GM: ‘Prescriptive’ DSRC rules could hinder cybersecurity

General Motors (GM) wants the FCC to know that it is taking numerous actions to secure vehicle architecture, telematics and the connected vehicle ecosystem from cybersecurity vulnerabilities, saying any “prescriptive rules and regulations” could actually hinder cybersecurity rather than enhance it.

GM’s chief product cybersecurity officer, Jeff Massimilla, and other GM executives met with FCC staff last week to discuss GM’s efforts in the area of cybersecurity. The meeting came in response to a petition that Public Knowledge (PK) and New America Open Technology Institute (OTI) filed in June asking for an emergency stay of operation of Dedicated Short-Range Communications Service (DSRC) until rules are adopted to protect the cybersecurity and privacy of DSRC users.

Massimilla cautioned the commission that “prescriptive rules and regulations that would be potentially outdated by the time they were published could actually hinder cybersecurity rather than enhance it,” GM revealed in an ex parte filing. Instead, he stressed an emphasis on risk management and cross industry and governmental collaboration as an appropriate approach to cybersecurity.

Security became a focal point after hackers demonstrated the ability to seize control of braking, steering and acceleration functions. A Wired article last summer famously chronicled how hackers were able to commandeer a Jeep Cherokee on a highway with the author in the vehicle.

PK and OTI want the FCC to adopt several safety measures before permitting the auto industry to deploy DSRC, including making automakers file a cybersecurity plan before activating DSRC systems and requiring them to inform customers what types of personal information they collect and how they will use that information.  

For its part, GM says it was the first automaker to develop a global organization within the company to consolidate cybersecurity functions for product development and connected services into a centralized, well-resourced organization with senior level leadership. The team collaborates with outside specialists and third parties with a mission of minimizing the risk of unauthorized access to vehicles and customer data in vehicles.

The Automotive Information Sharing and Analysis Center (Auto ISAC), of which GM is a member, recently was created for OEMs and suppliers to enhance cybersecurity awareness and coordinate across the global auto industry. In July, the Auto ISAC released best practices for the auto industry, building on principles agreed to by the auto industry and Department of Transportation. The National Highway Traffic Safety Administration (NHTSA) also is developing best practices in cybersecurity and is in regular communication with OEMs regarding cybersecurity topics.

GM argues that the Federal Trade Commission has used its authority to exercise oversight of cybersecurity incidents affecting privacy, and due to the nature of regulatory oversight that already exists, it’s not necessary for the commission to adopt additional regulations.

For more:
- see this filing (PDF)

Related articles:
Public Knowledge, OTI want FCC to protect DSRC users from cyberattacks
Feds close investigation into Jeep radio vulnerabilities
Sprint says its network not at fault in hacking demonstration of Chrysler vehicles