March 22, 2017–Sens. Edward J. Markey (D., Mass.) and Richard Blumenthal (D., Conn.) said today they reintroduced legislation that would direct the federal government to establish standards for automobile cybersecurity and to address cybersecurity vulnerabilities of the U.S. commercial aviation system.
The two bills – the Security and Privacy in Your Car (SPY Car) Act and the Cybersecurity Standards for Aircraft to Improve Resilience (Cyber AIR) Act – were introduced in the last Congress (TRDaily, July 21, 2015, and April 7, 2016), but never made it out of the Senate Commerce, Science, and Transportation Committee.
The SPY Car bill would direct the National Highway Traffic Safety Administration to work with the Federal Trade Commission to develop standards to prevent hacking into control systems of vehicles manufactured for sale in the U.S. NHTSA would have 18 months after the bill becomes law to issue a notice of proposed rulemaking to put the bill’s provisions into effect, and three years after passage to issue final rules. The rules would then be reviewed every three years thereafter and updated as necessary.
The cybersecurity standards contemplated by the bill would apply to new vehicles sold in the U.S. two years after the bill’s enactment, and would require “all entry points to the electronic systems” of vehicles to be “equipped with reasonable measures to protect against hacking attacks,” and to “incorporate isolation measures to separate critical software systems from noncritical software systems,” the bill says. It also says that all driving data collected by a vehicle’s electronic systems shall be “reasonably secured to prevent unauthorized access.”
Violations of the hacking protections part of the bill would be punishable by civil fines of up to $5,000 for each violation, according to the text of the bill. The bill also says that vehicles should display a “cyber dashboard” that informs consumers about the extent to which the vehicle features cybersecurity and privacy protections beyond the minimum requirements determined by the government.
The Cyber AIR Act would direct the secretary of Transportation to issue rules within 270 days requiring airlines and aircraft makers to disclose to the Federal Aviation Administration any “attempted or successful” cyber attacks on any aircraft system or ground support or maintenance systems, whether or not the system is critical to safe operation. The FAA would then be required to share data obtained through those disclosures with airlines, aircraft makers, and other federal agencies regarding related cybersecurity vulnerabilities. In addition, DoT would be required to consult with the departments of Defense, Homeland Security, and Justice, and the FCC and the director of national intelligence and then offer requirements for cybersecurity to airlines and aircraft makers. Those would include requiring “all entry points” to the electronic systems of aircraft and ground and maintenance facilities to be equipped with “reasonable measures to protect against cyberattacks, including the use of isolation measures to separate critical software systems from noncritical software systems,” the bill says.
The bill would charge the Commercial Aviation Communications Safety and Security Leadership Group established by DoT and the FCC in January 2016 to evaluate cybersecurity vulnerabilities of broadband wireless equipment designed for consumer use on aircraft. The group would be charged with ensuring the development of “effective methods for preventing foreseeable cyberattacks” that exploit broadband wireless communications systems on aircraft, and with requiring air carriers and aircraft makers to adopt measures recommended by the group.
“Whether in their cars on the road or in aircraft in the sky, Americans should be protected from cyberattack and violations of their privacy,” Sen. Markey said in a statement today. “If hackers access the critical systems of a car or plane, disaster could ensue and our public safety could be compromised. We must ensure that as technologies change, our safety and privacy is maintained. I thank Senator Blumenthal for his partnership on this critical issue.”
“This critical legislation will help protect the public against cybercriminals who exploit advances in technology like wireless-connected aircraft and self-driving cars,” Sen. Blumenthal said in a statement. “As technology rapidly advances, we must ensure the auto and airline industries protect their systems from cybersecurity attacks. Security and safety cannot be sacrificed as we achieve the convenience and promise of wireless progress.”
– John Curran