In just the past few years, the technology in our cars and trucks has improved considerably. Features like forward-collision warning and automatic emergency braking, enabled by advances in sensors and real-time data analytics, have made our vehicles, and us, safer.
Autonomous vehicles, already in use in some cities, have the potential to further improve driver safety, by reducing the risk of human error. But with these new technologies come new risks—ones we must ensure are accounted for and minimized as vehicles are manufactured.
Recently, the Department of Transportation (DOT) took a significant first step toward addressing these new risks by releasing draft cybersecurity guidelines for vehicles. They include a number of recommended practices, like limiting the ability to modify vehicle firmware and segmenting control systems, that should become standard for vehicle manufacturers. But while these guidelines provide a strong foundation, since they are voluntary, consumers still have no way of knowing how seriously a manufacturer adhered to the guidelines, if at all.
The government should provide consumers this transparency, just as they have required automakers to publicly display other safety features, like crash test ratings. With human lives at stake, cybersecurity cannot be considered separate than physical security.
DOT can address the issue by creating a security label for vehicles—akin to the MPG ratings required by EPA—which would display the results of a comprehensive security assessment. The guidelines recommend a similar test, but, again without requiring disclosure of its results, consumers have no way of knowing how safe–or not–their vehicle truly is. These assessments should be mandatory, and should be conducted by a government-certified third party, examining the overall architecture of the vehicle, the critical components within the underlying code, the custom communications protocols, and how well the vehicle reacts to active or passive attacks on sensors.
To establish the specific criteria for these assessments, DOT should convene a working group of automotive manufacturers and cybersecurity experts. This group can decide who should certify vendors as qualified to conduct these assessments, when, and what information will be most useful for consumers.
Having helped many customers comply with cybersecurity regulations, including large U.S. vehicle manufacturers, I am especially conscious of regulatory burden and know that too much or the wrong type of regulation can distract from, rather than enhance, security. Requiring a security assessment is not over burdensome. It does not dictate the methodology manufacturers use to secure their vehicles and does not impose costly requirements; it does give consumers the transparency they deserve to understand how safe their vehicle is.
DOT first issued Federal Motor Vehicle Safety Standards in 1967, to ensure that “the public is protected against unreasonable risk of crashes occurring as a result of the design, construction, or performance of motor vehicles and is also protected against unreasonable risk of death or injury in the event crashes do occur.”
Cybersecurity should eventually fit in this same purview—on equal footing with seat belts and airbags. But for now, the government should take this short-term, intermediate step of giving consumers the accurate, verified information they need to make informed decisions. It’s one of the most effective measures they can take to improve vehicle safety across the board while having a relatively minimal impact on manufacturers’ bottom line.