Today, cybersecurity is a significant issue facing autonomous vehicle makers. Virtually any software that connects to the Internet is susceptible to a cybersecurity attack, and autonomous vehicles will have at least one Internet connection.

In June 2017, U.S. Secretary of Transportation Elaine Chao announced the preparation of new autonomous vehicle guidelines, which will be announced in the second half of 2017. They are expected to cover areas like state deference to federal regulations, reporting requirements for accidents and other incidents involving test and production vehicles, human-machine interfaces, consumer education and training, post-crash behavior, and crashworthiness.

Inside Counsel sat down with John McNelis of Fenwick & West, who represents high technology venture capitalists and companies from privately held start-ups to publicly traded corporations and advises these companies on procedures for protecting their intellectual property through patents, copyrights, trademarks, and trade secrets.

Secretary Chao met with auto executives and noted that while the future of autonomous vehicles is bright, “we have a responsibility to ensure that the new technology is safe and secure.” Her emphasis on safe and secure implies that the 2017 guidelines may improve safety guidance by addressing safety issues peculiar to autonomous vehicles, including standardization of road markings and identifying conditions under which autonomous vehicles are not permitted to operate, according to McNelis.

“The federal government has taken a wait and see approach to autonomous vehicle regulation hoping that industry action and state regulation provide enough guidance,” he explained. “Their trust was not rewarded. The federal government has seen that a lack of leadership in this area created a grab bag of guidance and state regulations that has caused confusion and slowed the testing and adoption of autonomous vehicles.”

According to McNelis, public acceptance of autonomous vehicles and safety are two reasons why the 2017 Guidelines must address vehicle data recording and sharing, privacy and cybersecurity. “People are justifiably concerned about their personal data being compromised and want to feel confident that consistent safety procedures are required.”

“One problem that exacerbates the inherent cybersecurity risk of autonomous vehicles is that some of these vehicles are developed by companies that are not original equipment manufacturers (OEMs),” said McNelis. “These companies modify a vehicle developed by an OEM by introducing software, sensors, and other devices that enable the vehicle to perform autonomous functions.”

Therefore, the autonomous operations are being built using software and hardware that are separate from, or in addition to, software and hardware designed by the OEMs. The autonomous functions also use computer networks that were not designed for a high level of automation and remote access, so this development bifurcation is ripe for cybersecurity gaps.

Recently, there have been several automotive cybersecurity breaches. In one breach, German researchers spoofed a cell-phone station and sent fake messages to a SIM card used by a vehicle’s telematics system. This gave the researchers access to remote convenience features of the vehicle, which enabled the researchers to remotely unlock the vehicle’s doors. Additionally, in 2015, two unauthorized individuals were able to hack into a vehicle using its Internet connection and remotely stop the vehicle on a highway. And, in 2016, another vehicle’s Wi-Fi connection was breached and the driving systems were controlled remotely by an unauthorized party.

Any type of malware that can put your home computer or smartphone at risk can be modified to put autonomous vehicles at risk, according to McNelis. For example, ransomware attacks that encrypt all the data on your computing device can be modified to take control of a vehicle or stop its operation unless payment is made. A user of an autonomous vehicle may not have time to figure out a solution to a vehicle that is not operational due to ransomware. But having an autonomous vehicle controlled by an unauthorized party due to a breach can result in intentional damage to the vehicle, people and property.

McNelis said, “Privacy, liability, and cybersecurity are three areas where significant legal questions arise. It is an exciting time for autonomous vehicles in both the technology and legal issues created.”