Thales Blog

Autonomous Cars Need Security Guidance

September 11, 2017

Thales | Cloud Protection & Licensing Solutions

The SELF DRIVE Act is steering its way through the U.S. Congress. Last week the House of Representatives passed this bill, which would provide car manufacturers and tech giants with exceptions to federal safety rules so that they could test as many as 100,000 experimental autonomous vehicles. It’ll now head to the U.S. Senate before it has a chance of becoming law.

Within the legislation are provisions on cybersecurity and privacy, two areas that have huge implications for how autonomous cars could affect our everyday lives.


The bill would require autonomous-car manufacturers to present a robust cybersecurity plan that would include, among other things:

  • how it would respond to a cyberattack or other unauthorized intrusions, including spurious vehicle control commands;
  • a process for identifying foreseeable vulnerabilities from cyberattacks;
  • a process for taking preventive or corrective action to such vulnerabilities;
  • a designated employee in charge of cybersecurity for highly automated vehicles;
  • a process for limiting access to automated driving systems; and
  • employee training on cybersecurity.

My take: The technology behind autonomous cars depends on connectivity with networks that provide real-time data on everything from global positioning to road conditions. While the concept of driverless cars has captured our imaginations, the reality is that more connectivity opens new and different pathways for cyberattacks.

We often see consumer manufacturers get caught up in rabid market demand before fully integrating comprehensive security measures into their hot products. In the case of autonomous cars, lives will literally be at stake, so we should ensure that security concerns are adequately addressed before it’s too late. The SELF DRIVE Act outlines sensible measures all manufacturers should take before we let any autonomous cars loose on our streets.



The SELF DRIVE Act would require manufacturers to tell consumers how they are gathering and using data on vehicle owners and occupants. However, manufacturers that de-identify, anonymize or encrypt this data are exempt from the privacy plan.

My take: Inherently, self-driving cars will create vast amounts of data. We know from other industries undergoing digital transformations that data is their single most valuable asset -- and sometimes their greatest liability. If autonomous car manufacturers don’t secure the data their cars collect with encryption or another de-identifying method, they will have a hard time convincing consumers that they won’t be the latest industry targeted by the crafty cyber criminals that are almost always one step ahead.

Self-driving cars will surely offer unparalleled convenience, but the security risks are too great for us not to examine what manufacturers need to do right now before consumers stoke a demand that’s too tempting to slow down.
