The US Senate is busy with automotive cybersecurity legislation these days, and the UK government just recently introduced 8 guiding principles of vehicle cybersecurity. This is a big step: it clearly marks the growing importance of the issue – especially after the recent ransomware attacks doing a great job in positioning cybersecurity as a hot topic in the mainstream media.
But how do you formulate laws about something that evolves as quickly as the Internet of Things? What can governments do to ensure security without creating an extremely prescriptive set of regulations that cripple innovation? On the other hand, are mere guidelines enough in such a sensitive topic? When talking about the automotive industry, such decisions not only affect log files that only system administrators will see, but human lives. And throughout the history of motorization, whatever helped save human lives, was bound to be a mandatory part of the car sooner or later – just take the seatbelt as an example.
As automotive cybersecurity is still in its infancy, so is the related legislation. We’ll probably have to wait more until we see an elaborate list of cybersecurity requirements for new cars.
However, what we can already see is that some factors that are already affecting the forming of the answer some of the above questions.
- Long processes – legislative processes are, well, not the ones that you’d describe as “superfast”. To hammer out a draft bill, conduct the necessary debate, to have it take into effect, and ensure time for the industry to adapt can take years. Voluntary industry standards are likely to form sooner and unite OEMs and their suppliers in tackling these issues.
- Liability questions – a party having even stronger driving role than the government in clarification of responsibilities is the insurance industry. This is actively supporting the legislation process as well.
- “Seal of approval” – the value of the different cyber security systems is sometimes hard to assess. For any sort of specification requirement on tools, firewalls, etc, there are several options to choose from, and sometimes hundreds of vendors that need to be evaluated. A whole new set of standards needs to be formed.
Obviously legislation will not solve the issue, we all know there is no such thing as “perfectly secure software” and the cat-and-mouse game will just get more intense. So what can be a real, achievable target?
Generally speaking, I believe the real value lies in the legislative process itself. Nothing supports awareness as much as governments making new legislation about it (at least nothing that is not catastrophic, like a massive attack event), and this is the key. It needs to make people aware of the threat, and require solutions from the industry. The industry, just at the beginning of the evolution, needs to commit to include cybersecurity measures as a built-in and inherent part of the end product. Legislation will speed this process, and will also make sure that all players are relatively aligned, and invest more or less the same basic efforts on the matter. That will be beneficial for all parties – especially the ones driving the car, but also the industry who will be able to accelerate the adoption of new technologies without being worried about disastrous consequences.