The U.S. says it’s the first country to come up with “comprehensive guidance” on autonomous car technology. 


You look at price and gas mileage when you buy a new car.

Soon, that new car catching your eye may be driverless. And soon, you may be looking over its 15-point safety checklist as well before laying down your money. 

The federal government has announced new rules for autonomous and semi-autonomous cars—rules that could keep you alive in case of a crash or cyber attack.

The new U.S. Department of Transportation rules are just guidelines for now, but some security experts applaud the move, especially after researchers have shown over and over again that connected cars can be hacked.

“Such policies will help the AV [autonomous vehicle] to be more secure from the ground up and not an afterthought anymore,” said Jonathan Petit, senior director of research at Security Innovation, who works on the security and privacy of connected cars.



An Uber self-driving car in Pittsburgh. Photo credit: iwasaround via / CC BY


Unsecure cars

Right now, companies are racing to get driverless cars onto the roads. But some cybersecurity experts say car and technology makers are skipping over important security steps to keep you safe.

Chinese researchers just showed how they could hack into a Tesla Model S from afar and control the brakes. Others took over a Jeep Cherokee remotely and brought it to a halt in traffic. Researchers successfully hijacked the heating system of a Nissan Leaf and found a way to remotely unlock millions of Volkswagen cars.

The new guidelines don’t force autonomous car companies to fix all of their cybersecurity problems.

Instead, they urge companies to follow best practices, test their technology, document their work, and write up a public safety checklist showing whether the car meets best practices or fails.

“…[W]e’re asking them to sign a 15-point safety checklist showing not just the government, but every interested American, how they’re doing it,” wrote President Barack Obama in an opinion piece in the Pittsburgh Post-Gazette.

 If you and millions of other people shopping for cars pay attention to that safety checklist, it could put pressure on driverless car companies to step up their security.

“Governmental guidelines signal intent and focus on a segment, which forces players in that field to respond in some form,” said ESET security researcher Cameron Camp. “It remains to be seen whether the corresponding responses are only symbolic, or signal real substantive change.”



Inside the Tesla Model S. Photo credit: jurvetson via / CC BY



What do the guidelines mean for your safety?

 “Accountability. Manufacturers will have to face issues head on from here on,” said Daniel Lance with Archer Security Group. Archer Security Group is the parent company of Archer News.

Lance warned last month that some driverless car sensors—called LIDAR, for ‘light detection and ranging’—are not using encryption, which could potentially allow attackers to change what the driverless car “sees” and cause crashes.

He contacted the maker, Velodyne, but the company said it did not consider the issue to be a security problem, according to the Industrial Control Systems Cyber Emergency Response Team.

One of Velodyne’s big customers, Ford, refused to comment on the issue.

Now, the government has “set clear expectations for manufacturers developing and deploying automated vehicle technologies,” USDOT said in a bulletin.

“This will help generations to come understand how intertwined security and safety really are,” Lance said. “This is just a policy today, but should help put in perspective how harmful poor security can be, and have physical impact that is life changing.”


Other security experts see benefits as well.

“A process for verifying the security of autonomous vehicles, or any vehicle, is a good thing,” said Craig Smith, author of The Car Hacker’s Handbook and transportation security director for Rapid7. 

“Without a certification process we are left to simply trust the vendor,” Smith said. “A certification process will not catch everything but it is a useful part of a defense in depth strategy.”

Who is responsible?

In his opinion piece, President Obama said driverless cars could save lives. More than 35,000 people died last year in car crashes, and almost all of the crashes—94%—happen because of human choice or human error, he said.

Soon, your car will be making the choices—and the errors. Who is responsible for a crash then? 

Some say the new guidelines could shift liability for cybersecurity problems toward driverless car companies.

“This policy is acceptance that we have moved from an age where not only can we commit a crime without the risk of violence, but we can also kill without intent,” said Lance. “When a technology is meant to serve as a life safety appliance, the risks go way up.”

“Policies will help frame the challenges and encourage suppliers to consider security-by-design, even more when they could be held accountable in case of security breaches,” said Petit.



Google self-driving car. Photo credit: smoothgroover22 via / CC BY-SA


Not mandatory

 For now, the guidelines are just recommendations, though they could become mandatory in the future. That brings praise from some in the industry. 

“The Administration showed itself to be both industry supportive and tech savvy by choosing guidance over regulation,” said Steve Grobman, chief technology officer for Intel Security.

“There’s always a concern that government regulations may stifle the ability of innovators to innovate, whereas guidance tends to create an ongoing, constructive, even progressive dialogue between stakeholders,” he said.

“One of the greatest challenges of cybersecurity is that a regulation-based approach to protection never keeps up with the rapid pace of a changing cyber-threat landscape,” Grobman added.

Your chance to speak

The first country to come up with “comprehensive guidance” on autonomous car technology, as USDOT describes it, is still asking for your comments on the new guidelines.

 You can find out how to give your thoughts through this page on the USDOT website.

The agency plans to do public outreach to get more input as well, which will help create the next policy update within the next year.

“We expect vigorous input and welcome it,” the guidelines document says. “We very much look forward to the dialogues that will emerge in the coming weeks and months and thank you in advance for helping us.”

Headline photo: Uber self-driving car in Pittsburgh. Photo credit: iwasaround via / CC BY