March 29, 2017–Before dedicated short-range communications (DSRC) networks are launched, cybersecurity must be addressed, according to a paper submitted to the National Highway Traffic Safety Administration today in response to a notice of proposed rulemaking released in December proposing to require that all new light vehicles have vehicle-to-vehicle (V2V) technology to help drivers avoid crashes (TRDaily, Dec. 13, 2016).
“Empirical security research already shows the general lack of security in vehicles,” said the paper. “DSRC, as presently conceived, would make matters worse. It presents a new attack surface with special considerations, given its integration into critical control systems. The absence of security frameworks or a compliance regime risks life and safety. Providing a basic standard of care cannot be left to the market for safety-of-life systems—it is not in the case of PCI DSS, HIPPA, and a number of other standards. Without a framework, the ills of the broader IT market will be realized in vehicles, privacy and security will be risked, and the costs of security will not be easily controlled, disproportionately harming those with the least amount of economic agency.
“It is necessary for the industry to ensure that the use of DSRC is predicated on the compliance with a reasonable security framework, which it currently lacks,” the paper added. “This approach supports both motorists and automotive OEMs.”
The paper was written by Alex Kreilein, cofounder and managing partner of SecureSet. Last year, Public Knowledge and the New America Foundation’s Open Technology Institute filed a petition with the FCC for an emergency stay and rulemaking asking the agency to develop DSRC rules that protect the cybersecurity and privacy of connected-vehicle users (TRDaily, June 28, 2016). – Paul Kirby, firstname.lastname@example.org