Regulators: Bill Could Make Cars More Vulnerable to Hackers

House Re­pub­lic­ans are work­ing on le­gis­la­tion that aims to make cars and trucks more se­cure from hack­ers. But fed­er­al reg­u­lat­ors warned at a hear­ing Wed­nes­day that the bill could have the ex­act op­pos­ite ef­fect.

“The pro­posed le­gis­la­tion, as draf­ted, could sub­stan­tially weak­en the se­cur­ity and pri­vacy pro­tec­tions that con­sumers have today,” test­i­fied Manee­sha Mith­al, the head of the Fed­er­al Trade Com­mis­sion’s Di­vi­sion of Pri­vacy and Iden­tity Pro­tec­tion.

In­ter­net-con­nec­ted cars can provide ex­cit­ing new fea­tures for drivers, but they can also be sus­cept­ible to cy­ber­at­tacks. Fi­at Chrysler had to re­call more than a mil­lion vehicles earli­er this year after the com­pany dis­covered a soft­ware flaw that could al­low hack­ers to gain re­mote con­trol over the en­gine and steer­ing. Pri­vacy ad­voc­ates have also ex­pressed alarm about the amount of per­son­al in­form­a­tion that car com­pan­ies can col­lect.

A draft bill re­leased last week by the Re­pub­lic­an lead­ers of the House En­ergy and Com­merce Com­mit­tee aims to im­prove vehicle se­cur­ity and give con­sumers more con­trol over their per­son­al in­form­a­tion. The bill would dir­ect the Na­tion­al High­way Traffic Safety Ad­min­is­tra­tion to cre­ate an ad­vis­ory coun­cil to craft cy­ber­se­cur­ity stand­ards for car com­pan­ies. Any­one who ac­cesses a car’s elec­tron­ic sys­tems “without au­thor­iz­a­tion” could face a $100,000 fine un­der the le­gis­la­tion. And the bill would re­quire car com­pan­ies to cre­ate pri­vacy policies and file them with the Trans­port­a­tion De­part­ment.

But the reg­u­lat­ors warned that the bill would gut ex­ist­ing con­sumer pro­tec­tions. Un­der the le­gis­la­tion, com­pan­ies with pri­vacy policies that meet min­im­um stand­ards would be im­mune from FTC pri­vacy law­suits. “Un­der this pro­pos­al, man­u­fac­tur­ers can sat­is­fy the re­quire­ments of this sec­tion without provid­ing any sub­stant­ive pro­tec­tions for con­sumer data,” Mith­al ar­gued at the hear­ing of the Com­merce, Man­u­fac­tur­ing, and Trade Sub­com­mit­tee. “For ex­ample, a man­u­fac­turer’s policy could qual­i­fy for a safe har­bor even if it states that the man­u­fac­turer col­lects nu­mer­ous types of per­son­al in­form­a­tion, sells the in­form­a­tion to third parties, and of­fers no choices to opt out of such col­lec­tion or sale.”

She also warned that the sec­tion au­thor­iz­ing fines for car hack­ers could pen­al­ize re­search­ers who are just test­ing a car for se­cur­ity holes. The vul­ner­ab­il­ity of the Fi­at Chrysler cars, for ex­ample, was first ex­posed by cy­ber­se­cur­ity re­search­ers. “By pro­hib­it­ing such ac­cess even for re­search pur­poses, this pro­vi­sion would likely dis­in­centiv­ize such re­search, to the det­ri­ment of con­sumers’ pri­vacy, se­cur­ity, and safety,” Mith­al said.

Mark Rose­kind, the ad­min­is­trat­or of the NHTSA, ar­gued the bill would al­low in­dustry lob­by­ists to dom­in­ate the coun­cil in charge of cy­ber­se­cur­ity stand­ards. “Ul­ti­mately, the pub­lic ex­pects NHTSA, not in­dustry, to set safety stand­ards,” he said.

Demo­crats also blas­ted the bill, claim­ing it would only weak­en con­sumer pro­tec­tions. “In­stead of pur­su­ing a bi­par­tis­an ap­proach, the ma­jor­ity chose to pre­pare this le­gis­la­tion be­hind closed doors,” said Rep. Frank Pal­lone, the En­ergy and Com­merce Com­mit­tee’s top Demo­crat.

Re­pub­lic­ans de­fen­ded their le­gis­la­tion, but also ac­know­ledged that it is a work in pro­gress.

“The staff dis­cus­sion draft that we will re­view today is a start­ing point,” said En­ergy and Com­merce Chair­man Fred Up­ton, a Michigan Re­pub­lic­an. “It in­cludes pro­pos­als in­ten­ded to foster great­er vehicle and road­way safety for mo­tor­ists now and in the years to come. Some pieces, like hav­ing a cor­por­ate of­ficer re­spons­ible for safety com­pli­ance, aren’t new. Oth­er ideas, like how to best en­sure cy­ber­se­cur­ity, may need to fur­ther evolve.”