One of the chief ways they might ease that concern would be by imposing a 90-day waiting period before independent cyber-security experts could share details of their efforts.
Officials with the U.S. Copyright Office floated that idea – essentially a compromise – during a hearing Tuesday that may determine whether security researchers can continue to access the software code that runs many critical functions in cars without fear of legal repercussions.
Proponents of independent car-hacking research have asked the Copyright Office to grant an exemption under provisions of a federal law that governs access to copyrighted materials. They say this sort of independent research plays a critical part in pushing manufacturers to better protect their vehicles, but OEMs argued their disclosures increased the potential for harm. That grim possibility seemed to register with copyright officials Tuesday.
"What if you find a vulnerability the bad guys don't know about yet?" asked Jacqueline Charlesworth, general counsel and associate register of copyrights, during the proceedings held at the UCLA School of Law in Los Angeles. "That's what I'm struggling with here."
As an informal policy, researchers often disclose vulnerabilities to manufacturers before publishing details, including software code, of their hacks. But they discouraged the panel from making that practice a mandatory requirement.
"In many cases, the responsible thing to do is to tell the vendor first, and the record shows researchers who have done this research have informed vendors," said Kit Walsh, staff attorney with the Electronic Frontier Foundation. "However, the freedom to disclose publicly is an essential element to making sure vulnerabilities do get fixed."
Independent researchers have published landmark studies of cyber vulnerabilities in vehicles, showing they can control critical vehicle functions like steering, braking and acceleration through both wired and remote connections to a vehicle's controller area network. Dr. Charlie Miller and Chris Valasek, senior director of vehicle research at IoActive, have pioneered much of the field, and worried that a 90-day window could have a "chilling effect" on their own studies and the work of others.
Asked about the prospect of the Copyright Office crafting an exemption that held a 90-day disclosure window, Miller told the panel, "researchers who find vulnerabilities aren't making the vulnerabilities. We're finding them. So to say we're enabling the bad guys, we're not. We're trying to get it fixed. The bad guys can take advantage whether we have a law or not."
One of the undercurrents from the morning's hearing was a disagreement on how receptive automakers have been to acknowledging and responding to the work of independent researchers. Attorneys for General Motors and the Auto Alliance, the industry's main lobbying arm, said the industry has worked with several outside organizations, such as nonprofit Battelle, in examining car-hacking vulnerabilities.
They doubted that a 90-day window would be enough time to fix vulnerabilities before they were disclosed.
"It's not like the software industry, where today so many consumer software packages are distributed online and that model can be applied here," said Steven Metalitz, an attorney with the Auto Alliance. Fixes cannot be applied "anywhere near as quickly in the auto industry."
Tuesday morning's hearing on a proposed exemption to the Digital Millennium Copyright Act's Section 1201 was the first of many the Copyright Office will hold over the next two weeks.
The morning session specifically examined vehicle research. An afternoon session later today will weigh the rights of gearheads and independent mechanics to diagnose and repair cars against the manufacturers' desire to prevent access to, and circumvention of, the software that controls many car functions.
We'll update this post today throughout the proceedings. Check back for updates.