Is the Transportation Department doing enough about auto cybersecurity?
GAO says the National Highway Traffic Safety Administration should determine how it would respond to a cyberattack on a high-tech car if it happened on the road.
As cars increasingly rely on software and computerized operating systems, automakers face pressure to beef up cybersecurity, and the government must figure out what it would do if a cyberattack took place on the road.
According to a Government Accountability Office report released on April 25, hackers could penetrate high-tech automotive systems using long-range attacks that target cellular connections and short-range attacks that go after Bluetooth controls. If successful, hackers would be able to access steering, brakes, telematics and other critical controls.
Carmakers, suppliers and cybersecurity firms told GAO that the automotive industry faces several challenges, including a "lack of transparency, communication and collaboration" on cybersecurity at different levels of the supply chain and the high cost of cybersecurity solutions. The industry formed the Automotive Information Sharing and Analysis Center in 2015 as a place for members to share threat information with one another.
In its report, GAO says the National Highway Traffic Safety Administration should determine how it would respond to a vehicle cyberattack if it happened on the road.
"Until it develops such a plan, in the event of a cyberattack, the agency's response efforts could be slowed as agency staff may not be able to quickly identify the appropriate actions to take," the report states.
NHTSA officials said they are looking into developing government standards or regulations for car cybersecurity but might not make a determination until 2018. The agency is currently funding research into firewall and gateway systems for vehicles, research into delivering firmware updates over the air to connected vehicles and research into solutions for detecting intrusions into automotive systems and software.
However, they said their ability to conduct such research is dependent on funding. NHTSA's Office of Vehicle Safety Research requested $36 million in funding for fiscal 2015 but received only $29 million from Congress.
There has been some action on Capitol Hill to secure high-tech vehicles. The Security and Privacy in Your Car Study Act of 2015, sponsored by Reps. Joe Wilson (R-S.C.) and Ted Lieu (D-Calif.) would require NHTSA to identify areas of possible regulation when it comes to isolating automotive systems, minimizing the risk of hacks and protecting operator data.
"Interconnected cars offer opportunities for safer highways but also increase the risk that cyberattacks could turn our cars into weapons or paralyze an entire city," Lieu said in a statement that urged Congress to move on the legislation. "The GAO study confirms this and shows that progress is being made by both the Department of Transportation and automakers, but there are some glaring holes that need to be addressed quickly."