If two cyber security bills introduced into the Michigan legislature become law, a person who hacks the computer system of a car could face up to life in prison. One one hand, if someone takes over control of car and causes it to crash with injury or death resulting, that person deserves to go to jail. But is that really what these legislative initiatives are about?
Let’s begin by saying this is taking place in Michigan, the state that is ground zero for the US automotive industry. Any cyber security laws passed in Michigan that affect the industry are going to have the fingerprints of the major car companies all over them.
One such piece of legislation is Senate bill 927. It says,”A person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter or gain unauthorized control of the motor vehicle.” Doing so is deemed a felony and is punishable by incarceration with a maximum penalty of life imprisonment.
Cyber security is of critical importance as cars become more like rolling computer systems and less like traditional automobiles. Digital systems control much more than ignition timing and pollution controls in today’s cars. They also control the throttle, brakes, and steering. Wireless access exacerbates the problem. In theory, terrorists could take control of our cars and cause them to crash into each other.
Let’s be honest. Any computer that can be accessed wirelessly can be hacked. On April 3, 2015, the pilot of a German Wings airliner deliberately flew his plane into the French Alps, killing all 150 people on board. In the aftermath of that tragedy, some asked whether it was possible for ground controllers to take over control of airplanes in flight in order to prevent such things from happening. The answer was yes, of course controllers could do that. The technology exists. Airplanes today are all equipped with autopilot systems that can perform virtually any function a human pilot can. But authorities fear any link from the ground could be hacked by those with evil intent, leading to more disasters.
In July of last year, two hacker/researchers collaborated to take control of critical functions of a Jeep Grand Cherokee. One of the hackers, Chris Valasek, was able to access the car from his home in Pittsburgh while it was being driven by his colleague, Charlie Miller, on a highway outside St. Louis. That got the attention of lots of people both inside and outside the automotive industry.
Notice that the Michigan legislation applies just as harshly to Valesek and Miller as it does to someone acting with malicious intent. Not all hackers are evildoers. Many so called “white hats” seek to alert manufacturers to flaws that could be exploited by people who are up to no good. Tesla Motors, whose cars have perhaps the most intimate wireless connectivity of any on the road, actually has a program that pays hackers to find and reveal flaws in its computer systems.
Does Michigan really intend to punish white hat hackers? It’s all part of an emerging battle between manufacturers, repair facilities, and owners. The car companies take the position that the software in the automobiles they build is proprietary intellectual property. They claim their rights are protected by the Digital Millennium Copyright Act, Section 1201.
The US copyright office disagrees. Last fall, it exempted digital researchers and individual car owners from the provisions of the DMCA, but delayed operation of the exemption until October of this year. The exemption applies only to individual owners, not third parties. Anyone who offers to “chip” your ride to extract more performance or raise fuel economy is not protected.
For their part, Valasek and Miller claim their work is invaluable and that car companies are slow to fix problems in their software. For instance the pair say Jeep was aware of the security issues with the Grand Cherokee since 2014 but did nothing about them until the day after they reported the results of their experiment.
No matter where you stand on this issue, most car companies today take the position that the data and software inside that shiny new car of yours doesn’t belong to you, it belongs to them. They only give you a license to use it when you buy or lease the car. Apparently, the powers that in Michigan (car companies) don’t trust the feds to adequately protect them. They want their position enshrined in local law, complete with the threat of life in prison if you disobey them. Somewhere, George Orwell is smiling.