take appropriate and safe actions, even when an attack is successful.”[9] According to the draft guidance, this approach would include the following aspects:
The current draft contains several recommendations that draw upon industry and other best practices and internal applied research. Some of the recommendations include the following:
After the public comment period has concluded, DOT will issue final guidance. As noted, members of Congress are also reviewing this issue. It remains to be seen whether the voluntary standards may ultimately prove to be the basis for mandatory standards or legislation. The issue of automobile cybersecurity is likely to remain active on the legislative and regulatory fronts as vehicle technology continues to develop and automotive companies (and others) work to protect vehicles from cybersecurity and other threats.
Interested parties can submit comments on or before November 28 by visiting the Request for Comments on Federal Cybersecurity Best Practices page on the regulations.gov website.
If you have any questions or would like more information on the issues discussed in this LawFlash, including on the submission of comments to NHTSA, please contact any of the following Morgan Lewis lawyers:
Washington, DC
Ron Del Sesto
Timothy L. Bransford
Boston
Daniel Savrin
Philadelphia
Greg Parks
San Francisco
Reece Hirsch
[1] Letter to Mark R. Rosekind, NHTSA Administrator (May 28, 2015)
[2] Letter to Mark R. Rosekind, NHTSA Administrator (Sept. 12, 2016).
[3] Letter of Mark R. Rosekind, NHTSA Administrator, to House Committee on Energy and Commerce Chairman Fred Upton (Oct. 14, 2016)
[4] Proposed Cybersecurity Best Practices for Modern Vehicles (Oct. 24, 2016)
[5] Press Release, US Dep’t of Transportation, US DOT issues Federal guidance to the automotive industry for improving motor vehicle cybersecurity (Oct. 24, 2016)
[6] Public Comment for Agency Information Collection Activities; Proposals, Submissions, and Approvals: Cybersecurity Best Practices for Modern Vehicles
[7] Proposed DOT Cybersecurity Vehicle Guidance, at 5.
[8] Id. at 5.
[9] Id. at 10.
[10] Id. § 6.2.
[11] Id. § 6.6.1.
[12] Id. § 6.5.
[13] Id. § 6.6.2.
[14] Id. § 6.6.
[15] Id. § 6.3.
[16] Id. § 8.
[17] Id. § 6.7.6.
[18] Id. § 6.7.1.
[19] Id. § 6.7.4.
[20] Id. § 6.7.9.
[21] Id. § 7.
[22] Id. § 9.