The SELF DRIVE Act: Cybersecurity and Cars on Autopilot


The development of autonomous vehicles has been steadily progressing in recent years.[1] From advances in collision avoidance systems to the development of self-driving technologies, automakers have been working to increase the automation of cars, leading to a reduction in the risk of car accidents, which are primarily caused by human error.[2] Given the push towards developing self-driving technology in cars, the House of Representatives passed the Safety Ensuring Lives Future Development and Research in Vehicle Evolution (“SELF DRIVE”) Act, with the purpose of helping “ensure the safe and innovative development, testing, and deployment of self-driving cars across the country.”[3]

The SELF DRIVE Act includes three major components.[4] First, it prevents states from banning self-driving vehicles, and gives the National Highway Traffic Safety Administration (“NHTSA”) the authority to regulate self-driving vehicles as it does with “normal cars.”[5] Second, it grants “exemptions to existing safety standards for a company’s first 100,000 vehicles,” to promote and speed up the process of developing self-driving cars and getting them to market.[6] Finally, the SELF DRIVE Act mandates protections for consumer privacy and the prevention of cyberattacks on self-driving vehicles.[7]

Cyberattacks on self-driving vehicles may result in the vehicle being hacked, potentially creating dangerous situations in which the hacker controls the entirety of the car’s movements.[8] To prevent this, the SELF DRIVE Act requires that automakers set up “a process for identifying and mitigating ‘reasonably foreseeable’ vulnerabilities,” and “have cybersecurity managers, training, and intrusion prevention and response systems in place.”[9] Some claim that the cybersecurity requirements are overly vague and open to interpretation, leaving automakers to decide on their own what vulnerabilities are “reasonably foreseeable.”[10] However, given the rapid pace of technological advancement, the broad regulatory language is apt, as it leaves room for new technical approaches and cybersecurity countermeasures to be implemented without requiring a change to the law.[11]

Modern cars that lack self-driving capabilities are also susceptible to hacking.[12] Not only is there a concern that hackers can take over the locking system, steering, and brakes of a car,[13] but there is also a personal information security concern with cars to which a smartphone is connected.[14] When a smartphone is connected to a car, all of the user’s personal information recorded on the smartphone is accessible to hackers.[15] Although there has not been significant regulation of the cybersecurity of such cars,[16] automakers have taken the issue seriously and created the Automotive Information Sharing and Analysis Center (“Auto ISAC”) “to act as a clearinghouse for industry best practices” in relation to cybersecurity.[17] Both Auto ISAC and the NHTSA have released publications that set out best practices for automobile cybersecurity and provide detailed practices and policies for automakers to adopt in order to prevent hacks or information leaks.[18] With the transition to self-driving cars, whose cybersecurity risk is much higher, automakers will need to come up with “many dynamic solutions” and “multiple layers of security to make it as hard as possible for hackers to attack a car.”[19]

Today’s evolving technology makes our day-to-day lives much easier, but comes with an increasing vulnerability to cyberattacks.[20] With automakers working toward development of self-driving vehicles, many are worried about hackers accessing and taking control of these cars.[21] To promote the development of self-driving vehicles, the SELF DRIVE Act gives broad guidelines for cybersecurity programs, allowing for advanced cybersecurity measures to be implemented as they are established.[22] Given the broad language of the Act, automakers have the freedom to “create and test more [cybersecurity solutions]” and come to the “dynamic solutions” that will ensure our safety while autopilot-enabled cars drive us.[23]

[1] See Bob Latta, Op-Ed: The Road Ahead for Self-Driving Car Legislation, Eno Center for Transportation (Nov. 13, 2017),

[2] See id. (discussing how 94% of car accidents are attributable to human error, and that the automation of cars reduces the risks of such accidents).

[3] Id.; see also Aarian Marshall, Congress Unites (Gasp) to Spread Self-Driving Cars Across America, Wired (Sept. 6, 2017, 4:33 PM),

[4] See H.R. 3388: SELF DRIVE Act, GovTrack (Oct. 18, 2017),

[5] See id.; Marshall, supra note 3.

[6] H.R. 3388: SELF DRIVE Act, supra note 4; see also Marshall, supra note 3.

[7] See H.R. 3388: SELF DRIVE Act, supra note 4; Marshall, supra note 3.

[8] Cyberattacks may also manifest as hackers simply tricking the vehicle into making driving errors. See Keith Laing, Carmakers Grapple with Robot-Car Hacking Fears, The Detroit News (Nov. 15, 2017, 12:02 AM),

[9] Grant Gross, Self-Driving Car Bill Leaves Cybersecurity Rules Open to Interpretation, The Parallax (Sept. 18, 2017),

[10] See id.

[11] See id. Furthermore, the NHTSA, with the regulatory power it received through the SELF DRIVE Act, can require that specific processes be implemented to ensure the cybersecurity of self-driving vehicles. See id.; Marshall, supra note 3. This will give carmakers the guidance that may be necessary to ensure consumer safety while maintaining the flexibility of agency regulation. See Gross, supra note 9; Marshall, supra note 3.

[12] See Caroline Mortimer, Hackers Now Able to Take Control of Cars to Cause Deliberate Accidents, Scientists Warn, Independent (Nov. 21, 2017),; H.R. 3388: SELF DRIVE Act, supra note 4.

[13] See Mortimer, supra note 12.

[14] See Jamarlo Phillips, FBI: Car Hacking is Real and Dangerous, (Nov. 14, 2017),

[15] Id.

[16] Though there have been proposals for cybersecurity regulation of the “Internet of Things,” which would presumably include such “connected cars.” See Stephen Edelstein, U.S. Senate’s New Cybersecurity Bill Could make Connected Cars Safer, The Drive (Aug. 1, 2017),

[17] Chester Dawson, The Dangers of the Hackable Car, The Wall Street J. (Sept. 17, 2017, 10:08 PM),; see also Connected Cars and Self-Driving Cars: Not on Auto Pilot in Terms of Legal Risks, Shearman & Sterling LLP (Jul. 11, 2016),

[18] Chanley T. Howell, The Top Six Takeaways from Auto ISAC’s and NHTSA’s Cybersecurity Best Practices, Foley & Lardner LLP (Mar. 2, 2017),

[19] Bridget Clerkin, How Will We Ensure Security in a Self-Driving World?, (Sept. 21, 2017),

[20] See id.

[21] See id.; Laing, supra note 8.

[22] See Gross, supra note 9.

[23] See Clerkin, supra note 19.



Fordham Journal of Corporate & Financial Law