As automakers race toward a future of Web-connected and self-driving vehicles, federal regulators on Monday issued proposed guidelines for guarding cars from hackers.
Coming just days after a massive Internet attack knocked several popular websites offline, the proposal reflects increasing concern among government regulators and auto industry executives alike.
Many cars already connect to the Internet, a trend that will accelerate in coming years. And hackers have demonstrated their ability to seize control of a car through the limited connectivity now available.
In response, the National Highway Traffic Safety Administration, part of the U.S. Department of Transportation, has been meeting with automakers to develop guidelines for shielding cars from hackers and limiting the damage cyberattacks can cause.
Some of the ideas focus on the way automakers approach the issue, with the administration suggesting that each company place a top executive in charge of cybersecurity and give that person a dedicated staff and resources.
Other proposals target the architecture of the cars themselves. For example, the administration recommends limiting the number of systems and components that can communicate directly with any electronic unit that controls one of the car’s critical functions, such as brakes or steering.
“In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” said Mark Rosekind, administrator of the NHTSA, in a prepared statement. “Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys.”
The administration will now solicit public comment on the proposed guidelines for 30 days.
But even when the guidelines are formally adopted, they won’t force automakers to take specific steps. Instead, they represent suggestions and best practices for the industry, with the administration trying to avoid set rules that could stifle innovation.
That troubles John Simpson, a privacy advocate with the Consumer Watchdog nonprofit group. The cybersecurity of cars, he argues, is too important to leave to voluntary guidelines alone.
“It’s ‘Pretty please, manufacturers, do the right thing,’ and then they give some examples of what the right thing might be,” Simpson said. “It’s great that we’re finally recognizing that these cars are rolling computers, and all the hacking concerns we have with desktops are critically important for cars. But we need to have enforceable standards.”
The guidelines recommend that automakers guard not just a car’s control systems but also any personal data it may generate or store related to its driver. Automakers should bring in teams of engineers not involved in the car’s design or software development to try to hack the cars, probing for weaknesses.
They should also share with the administration and each other information on vulnerabilities they find or cyberattacks they encounter. The administration and several automakers last year set up the Automotive Information Sharing and Analysis Center to facilitate such exchanges.
The proposals also delve into more specific strategies that could help shield cars. For example, the proposed guidelines recommend making the software that runs vital car functions harder to modify.
The guidelines also suggest limiting the ability of outside software developers to access some of the car’s key systems. Such limits, however, may run counter to the efforts of automakers to court Silicon Valley app developers.