UK Government Issues Cybersecurity Guidance for Connected and Automated Vehicles

On 6 August 2017, the UK government released ‘The Key Principles of Vehicle Cyber Security for Connected and Automated Vehicles’, guidance aimed at ensuring minimum cybersecurity protections for consumers in the manufacture and operation of connected and automated vehicles.

Connected and automated vehicles fall into the category of so-called ‘smart cars’. Connected vehicles have gained, and will continue to gain, adoption in the market and, indeed, are expected to make up more than half of new vehicles by 2020. Such cars have the ability through the use of various technologies to communicate with the driver, other cars, application providers, traffic infrastructure and the Cloud. Automated vehicles, also known as autonomous vehicles, include self-driving features that allow the vehicle to control key functions–like observing the vehicle’s environment, steering, acceleration, parking, and lane changes–that traditionally have been performed by a human driver. Consumers in certain markets have been able to purchase vehicles with certain autonomous driving features for the past few years, and vehicle manufacturers have announced plans to enable vehicles to be fully self-driving under certain conditions, in the near future.

The principles set forth in the UK government’s guidance are part of a wider push by the government to establish the UK as a player in the development of smart cars. Earlier this year, the government announced its plans for the Automated and Electric Vehicles Bill, which will aim to establish the UK as a global leader and ensure that “the next wave of self-driving technology is invented, designed and operated safely in the UK” and it has further pledged £200 million to this cause.

The guidance has been produced in response to the large (and growing) risk of cybersecurity attacks presented by connected and autonomous vehicle technology. Increased connectivity and autonomy necessarily rely heavily on continuous streams of data. As Grayson Brulte, one of the leading authorities on autonomous vehicles, recently commented, “the scientific breakthroughs in artificial intelligence, LiDAR and edge computing combined with high-definition 3D mapping have made it possible for fully autonomous vehicles to operate in unpredictable environments such as cities.”

All of these scientific breakthroughs involve the collection and processing of massive volumes of data, which creates potential vulnerabilities from a cybersecurity perspective. With respect to autonomous vehicles, there are significant threshold questions that remain unanswered and that will significantly affect the cybersecurity risks of such vehicles. For example, it is unclear to what extent autonomous vehicles will interact with the transportation infrastructure and other vehicles or whether such vehicles will be designed to rely as heavily as possible on data that is generated by the vehicle itself. Similarly, it is unclear whether and under what conditions human intervention will be permitted, or whether it will be determined that the human risks of fallibility, distraction, and occasional malicious intent offset the potential safety benefit of human involvement. The autonomous vehicle industry has not reached consensus on these issues.

Nevertheless, it is apparent that providers will need to focus on developing robust programs for attempting to maintain the security of connected and autonomous vehicles. They also will need to pay close attention to the storage, processing and transfer of personal data in light of increased regulation and scrutiny under EU and international data protection and privacy regimes. As examples, providers will need to carefully consider disclosure obligations to relevant authorities as well as consents from consumers.

The principles set forth in the UK guidance are targeted towards the prevention of hacking and data theft by ensuring that cybersecurity becomes a key consideration for everyone in the automotive manufacturing supply chain. The guidelines consist of the following eight principles:

Principle 1: Organisational security is owned, governed and promoted at board level–this is aimed at promoting a ‘culture of security’ within an organisation
Principle 2: Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
Principle 3: Organisations need to provide product aftercare and incident response to ensure systems are secure over their lifetime
Principle 4: All organisations, including sub-contractors, suppliers and potential third parties, must work together to enhance the security of the system
Principle 5: Systems are designed using a defence-in-depth approach–security measures should be designed to address failures and breaches through defence-in-depth and segmented techniques
Principle 6: The security of all software is managed throughout its lifetime
Principle 7: The storage and transmission of data is secure and can be controlled
Principle 8: The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail

These principles are articulated at a high level and are fairly self-evident to those with experience in the cybersecurity industry. Also, as of yet, these principles are not binding and do not impose concrete obligations on manufacturers of connected and automated vehicles. This cautious approach may reflect an appreciation that this emerging technology does not lend itself to detailed rules that might, in hindsight, turn out to be misguided. It may also reflect a recognition that development of autonomous vehicle technology is occurring on a global scale, and thus stringent regulation risks the loss of development projects to less regulated jurisdictions.

As featured in The National Law Review on September 13, 2017

Driverless cars on public highways? Go for it, Trump administration says

Go for it! In essence, that’s the Trump administration’s new directive on driverless-car development.

Under those guidelines, automakers and technology companies will be asked to voluntarily submit safety assessments to the U.S. Department of Transportation, but they don’t have to do it.

And states are being advised to use a light regulatory hand.

At a driverless-car test track in Ann Arbor, Mich., Transportation Secretary Elaine Chao painted a near future of greater safety, fewer deaths, higher productivity and more time spent with loved ones as robots increasingly take over the tasks of driving and commuters are freed for other activities.

She unveiled a document titled “Vision for Safety 2.0” and delivered a speech that was strong on vision and light on regulation.

“More than 35,000 people perish every year in vehicle crashes,” she said — 94% of those through driver error. After years of decline, fatalities are growing, she said. “Automated driving systems hold the promise of significantly reducing these errors and saving tens of thousands of lives in the process.”

Although the Vision document is vague, Congress is likely to pack on some meat. Last week, the House of Representatives passed a bill that eventually would let automakers each put as many as 25,000 cars on the road even if some features don’t meet current safety standards set by the National Highway Traffic Safety Administration. The cap would rise over a four-year period, allowing each automaker to field 275,000 driverless cars by the end of that period.

The House bill would require safety assessments, but permission to test would not be required. States would be required to follow federal regulations.

The Senate is considering a similar bill, though the Commerce Committee will consider at a Wednesday hearing whether to exempt trucks from the law. Labor unions fear that driverless technology could lead to job losses. Chao, who has expressed similar concerns in the past, said she’s working closely with Congress on the matter.

She was joined at Tuesday’s announcement by Mark Riccobono, president of the National Federation of the Blind, who said fully autonomous vehicles offer “an unprecedented opportunity to bring equal access to people with disabilities.”

Although widespread use of driverless cars is at least several years away, automakers and technology companies are making rapid progress, and features — such as automatic braking and adaptive cruise control — are already available on many new vehicles.

Tesla’s Autopilot feature, for example, enables the vehicle to pass cars automatically on the freeway. An option on the new Cadillac CT6 enables drivers to cruise along a freeway lane for hours without driver intervention. Even models from relatively inexpensive makers such as Hyundai, Mazda, Kia and Subaru offer automatic braking to avoid rear ending the car ahead.

Not everyone was happy with Chao’s announcement. Some consumer groups, which already thought the Obama administration’s standards were too lax, criticized a further pullback from government regulation.

“This isn’t a vision for safety,” said John M. Simpson, Consumer Watchdog’s privacy project director. “It’s a road map that allows manufacturers to do whatever they want, wherever and whenever they want, turning our roads into private laboratories for robot cars with no regard for our safety.”

Two House Democrats, Frank Pallone Jr. of New Jersey and Jan Schakowsky of Illinois, issued a statement that calls Chao’s move a step backward: “The administration chose to cave to industry and pressure the states into not acting.”

But driverless-vehicle proponents cheered Chao’s presentation. “This is great news. Over-regulating autonomous vehicles will slow down the adoption of a technology which will create millions of new high-paying jobs across the United States and make roads safer for all Americans,” driverless industry consultant Grayson Brulte said.

Mitch Bainwol, chief executive of the Alliance of Automobile Manufacturers lobby group, appeared at the Chao event and said, “The future is not something we should be afraid of or try to slow down.”

The new standards replace guidelines published by the Obama administration in September 2016 that asked automakers to voluntarily submit reports on a 15-point “safety assessment.” They were also urged, but not required, to defer to federal rules on safety. Chao did not criticize those guidelines, but called them “Vision for Safety 1.0.”

“The new policy adjusts the tone but continues much of the substance of (the Obama administration) document,” said Bryant Walker Smith, law professor at the University of South Carolina. “It clearly reflects the input of the traditional automotive industry but doesn’t exclude potential new entrants such as Waymo.”

The previous approach, however, didn’t eliminate a patchwork of state-by-state regulations. California’s regulations, for example, are considered fairly strict. Florida, Michigan and Arizona barely regulate driverless cars.

The new “Vision for Safety” advises state officials to remain technology-neutral and not favor traditional automakers over technology companies; to remove regulatory barriers that keep driverless cars off the roads; and to make the federal Transportation Department’s voluntary recommendations into law.

New legislation that emerges from Congress, however, could have more serious implications for state regulations. Under the House bill, California and other states could not bar driverless cars allowed under federal law.

How that might affect a new set of driverless regulations that California officials plan to unveil by the end of the year is unclear. The state Department of Motor Vehicles, which regulates driverless cars, said in a prepared statement that it is reviewing the new federal guidelines.

Transportation officials from both administrations consider driver-assist technology and autonomous cars to be essential safety features that could dramatically reduce collisions, injuries and deaths.

The vast majority of traffic collisions are caused by human driver error, federal safety statistics show. Fatalities have been rising in recent years as cellphones and other distracting devices have become more popular.

In 2016, U.S. highway traffic deaths rose 6%, to about 40,000.

As featured in the September 12, 2017 edition of The Los Angeles Times

Persuading Residents to Invest in Mobility

The future autonomous world is discussed often at the 2017 Telematics Update conference here, but for it to come to fruition numerous infrastructure projects must take place.

And that may be a tough sell to residents who only want their city to keep streets illuminated and garbage picked up.

“Saying you’re investing x-millions of dollars in (dedicated short-range communication) is not a message residents in most cities (are waiting to hear),” Mark de la Vergne, chief of mobility innovation-City of Detroit says on an urban mobility panel at the conference June 7. “How this gets communicated outside of rooms like these is challenging.

“It is a foreign (concept) in a lot of cities where catching the bus and making sure you’re home for your kids is the No.1 priority,” he continues. “Wondering about autonomous vehicles and DSRC is literally nothing that is close to being on your radar.”

De la Vergne advises cities to start thinking about how to communicate the merits of smart mobility, which includes a future where vehicles communicate with each other and the infrastructure.

John Barney, vice president-transportation sector for Ericsson, points out Audi’s Traffic Light Information is a good way of showing skeptical taxpayers a real-world technology that could benefit their lives. The vehicle-to-infrastructure technology is on some ’17 Audi A4, allroad and Q7 models sold in Las Vegas. The vehicles, via onboard 4G LTE, receive information from the city’s traffic-management systems and through an in-vehicle display tell drivers how much time remains until a red light changes to green.

“It’s out there (and) it’s easy to point to and helps explain why we’re doing some of these things in a way a non-telematics person will understand,” Barney says.

Audi has said it hopes to go beyond the time-to-green feature and use traffic-management system data in the U.S. to predict the best travel speed to “maximize the number of green lights one can make in a sequence.”

Barney says any infrastructure improvements municipalities are making should be with a future smart world in mind. For instance, he says Ericsson and Philips created a streetlight with hidden small cells for high-speed broadband.

“When you start planning and putting in that infrastructure like streetlights, think about, ‘How can I leverage this piece of infrastructure more so than just as a light?’” Barney says. “It may be a small cell (or) a pollution detector going into that. So you start to build (infrastructure) without it being a big bang (to taxpayers) when you get there.”

All panelists emphasize the need for the public and private sectors to become partners, rather than for the latter to engage in the hard sell.

Any tech company looking to interface with a city’s mobility leadership should be able to show how its technology will improve residents’ lives, says Grayson Brulte, co-chair of Beverly Hills, CA’s Autonomous Vehicle Task Force and a member of the city’s Smart City/Technology committee. “Don’t just say we have the best widget or the best (artificial intelligence),” he says. What can you do to improve (residents’ lives) and how can the mayor and the elected officials go out and sell it to the city of how it’s going to improve (residents’ lives)?”

Says Zipcar’s Justin Holmes, “I spent more of my career in the public sector than the private sector. I used to say stop sending sales people to me.”

From the point of view of Zipcar, the oldest car-sharing service in the U.S. originating in 2000, Holmes, director-corporate communications and public policy, says cities now and in the future best can help the cause of smart mobility by giving car-sharing services access to curb space and right-of-way.

“We partner with cities all around the country to have about 1,000 dedicated parking locations…in a highly visible curb-side location,” Holmes says. “And that’s important for cities because Zipcar’s role and cities are incredibly aligned. Every car we put on the road takes away the need for up to 13 personally owned vehicles. And so that level of investment in curb space is completely aligned with the cities’ vision to help reduce reliance on exclusively personally owned vehicles.”

Similarly, Brulte notes Beverly Hills is evaluating converting valet zones into autonomous-vehicle pick-up and drop-off zones.

But Holmes says investment in existing infrastructure is more of a short-term goal.

“Fast forward to the long term, and cities are going to play a larger role as these arbiters of public spaces, particularly with regards to right-of-way, in ways we have not yet imagined,” he says.

As featured in WardsAuto on June 8, 2017

Uber fires Anthony Levandowski, engineer at center of legal battle with Waymo

Uber has fired Anthony Levandowski, the star engineer at the center of the company’s fight with self-driving rival Waymo.

Levandowski — a former Waymo employee who until recently was leading Uber’s effort to replace human drivers with robot cars — has refused to hand over documents requested by Waymo and a federal court judge in a high-profile legal battle between two Silicon Valley giants. Waymo is part of Alphabet Inc., the parent company of Google.

Uber is being accused of stealing Waymo’s self-driving technology. The San Francisco company has denied the allegations.

An Uber spokeswoman said Tuesday that the company’s driverless car program will continue to be run by Eric Meyhofer, who took over from Levandowski in April. Levandowski’s direct reports have been moved to Meyhofer.

“We have been pressing Anthony to comply and assist with our internal investigation for months,” the spokeswoman said. “We set a deadline that he did not meet, and we will not wait for this issue to make its way through the courts.”

The firing represents a milestone of sorts for Uber, which has a reputation for protecting executives who reflect badly on the company.

“This is a clear indication that [Uber Chief Executive] Travis Kalanick has grown up,” driverless industry consultant Grayson Brulte said. “He is evolving into a leader who is owning his mistakes.”

Waymo sued Uber in February, alleging Uber made illegal use of 14,000 documents it says Levandowski stole from Waymo while he was a Waymo employee.

The stakes in the emerging market for semi-autonomous and completely driverless cars are huge. Market forecasters say it’ll become an annual market worth tens to hundreds of billions of dollars over the next decade.

Technology companies, traditional automakers and others are fighting for a foothold. Companies that gain proprietary technological advantage will benefit the most.

Waymo, under the Google name, was first out of the gate with a major driverless car project in 2009. Other companies are hoping to catch up with Waymo and then bypass it.

After Levandowski left Waymo, he started his own company: driverless-truck start-up Otto. Uber soon bought Otto, reportedly for $680 million, and put Levandowski in charge of Uber’s driverless project.

Uber has insisted that it developed its driverless technology independently and that it does not possess and has not made use of any stolen material.

Levandowski has refused to turn over the documents or his computer to anyone, citing a 5th Amendment right against self-incrimination. That led the federal judge in the case, William Alsup, to pressure Uber to take action against Levandowski.

“Uber has no excuse under the 5th Amendment to pull any punches as to Levandowski,” the judge said in a written order this month.

Uber then threatened to fire Levandowski if he didn’t comply. Tuesday, Uber announced his termination.

Meanwhile, Uber continues to resist Waymo’s court request to release the term sheets Uber and Levandowski signed when Uber bought Otto last summer.

The Waymo-Uber battle is over a technology called lidar. Considered by most experts as an essential element for driverless cars, lidar uses light beams to identify objects including traffic signs, motor vehicles, bicyclists and pedestrians.

Lidar is not a new technology, but engineers are racing to adapt it for automotive use, trying to shrink its size and lower its cost while improving its performance.

Levandowski is widely considered a top figure in driverless vehicle research. Whatever his personal attributes, his knowledge and experience will be hard to replace. Perhaps to compensate, Uber announced this month that it will expand its driverless car research program to Toronto, under Raquel Urtasun, also a highly regarded researcher. Some of the most important breakthroughs in artificial intelligence and machine learning in recent years have emerged from the University of Toronto.

As featured in the May 30, 2017 edition of The Los Angeles Times

Uber Pittsburgh Driverless Deal Sours

Things aren’t looking good for Uber after its driverless experiment in Pittsburgh soured relations with local authorities.

Surprised? Me neither.

The New York Times reports that the ride-sharing company didn’t fulfill their end of the bargain in terms of job creation in low-income neighborhoods. They also charged for driverless rides initially pitched to the city as a free “services for the public.”

Moreover, Uber failed to support Mayor Bill Peduto in his application for federal funding to improve transportation last year. Relations between CEO Travis Kalanick and the mayor soon went south:

When it came to what Uber and what Travis Kalanick wanted, Pittsburgh delivered. But when it came to our vision of how this industry could enhance people, planet and place, that message fell on deaf ears.

Kalanick courted Peduto with the benefits of driverless trials back in 2015. The NYT notes that this wooing period came about after Uber hired a number of talented experts away from the Carnegie Mellon University, much to the annoyance of faculty there.

Kalanick & co. say that their testing was beneficial to the area, creating 675 jobs and helping local facilities. Not that the rumblings of a few dissatisfied officials would stop Uber from achieving its goals. A company statement read:

Uber is proud to have put Pittsburgh on the self-driving map, an effort that included creating hundreds of tech jobs and investing hundreds of millions of dollars. We hope to continue to have a positive presence in Pittsburgh by supporting the local economy and community.

There are currently 60 vacancies being advertised for their Advanced Technology Group in Pittsburgh as of May 22. That is five more openings since Driverless previously reported on their recruitment drive there last month. But that doesn’t necessarily mean Uber are sourcing this talent from Pittsburgh, despite Kalanick’s initial promise.

Driverless have reached out to both Mayor Peduto and Uber for comment. Meanwhile, Grayson Brulte, the co-founder of Brulte & Company and Autonomous Tomorrow, said that both Pittsburgh and Uber were to blame for this fiasco in forgoing a written contract with each other. But he added that trust was the crux of the issue:

When it comes to autonomous vehicles, the biggest issue today is trust. In order to put an individual or a three-year-old in a driverless vehicle, you have to have trust. The way that the Uber/Pittsburgh relation is evolving, it’s eliminating trust.

If Uber said they were going to commit $25 million and it gave their word, honor your word. Don’t come up with an excuse like “we didn’t have enough time.” That’s nonsense. You give your word, you keep your word. And if it costs you $25 million to get good-will to operate in a city, then you do it. — Grayson Brulte

However, Brulte also highlighted that this was just “a bump in the road” in comparison to Uber’s ongoing lawsuit with Waymo.

As featured in Driverless on May 22, 2017