Mark Rosekind, administrator of the National Highway Traffic Safety Administration, said he's mulling the role independent cyber-security researchers might play in investigating future automotive cyber threats. "Right now, we're in the process of collecting information about that," he said.
He'd better hurry. By the end of the month, the U.S. Copyright Office is expected to decide whether to provide independent researchers with an exemption in copyright law that would permit them to continue vehicle research. If they aren't granted such an exemption, their work could be imperiled.
Independent researchers have pioneered car-hacking research and found vulnerabilities in vehicles that automakers couldn't detect themselves. But the Department of Transportation, of which NHTSA is a part, has said the risk of allowing such third-party work outside the oversight of automakers or government officials outweighs the benefits, and the Environmental Protection Agency flat-out recommended the Copyright Office reject a proposed exemption. Offering his first insight on the role of independent researchers, Rosekind neither supported nor discounted the proposed exemption, but said safety must remain at the forefront of the discussion.
"How many times have we talked about resources of and millions of miles of code? There's no way we'll have the resources to look at that," he said. "A lot of folks talk about open source, but that doesn't mean you'll get the results you need. ... We're hearing all the different sides, and we're always looking at the safety aspects of that."
"How many times have we talked about resources of and millions of miles of code? There's no way we'll have the resources to look at that." - Mark Rosekind.
Whether or not carmakers make that code open-sourced, isn't necessarily the issue. Right now, automakers are claiming the software and code that run critical vehicle components shouldn't be accessed by anyone – they consider any attempts to do so by home mechanics or vehicle security researchers a violation of the Digital Millennium Copyright Act.
Rosekind said NHTSA will address car-hacking threats with specific initiatives that will be announced later this fall. They'll come in the wake of a remote breach of a Jeep Cherokee that allowed independent security researchers to commandeer and control the vehicle from halfway across the country. Publicly announced in July, the hack unsettled many federal officials and affirmed the importance of addressing cyber threats within the agency.
Speaking at an autonomous-car event in Washington D.C., Rosekind said that cyber-security threats, left unchecked, could hinder the adoption of autonomous vehicles, which are broadly expected to augment automotive safety and save the lives of tens of thousands of road users who would otherwise die in human-caused car crashes.
Asked about the role of researchers again in a question-and-answer session that followed his prepared remarks, Rosekind said, "that's an area we need to figure out. ... We're all about transparency, but that doesn't help if you put all the data out and it's not used. We need to determine which deliver on the safety need we'll have in the future, and I'm not sure that's been figured out yet."