Lawmakers Propose Bills to Secure Connected Planes, Trains and Automobiles

metamorworks/Shutterstock

The legislation would set “reasonable” security measures for the numerous IT systems that power our increasingly connected vehicles.

As our planes, trains and automobiles become increasingly connected in cyberspace, a pair of lawmakers want to make sure manufacturers are doing everything they can to secure the vehicles against unwanted digital intrusions.

Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., last week introduced a pair of bills that would require the government to regulate the security of the numerous IT systems onboard cars and commercial planes. The proposals come months after Washington D.C.-area lawmakers recommended banning the Washington Metropolitan Area Transit Authority from buying train cars from a Chinese manufacturer, citing potential espionage threats.

Though the two bills call on manufacturers to follow best practices like isolating critical systems and frequent penetration testing, they avoid codifying any specific security measures, giving regulators the flexibility to update standards as the threat landscape evolves.

“Evolving transportation technologies offer enormous potential to improve safety, help protect the environment and entertain passengers,” Markey said in a statement. “But these same technologies could pose massive cybersecurity and privacy vulnerabilities if appropriate safeguards are not in place. The [legislation] will make sure our drive[r]s and fliers are all able to travel safely in the internet era.”

The Cybersecurity Standards for Aircraft to Improve Resilience Act, or Cyber AIR, would prompt the Federal Aviation Administration and national security agencies to set cyber standards for the numerous tech systems onboard commercial aircraft. Under the proposal, manufacturers would need to secure every endpoint of every system with “reasonable measures to protect against cyberattacks,” including system isolation. After roughly nine months, planes that don’t meet those standards would be ineligible for FAA production and operating certificates.

The bill would also require airlines and manufacturers to disclose any attempted or successful cyberattacks against aircraft, ground control or maintenance systems to the FAA. The administration would use that information to update its cyber regulations. Under the proposal, the FAA and Federal Communications Commission would also form a joint task force to assess the security of customer Wi-Fi networks onboard planes.

In February, the Trump administration called on government agencies to step up their efforts to defend the aviation industry from cyberattacks. The National Strategy for Aviation Security, which previously hadn’t been updated since 2007, aimed to defend not only against attacks that could knock a plane out of the sky but also more conventional attempts to collect data on passengers, companies and critical infrastructure.

The pair’s other bill, the Security and Privacy in Your Car Act, or SPY Car, would give the National Highway Traffic Safety Administration three years to finalize similar “reasonable” security regulations for all cars sold in the U.S. The standards are meant to keep hackers from taking over the vehicles’ internal operations or stealing any data collected by its onboard systems. Under the bill, those protections would also be clearly advertised to consumers through a “cyber dashboard.”

The legislation would also give drivers more control over how the data collected by their cars is used. Today, cars collect a huge amount of data on their performance, as well as the people who drive them. Under the bill, drivers would be able to opt out of data collection for non-safety related systems and manufacturers must get drivers’ consent before using any data for advertising purposes. Companies would also be barred from denying services to people who opt out of data collection.

House lawmakers have yet to introduce companion legislation for either the SPY Car Act or Cyber AIR Act, a spokesperson for Sen. Markey told Nextgov.

The bills come about two months after lawmakers from Virginia, Maryland and D.C. proposed a bill that would ban WMATA from buying its latest metro cars from China Railway Rolling Stock Corp. Lawmakers fear the company, which has won major public transit contracts in Chicago, Los Angeles and Boston, could use the partnership to spy on riders. So far, all four senators from Virginia and Maryland have signed onto the bill, and nine congressmen are sponsoring the House counterpart.