The NCSL Blog


By Mark Wolf

If you own a newer vehicle with an advanced navigation system you may well have decided that your car thinks you're a lousy driver.

Chris Murphy and Jose-Marie Griffiths during a Forum session on autonomous vehicle security.Drift into another lane without using your turn signal? The car beeps. Forget to buckle your seat belt? A warm but insistent voice reminds you. Approach another vehicle too closely while in cruise control and your car slows you down. It hasn't criticized your choice of music or your singing voice. Yet.

Today's advanced navigation systems are basically training wheels for the coming autonomous vehicle revolution. Experimental vehicles are already being tested that promise to largely or completely remove the "driver" from any operation functions. Some industry estimates project more than 245 million cars with at least the ability to manipulate steering and acceleration to be on the road by 2025.

Researchers are hopeful the autonomous operation will drastically reduce the 94 percent of serious automobile crashes attributable to driver error, but the question hanging over the technology is how the vehicles can be made secure from outside forces taking control. 

In a famous incident in 2015, two "white hat" cybersecurity researchers hacked into a 2014 and stopped it dead in its tracks on a Florida interstate, leading Chrysler to recall 1.4 million vehicles.

"The modern automobile is a mobile connected intelligent software platform and any such platform is subject to hacking," said Chris Murphy, a regional administrator of the National Highway Traffic Safety Administration, during an NCSL Capitol Forum session on the Intersection of cybersecurity and autonomous vehicles.

Government, industry and the academic world need to collaborate on the issue, he said.

Among the components of assuring cybersecurity are ensuring software updates are performed, installing intrusion detection systems and establishing secure communications between vehicles, especially autonomous trucks which can operate in convoys without a "driver" controlling each vehicle.

"Privacy and security are two sides of the same issue," said Jose-Marie Griffiths, president of Dakota State University, who has served on the President's Information Technology Advisory Committee and as a director at the National Science Board.

Privacy is not completely gone. People are concerned about privacy and government overreach and the ability to know what's going on in their lives, but most people are unaware of the extent of surveillance and the amount of data being captured," she said.

"You used to not be able to tamper with a vehicle unless you have physical access to it. You could open the hood play with the brakes, put sugar in gas tanks. Even then you could only modify one vehicle at a time. Now hackers can remotely hack millions of vehicles simultaneously.

Griffiths envisioned a ransomware attack in which malware disables tens of thousands or millions of vehicles and releasing them only when a sum of money is paid. "And those who pay are increasingly susceptible to more attacks. You pay once, you're likely to pay again," she said.

Far worse, she said is if hackers were are able to remotely manipulate vehicle control systems, causing crashes and leading to catastrophic loss of life.

"No internet-connected system can be constructed to keep a motivated state or criminal enterprise out of the system," she said.

"Most vehicles (with autonomous features) have hundreds of discrete electronic control units and hundreds of millions of lines of code. People think they are buying a Toyota but they are really buying parts from a hundred different suppliers all put together."

Cybersecurity, she said, can't be put on top of that. It needs to be based on the design of the vehicle and embedded throughout.

Another vulnerability os over-the-air commands sent to vehicles to warn occupants of a crash up the street or road work that could slow traffic.

Because manufacturers are focused on safety, efficiency and functionality, she said, security is not a feature that gets enough attention.

"it has to be a key component. As legislators you can ask questions about what security provisions they plan to make," she said.

The most insidious kind of cyberattack involves broadcasting  inaccurate messages to sensors.

"They don't have to be changed very much to cause chaos. Imagine of GPS signals were tamped with just slightly. We could all be driving off cliffs," said said.

"We need cyberlaw today like we needed environmental law back in the 70s."

For all the security issues that need to be solved, she said, autonomous vehicles can enhance safety because they react so much quicker than humans.

"The maximum time for an autonomous vehicle to react is 90 millionths of a second (humans react in tenths of seconds). And they are going to bring that down to 1 millionth of a second with 5G (internet speed)."

Mark Wolf is the editor of the NCSL Blog.

Contact Mark.

Actions: E-mail | Permalink |

Subscribe to the NCSL Blog

Click on the RSS feed at left to add the NCSL Blog to your favorite RSS reader. 

About the NCSL Blog

This blog offers updates on the National Conference of State Legislatures' research and training, the latest on federalism and the state legislative institution, and posts about state legislators and legislative staff. The blog is edited by NCSL staff and written primarily by NCSL's experts on public policy and the state legislative institution.