A bill intended to protect vehicles against cyberattacks could have the exact opposite effect, FTC and NHTSA officials warn legislators.
House Republicans are looking to protect cars against hackers. But federal regulators told lawmakers at an Oct. 21 hearing that the bill might not work the way it is supposed to.
"The proposed legislation, as drafted, could substantially weaken the security and privacy protections that consumers have today," said Maneesha Mithal, head of the Federal Trade Commission's Division of Privacy and Identity Protection, at the hearing of the Commerce, Manufacturing and Trade Subcommittee of the House Energy and Commerce Committee.
The draft bill -- which comes in the wake of news reports that showed how cyber adversaries can take over command and control of some automotive operating systems -- aims to improve vehicle security and give consumers more autonomy over their personal information. The bill directs the National Highway Traffic Safety Administration to form an advisory council to create and draft cybersecurity standards within the auto industry. Under the legislation, a $100,000 fine would be imposed on anyone who accesses a car's electronic system "without authorization," and car companies would be required to create and file privacy policies with the Transportation Department.
At the hearing, federal regulators warned that the bill would actually have the opposite of its intended effect. Mithal argued that under the proposed legislation, companies with privacy policies meeting the minimum requirements would be immune from FTC privacy laws. She also cautioned against the section authorizing fines for car hackers, saying that it could punish researchers testing for security flaws.
"By prohibiting such access, even for research purposes, this provision would likely [discourage] such research, to the detriment of consumers' privacy, security, and safety," Mithal said.
NHTSA Administrator Mark Rosekind, meanwhile, expressed concern that the bill would allow industry lobbyists to sway the cybersecurity standards advisory council.
"The public expects NHTSA, not industry, to set safety standards," Rosekind said.
While Republicans defended their legislation, they acknowledged it still needed work.
"The staff discussion that we will review today is a starting point," said Energy and Commerce Committee Chairman Fred Upton (R-Mich.). "[Some] ideas, like how to best ensure cybersecurity, may need to further evolve."