Just a month after releasing its long-awaited Federal Automated Vehicles Policy, on Monday NHTSA followed up with "Cybersecurity Best Practices for Modern Vehicles." While these Best Practices are similarly non-binding/de facto standards, they set forth NHTSA's present plans to regulate and monitor vehicle cybersecurity and data integrity.
Like the Automated Vehicle Policy, the Best Practices show a clear trend towards mandatory documentation, retention, and potential sharing of design choices and analysis throughout the vehicle lifespan and across the industry. As discussed below, these Best Practices will surely be characterized as the minimum "standard of care" (by plaintiffs and plaintiffs' experts) for vehicle cybersecurity, even if never fully adopted by NHTSA. Therefore, failing to adopt the Best Practices creates significant risks in the event a cybersecurity breach occurs, even if following the Best Practices would not have prevented the attack.
Over the last several years, a growing concern of regulators, consumer watchdog groups, and the public is that adequate safeguards are not in place to protect motor vehicles (and an owner's personal information) from cyberattacks. In large part, these concerns have been spurred by a well-publicized hacking of a Jeep Grand Cherokee vehicle, where the hackers gained access to the vehicle through the navigation system and remotely took control of the vehicle brakes and throttle. While this isolated event was the product of years of intensive research, there is a real concern that similar attacks are inevitable as more connected vehicles enter the marketplace.
Federal legislators are also concerned. In 2015, two U.S. Senators introduced a bill dubbed the "SPY Car Act" that would direct NHTSA and the FTC to develop and enforce federal standards to secure and protect motor vehicles from cyberattacks. Independently, OEMs and the industry at large have undertaken additional efforts to better understand (and in turn prevent) these potential vulnerabilities, giving rise to organizations such as the Automotive Information Sharing and Analysis Center (AUTO-ISAC).
Consistent with its stance on autonomous vehicles, the Best Practices affirm that despite no current FMVSS standards on cybersecurity, NHTSA’s regulatory authority empowers it to ensure that vehicles are safe and free from cybersecurity “Vulnerabilities” that hackers would exploit to create unreasonable safety-related risks. The Best Practices target manufacturers, designers, and suppliers, and include a host of recommendations for designing and manufacturing vehicle systems and software. The Best Practices envision a significant management commitment to cybersecurity, including dedicated corporate officers, internal and external risk assessments (such as engaging hackers in so called "white hat" hacking exercises), research, investigation, implementation, testing, and validation of product cybersecurity measures and vulnerabilities, and creation of internal and external channels to communicate cybersecurity risks throughout the organization. Additionally, the Best Practices expect OEMs will participate in industry-wide risk-assessments and threat sharing, adapt their cybersecurity strategies based upon other sector experiences, and voluntarily report any real or detected threats to NHTSA and within the industry.
Importantly, although the Best Practices illustrate NHTSA's current view of the basic and minimum standards for OEMs, they do not impose any affirmative requirements for OEMs at this time. For now, but likely not for long, this aspirational approach to cybersecurity remains “voluntary.” Failing to make a serious commitment to embrace at least some of NHTSA's recommendations, however, opens up an alluring angle of attack when cybersecurity claims do occur. Plaintiffs and their experts will interpret and construe the Best Practices against OEMs, arguing they represent the “floor.” Fortunately, NHTSA’s recognition that the “cybersecurity environment is dynamic,” and that development of protections should be “built upon a risk-based prioritization,” reflects the reality that adopting and implementing even the highest commitment to cybersecurity cannot and will not prevent every malicious hacking attempt. OEMs will be expected to “mitigate cyber threats that could present unreasonable safety risks,” not eliminate every possible vulnerability no matter how serious
Section 6.7 of the Best Practices outlines what NHTSA calls Fundamental Vehicle Cybersecurity Protections. While not exhaustive, the Cybersecurity Protections lay out eleven "required" design, control, system access, and threat recording "protections [to] serve as a small subset of potential actions which can move the motor vehicle industry towards a more cyber-aware posture." The Cybersecurity Protections also impose specific requirements on OEMs to control when and where software and hardware developers can access their systems, limit how and when to access vehicle electronics, and protect vehicle control electronics. Implementing each of the proposed Cybersecurity Protections cannot prevent all cybersecurity attacks, but not doing them invites criticism from third party experts during cybersecurity litigation and risks breaching the "electronic standard of care." While it is too early to identify which of the Best Practices will be formally promulgated by NHTSA in the rulemaking process, the Best Practices are publically available and accessible to plaintiffs’ counsel and plaintiffs’ experts. As discussed, we will see arguments that the Best Practices represent the minimum "standard of care" for determining product defect regardless of whether the Best Practices are adopted in whole or in part. In order to proactively address these arguments, we recommend that manufacturers consider the following:
- First, study the Best Practices and identify what corporate changes, if any, are needed to conform with the Best Practices, or be prepared to offer a reasoned explanation if these practices are not or cannot be followed;
- Second, if not already doing so, identify and retain external consultants and experts to evaluate cybersecurity design process and robustness;
- Third, discuss cybersecurity protections and cybersecurity threat response with all third-party electronics suppliers, and
- Fourth, review the Cybersecurity Provisions, adopt the ones are appropriate for your applications and document appropriately if you conclude that adoption of one or more is not necessary.
The Bowman and Brooke Motor Vehicles Group is committed to helping our clients successfully navigate this new legal and rapidly developing regulatory environment. As part of this effort, we will provide a series of short updates on many of the changes outlined in the Best Practices.