July 10, 2018
The Honorable John Thune, Chairman
The Honorable Bill Nelson, Ranking Member
Committee on Commerce, Science, and Transportation
United States Senate
Washington, DC 20510
Dear Chairman Thune and Ranking Member Nelson:
In preparation for tomorrow’s hearing “Complex Cybersecurity Vulnerabilities: Lessons Learned from Spectre and Meltdown,” we write to highlight the critical problems related to the cybersecurity of connected and autonomous vehicles (AVs). As these cars will be “computers on wheels,” it is absolutely essential that strong protections be in place to safeguard against potentially catastrophic instances of vehicle hacking. We respectfully request that this letter be included in the hearing record.
Given recent high-profile cyberattacks and the tremendous threat that hacking will pose to connected and automated cars, we are very concerned that these potential risks are not being adequately addressed. In 2015, hackers demonstrated their ability to take over the controls of a sport utility vehicle (SUV) that was traveling 70 miles per hour on an Interstate outside of St. Louis, MO. By accessing the vehicle’s entertainment system using a laptop computer, hackers located miles away from the vehicle were able to send disruptive commands to the SUV’s dashboard functions, steering, brakes, and transmission. This incident is likely just a preview of the types of hacking that will be possible as vehicles become even more reliant on complex electronic systems and outside communications.
Moreover, there is a very real and dangerous possibility that instances of hacking will not only affect one individual vehicle, but could very well impact entire fleets or model lines – posing a severe risk to occupants of the hacked vehicles as well as other road users. These attacks could also clog roads, stop the movement of goods and hinder the response of emergency vehicles. Of additional concern, there are a number of tragic examples of conventional vehicles being used as weapons by terrorists. The potential for remote hacking of connected and automated vehicles by these malicious actors could have unimaginable implications for our national security. Moreover, these risks will only be exacerbated as commercial motor vehicles, specifically large trucks and buses, become more reliant on autonomous systems and are used in platoons.
Currently, Section 14 of the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (AV START) Act (S. 1885) only requires manufacturers to have a cybersecurity plan in place. This is woefully inadequate and has no requirements that any protections be implemented. Instead, the legislation should be improved to direct the National Highway Traffic Safety Administration (NHTSA) to issue a minimum performance standard for all AVs (including SAE Level 2 vehicles). The agency should be required to issue this final rule within a reasonable deadline of three years after enactment. In fact, the July 6, 2018 edition of Science Magazine included an article penned by Joan Claybrook and Shaun Kildare which called for a cyber standard and suggested that regulators “look across industries and adapt standards from other modes and fields (banking, military, aviation, etc.) to ensure that AVs have a means for detecting and responding to an attack appropriately and preventing a widespread threat to safety.”
Further, we support the establishment of a method for sharing cybersecurity problems and vulnerabilities among manufacturers so that all systems can be updated accordingly. To mitigate against widespread impacts, establishing a method of quickly identifying issues and disseminating that information across all participants is critical.
The public recognizes the acute threat of cybersecurity attacks on vehicles, and for good reason. A poll conducted by Morning Consult earlier this year showed that 67 percent of adults responded that they were somewhat or very concerned about cyber threats to driverless cars. An ORC International poll from January 2018 showed that 81 percent of respondents supported the United States Department of Transportation issuing rules to protect against hacking of cars that are being operated by a computer.
We urge you to include the need for robust protections against vehicle hacking in tomorrow’s timely discussion. Furthermore, the pending AV START Act should not be enacted into law without requirements that sufficiently account for the reality of cybersecurity threats, including hacking into driverless cars. Thank you for your consideration of our position. We look forward to continuing to work with you to ensure the safety of all road users.
Catherine Chase, President
Advocates for Highway and Auto Safety
Joan Claybrook, President Emeritus
Public Citizen and Former NHTSA Administrator
Jason Levine, Executive Director
Center for Auto Safety
Jack Gillis, Executive Director
Consumer Federation of America
Rosemary Shahan, President
Consumers for Auto Reliability and Safety
John M. Simpson, Privacy and Technology Project Director
Consumer Watchdog
cc: Members of the Committee on Commerce, Science, and Transportation