Several recent articles (notably in Wired and the Washington Post) highlighted a new set of worries from cyberspace. Hackers located anywhere in the world can remotely gain control of anyone's vehicle, placing all motorists at risk of life and limb. Worse, the problem could persist for decades not only because automakers lack familiarity with writing secure software, but because it would take that long to retire every vulnerable vehicle. Something about that last claim seemed a bit off. Read both articles and you will not see the word “recall.”
Late last month, this omission was rectified when Fiat Chrysler, under pressure from the U.S. National Highway Traffic Safety Administration (NHTSA), recalled 1.4 million cars to fix a defect that allowed hackers to imperil drivers from afar. In essence, what was considered a huge threat was converted into a solved or at least solvable problem. NHTSA possessed two essential tools generally missing in the whole cybersecurity debate: a paradigm with which to understand the problem and the legal authority to do something about it. With the defect understood as a discrete safety problem, NHTSA was able to use the existing tool of mandatory recall to address it. And while not everyone takes advantage of a recall, the cost of servicing a recall may persuade automakers to minimize their risks by paying attention to cybersecurity.
The significance of what happened should not be underestimated. As if there are not enough cybersecurity problems to fret about, the Internet of Things has now wedged its way onto the worry sheet. The automobile hack was merely the sharp edge of this wedge. Fortunately, the United States has many tools for dealing with most of the salient Internet-of-Things threats. Vehicle recalls, as noted, are one. The Consumer Product Safety Commission also has recall powers. The Food and Drug Administration has similar authority over medical devices. Building codes can be applied to some housing problems. The Occupational Safety and Health Administration has the power to make the workplace less hazardous (e.g., by making industrial machinery safer). Indeed, safety is something the United States has been dealing with for over 100 years, with increasing success over time. Any cybersecurity problem that can be conceptualized as a safety problem is ripe for a government solution.
Problem solved? Not entirely, unfortunately. Yes, these agencies have to do their jobs correctly, often in the face of congressional pushback. But even if they did so, there are aspects of the cybersecurity problem that do not lend themselves to being framed as safety problems. One is that hacking into many devices can allow surveillance on individuals (e.g., where your car goes, when you are home, your medical condition). Whereas harming safety is always a bad thing, politically, the United States is not as ready to declare that surveillance (e.g., by law enforcement) is always a bad thing. So, the authority to force recalls because devices can be tricked into leaking information is far less well established than it is for safety issues. Another is that while a legal structure exists to enforce safe software if it is embedded in a device, no such legal structure exists to enforce the safety of software downloaded from third parties or resident in the cloud. Nevertheless, a large chunk of the problem is solvable.
And that's why the Internet of Things is not the next dark cloud on the horizon.
Martin Libicki is a senior management scientist at the nonprofit, nonpartisan RAND Corporation.