The National Highway Traffic Safety Administration (NHTSA) is recommending that the automotive industry strike a balance between the need for cybersecurity and “third party serviceability” of new vehicles, addressing the data access question that is at the heart of the new “right to repair” movement.
The recommendation is one of many included in “Cybersecurity Best Practices for the Safety of Modern Vehicles,” an update to the federal agency’s 2016 guidance for addressing a range of cybersecurity issues.
NHTSA acknowledges that striking a balance between cybersecurity and third-party access to data is difficult, but advises that both should be priorities for the OEMs.
“The automotive industry should provide strong vehicle cybersecurity protections that do not unduly restrict access by alternative third-party repair services authorized by the vehicle owner,” the document states.
“NHTSA recognizes the balance between third party serviceability and cybersecurity is not necessarily easy to achieve. However, cybersecurity should not become a reason to justify limiting serviceability. Similarly, serviceability should not limit strong cybersecurity controls.”
Because “An average motor vehicle remains on the roads for over a decade and needs regular maintenance and occasional repair to operate safely while in service,” the agency said, “[t]he automotive industry should consider the serviceability of vehicle components and systems by individuals and third parties.”
The section is expanded from the 2016 version, but similar in approach. That document recommended that the industry “should provide strong vehicle cybersecurity protections that do not unduly restrict access by authorized alternative third-party repair services.” The earlier version made no mention of owner authorization.
“As vehicle technology and connectivity develop, cybersecurity needs to be a top priority for every automaker, developer, and operator,” NHTSA Administrator Steven Cliff said in a statement accompanying the document. “NHTSA is committed to the safety of vehicles on our nation’s roads, and these updated best practices will provide the industry with important tools to protect Americans against cybersecurity risks.”
NHTSA said the 2022 Cybersecurity Best Practices “leverage agency research, industry voluntary standards, and learnings from the motor vehicle cybersecurity research over the past several years…. Though the document is non-binding, it contains important best practices that will influence the industry going forward.”
The publication comes as the Massachusetts “right to repair” case appears to be drawing to a close. That case is a challenge by the Alliance for Automotive Innovation (AAI), representing the OEMs, to legislation approved by voters in 2020.
Under Section 2 of the new Massachusetts Data Access Law, any OEM that sells a vehicle in the state that utilizes a telematics system “shall be required to equip such vehicles with an inter-operable, standardized and open access platform across all of the manufacturer’s makes and models.” The legislation became effective with the 2022 model year.
AAI claims that, among other things, the deadline was impossible to meet, and that OEMs could not comply with the law without violating federal safety and environmental laws.
The federal judge in the Massachusetts case, Douglas P. Woodlock, has been critical of a lack of direction from NHTSA on the issue of vehicle cybersecurity. When an attorney for AAI noted that the agency said during trial that the disputed law “might require them to step in,” Woodlock responded that NHTSA had been “reluctant debutante.”
“What we got was a Zen koan, or perhaps the Oracle at Delphi, telling us what the role of NHTSA would be. What you got was them saying, ‘We’re concerned.’ Aren’t we all,” Woodlock said.
In Maine, proponents of similar automotive right-to-repair legislation have filed paperwork for a statewide referendum in 2023.
The right-to-repair issue will also be studied by the U.S. Government Accountability Office (GAO). A spokesman for the agency told Repairer Driven News in June that the work would begin in about six months.
The study comes at the request of U.S. Rep. Jan Schakowsky, chairwoman of the Consumer Protection and Commerce Subcommittee, who said federal agencies need guidance on how to balance wider access to data with cybersecurity concerns.
The GAO, sometimes referred to as the “congressional watchdog,” is an independent, nonpartisan investigative agency.
“It is critical that the Federal government ensure consumers have choice in how they repair their vehicles. However, as vehicle technology continues to evolve, ensuring consumers’ right to repair may be complicated by the intersection of other important interests, such as cybersecurity and the impact of copyright protection and exemptions,” the Illinois Democrat said in a letter to Comptroller General Gene Dodaro.
Under the 2014 memorandum of understanding (MOU) between American OEMs and the aftermarket, “which many believe has been successful,” the OEMs agreed to provide independent shops and vehicles owners with the same diagnostic and repair information available to dealers, Schakowsky said.
The MOU was cited by the Federal Trade Commission in its “Nixing the Fix” report, released in May 2021, as having the effect of creating “a broad, if not complete, right to repair in the automotive industry across the United States.”
That memorandum, however, predated the use of telematics to transmit vehicle data to manufacturers, Schakowsky said. “The data transmitted to manufacturers includes those used for diagnostic and repair purposes—potentially undermining the industry’s self-regulation of right to repair via the 2014 memorandum,” she said.
Featured image by metamorworks/iStock