New SPY Bill Aims to Improve Connected Car Security
Proposed legislation has been introduced to the US House of Representatives designed to improve security and privacy in an increasingly digital car industry.
The bipartisan Security and Privacy in Your Car (SPY) Study Act of 2017 was introduced by Republican Joe Wilson and Democrat Ted Lieu – apparently the only representative of his party in the House with a computer science degree.
It will require the National Highway Traffic Safety Administration (NHTSA), the Federal Trade Commission, the National Institute of Standards and Technology (NIST), the Department of Defense, the Automotive Information Sharing and Analysis Center (ISAC), SAE International, car manufacturers, OEM players, and “relevant academic institutions” to conduct a study into new security standards for cars.
Specifically, it states the study should cover what measures are needed to: separate critical systems from each other; minimize code bugs; “detect and prevent, discourage, or mitigate” hacking efforts and ensure any collected car data is secured at rest and in transit.
Isolation of critical elements is particularly important as lateral movement inside a connected car systems allowed researchers Miller and Valasek to perform their famous Jeep Cherokee hack in 2015, which enabled them to remotely control a vehicle.
It’s this potential physical danger to drivers and passengers that seems to have informed the drawing up of the bill.
Lieu argued in a statement that without good security a hacker could turn a car into a weapon.
“The SPY Car Study Act builds on important work undertaken by the National Highway Traffic Safety Administration by emphasizing the protection of users’ personal data, and developing clear timelines for implementing these standards,” he claimed.
“We need to know that our navigation, entertainment, and operating systems are safe—and that our data is kept private. We must be proactive about our privacy and security, now more than ever.”
Yoni Heilbronn, vice-president at security firm Argus, welcomed the proposed legislation, but questioned whether regulation was coming fast enough.
“In 2015, the SPY Car Act was introduced in the Senate which called for NHTSA to issue specific cybersecurity regulations to protect against intrusions. This new Act only asks NHTSA to conduct a study to determine appropriate standards for the regulation of vehicle cybersecurity,” he added.
“Automakers are well aware of the risks cyber threats pose to drivers, vehicles and fleets and should be actively working with policymakers to shape appropriate regulations to keep our roads cyber safe.”
Source: Information Security Magazine