Unregulated at Any Speed: DoT’s Cybersecurity Policy for Self-Driving Cars

Despite headlines, hype, and hysteria, US government rightly chooses cybersecurity guidance over regulation.

The Obama administration today unveiled its long-awaited safety policy for self-driving or automated vehicles (AVs). Despite the recent tragic death of a passenger travelling in a Tesla-built AV, and persistent discussions of spectacular cyber-sabotage scenarios, the government chose a wise, sober course with regard to cybersecurity.

The US Department of Transportation and National Highway Traffic and Safety Administration (NHTSA) opted to work with industry to drive AV innovation, rather than propose regulations that could restrict such innovation, and even potentially undermine the cybersecurity of such vehicles.

DoT’s four-point policy seeks to lay “a path for the safe testing and deployment of new auto technologies” with life-preserving and resource-conserving potential for the American people. Specifically, the policy presents a model for federal and state regulatory responsibilities, outlines NHTSA’s AV regulatory tools, and proposes new regulatory tools and statutory authorities.

In the area of safety, however, the government presents a 15-Point Safety Assessment Guidance, covering everything from consumer education, to data recording and privacy, to human-machine interfaces, to crashworthiness, to our primary concern: vehicle cybersecurity.

This afternoon, McAfee CTO Steve Grobman commented that the choice of cybersecurity guidance reveals an Obama administration “highly-supportive” of AV technology and the cybersecurity innovation required to protect it:

“In choosing guidance over regulation, the administration showed itself to be both industry supportive and tech savvy. They’ve focused on best practices and the Auto-ISAC threat analysis and vulnerability sharing between automakers and component manufacturers.

They clearly understand that the critical cybersecurity challenge in self-driving vehicles will be tackling the threats of today and tomorrow—versus the threats of five years ago.

There’s always a concern that government regulations may stifle the ability of innovators to innovate, whereas guidance tends to create an ongoing, constructive, even progressive dialog between stakeholders.

But one of the greatest challenges of cybersecurity is that a regulation-based approach to protection never keeps up with the rapid pace of a changing cyberthreat landscape. New threats and vulnerabilities come to light each month.

Well-meaning regulatory regimes can force an opportunity cost upon manufacturers, as limited resources best applied to address today’s most critical threats can be spent wrestling with restrictions meant to address older issues long after they are critical security concerns.”

For more on McAfee’s perspectives on vehicle cybersecurity and its technology commitments in this area, please see our recent whitepaper and announcements around the Automotive Security Review Board (ASRB).

To learn what everyone should know about the cybersecurity of connected cars and driverless vehicles, please see Gary Davis’ blog “From the Ground Up: How the Cars of the Future Will Be Secured.”

Members of the press interested in speaking to Mr. Grobman on this topic may do so by contacting chris_palm@mcafee.com.