Senators Question Traffic Safety Agency About Cyber Dangers Posed by Internet-Connected Cars

Two lawmakers penned a letter to the National Highway Traffic Safety Administration Thursday questioning whether they’ve been notified or plan to address cyber vulnerabilities and dangers to public safety posed by the increasing use of internet-connected cars on American roads. 

In their letter, Senators Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., raise concerns from a recent Consumer Watchdog report that suggests car manufacturers have made investors and shareholders aware of the risks associated with connected vehicles, but they have yet to disclose that critical information to the general public. The report, which was produced over five months in collaboration with car industry technologists, alleges all top 2020 cars have connections that are vulnerable to potentially detrimental “fleet wide attacks.”

“We are concerned that consumers are purchasing internet-connected vehicles without sufficient safety warnings and write to inquire about NHTSA’s knowledge of any cyber vulnerabilities, as well as what actions NHTSA is taking to address these issues,” the lawmakers wrote. 

According to the watchdog report, about 50 million internet-connected cars operate on U.S. roadways currently and two-thirds of all new cars will boast features and systems that connect to the internet by 2022. The senators, who are both members of the Commerce, Science and Transportation Committee and also recently reintroduced the Security and Privacy in Your Car Act, said the rise in computerized vehicles will also usher in new risks to citizens’ safety. 

“Most alarmingly, connected vehicles can potentially be hacked and remotely controlled by malicious actors, creating risks not only to the lives of car drivers and passengers but also to pedestrians and property along the road,” they wrote. 

Drawing from the report, the senators quote a 2018 filing with the Securities and Exchange Commission, in which car manufacturer Ford reported a serious chance of interruptions, outages and breaches and that operational systems, security systems and vehicles could be impacted by cyber incidents despite security measures. These issues could compromise vehicle safety and the privacy of personal information of customers, employees or others, the filing notes.

“A cyber incident could be caused by malicious third parties using sophisticated, targeted methods to circumvent firewalls, encryption, and other security defenses, including hacking, fraud, trickery, or other forms of deception,” the filing said. “We, our suppliers, and our dealers have been the target of these types of attacks in the past and such attacks are likely to occur again in the future.”

The senators said “despite this awareness and their notice to investors,” the same information has not been made clear to the general public, who Ford markets internet-connected cars to. 

Noting that they’re worried by the lack of publicly available information on the topic, Markey and Blumenthal ask NHTSA to weigh in on four questions. First, they ask whether the agency has been notified of malicious hacking attempts similar to those mentioned in the Ford filing to investors, and if so, they ask for details on NHTSA’s response and choice to refrain from notifying the public.

The senators also ask what actions the agency has taken or plans to take to address the cyber vulnerabilities of increasingly connected vehicles and whether NHTSA has a formal process to receive reports around hacking or other dangers associated with internet-connected cars. They go on to question whether public disclosure is legally required in the event of an incident or attack and also ask the agency to clearly define what entity is responsible for disclosing that information to the public.

The senators request a written response by Sept. 13.