NAFA CEO Phil Russo, CAE: Starting The Conversation On Cybersecurity And The Connected Car

By now it’s likely you’re all aware of the term "connected car," the phrase assigned to all vehicles equipped with Internet access and other technologies that allow vehicles to share information with devices both inside and out of the vehicle. This information can be in the form of geolocation, automatic notification of crashes, notification of speeding and safety alerts, checking the status of systems, route optimization, or a host of other services.

The integration and convergence of transportation and communications technologies in connected cars offers tremendous opportunity for innovation, improved performance, convenience, and safety. However, there are many unanswered questions (and possible risks) associated with these emerging technologies, including:

• Who owns the data being collected?
• How are vehicle and driver security and safety being assured?
• What degree of privacy can be expected?
• Who will have access to the OBD2 Port?

Automobile manufacturers collect huge amounts of data on every vehicle they produce. However, it has not been determined who will be the rightful owner of that data. Should it be the OEM, the vehicle owner, the lessee, the lessor, a third-party supplier involved in the data collection?

Also, there are many avenues through which a cyber attacker can gain unauthorized access to a vehicle or multiple vehicles in efforts to jeopardize safety or undermine privacy. For instance:

• Malicious code can be sent wirelessly, through Bluetooth, or a wired USB connection.
• Installation of data-collection devices using the on-board diagnostics (OBD) port
• Current wireless vehicle-to-vehicle and vehicle-to-infrastructure connections are not secured, allowing easy access.
• A malware harboring vehicle could infect any diagnostic tools plugged into it.

The U.S Congress has demanded answers from automakers and the National Highway Traffic Safety Administration (NHTSA) on how they plan to deal with cybersecurity challenges in vehicles. Meanwhile, privacy advocates are suggesting the implementation of standards on the gathering of data collected by vehicles. These standards would:

• Ensure transparency so vehicle owners are made explicitly aware of the collection, transmission retention, and use of driving data;
• Provide consumer choice, giving vehicle owners the ability to opt out of data collection and retention without losing access to key navigation or other features (when technically feasible), except for in the case of electronic data recorders or other safety or regulatory systems; and
• Prohibit marketing based on personal driving information collected without the owner clearly opting in.

NAFA can play an important role in this conversation. NAFA is the only association representing the entire fleet management community and, as such, can be extremely influential.

Over the next few weeks you will have opportunities from NAFA to learn about the cybersecurity issue and provide your input. For instance, our Legislative Counsel Patrick O’Connor will speak about this subject during his Legislative Update at the upcoming NAFA Institute & Expo (I&E) in Austin, Texas. We will also conduct a webinar on this subject soon after I&E. We have also spoken with our colleagues at Automotive Fleet magazine about working collaboratively on this issue so that we can have one, unified, conversation in the fleet industry. Look for those joint efforts in the weeks ahead!

In the meantime, please feel free to contact me or Pat O’Connor if you have any questions or comments on this issue.

Sincerely,

Phil

Back to NAFA Connection