Pen testing? Vulnerability scanning? The U.S. Senate’s newest member shows that he can ask the tough questions on privacy and data security. It’s about time.
The technical aptitude of our elected representatives - or the lack of it – is so pronounced that it has become the butt of jokes. Long after the late Alaska Senator Ted Stevens inaptly likened the Internet to a “series of tubes” in 2006, congressmen and women continue to exhibit head-slapping ignorance about topics (like online advertising) that (in theory) they are making laws to govern.
That’s why it was so refreshing to read a letter from one of the newest members of the U.S. Senate, Massachusetts’ junior senator Ed Markey(@EdMarkey), on the topic of security and connected vehicles.
Markey’s letter was sent out this week, addressed to 20 automakers including GM, Ford, Chrysler, Tesla and the North American subsidiaries of foreign firms like Toyota, Subaru, and BMW. It addressed a topic that’s still in its early days: connected vehicles that can interact with the Internet, the road, and each other through a host of small, embedded sensors.
While the media is fixated on the still distant (but cool) prospect of autonomous vehicles like Google’s self-driving car, Markey’s letter suggests that the attention of at least one lawmaker is seeing the forest for the trees. Namely: the need for robust vehicle security policies” to ensure driver safety and privacy in an age of more-automated and connected transportation.
While too many of Markey’s’ colleagues on Capitol Hill are still trying to get the facts straight on whether or not Google’s AdWords advertising platform is or is not kinda-sorta the same thing as NSA’s mass-surveillance programs like BULLRUN (nice try), Markey is posing the kinds of questions that suggest he (or someone advising him) has a nuanced appreciation of the complexity of the security and privacy raised by connected cars and, more broadly, the Internet of Things.
Among Markey’s questions to automakers are inquiries about the presence of wireless sensors on late model vehicles and the ability of external actors to gain access to critical automobile components by way of those sensors. Markey asked pointed questions about the internal processes car makers are using to vet the security of internal and third party components such Bluetooth and other wireless technologies, GPS, and sensors that power tire pressure monitors and other features. Markey wants to know what kind of internal and third party testing automakers do on vehicles before they are sold to consumers and how well those vehicles are secured against remote attack, unauthorized intrusions or the introduction of malicious code.
Importantly, Markey has asked automakers for specific information on the recent history of software-only fixes for problems named in official recalls (suggesting that the problem itself may have been software based). Going the next step, he asks them to describe the measures they have taken to secure those features from abuse by malware authors or other malicious actors.
The letter comes at an important time. As I’ve noted, a growing Internet of Things “lobby” is already marshaling to resist federal regulations that are perceived as threatening to growth. At a recent workshop hosted by the FTC in Washington D.C. a panel on “Connected Vehicles” saw a noted researcher Tadayoshi Kohno of the University of Washington square off with Christopher Wolf of the technology industry-backed Future of Privacy Forum.
Kohno’s argument, echoing Markey’s concerns, was that the sophistication and density of computers and wireless sensors in modern vehicles created the potential for malicious actors to remotely attack and control them – potentially in ways that could cause harm or death. Wolf countered that the safety and health benefits of features like GPS sensors, remote monitoring, and control and crash detection systems far outweighed the dangers. A Tesla owner apparently, Wolf trumpeted the recent update to his vehicle that automatically adjusted the suspension of the vehicle to reduce the chance of fires.
Of course, “safety vs. privacy” or “safety vs. security” are false dichotomies. Markey, a member of the Commerce, Science, and Transportation Committee, seems to get it – as perhaps no other elected representative does.
Markey is no technology whiz kid from Massachusetts’ Route 128 “Silicon Highway” or the hip warrens of startups surrounding MIT. Before ascending to the Senate in a special election in June to replace Sen. John Kerry, he spent more than 30 years as a Representative from Massachusetts in the House. He comes from a working class family and, as was noted during his campaign for the Senate, Markey has hardly any professional experience outside of public office.
What has been constant, however, is Markey’s track record as a strong consumer advocate and a strong backer of consumer privacy protections. These days, you can’t pretend to represent those issues without gaining a deep familiarity with technology – whether it be mobile phones, web-based email or connected cars – and surrounding yourself with people who know what they’re talking about. Like too few of his colleagues, Markey appears to have done that. It will be exciting to see what he’s able to do from his new post in the U.S. Senate!