Senators Say Cybersecurity Should be Top Priority for Autonomous Vehicles

Self-Driving Cars Need Regulations, But Commercial Priorities May Prevail Over Consumer Privacy

The arrival of autonomous vehicles (AV, or self-driving vehicles) on the public highways is getting closer. Just this month (June 2017), Nutonomy announced a partnership with Lyft for R&D on its existing AV testing on the streets of Boston. Lyft announced yesterday that by 2025 it will provide “at least 1 billion rides per year using electric autonomous vehicles.” Also this week, Japanese robotics firm ZMP announced its plan to have an AV taxi on the streets of Tokyo in time for the 2020 Olympics. The need for AV regulation is pressing.

The U.S. Senate Commerce, Science, and Transportation Committee responded Tuesday by releasing bipartisan principles for AV legislation ahead of a Wednesday hearing titled ‘Paving the way for self-driving vehicles.’ The authors of the principles, U.S. Sens. John Thune (R-S.D.), Gary Peters (D-Mich.), and Bill Nelson (D-Fla.), plan to introduce legislation, but have so far set neither a date nor deadline for this.

The principles focus on safety, promoting innovation, tech-neutral legislation, clarification over federal and state responsibilities, public education, and — of course — cybersecurity. The last is minimal. The document states that cybersecurity must be included ‘from the very beginning of their development,’ and that “Legislation must address the connectivity of self-driving vehicles and potential cybersecurity vulnerabilities before they compromise safety.”

In short, it addresses cyber vulnerabilities, but not user privacy. The former is necessary. Researchers have shown for years that the onboard computer systems of existing non-autonomous vehicles are vulnerable to hacking, from the Valasek/Miller research in 2010 to the Tesla hack late last year.

But user privacy is also important. In March this year, Sens. Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.), members of the same committee, re-introduced their own SPY Car Act, which specifically requires a dashboard to inform consumers “about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers, and passengers beyond the minimum requirements.”

The lack of privacy conditions in this week’s bipartisan principles would suggest two camps within the Commerce, Science, and Transportation Committee: one that seeks to prioritize the commercial value of AV, while the other seeks to also protect the privacy of AV users. The reality of modern business is that you cannot maximize both simultaneously.

The low priority given to security in this week’s approach also shows in the currently available details of Wednesday’s hearing. The introductory remarks from Chairman John Thune talk about the expected benefits from AVs, but never once mention security or privacy.

There are four published statements for the hearing: The Alliance of Automobile Manufacturers, The American Center for Mobility (ACM), Mothers Against Drunk Driving, and Nvidia. Three of these statements never mention security or privacy.

Only ACM broaches these subjects, but specifically calls for ‘voluntary standards’. “Additional voluntary standards are needed immediately to ensure that these new approaches in testing, validation, data collection, data-sharing, privacy, cybersecurity, and other areas are developed to ensure safety, while not inhibiting or stalling the technology development.”

Most security professionals believe that voluntary privacy standards simply do not work — they need to be backed by strict legislation with strong sanctions (see, for example, GDPR). ACM’s declaration that it “will fully protect consumer and public privacy and security, and will take steps to ensure that any data or information sharing activities do not violate, hinder, or compromise integrity of any consumer privacy/security agreements or arrangements put in place by manufacturers, testers, agencies, public entities, or by ACM itself” is welcome, but simply continues the concept of self-regulation.

The size, reach and monetary value of the consumer data industry make it unlikely that user privacy can be maintained voluntarily, and it is improbable that many people fully understand the extent to which they are currently profiled. A new and detailed analysis (PDF) published this month by Cracked Labs (Vienna) analyzes ‘how companies collect, combine, analyze, trade, and use personal data on billions.’ It concludes, “we might soon end up in a society of pervasive digital social control, where privacy becomes — if it remains at all — a luxury commodity for the rich. The building blocks are already in place.”

In the coming mass market of self-driving vehicles, only time will tell whether the privacy-protecting proposals of the SPY Car Act or the commerce-promoting stance of this week’s new proposals will prevail.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
