chevron-down Created with Sketch Beta.
January 30, 2017 Articles

Taking the Wheel: New Federal Guidance on Vehicle Automation and Cybersecurity

By Patrick J. Cleary and Angela G. Strickland

This fall, the National Highway Traffic Safety Administration (NHTSA) released two documents outlining its proposed guidance concerning the regulation of two interconnected developments in motor vehicle design and vehicle operation—autonomous vehicle technologies and vehicle cybersecurity protection concerns. In releasing this guidance, NHTSA acted ahead of any Federal Motor Vehicle Safety Standards (FMVSS), proposed rulemaking, or regulatory requests, asserting that its mandate to ensure safe vehicles provides it the authority to issue such a policy.

his article provides a high-level overview of NHTSA's guidance on autonomous vehicle technologies and on cybersecurity best practices for modern vehicles, and discusses how the guidance likely changes original equipment manufacturer responsibilities. In particular, this discussion focuses on the potential move toward a holistic regulation of motor vehicles throughout the product life cycle and its effect on product liability law.

NHTSA Guidance

Overview. The past 20 years have seen the congruence of 3 fundamental changes to motor vehicles. First, electronic driver assistance technologies (like antilock brakes and stability control) are becoming standard on all vehicles, and new assistance technologies are introduced in each new model year. Second, new motor vehicles are now part of the "Internet of Things," connecting wirelessly to navigation systems, entertainment options, and even to other vehicles and transportation infrastructure. Third, vehicles with situational or complete autonomous vehicle capabilities are driving on private and public roads as part of vehicle testing and will likely soon be available to the mass public. These fundamental changes create the real possibility of markedly reducing motor vehicle accidents, improving occupant and pedestrian safety, and creating new transportation options for the general public.

The existing federal regulatory framework for motor vehicle safety, as enumerated in the National Traffic and Motor Vehicle Safety Act (49 U.S.C. § 301 et. seq.), arises from a period when motor vehicles were solely under the control of a human driver, had only rudimentary electronics, and received nothing beyond radio waves from the outside environment. NHTSA's primary tool for regulating vehicle safety is through the FMVSS. These standards establish minimum performance specifications and require vehicle features that a motor vehicle must comply with as a prerequisite for sale in the United States.

It is important to note that FMVSS standards are positive requirements a manufacturer must comply with when the vehicle enters the marketplace and that a manufacturer must self-certify that the vehicle complies with the standards at the time of entry. While manufacturers have certain obligations under the Motor Vehicle Safety Act and the Transportation Recall Enhancement, Accountability, and Documentation (TREAD) Act to monitor vehicle performance in the field, to report field incidents to NHTSA, and to perform recalls for safety-related defects, the FMVSS standards are self-contained and year-determinant, and they arise primarily from the paradigm of the pre-electronic vehicle. For example, if FMVSS 108, which addresses automotive lighting, signaling, and reflective devices, changes for a future model year, there is no obligation for a manufacturer to update existing vehicles; the manufacturer need only certify that the future model year vehicles comply with the changed FMVSS 108.

In July 2015, Wired magazine posted an article describing how two researchers gained remote access to a Jeep Cherokee and sent commands to control the vehicle brakes and transmission, overriding the pedal inputs made by the vehicle driver. Andy Greenberg, "Hackers Remotely Kill a Jeep on the Highway—with Me in It," Wired, July, 21, 2015. This is the first reported event in which hackers remotely gained access to a vehicle through wireless networks. In February 2016, Google reported its first crash involving its autonomous vehicle. Alex Davies, "Google's Self-Driving Car Caused Its First Crash," Wired, Feb. 29, 2016. And in July 2016, a fatal crash occurred in a Tesla Model S operating in "autopilot" mode. David Z. Morris, "What Tesla's Fatal Crash Means for the Path to Driverless Cars," Fortune, July 3, 2016.

These events highlight how the existing FMVSS standards and current regulatory standards do not address vehicle cybersecurity or the regulation and certification of autonomous vehicle technologies. Both the Jeep and the Tesla fully complied with the FMVSS standards applicable at the time of sale.

Federal Automated Vehicles Policy. In late September, NHTSA released the Federal Automated Vehicles Policy, issued "as agency guidance rather than rulemaking." While the policy does not have the force of law, NHTSA believes that the policy will "set the framework for the next 50 years with guidance for the safe and rapid development of advanced automated vehicle safety technologies."

The policy has four main parts:

  1. the Vehicle Performance Guidance for Automated Vehicles
  2. a model state policy for regulating and licensing autonomous vehicles
  3. NHTSA's current regulatory tools
  4. modern regulatory tools NHTSA expects to implement for autonomous vehicle development

Three of the four parts, including the Vehicle Performance Guidance and modern regulatory tools, envision a markedly different vehicle regulatory environment and manufacturer obligation for vehicles on the marketplace than what is traditionally expected under similar NHTSA standards and policies.

In the Vehicle Performance Guidance section, NHTSA outlines the concept of a pre-commercial-sale 15-point "Safety Assessment" requiring manufacturers and other entities developing highly autonomous vehicle (HAV) technology to voluntarily report how areas such as data sharing, privacy, cybersecurity, crashworthiness, and the consequences of an HAV's actions on others are being addressed. The policy also discusses how the guidelines "appl[y] to both automated systems' original equipment, and to replacement equipment or updates (including software updates/upgrades) to automated systems."

In the Modern Regulatory Tools section, NHTSA envisions both pre-market approval of autonomous vehicle technologies, under the safety assessment guidelines, and post-sale authority to "regulate the safety of software changes provided by manufacturers after a vehicle's first sale to a consumer." This post-sale obligation would likely include conducting safety assessments before releasing updates to the "functions and technical capabilities of the vehicles."

Cybersecurity Best Practices for Modern Vehicles. Not more than a month later, in late October, NHTSA released the Cybersecurity Best Practices for Modern Vehicles. In its press release on the best practices, NHTSA stated it establishes a "proactive safety approach to protect vehicles from malicious cyber-attacks and unauthorized access by releasing proposed guidance for improving motor vehicle cybersecurity." Press Release, NHTSA, U.S. DOT Issues Federal Guidance to the Automotive Industry for Improving Motor Vehicle Cybersecurity (Oct. 24, 2016). Like the policy before it, the best practices lack the force of law but provide clear direction on how NHTSA intends to address the threat of cyber attacks on connected vehicles.

The best practices envision a significant management commitment to cybersecurity, including dedicated corporate officers; conducting internal and external risk assessments; researching, investigating, implementing, testing, and validating product cybersecurity measures and vulnerabilities; and providing internal and external channels to communicate cybersecurity risks throughout the organization. These measures could include engaging hackers in so-called "white hat" hacking exercises. White hats are security researchers or hackers who, when they discover a vulnerability in software, notify the vendor so the hole can be patched. Kim Zetter, "Hacker Lexicon:  What Are White Hat, Black Hat, and Gray Hat Hackers?," Wired, Apr. 13, 2016. In addition, the best practices expect that original equipment manufacturers will participate in industry-wide risk assessments and threat-sharing, adapt their cybersecurity strategies based on other sector experiences, and voluntarily disclose to both NHTSA and the industry any real or detected threats.

Section 6.7 of the best practices outlines what NHTSA calls "Fundamental Vehicle Cybersecurity Protections." While not exhaustive, the cybersecurity protections lay out 11 "required" design, control, system access, and threat-recording "protections [to] serve as a small subset of potential actions which can move the motor vehicle industry towards a more cyber-aware posture."

Potential Changes in Products Liability Law and Manufacturer Responsibilities
While neither the policy nor best practices have been enacted in whole or in part as federal regulations, it seems likely that much, if not all, of NHTSA's guidance will become part of the federal motor vehicle regulations and the standard of care required for motor vehicle manufacturers.

From a products liability litigation perspective, the policy and best practices envision markedly different and expanded responsibilities on vehicle manufacturers throughout the product life cycle.

First, both the policy and best practices anticipate a marketplace in which manufacturers monitor and share product performance and cybersecurity vulnerabilities throughout the product life span. As discussed above, vehicle manufacturers have certain specific legal obligations to customers after the initial point of sale. Under the policy and best practices, manufacturers will have evolving and expansive duties to customers throughout the vehicle life span and will have to exercise these duties in a way that does not expose the customer to cybersecurity risks. It is likely that legislatures and courts will recognize a duty and standard of care owed by manufacturers to vehicle owners to monitor and update connected vehicles and vehicles with autonomous technologies.

Second, the policy and best practices foreshadow a future in which product designs are not static after the product manufacturing date. Manufacturers will have the obligation to update vehicles against cybersecurity threats and to address problems, primarily through over-the-air software updates. Currently, most states evaluate whether a design is defective at the time of first sale to a customer. This framework assumes a static vehicle design and a particular time when the finder of fact evaluates the design. Connected vehicles and vehicles with autonomous technologies will not have a static design or a fixed date when the design was finalized, particularly for vehicle software. Expect to see courts and legislatures change the test for when a vehicle is defective to the date of the last approved software update for that vehicle.

NHTSA's recently released Federal Automated Vehicles Policy and Cybersecurity Best Practices for Modern Vehicles provide guidance on how NHTSA foresees regulating connected vehicles and vehicles with autonomous technologies. In doing so, they envision a holistic and continual regulatory regime in which manufacturers support the vehicle throughout the product life span, dramatically changing the landscape of automotive product liability law.

Keywords: litigation, products liability, National Highway Traffic Safety Administration, NHTSA, autonomous vehicle technologies, cybersecurity, policy, best practices

Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).