Drive safe! – Cyber Security for connected and autonomous vehicles
While connected and autonomous vehicles are clearly on the rise worldwide, companies in the automotive sector need to prepare for increasing cyber security threats in order to comply with data protection law and protect both their know-how and a customer’s life and limb.
There is no doubt that connected and autonomous vehicles are on the rise worldwide. Connected and autonomous driving has for several years now been one of the areas with the highest spending on research and development. In 2018, Uber alone spent USD 457 million in R&D expenses. Whilst there are intensive discussions on how this promising development may change the future of transportation and improve overall traffic safety by removing risks resulting from human driving errors, it is also important to keep in mind that these vehicles are not immune to cyber security threats. As the EU Agency for Cybersecurity (ENISA) pointed out in its last “Threat Landscape Report”, cyber security attacks become increasingly sophisticated and can take place in various different ways. Naturally, this development does not spare vehicles, whose increasing connectivity provides a high-risk gateway for potential attacks by cybercriminals. While the exciting evolution of connected and autonomous vehicles is progressing fast and continuously, companies need to take such cyber security threats into account for various different reasons:
Compliance with data protection and IT security laws
As many other devices in the Internet of Things, connected and autonomous vehicles process a large amount of (personal) data. From mere location data and caller IDs to data on the driver’s level of fatigue, driving style or credit card information – the list can be extended almost indefinitely. Under EU law, controllers of personal data (such as car manufacturers or application providers) have to implement appropriate technical and organisational measures (TOMs) “to ensure a level of security appropriate to the risk” posed by processing personal data (see Art. 32 GDPR).
As the French data protection authority (CNIL) already pointed out in October 2017, the need for data security applies to data collected and used within the vehicle as well as to data transmitted away from the vehicle. From a security point of view, local data processing presents fewer risks than data processed outside of the vehicle. Where the data collected in the vehicle remain under the user’s control and are not transmitted to the service provider, appropriate TOMs could be authentication of all data-receiving devices as well as making available access to data only upon reliable user authentication. Where data is transmitted outside of the vehicle and to the service provider, however, appropriate TOMs could be the encryption of communication channels by means of a state-of-the-art algorithm and an encryption-key management system that is unique to each vehicle. Of course, there are certain kinds of data which by their nature are so sensitive (e.g. financial data, health data) that additional layers of security can be necessary no matter where the processing takes place.
As one of the GDPR’s key principles, security in the processing of personal data is incredibly important. Moreover, in the light of the rapidly increasing number of cyber security threats, it seems likely that EU legislators will create further IT security obligations for companies in the area of connected and autonomous driving in the near future. Thus, having appropriate data-security measures in place will not only maintain the trust of the company’s customers, but may also help avoiding trouble with regulators (and potentially high fines).
Protection of know-how and “data ownership”
Another argument for an increased focus on cyber security threats is the protection of know-how and potential “data ownership”. Connected and autonomous vehicles produce data that has an enormous value for very different stakeholders (e.g. OEMs, insurers and application providers) who want to use and monetize this data, for example, by improving old or creating new business models. Taking adequate measures against cyber security threats (e.g. industrial espionage) is one key building block in the factual protection of this value.
Moreover, while there is currently no clear answer who legally “owns” the collected and processed data under European law, the data and the know-how embodied therein can – at least partially – be protected as trade secret. Not without reason the World Intellectual Property Organization refers to trade secrets as being “gold nuggets” – they can be one of the most important assets in the intellectual property portfolio of an organisation. Trade secrets can include any confidential business information which provides an enterprise with a competitive edge (such as consumer profiles, lists of suppliers and clients, and manufacturing processes).
However, according to the new EU-trade secret legislation, the protection of information as a “trade secret” presupposes that “reasonable measures” were taken to keep it secret (see Art. 2 (1) of the Trade Secret Directive which has been adopted by the EU in 2016). Consequently, if companies want to enjoy such protection, they need to keep in mind the raised standards for IT security. As with the GDPR-obligation to implement adequate TOMs, the exact choice and arrangement of measures to ensure data secrecy in the individual case is up to the organisation, and not prescribed by law.
Protection of a customer’s life and limb
The theft of (personal) data and know-how stored in the cars and their infrastructure, however, does not remain the gravest concern for companies in the car business and their customers. As one author accurately described: “When hacking occurs in a data center, the worst that can happen is a loss of data. When a self-driving car is hacked, what can happen is a loss of life.” This is not a grim picture drawn by an unenthusiastic AI-opponent, but potential reality as demonstrated by the 2015 hack of a car by two researchers. They developed a software that enabled them to wirelessly sabotage a car, take over its steering and even make the accelerator stop whilst driving on a highway. One can only imagine the outcome of such an attack, had it been performed by hackers with a hostile spirit. Besides the tragic impact such an attack could have on the customer itself, companies would conceivably face enormous liability threats and reputational losses if such an attack actually ever took place.
As illustrated above, companies have many incentives to think ahead when it comes to the cyber security of connected and autonomous vehicles. The best way for companies to tackle these challenges is building a “security by design”, i.e. building IT security from the beginning of the development phase onwards and embedding mechanisms which allow for constant improvement of the system. While guidelines published by bodies such as the UK government and the European Automobile Manufacturers’ Association (ACEA) can provide a first orientation in this regard, having a sophisticated cyber security strategy in the context of connected and autonomous vehicles will be absolutely vital to actually ensure “safe driving”.