Ideas and suggestions are always welcome. Please let us know how we can improve your newsletter! We welcome your feedback.
LexisNexis® for Corporate Counsel
LexisNexis® Webinar Center
LexisNexis® Legal Newsroom
Live CLE Webinars | OnDemand Webinars
Edited by: Neil M. Sitron | Crowell & Moring, LLP
Autonomous vehicles are coming fast and furious. The technology for autonomy is increasing at a rapid rate, with an ever-increasing number of vehicles on the road with varying levels of autonomous features. Large auto manufacturers, established technology companies and the mythical “garage startups” are all seeking to participate in what is already a billion-dollar industry (at least in terms of the amount of money being invested in the companies, technology and ancillary products). However, in order for the fully autonomous vehicles to launch on a large scale, especially with respect to level 4 (high automation) and level 5 (full automation), the government and the public must be assured of an acceptable level of safety.
Government regulation of autonomous vehicles has, thus far, been characterized by a patchwork of federal, state and municipal regulations. Since 2012, at least 34 states and D.C. have considered legislation in this area and 8 states and D.C. have enacted autonomous vehicle legislation (starting with Nevada back in 2011). Further, a number of additional states and localities have passed legislation relating to the approval of research and development, government-sponsored studies and the testing of autonomous vehicles. Although the various states and localities have had different economic motivators for being on the forefront of autonomous vehicle support and regulation (Michigan has a historical focus on manufacturing, while Pennsylvania has focused on car sharing), they have all expressed a significant interest in ensuring that the vehicles in their jurisdiction provide sufficient assurances of safety.
At the federal level, the National Highway and Transportation Safety Administration (NHTSA) recently issued guidance and policy for the safe development of highly autonomous vehicles. That guidance includes (1) vehicle performance guidelines, (2) model state policy, (3) regulatory tools, (4) new regulatory actions that NHTSA believes could be helpful in ensuring the safe deployment of automated vehicles and (5) a set of 15 best practices for automated vehicle manufacturers regarding the safe pre-deployment design and development and testing of automated vehicles prior to commercial sale or use on public roads.
At a state level, the most recent and comprehensive legislation was a package of four bills passed in December 2016 by the State of Michigan allowing autonomous vehicles, including automated platoons of trucks and networks of self-driving cars picking up individual passengers, to operate on Michigan’s roads. In announcing this legislation, Governor Rick Snyder specifically emphasized a focus on safety, touting this legislation as a means of improving passenger safety and significantly reducing fatalities through the widespread use of autonomous vehicles. Other states, such as California (which recently issued revised draft regulations), Pennsylvania (which has launched an Autonomous Vehicles Testing Policy Task Force, which includes as members government officials as well as General Motors, Uber and AAA, to devise guidelines for testing autonomous vehicles) and Massachusetts (which created a special working group to promote the testing and deployment of autonomous vehicles), have been taking steps forward in the promoting and allowing the use of autonomous vehicles in a manner that allows the regulators to focus on ensuring the safety of the vehicles through adherence to NHTSA guidelines, development of new technologies or frameworks, or otherwise.
However, because various states and localities have been taking alternate routes toward allowing (or prohibiting) autonomous features in vehicles driving on their roads, there is an ever-present risk of creating laws by trial and error. This is neither in the interest of the industry nor the government. Further, the uncertainty of the development and launch path of autonomous vehicles presents risks to regulators and legislators in moving too slowly, too quickly or in the wrong direction. While federal guidelines will give some cover, it is unlikely that state and local governments will want to be too far in front of the industry or their peers, which presents a risk of legislation lagging too far behind the industry. No government official, of course, wants to be the one who spearheaded the launch of autonomous vehicles that caused the loss of life through accident or malfunction. In any event, given that most testing has been done in warm weather or controlled conditions, there are a number of questions that need to be answered in terms of ensuring adequate safety mechanisms and protections for autonomous vehicles in non-ideal conditions. These all present questions of whether regulation and legislation move quickly enough to address the industry’s projected progression along the autonomy spectrum over the next few years. If legislators lag too far behind the industry, or safety studies and testing take longer than would be hoped, it is possible that the full-scale launch of autonomy could be significantly delayed, with technology sitting idle until the regulations catch up.
Vehicles are already a part of the so-called “Internet of Things” (IOT) an interconnected network of 20 billion nodes and millions of remote devices, which now include everything from home automation to offices to manufacturing. This interconnected network will see an exponential increase in the amount of data running between and among them and cloud providers. As autonomy moves along the spectrum, the risks of being a part of the IOT increase in both likelihood and damage. Therefore, cybersecurity protection is, and will be, a significant focus of attention for manufacturers, regulators and consumers in two important respects: (1) protection of the vehicle itself and (2) data protection.
The most obvious, and physically dangerous, risk of cybersecurity breakdown in autonomous vehicle relates to the protection of the vehicle itself. If a human is not at the wheel, what happens if a malicious party takes control? Unfortunately, this is not simply a theoretical question. In 2015, Wired Magazine covered a proof of concept hack by two white-hat hackers, who took control of a Jeep Cherokee, cut its transmission and disabled the vehicle while it was driving on the highway. This single incident prompted Chrysler to recall 1.4 million vehicles. And, of course, this was not an autonomous vehicle—it was simply a connected car. Currently, before even introducing autonomy, vehicles are connected to the IOT in several different ways, such as via Bluetooth® and infotainment systems.
Another less obvious risk of cybersecurity breakdown is in a failure of data protection. Autonomous vehicles will rely on a constant stream of data, and all of that data will have value. Data streaming from an autonomous vehicle will include information of the driver, the vehicle, the road and the surroundings. Failure to secure that data could lead to significant consequences both for the driver (such as a hacker being able to track the driver from place to place) and the manufacturer (such as a hacker being able to steal proprietary information and trade secrets). There are an infinite number of possibilities for nefarious uses of that data.
Issues of cybersecurity have not been lost on the average consumer. A recent online survey of consumers released by the University of Michigan found that 76% – 88% of the respondents were at least slightly concerned, and more than 40% of respondents were very or extremely concerned, with the risk of hackers taking control of autonomous vehicles or gaining access to personal data.
Both private industry and government have been working toward finding solutions, or at least protections, in the area of cybersecurity for connected vehicles now and autonomous vehicles in the future. Millions of dollars are now being invested in startups and investments in the vehicle cybersecurity market. Further, leaders in the industry are working together with each other and the government in an effort to stay ahead of the hackers. Recently, a private industry consortium of Intel, Uber, Aeris, Rambus and Karamba Security, named Future of Automotive Security Technology Research (FASTR), published a manifesto as a call to action to OEMs, transportation network companies, other industry professionals, academics, researchers and hackers to collaborate on approaches to ensure the cybersecurity of connected and autonomous vehicles. On the government side, Congressmen Joe Wilson and Ted Lieu co-sponsored a bi-partisan bill, The Security and Privacy in Your Car Study Act, that would require NHTSA to work with the Department of Defense, other government agencies, private industry and academics to study, analyze and build cybersecurity protections for vehicles. Given the amount of data that will be flowing from autonomous vehicles in the not-too-distant future (4000GB per vehicle per day, as predicted by Intel), cybersecurity protection will be of upmost importance for ensuring the viability and safety of widespread use of autonomous vehicles on our roads.
Semi-autonomous and autonomous vehicles are already on our roads, be it in a limited capacity. In order to reach a level of widespread use, not only is the basic technology of autonomy required, but the regulations promoting and ensuring public safety must be fully in place. Further, given the high profile data breaches of government agencies, retailers and financial services giants, and the general consumer fear of the hacking of autonomous vehicles, both the government and consumers must be fully convinced of the cybersecurity protecting them from origin to destination.