HR 3262 Introduced - GUARD Act
Last month Rep Upton (R,MI) introduced HR 3262, the Guarding against Unauthorized Attacks Related to Driving (GUARD) Act. The bill would require DOT to submit to Congress a report on cybersecurity risks to motor vehicle safety.
Definitions
This bill provides a definition for a single term, ‘motor vehicle’. The definition refers to 49 USC 30102.
Study Required
Section 2 of the bill requires DOT to “conduct a study on the state of cybersecurity regarding motor vehicles”. In the process of conducting the study, DOT is required to:
Develop a comprehensive list of Federal agencies with jurisdiction over cybersecurity and a brief description of such jurisdiction or expertise of such agencies,
Identify all interagency activities taking place among Federal agencies related to cybersecurity regarding motor vehicles, including working groups or any other relevant coordinated effort,
Develop a comprehensive list of public-private partnerships focused on cybersecurity regarding motor vehicles, as well as any industry-based bodies, including international bodies, which have developed, or are developing, mandatory or voluntary standards for cybersecurity and the status of such standards,
Identify each regulation, guideline, mandatory standard, voluntary standard, and other policy implemented by each Federal agency identified under this subsection and each guideline, mandatory standard, voluntary standard, and other policy implemented by industry-based and recognized international bodies,
Review the technology, measures, guidelines, or practices used across the motor vehicle industry as of the date of the enactment of this Act to identify, protect, detect, respond to, or recover from cyber security incidents affecting the safety of a motor vehicle, focusing on the most advanced vehicle security solutions such as AI-driven vehicle security software,
Identify existing cybersecurity resources to assist individuals in maintaining awareness of cybersecurity risks associated with motor vehicle safety and mechanisms for alerting a human driver or operator regarding cybersecurity vulnerabilities,
Identify means to protect vehicle occupants from cybersecurity incidents affecting safety that may arise while the motor vehicle is operating, and
Identify pervasive industry vehicle software security solutions, such as, embedded in at least 150 million vehicles and 50 percent of the electric vehicle marketplace at the time of enactment.
Report to Congress
Six months after the completion of the study above DOT is required to prepare a report to Congress. The report will address the results of the study and provide recommendations:
To enable the exchange of information and lessons learned across the industry, and across relevant Federal agencies, regarding cybersecurity incidents, threats, and potential vulnerabilities in a timely manner; and
For other measures deemed reasonable, appropriate, and practicable with respect to cybersecurity related to motor vehicle safety.
Moving Forward
Upton is a member of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that he likely has sufficient influence to see the bill considered in Committee.
I see nothing in the language of this bill that would engender any specific opposition. Given the importance that Congress is increasingly putting on cybersecurity issues, I suspect that this bill will receive significant bipartisan support, both in Committee and on the Floor of the House.
Commentary
It seems odd that the crafters of this bill would deem it necessary to define ‘motor vehicle’ and not provide any definitions of the cybersecurity related terms. I suspect that part of this is to provide DOT the widest leeway in conducting their study. Unfortunately, the larger part of that is the basic lack of understanding that most congressional staff has with cybersecurity related issues in general. You can see that in much of the wording in §2(a) of the bill in regards to what the study will address.
For example:
§2(a)(5) - review the technology, measures, guidelines, or practices used across the motor vehicle industry [emphasis added] as of the date of the enactment of this Act to identify, protect, detect, respond to, or recover from cyber security incidents affecting the safety of a motor vehicle, focusing on the most advanced vehicle security solutions such as AI-driven vehicle security software [emphasis added];
I suspect (and have not heard any discussion about) any wide-spread cybersecurity measures in place, much less ‘AI-driven vehicle security software’. There are certainly researchers looking into these systems (including AI), but the automotive industry has little incentive (and certainly no requirement) to invest in such cybersecurity activities.
I do applaud the staff who crafted this bill for one requirement, §2(a)(7):
“identify means to protect vehicle occupants from cybersecurity incidents affecting safety that may arise while the motor vehicle is operating”
Just like in industrial control systems, or any cyber system for that matter, absolute security will never be attainable. While preventing cyber attacks remains an important goal, it is more important to ensure that the results of a successful attack, it is probably more important to ensure that a successful attack does not have catastrophic effects on the vehicle occupants or people in the surrounding area. Thus research on attack mitigation would be as valuable as attack prevention.