The United States Congress may be the only thing in Washington more gridlocked than the city's notoriously packed roads, but last week, the town saw a rare moment of unity: the House of Representatives passed a bipartisan bill.
The unlikely subject gaining the support of both Rs and Ds? Autonomous vehicles.
The lawmaking body passed the SELF DRIVE Act, a piece of legislation laying out the basic framework for federal agencies to regulate driverless cars.
Partly a response to the worrying rise of roadway fatalities—which reached 40,200 in 2016, marking the deadliest year on American roads since 2007—the bill aims to expedite self-driving technology onto the streets, where it's estimated to bring down motor vehicle accidents by as much as 90%.
But where autonomous autos solve one problem, they create another: the potential for car-based cyber attacks.
And while the bill has yet to become law (a twin Senate effort still needs to be worked out), it points to a future where automotive control will literally be out of our hands—and open to the new-age threat.
In blazing the technological trail forward, does the legislation do enough to ensure we're all safe for the ride?
What's at Stake?
As cars become more plugged in, they also become increasingly vulnerable to widespread attacks.
In a recent report on the subject, the FBI forecasted that autonomous technology would make cars "more of a potential lethal weapon than [they are] today," and warned that driverless vehicles could be used in a wide range of terrorism tactics, from acting as self-driving bombs to holding passengers hostage if hackers remotely seize control of a vehicle.
In fact, demonstrations performed in 2014 showed that computer whizzes could already take over certain systems in modern-day models.
A growing reliance on connectivity in our vehicles only perpetuates the issue, said Monique Lance, a representative for Argus, a cybersecurity firm focusing on self-driving cars.
Self-driving cars could be used to deliver bombs or hold passengers hostage at the behest of hackers, the FBI warns.
"It doesn't matter if it's your vehicle or your phone or your company: cyber threats are here, and they're here to stay," she said. "We currently have a wide network of connected devices; when everything gets connected, it's going to be a huge network. There's no question that it's going to be vulnerable to attack. You're only as secure as your weakest link."
Aside from opening the possibility for civilian interference, the technology could also put fleets of vehicles at risk, Lance said. Autonomous semi-trucks could be especially attractive targets, with the lucrative goods they deliver held for ransom from large transportation companies—who are likely to pay out.
"We're not just talking about lives," Lance said. "We're talking about business and business continuity."
This conversation—and House bill, should it be made into law—will soon encompass nearly every vehicle, passenger, and commodity on the road. By 2020, Lance predicted "literally hundreds of millions" of connected cars could be on the streets.
But despite the digital explosion in the automotive world, government regulations have remained steadfastly analog.
Nearly half of the 73 official safety standards overseen by the National Highway Traffic Safety Administration (NHTSA) refer to the concept of "human drivers," according to a 2016 report by the Volpe National Transportation Systems Center, a research wing of the Department of Transportation.
Of the policies earmarked for their anachronism, at least 30 leave no room for new-age car configurations, such as interiors that don't include steering wheels and pedals, the report states.
But the reinterpreted rules will need to consider more than the changing insides of our vehicles—they'll have to take into account the dangers of the outside world.
How Do We Stay Safe?
To stay one step ahead of the hackers, the government must pull off the tricky act of remaining strong while becoming nimbler, said Elena Hernandez, a spokesperson for the Congressional Energy & Commerce Committee, where the bill originated in the House of Representatives.
“As technology continues to develop, the SELF DRIVE Act is about striking the balance between ensuring consumer safety while still allowing for the flexibility needed to innovate," she said.
Such balance is achieved by offering wide berths of freedom to tech and car companies—and allowing them to develop the vehicles unfettered by state lines or “normal” car regulations.
Specifically, the measure allows the NHTSA to be more proactive about adapting security standards for self-driving cars, Hernandez said. Among other measures, the bill lets the agency exempt up to 275,000 vehicles from federal safety rules over the course of 4 years, in order to facilitate more testing.
That parceled-out approach to finding what works could be a good thing when it comes to fighting cyber threats, Lance said.
“On the bright side, we’re introducing cybersecurity into the vehicles sometime after we’ve already become acquainted with how threats propagate and mutate within the IT network,” she said. “We may never see quite the havoc created on computer networks, because we’re already seeing how to prevent them.”
Still, she said, a number of precautions must be taken to ensure the cars are safe, including intrusion protection systems; technology that allows real-time interaction with—and updates to—individual cars and the network as a whole; and programs that detect illogical or unusual driving behavior. She also said a suite of ongoing monitoring tools were key to remaining vigilant of any new threats.
“You can never be 100% sure with cyber attacks, and there’s no silver bullet against them,” she said. “So you need multiple layers of security to make it as hard as possible for hackers to attack a car. It’s not enough to have one static solution. You need many dynamic solutions in place.”
To Lance, the SELF DRIVE Act encompasses enough of those solutions, or the freedom to create and test more of them, to feel the burgeoning technology is safe.
“The bill really provides a rather wide scope and touches on looking for vehicle vulnerability,” she said. “It’s covers detect and protect and recover and respond.”
Still, in exchange for the security of autonomous cars, many states in the country must first give up their autonomy.
A central aspect of the SELF DRIVE Act moves all driverless car regulations under the NHTSA. The measure would give the agency and its policies precedence over any rules hammered out by the 33 states with autonomous legislation on the books.
The process helps clarify the difference between federal and state roles in creating policy, said Hernandez. (The bill leaves licensing and registration regulation to the states, although in an age where driving and car ownership will likely be obsolete, those practices won’t yield much power.)
And Lance said the process could make things more streamlined, helping to ensure speed and flexibility when responding to a constantly-adapting threat.
“There are changes in circumstances, in the landscape’s dynamic,” she said. “There needs to be the ability to keep up with those changes.”
Preparing to stay fluid means hitting some rigid deadlines. The House bill gives the NHTSA 24 months to come up with the regulations, and a year to determine any performance standards the cars must meet. It also extends an 18-month schedule for the Department of Transportation to create privacy-related rules for the cars.
Those deadlines are pending any changes made in the Senate’s version, and even if they’re left intact, there’s still likely some time before they’ll come into play—and plenty of time for hackers to adapt.
But to truly prepare for the new world of driving, we must accept that there will always be potential attackers looking for new virtual targets, Lance said.
“Cybersecurity’s a mindset,” she said. “Organizations need to understand they’re implementing cybersecurity in the vehicle throughout its lifespan. It needs to be part of the strategy process of future planning, well embedded in every stage of the organizations.”
Still, she remained optimistic about what the SELF DRIVE Act could achieve, looking ahead to the date by which most manufactures say they’ll have commercial self-driving vehicles ready.
“If vehicle manufacturers comply with this bill, their cars will be cybersecure by 2021.”