Mark Rosekind, administrator of the agency, wrote in a recent letter sent to select members of Congress that NHTSA intends to, "get out ahead of potential cyber-security issues on vehicles." That goal took on fresh urgency in July when researchers remotely commandeered control of a Jeep Cherokee from halfway across the country.
In pursuing that objective, the agency charged with keeping American motorists safe has been hindered by a number of obstacles. Among the problems: an engineering staff spread thin, a long-discussed cyber hub that's not yet operational, and a dispute in which NHTSA has distanced itself from the security researchers whose pioneering work first identified automotive vulnerabilities.
Rosekind, pictured above, has previously expressed concern over the role staffing levels have played the agency's failure to detect broader problems in a timely manner, a shortcoming that led to Congressional hearings which examined NHTSA's failure to connect information on fatal flaws in General Motors ignition switches. Cyber security presents a far more complex challenge.
"We had 80,000 complaints and eight people doing it," Rosekind said during an appearance in Michigan last week. "We have a pretty good cyber-security team, and they're really great, but they're really nowhere close to getting through millions of lines of code and the future things that are coming."
"Luckily, we've had white-hat fixes, but I'll tell you, the industry has understood this is an issue they need to get ahead of." - Jon Allen
Rosekind didn't offer specifics on the challenges, but documents obtained via a public-records request shed new light on those staffing levels. They show NHTSA's Electronics Systems Safety Research Division has four staff members in the agency's Washington DC headquarters and three more members at a testing center in East Liberty, OH. Those seven employees hold sweeping responsibilities. They are not only responsible for evaluating, testing and monitoring for potential cyber vulnerabilities, they're also charged with probing electronics reliability for functional safety systems, such as electronic stability control, and researching autonomous vehicles.
The information was contained in answers submitted by the agency to the House Committee on Energy and Commerce, which has been probing automotive cyber-security questions and intends to hold hearings at a to-be-determined date.
"The reality is you can't keep telling us to do all this stuff and not (fund) it," Rosekind said. "It's this classic responsibility without the authority, right? Go fix this, and go do this rule and do whatever, and with it you need the expertise and people and resources to get it done. I think this is going to be huge, because cyber security is the one that's going to touch all of us."
In some cases, the shortage has pushed NHTSA to look elsewhere for guidance on cyber-security matters. In other cases, it doesn't want outside help at all.
Independent Researchers Pushed Aside
Despite the concern over being understaffed, the Department of Transportation, of which NHTSA is a part, has eschewed the role third-party researchers play in studying automotive cyber threats. In comments filed with the US Copyright Office, which will soon determine whether independent researchers should have the continued right to access vehicle software, the Department of Transportation cast doubt upon their abilities, writing third-party researchers could inadvertently create hazards rather than fix them.
While there are no known instances of third-party researchers endangering motorists, they have discovered security vulnerabilities in millions of cars. Their work has prompted redesigns and repairs. A sampling: Academics at the University of Washington and California-San Diego demonstrated vehicles could be accessed and controlled by hackers in 2010, several independents have proven OBDII ports provide access to critical systems, German researchers found cellular vulnerabilities in BMWs, and most recently, Chris Valasek and Charlie Miller showed a Jeep Cherokee could be commandeered and controlled from Pittsburgh as it drove along a highway in St. Louis.
It was that last hack, made public in July, which ignited concerns across the federal government. Rosekind said the exploit underscored the fact car hacking is no longer a hypothesis, but a reality. But only weeks earlier, he took a harder stance against independent researchers than his DOT bosses, writing to the subcommittee members on June 30 that "manufacturers and suppliers are in the best position to identify weaknesses in their own products," the same argument automakers used against an exemption for researchers during a May hearing.
The record of independent researchers' work would suggest otherwise, but their role aside, carmakers have been slow to address known vulnerabilities. Earlier this month, Wired magazine reported it took General Motors five years to fix the OnStar vulnerabilities discovered in 2010 by the Cal San-Diego and Washington research team. Fiat Chrysler Automobiles knew about multiple vulnerabilities for more than a year, but did not begin to fix them until the Cherokee hack became public. Even then, FCA intended to address the vulnerabilities with a technical service bulletin. But days of mounting concern within the federal government prompted NHTSA to press the automaker for a full recall of approximately 1.4 million vehicles.
"All your kids are saying, 'I can go to mom or dad's car and start mucking around with the code.'" - Mark Rosekind
Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) haven't been as quick to accept that automakers should be trusted to handle car-hacking threats on their own. The two proposed legislation in July that would inform consumers about how well their vehicles protect security and privacy against minimum standards, and they've recently sent automakers a series of questions about their readiness to defend against cyber attacks. Last year, the senators conducted a similar probe, which found only 2 of 15 automakers were capable of defending against a real-time infiltration.
ISAC Initiative Not Yet Running
Rosekind said the agency will offer specific proposals that further address car hacking, sometime this fall. Documents indicate the agency wants automakers to assume intrusions will occur, and develop a layered defense that focuses on ensuring cars take safety-conscious steps once attacks occur.
In the meantime, the agency has touted the creation of an Information Sharing an Analysis Center as one of its chief accomplishments. Automakers agreed to form the partnership to pool information on threats and best practices, at NHTSA's behest, on July 14, 2014. But more than a year later, that network still hasn't commenced operations.
Jon Allen, a principal at Booz Allen Hamilton who has helped establish the framework of that information-sharing network, says an executive committee is still forming, an executive director must be chosen and then the new group must decide how to set up an intelligence portal to be shared among automakers. He expects it to be "fully operational" by November.
In a battle between good guys and malicious hackers, "it's just a matter of whose going to get there first," Allen told Autoblog. "Luckily, we've had white-hat fixes, but I'll tell you, the industry has understood this is an issue they need to get ahead of. The ISAC is a great first step. It's one example. They understand capabilities are increasing on vehicles, and so is the risk."
Beyond the ISAC, NHTSA has sought cyber-security answers by partnering with others groups both inside and outside the government. The documents sent to Congress indicate agency officials meet with suppliers in the aviation and space industries to learn about their strategies for secure design. It's not the first time NHTSA has looked toward aerospace for guidance – during the Toyota unintended-acceleration investigation, the agency sought the expertise of NASA. The agency attends events like DefCon and BlackHat, and participates in DARPA challenges.
"I think this is going to be huge, because cyber security is the one that's going to touch all of us." - Mark Rosekind
NHTSA has even worked with the Food and Drug Administration, to learn more about how the FDA established and disseminated cyber-security guidelines for medical devices, which often have similar safety-critical functions.
Planning for a traffic environment that uses vehicle-to-vehicle communication will only complicate the efforts to corral car hackers. Although the system is still in development, officials are already fearful a hacker could not only breach a single car, but damage multiple cars, potentially hundreds, in a single attack.
In planning for that, NHTSA has sought the expertise of aftermarket companies who use cryptographic keys for vehicle immobilization, and they've partnered with the US Army Tank Automotive Research Development and Engineering Center and Homeland Security. Together, they plan to "red team" test the V2V system before deployment, according to the documents. Federal officials feel they must prepare for those worst-case scenarios, in part, because after the Jeep Cherokee hack, they believe the worst is possible.
"Now autos is the biggest target for everyone to go after," Rosekind said. "They're on a pedestal now. They're the holy grail. All your kids are saying, 'I can go to mom or dad's car and start mucking around with the code.'"