Weekly Brief: US Complacency Over Growing Connected Car Cyber Threat

Commentary By Andrew Tolve

---

15th June 2020

Two US senators sent an open letter to the National Highway Traffic Safety Administration (NHTSA) last week calling out the agency for “its dangerously reactive approach to cyber-security”.

The letter was written by Democratic senators Edward Markey and Richard Blumenthal, who are members of the Commerce, Science and Transportation Committee. They share the belief that the federal government is failing to monitor and protect against the rising specter of hackers breaking into Internet-connected cars. Potential dangers include hackers stealing personal data and committing acts of domestic terrorism.

Markey and Blumenthal have proposed a new piece of legislation to deal with the threat. Called The Security and Privacy in Your Car (SPY Car) Act, the legislation would direct NHTSA and the Federal Trade Commission to establish federal standards to ensure cyber-security in increasingly computerized vehicles and to protect drivers’ privacy. NHTSA says the legislation is unnecessary.

The agency claims that it already has a protocol in place to respond whenever a cyber-security issue is brought forward. Given that the agency is “not aware of any malicious hacking attempts that have created safety concerns for the motoring public”, it sees no need to go further. “We are deeply troubled by NHTSA’s deafening silence in response to the repeated reports of vulnerabilities and risks of hacking of internet-connected cars,” write Senators Markey and Blumenthal in their joint letter.

In NHTSA’s defense, there have been no acts of domestic terrorism committed with hijacked connected cars on US soil, nor have there been any broadly publicized examples of hackers stealing users’ personal data from their vehicles. Then again, as we have seen with the coronavirus pandemic, sometimes taking a reactive approach can backfire spectacularly, as opposed to being proactive and well prepared for a threat that experts agree looms large on the horizon.

In the UK, insurance data reveals that the number of attacks on connected vehicles has increased sevenfold since 2016, and they spiked 99% in the past year alone. That’s according to the 2020 Global Automotive Cyber-security Report from Upstream Security. This is set against a backdrop of an automotive market that is only getting more connected. In 2019 two out of three new cars in the UK were internet-connected, a number that’s expected to reach 100% by 2026, according to The Society of Motor Manufacturers and Traders.

Hackers target every type of digital platform out there and reap billions of dollars in stolen data each year, turning lives upside down and creating headaches for corporations in the process. If NHTSA doesn’t think automobiles are coming next, it’s got a blind spot as large as a rear view mirror’s.

Last week our Paul Myles explored how the self-driving revolution won’t just be about autonomous Ubers and contact-less delivery vehicles bringing groceries to your door. It also will include autonomous heavy industry vehicles, such as driverless road rollers and robotic mining equipment. As connectivity and autonomy pervade automobiles of all stripes, the threat of hacking will only become greater and the case for rigorously enforced automotive cyber-security standards that much stronger.