Lawmakers urge auto safety agency to end its dangerously reactive approach to cybersecurity


Washington (June 11, 2020) - Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.), members of the Commerce, Science and Transportation Committee, today sent a letter to the National Highway Traffic Safety Administration (NHTSA), following-up on their prior inquiry about the cybersecurity risks of internet-connected cars. In their original letter, the Senators asked NHTSA to share any information it has on the cyber vulnerabilities of connected cars, as well as any actions it is taking to protect the public from such threats.


In NHTSA’s reply, the agency claimed it is “not aware of any malicious hacking attempts that have created safety concerns for the motoring public.” However, this statement sets aside many examples of demonstrated vulnerabilities in connected-cars and indicates a hands-off approach to this growing threat to public safety. Moreover, NHTSA’s reply revealed that the agency is also neglecting to oversee and keep the public informed about over-the-air (OTA) software updates designed to fix safety defects in cars without a physical recall.


“We are deeply troubled by NHTSA’s deafening silence in response to the repeated reports of vulnerabilities and risks of hacking of internet-connected cars,” write the Senators in their letter to Acting Administrator James Owens. “We believe NHTSA must end its dangerously reactive approach to cybersecurity and do more to protect consumers before a malicious attack leading to a fatality occurs.”


A copy of the letter can be found HERE.


Internet-connected vehicles can potentially be hacked and remotely controlled by malicious actors, creating risks not only to the lives of car drivers and passengers, but also to pedestrians and property along the road. To address these risks, Senators Markey and Blumenthal have introduced the Security and Privacy in Your Car (SPY Car) Act, legislation that directs NHTSA and the Federal Trade Commission to establish federal standards to ensure cybersecurity in increasingly computerized vehicles and to protect drivers’ privacy.


In today’s letter, Senators Markey and Blumenthal ask questions that include:

  • How is NHTSA proactively protecting the public from cybersecurity threats to internet-connected cars?
  • Is NHTSA monitoring, and does it act, when researchers demonstrate successful hacks on connected cars?
  • How does NHTSA monitor and respond to OTA software updates for internet-connected cars?
  • Does NHTSA have the legal authority to change its regulations to require public disclosure of OTA software updates designed to correct safety-related defects?