The protection of vehicle cybersecurity is a critical element of motor vehicle safety, particularly as cars come to rely on electronics and software-based systems. We appreciate NHTSA’s attention to this topic, including through its safety research and its push for the creation of the Automotive Information Sharing and Analysis Center (Auto ISAC), its recall work, and the completion of this document.

While we agree with most of NHTSA’s recommendations to industry in the Best Practices, vehicle cybersecurity is too important to be left to voluntary measures. We urge NHTSA to develop a mandatory safety standard for cybersecurity based on sufficient public research and consultation with other federal agencies, and to require full reporting of cybersecurity considerations and vulnerabilities in the interim. Through these steps, NHTSA would ensure that companies put the safety and security of consumers first. The agency should be supported in this endeavor by Congress, which should provide NHTSA with adequate resources to carry out its important work and pass clarifying legislation, if needed, to confirm the agency’s authority.

As NHTSA pursues a rulemaking on cybersecurity, we urge the agency to also take into account the following recommendations and other considerations directly related to the Best Practices guidance it has produced:

  • NHTSA should require rigorous and independent third-party auditing in addition to companies’ self-audits.
  • Cybersecurity researchers should have broad access to incident and risk data.
  • Information sharing is critical.
  • We strongly support NHTSA’s proposed Fundamental Vehicle Cybersecurity Protections, including the use of encryption, and urge all companies to implement them.
  • The Best Practices should include stronger guidance on information privacy.
  • We support the broad scope of the Best Practices.
  • We generally support the layered approach for cybersecurity outlined by NHTSA, as well as the agency’s recommendations for company documentation.
  • NHTSA should account for aftermarket devices designed to improve vehicle cybersecurity.
  • Consumers should retain the ability to have their vehicle serviced by the entity of their choice.
