Public Values, Private Infrastructure and the Internet of Things: The Case of Automobiles
9 Journal of Law and Economic Regulation 7, (Vol. 9. No. 1). 2016. 5. pp. 7~44.
38 Pages. Posted: 10 Feb 2017
Date Written: October 1, 2016
Abstract
In July 2015, two researchers gained control of a Jeep Cherokee by hacking wirelessly into its dashboard connectivity system. The resulting recall of over 1.4 million Fiat Chrysler vehicles marked the first-ever security-related automobile recall. In its wake, other researchers demonstrated the capacity for remote takeovers of automobiles. By September, it became public that GM had initiated a quiet over-the-air (OTA) update program to fix security vulnerabilities in millions of their vehicles.
These incidents reveal the critical security issues of modern automobiles, so-called “connected cars,” and other Internet of Things (IoT) devices, and underscore the importance of regulatory structures that incentivize greater attention to security during production, and the management of security vulnerabilities discovered after connected devices are in circulation. In particular, they highlight the importance of incentivizing the development of OTA update systems to support safety- and security-critical updates to patch vulnerabilities. OTA update systems are essential to IoT security and the health and safety of humans who rely upon it.
Today’s connected cars can have more than 100 million lines of software code, and this code base is growing. This code plays a significant role in compliance with regulatory obligations, and a crucial role in automotive safety and security systems. Embedded sensors and algorithms trigger and modulate airbag deployment, seatbelt engagement, anti-skid systems, and anti-lock brakes, identify the size, weight, and position of people to inform airbag and seatbelt behavior, and inform parking assistance systems, anti-skid and anti-lock brake systems, among others. Software’s role in automotive safety is growing, making the assumptions and calibrations of the code governing critical safety systems, as well as its security, increasingly important to saving lives. Addressing the vulnerabilities in automotive code — such as the ones exploited by the Jeep hackers — and specifically the capacity for remote exploits, is an essential element of the future of automotive safety and security.
The design of OTA update systems implicates crucial issues of governance, and the balance of a variety of values — both public and private. Developing systems intended to ensure automotive safety and security involves both choosing among competing visions of security, and determining how to protect other values in the process. The articulation of cybersecurity goals, and the way they are balanced against other values, must occur in a public participatory process beforehand that includes relevant public and private stakeholders.
This paper sets forth principles that should inform the agenda of regulatory agencies such as the National Highway Transportation (NHTSA) that play an essential role in ensuring that the IoT, and specifically the OTA update functionality it requires, responds to relevant cybersecurity and safety risks while attending to other public values. It explains the importance of OTA security and safety update functionality in the automotive industry, and barriers to its development. It explores challenges posed by the interaction between OTA update functionality, consumer protections — including repair rights and privacy — and competition. It proposes a set of principles to guide the regulatory approach to OTA updates, and automobile cybersecurity, in light of these challenges. The principles promote the development of cybersecurity expertise and shared cybersecurity objectives across relevant stakeholders, and ensure that respect for other values, such as competition and privacy, is built into the design of OTA update technology. In conclusion, we suggest reforms to existing efforts to improve automotive cybersecurity.
Keywords: cybersecurity, privacy, administrative law, regulation, privacy by design, Internet of Things, IoT, Connected cars, NHTSA, governance, software updates, transportation safety, health and safety
JEL Classification: K23, K32, L83, L91, L92