United States: Reducing Cybersecurity Risks To Autonomous Vehicles

In June 2017, U.S. Secretary of Transportation Elaine Chao announced that her department is revising autonomous vehicle guidelines issued in September 2016. The new guidelines—which will be released later this year—are expected to address state deference to federal regulations, reporting requirements for accidents and other incidents involving test and production vehicles, human-machine interfaces, consumer education and training, post-crash behavior and crashworthiness.

According to "Chao Ponders Fed Role in Regulating Driverless Tech," a June 2017 Detroit News article, Secretary Chao met with auto executives and noted that while the future of autonomous vehicles is bright, "We have a responsibility to ensure that the new technology is safe and secure." Secretary Chao's emphasis on "safe and secure" hints that, in addition to the topics mentioned above, the 2017 Guidelines may improve existing guidance by addressing safety issues peculiar to autonomous vehicles. This includes the standardization of road markings and identifying conditions under which autonomous vehicles are not permitted to operate, such as weather restrictions.

Cybersecurity Breaches and Other Risks

It is critical that the security issues covered in the 2017 Guidelines meaningfully address autonomous vehicle data recording and sharing, privacy and cybersecurity. Cybersecurity issues are especially significant. Any software that connects to the internet is susceptible to a cybersecurity attack, and autonomous vehicles will have at least one internet connection. Exacerbating this inherent risk is the fact that some autonomous vehicles are developed by companies that are not original equipment manufacturers. These companies modify a vehicle developed by an OEM by introducing software, sensors and other devices that enable the vehicle to perform autonomous functions. As a result, the autonomous operations are being built using software and hardware that is separate from, or in addition to, software and hardware designed by the OEM. The autonomous functions also use computer networks that were not designed for a high level of automation and remote access. This development bifurcation is a prescription for cybersecurity gaps.

There have been several high-profile automotive cybersecurity breaches in recent years. In one breach, German researchers spoofed a cellular base station and sent fake messages to a SIM card used by a vehicle's telematics system (the system enabling the long-distance transmission of computerized information). This gave the researchers access to remote convenience features of the vehicle, allowing them to remotely unlock the vehicle's doors. Several other cybersecurity breaches involved remotely taking control of essential features of a car; one such breach enabled an unauthorized party to take control of various functions of the vehicle by plugging a device into a vehicle's on-board diagnostic port, where that plugged-in device was able to receive instructions remotely. In addition, in 2015, two unauthorized individuals hacked into a vehicle using its internet connection, and remotely stopped the vehicle on a highway. And in 2016, another vehicle's WiFi connection was breached, enabling an unauthorized party to take control of its driving systems.

Any type of malware that can put a home computer or smartphone at risk can similarly threaten autonomous vehicles. For example, ransomware attacks that encrypt all of the data on a computing device can be modified to take control of or stop the operation of a vehicle unless payment is made. A user of an autonomous vehicle might not have the luxury of time to figure out a solution to a vehicle that is not operational due to ransomware. These cybersecurity breaches can result in intentional damage to people, the vehicle and other property.

Weaknesses of the 2016 Guidelines

The automated vehicle guidelines issued by the Department of Transportation last year identified cybersecurity as one area of concern, but did not go far enough in addressing cybersecurity risks. (National Highway Traffic Safety Administration (2016), Federal Automated Vehicles Policy, Washington, D.C., hereafter the "2016 Guidelines".)

The authors of the 2016 Guidelines did understand the cyberattack cat-and-mouse game in which hackers exploit weaknesses in networks as long as they remain unfixed, and then identify and exploit other weaknesses in a serial manner. Accordingly, those guidelines provide a framework for companies to approach cybersecurity problems. They do not propose specific technological solutions, however. Rather, the 2016 Guidelines rely on platitudes and are too tentative. For example, they suggest that manufacturers "follow a robust product development process based on a systems-engineering approach to minimize risks to safety" and employ "established best practices for cyber physical vehicle systems," but do not provide any meaningful guidance.

A separate report in October 2016 focuses on cybersecurity and provides additional suggestions, such as layered solutions to ensure that vehicle systems are designed to take appropriate and safe actions, even when an attack is successful. (National Highway Traffic Safety Administration (2016, October), Cybersecurity Best Practices for Modern Vehicles, Report No. DOT HS 812 333, §5, Washington, D.C.) While this report provides additional guidance, it is still too tentative to meaningfully assure an adequate level of attention to the cybersecurity risk.

What Kinds of Solutions Should the 2017 Guidelines Identify?

The 2017 Guidelines should more forcefully propose a collaboration among autonomous vehicle manufacturers to address cybersecurity risks. They should also mandate the reporting of any cybersecurity attack to both the collaborative body and the government, to better share and address cybersecurity risks and solutions. In 2015, the automobile industry took a first step in this direction with the formation of the Automotive Information Sharing and Analysis Center, whose charter includes the transparent sharing of vulnerability detection and best practices. However, participation in the Auto ISAC is voluntary, and its recommendations are not binding, even on its members.

The 2017 Guidelines should also require isolated networks: one network for non-essential vehicle operations such as infotainment and telematics functions, and another network for essential vehicle operations. They should also restrict or prevent direct communications between these networks, to make it more difficult for hackers to take control of essential vehicle operations—such as steering and braking—merely by penetrating internet-facing software and data—such as a vehicle's browser, map or traffic data. Isolation may be achieved by implementing a separate physical network, or by using software that effectively isolates the network that controls essential vehicle operations from non-essential vehicle operations.

For software and firmware updates, which are already commonplace in electric vehicles, code signing using secure cryptographic keys—already in use by one vehicle manufacturer—should be required by the 2017 Guidelines.
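To make the code-signing recommendation concrete, the following is an added illustration (not code from the article, the Department of Transportation, or any vehicle manufacturer) of the two halves of a signed update: the vendor signs each firmware image with a private key, and the vehicle refuses to install any image whose signature does not verify under the vendor's pinned public key. Ed25519 from Go's standard library is used here as an arbitrary choice of signature scheme; the FirmwareImage format, the version-binding digest and the constructed payload are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a hypothetical update package: the image bytes, a version
// label, and the vendor's signature over both (format assumed for the example).
type FirmwareImage struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned whenever an image must not be installed.
var ErrBadSignature = errors.New("firmware signature invalid: refusing to install")

// GenerateVendorKeys creates the vendor's signing key pair. In practice the
// private key stays in the vendor's build infrastructure (ideally an HSM) and
// only the public key is provisioned into the vehicle.
func GenerateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// firmwareDigest binds the version label to the payload so a validly signed
// payload cannot simply be re-labelled as a different release.
func firmwareDigest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator between fields
	h.Write(payload)
	return h.Sum(nil)
}

// SignFirmware is the vendor-side step performed at release time.
func SignFirmware(priv ed25519.PrivateKey, version string, payload []byte) FirmwareImage {
	sig := ed25519.Sign(priv, firmwareDigest(version, payload))
	return FirmwareImage{Version: version, Payload: payload, Signature: sig}
}

// VerifyBeforeInstall is the vehicle-side gate: only an image whose signature
// verifies under the pinned vendor public key may proceed to installation.
func VerifyBeforeInstall(pub ed25519.PublicKey, img FirmwareImage) error {
	if len(pub) != ed25519.PublicKeySize || len(img.Signature) != ed25519.SignatureSize {
		return ErrBadSignature // unsigned or malformed image
	}
	if !ed25519.Verify(pub, firmwareDigest(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature // payload, version or key does not match
	}
	return nil
}

func main() {
	pub, priv, _ := GenerateVendorKeys()
	img := SignFirmware(priv, "1.2.0", []byte("constructed firmware bytes"))
	fmt.Println("genuine image:", VerifyBeforeInstall(pub, img))
	img.Payload[0] ^= 0xff // simulate a modified image in transit
	fmt.Println("tampered image:", VerifyBeforeInstall(pub, img))
}
```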

Other possible cybersecurity solutions include requiring real-time attack detection and a real-time response. For example, when an attack is detected, the vehicle could be safely stopped and a clean version of the software or firmware could be reinstalled. Another solution would be to severely limit access to the internal control/diagnostic bus of the vehicle, which currently provides hackers with direct and easy access to the internal networks of vehicles.

Note to the Industry: Take More Forceful Action or Face Congressional Intervention

Autonomous vehicles are enticing targets for those carrying out cybersecurity attacks. Although the automotive industry has taken some voluntary action, it must take more meaningful steps to adopt cybersecurity measures; otherwise, the industry will face congressionally mandated cybersecurity protections.

For example, in March, the U.S. Senate introduced the Security and Privacy in Your Car (SPY Car) Act of 2017 (S.680, 115th Congress (2017)), a bill designed to improve vehicle security and privacy. If passed, the legislation will require, inter alia, the isolation of critical software systems, i.e., those required for the operation of the vehicle, from noncritical systems.
