Congress looks at car hacking

Hackers remotely commandeer a car that is driving full speed on the highway, disabling the transmission and causing a massive traffic accident.

That scenario, discussed at recent computer security conferences and in media coverage, immediately attracted nationwide attention.  Unlike common hacks, which result in the theft or destruction of information, attacks on cars’ computer systems could cause physical injury or death.  A routine data breach is the cyber-equivalent of the flu; a car hack is the plague.

{mosads}Lawmakers quickly took notice.  On Wednesday, a House Energy and Commerce subcommittee considered a draft bill that explicitly prohibits hacking cars’ data.  Joan Claybrook, former administrator of the National Highway Traffic Safety Administration, told the committee in written testimony that consumers face “the very real threat of having their car hacked and their privacy data breached.”

Members of Congress, privacy advocates, and security experts differ about whether car hacking poses a significant and imminent public safety threat.  But one thing is clear: current laws do not adequately address the possibility of hacking Internet-connected automobiles – or, for that matter, most other new technologies.  Congress should use this public debate as an opportunity to revisit and rewrite federal computer hacking laws that have not kept up with the times.

The primary federal hacking law is the Computer Fraud and Abuse Act, a 1986 law that prohibits individuals from obtaining information or causing damage “without authorization” or “exceeding authorized access” to a “computer.”

The CFAA has come under attack from all corners of the cybersecurity world as an outdated, unfair, and ineffective law.  Civil liberties advocates criticize some courts that have found that failure to follow a websites’ terms of service could violate the statute and lead to prison time.  Academics have argued that the CFAA might criminalize well-intentioned research on computer security vulnerabilities. And law enforcement criticize the law for not explicitly criminalizing the sale of botnets, which infect innocent computers with malware.

The car hacking debate demonstrates that the CFAA is equally ill-equipped to handle hacking of devices that are not traditionally considered to be “computers.”  The revolution known as “Internet of Things” is connecting to the Internet just about every object that you could think of: not only cars, but refrigerators, manufacturing equipment, and medical devices, to name a few.  Cisco Systems estimates that by 2020, 50 billion devices and objects will be connected to the Internet.

Congress is wise to consider the implications of car hacking.  Regardless of the imminence of such an attack, it always is prudent to examine potential vulnerabilities.

But Congress should not end its inquiry there.  As the Internet of Things proliferates, we face vulnerabilities on countless fronts.  How do we prevent hackers from causing hospital equipment from malfunction during surgery, shutting down air traffic control systems on the day before Thanksgiving, or destroying billions of dollars in factory equipment?

As we have seen many times before, laws that regulate a single technology quickly become obsolete.  For instance, in 1988, after a video store disclosed Supreme Court nominee Robert Bork’s rental records to a newspaper, Congress passed the Video Privacy Protection Act, which restricts the disclosure of information about the rental of “prerecorded video cassette tapes or similar audio-visual material.”  While that law may have made sense in 1988, courts have had trouble applying it in the Netflix era.  And although it provided some privacy protections for video rentals, it did not address the many other areas where consumers demand privacy. 

Rather than addressing just one of thousands of cybersecurity threats, Congress should take this opportunity to rewrite the CFAA to ensure that it fairly and adequately addresses the threats from the CFAA and other new technologies that have developed in recent years. 

And hacking laws are only one part of the solution.  Many hackers attack from abroad, and pay little notice to U.S. criminal laws or civil penalties.  Once a car – or other device – has been hacked, the damage is already done.  Lawmakers should consider collaborative policies that encourage the private sector to invest in security measures that prevent such attacks from ever occurring in the first place.

Kosseff is an assistant professor of cybersecurity law at the United States Naval Academy.  The views expressed in this op-ed are those only of the author, and not of the Naval Academy or Department of Navy.