August 4, 2016 – Sens. Edward J. Markey (D., Mass.) and Richard Blumenthal (D., Conn.) asked FCC Chairman Tom Wheeler today to consider taking action to ensure that the 5.9 gigahertz dedicated short-range communications (DSRC) band is only used for vehicle safety applications, and not for other commercial applications “that may make vehicles more vulnerable to safety, cyber, and privacy threats.”
The DSRC band is the subject of a battle between automakers and proponents of Wi-Fi and other unlicensed devices that want to share the spectrum. The gist of the senators’ requests to Chairman Wheeler matches that of Public Knowledge and the New America Foundation’s Open Technology Institute, which filed a petition for rulemaking and emergency stay request with the FCC earlier this year (TRDaily, June 28) asking the FCC to develop rules to protect the cybersecurity and privacy of connected-vehicle users.
In their letter today, the senators said they were “pleased” that the FCC issued a public notice on July 25 seeking comment on use of the DSRC band. In addition to asking Chairman Wheeler to have the agency consider reserving the band for vehicle safety applications, the senators said the agency should consider requiring automakers, commercial entities, and anyone else licensed to use DSRC spectrum to submit privacy and cybersecurity plans to the FCC, requiring those entities to periodically update those plans, and requiring them “to notify appropriate law enforcement, government agencies, and consumers if a serious breach occurs and take appropriate steps to mitigate the harms of such a breach.”
The senators asked Chairman Wheeler to collaborate with the Federal Trade Commission and the National Highway Traffic Safety Administration on the issue, and to reply to their letter by Aug. 25. The senators said timely action on the issue was important as automakers prepare to deploy vehicle-to-vehicle and vehicle-to-infrastructure technologies in their products.
“We have entered the Internet of Things (IoT) era, where our cars, transportation infrastructure, and devices can all be interconnected,” they said. “But make no mistake, IoT can also be considered the Internet of Threats if appropriate safety, cybersecurity, and privacy safeguards are not put in place. We must ensure that these vehicles have robust safety, cybersecurity, and privacy protections in place before automakers deploy vehicle-2-vehicle and vehicle-2-infrastructure communication technologies.”
As to the potential dangers of sharing the DSRC band with non-vehicle safety applications such as paying for tolls, parking, gasoline and drive-through restaurant meals, the senators said, “while these technologies are promising, we are concerned that DSRC systems could increase vehicles’ vulnerability to safety, cyber, and privacy threats.”
“For example, hackers could remotely access one vehicle or one commercial application and then use its DSRC system to spread malware to other vehicles and systems,” they said. “That could allow hackers to commandeer vehicles and intentionally cause crashes.”
“Further, businesses could collect and analyze sensitive driving information, such as where the vehicle travels or how long it stays there, without the knowledge and consent of the consumer and then send targeted advertisements via dashboard consoles, in-car entertainment systems, or digital billboards,” they said. The senators noted that NHTSA is considering whether to mandate that all new cars have DSRC systems, and said that “we must act without delay. There should be mandatory rules in place for vehicles.”
Last year (TRDaily, July 21, 2015), the two senators introduced the Security and Privacy in Your Car (SPY Car) Act, which would direct NHTSA to work with the FTC to develop standards to prevent hacking into control systems of vehicles manufactured for sale in the U.S. and to protect the privacy of data generated by connected vehicles. – John Curran