The continuing proliferation of internet-connected devices (the “Internet of Things”) has accelerated the availability of modern technological conveniences hand in hand with the erosion of cybersecurity and privacy. In October 2015, White and Williams released a client alert addressing the myriad privacy and security issues that the increased Internet of Things had already created, as well as explored new potential risks posed by such pervasive interconnectivity. In particular, the alert highlighted the potential physical dangers posed by the hacking of internet-connected cars. Such vehicles can be accessed by third parties to not only control accessory components, such as windshield wipers and air conditioning, but a driver’s very ability to operate the vehicle itself.
On March 21, 2017, Democratic Senators Ed Markey (Mass.) and Richard Blumenthal (Conn.) reintroduced parallel bills aimed to rectify these very issues and improve cybersecurity in automobiles and airplanes. The bills were originally introduced in the 2015-2016 Congressional session but failed to survive the Senate Commerce, Science, and Transportation Committee.
Senator Markey had previously released a report in 2015 entitled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” which detailed auto companies’ inability to secure connected features in cars or to develop the capabilities to detect and respond to cyberattacks.
The Security and Privacy in Your Car (SPY Car) Act would require the Federal Trade Commission (FTC) and National Highway Traffic Safety Administration (NHTSA) to develop cybersecurity and data privacy standards and procedures specific to automobiles. This would include a rating system that would allow consumers to make informed purchasing decisions by ranking various car models according to their ability to meet and exceed the standards set by the FTC and NHTSA. During the first introduction of the SPY Car Act, Senator Markey explained that “[d]rivers shouldn’t have to choose between being connected and being protected. We need clear rules of the road that protect cars from hackers and American families from data trackers.”
The SPY Car Act calls for all motor vehicles manufactured for sale in the United States to be equipped with the ability to detect and report cyber breaches, and as well as prevent unauthorized third parties from taking control of the vehicle or siphoning driver data. Manufacturers who fail to adhere to the new standards would be fined $5,000 per car that lacked compliant security technology.
Similarly, the Cybersecurity Standards for Aircraft to Improve Resilience (Cyber AIR) Act would create numerous new minimum cybersecurity standards for air carriers. This includes requirements to take “reasonable measures” to prevent cyberattacks, including the provision of secure Wi-Fi on airplanes, disclosing breaches and performing risk assessment and maintenance. The Cyber Air Act requires the involvement of multiple government agencies to participate in the reporting of cyberattacks and the development of increased security measures specific to air carriers. Air carriers and manufacturers would be required to disclose any cyberattack (including unsuccessful attempts) on any system of the aircraft (including nonessential features), to the Federal Aviation Administration (FAA). The FAA would then use this information to improve its regulations and address cybersecurity vulnerabilities in aircraft systems. The Cyber AIR Act would also require the Secretary of Transportation to develop new aircraft production licensing requirements that address cybersecurity. The new licensing requirements are to include periodic security evaluations and corresponding updates to cybersecurity measures.
Regarding the use of wireless consumer devices on aircraft, the Cyber AIR Act would require the Commercial Aviation Communications Safety and Security Leadership Group to evaluate and report to Congress regarding cybersecurity issues posed by wireless consumer devices used on aircraft. This includes requiring air carriers, manufacturers, and communications service providers to develop preventative procedures for “foreseeable” cyberattacks on wireless devices.
The SPY Car Act and Cyber AIR Act are intended to protect passengers and those around them from Internet of Things technologies that carry the most potential for physical harm to public safety. These bills are hopefully the beginning of a belated trend to regulate the now ubiquitous Internet of Things in an ever more connected world.