Federal agency warns that Massachusetts ballot question would “pose an unreasonable risk to safety” and “increases the risk of cybersecurity attacks.”

BOSTON, MA – JULY 24, 2020 – The federal agency tasked with keeping American families safe on roads and highways this week submitted public written testimony on Massachusetts Question 1, writing that the ballot question “increases the scale of risks of any potentially successful cybersecurity attack” and “would raise substantial safety risks for American families.”

In response to a request from Massachusetts legislative leaders, the National Highway Traffic Safety Administration (NHTSA)  submitted written testimony detailing a number of problems with Question 1, including the increased threat of attacks by malicious actors, the lack of cybersecurity protections, and the inherent dangers of creating a standardized system.

NHTSA, in its role overseeing motor vehicle safety, “focuses on cybersecurity vulnerabilities that present potential vehicle safety consequences.” The letter identifies many such vulnerabilities in Question 1, which is backed by the $200 billion-a-year automotive aftermarket industry.

Question 1 would grant remote, real-time, two-way access to every vehicle in Massachusetts through a mobile device. The information would include GPS location data and other sensitive information that could be easily misused by hackers, stalkers and other criminals and bad actors.

Among the many problems with Question 1 identified by NHTSA:

Safety

  • Question 1 “would require manufacturers to provide remote functionality that may potentially pose an unreasonable risk to safety…”
  • NHTSA warns that “Malicious actors, some of which are sponsored by hostile foreign governments, have the motivations, resources, and tools available to compromise access to safety-critical systems. A cyberattack on one or more motor vehicles has enormous potential safety consequences—a 4,000 to 80,000 lbs. vehicle operating at highway speeds can pose an incredible amount of danger to its surroundings if manipulated.”
  • If Question 1 passes, “manufacturers that offer telematics systems could find themselves in a situation that would require them to remove all access controls from their telematics systems, including controls designed to ensure the security of safety-critical systems. NHTSA has grave concerns with any proposed policy that would effectively prohibit wireless access controls in motor vehicles sold in the United States.” 
  • If Question 1 passes, “This would raise substantial safety risks for American families.” 

Cybersecurity

  • Question 1 does not “reflect any established best practices or other measures to address cybersecurity risks…nor does it address feasibility, practicality, or availability of protocols or other measures that could appropriately protect against cybersecurity risks…”
  • Question 1 “would prohibit manufacturers from complying with both existing Federal guidance and cybersecurity hygiene best practices.”
  • Question 1 “increases the risk of cybersecurity attacks that could jeopardize public safety.”

Question 1 also requires that the access system be “standardized” – a requirement that NHTSA explicitly warns against:

“The requirement to establish universal and standardized access requirements increases the scale of risks of any potentially successful cybersecurity attack… Having more vehicles with a common architecture…means that a single successful malicious cyberattack could have much wider scale of consequences because it can affect a larger number of vehicles.” 

NHTSA notes that the agency’s efforts to develop and refine best practices to protect vehicle systems, primarily by limiting external connections and controlling access to vehicle functions, “may be rendered impossible by the provisions of [Question 1].”

The testimony concludes with an admonition that, “steps proposed to ease access for serviceability cannot be allowed to compromise vehicle cybersecurity and public safety.”

The Coalition for Safe and Secure Data has been raising all of these concerns over the past year and agrees wholeheartedly with the National Highway Traffic Safety Administration. We urge all Massachusetts voters to heed NHTSA’s warnings and vote ‘NO’ on 1.

###