SPY Car Act Aims to Raise Security Standards in Auto Tech
The typical approach in cybersecurity regulation has historically been similar to other legislation: restriction and punishment. The advent of the new “SPY” bill takes the exact opposite approach, and it’s one that veteran security professionals might find refreshing. Rather than invent ever harsher “dissuasive” penalties for criminal hacker elements, the Security and Privacy in Your Car (SPY Car) Act – sponsored by Senators Ed Markey and Richard Blumenthal – seeks to put the onus of safe smart cars on those who produce them.
The Act calls for reasonable measures of cybersecurity to be implemented before cars with increasingly advanced technological capabilities ever hit the market. Such regulation is the logical extension of numerous existing precedents that govern things like tires, suspension systems, and exhaust. In particular, the bill advocates the use of encryption whenever data is captured by a future vehicle’s system. Particularly interesting to network security professionals, SPY Car wants manufacturers to penetration-test any wireless networking utilized in the vehicle.
Privacy concerns are also on the menu. Should the bill become law, an interesting feature is a ban on tracking technologies used for the purpose of advertising, with healthy opt-in and opt-out options for any data collection a vendor may conduct. On top of all this, what amounts to a 21st-century version of the Monroney Sticker is required – a “cyber dashboard” which plainly states the vehicle’s qualities in comparison to other consumer options.
The SPY Car Act would go into effect for all models made two years after its passage, a standard practice in auto regulation, according to the legislation. The last important thing that the bill requires is that if, despite all the innovation poured into cybersecurity, a breach is attempted or successful, the computer must have adequate means of detection and reporting. Somewhat onerously, it requires the vehicle to have “capabilities to stop” intrusion, and given all we know about computers and security as a society, this could be asking too much.
For Senator Markey’s part, his office interfaced with numerous interests in the auto industry, including foreign companies and domestic electric-car manufacturer Tesla. Should the bill make it through the congressional process, the Federal Trade Commission and the National Highway Traffic Safety Administration will handle creation and enforcement of regulations corresponding to SPY Car. In a statement, Senator Markey said:
This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.
Introduced on Tuesday, the bill has a long way to go before it becomes law; the legislative process in the United States sometimes takes decades over numerous attempts. Read Senator Markey’s official report here, and the current iteration of the legislation here.