26–27 September 2017

Tokyo, Japan

Life imprisonment for car hacking. Is that a good idea?

Lawmakers in the US state of Michigan are now so worried about car hacking that they’ve proposed making it punishable by life in prison.

Michigan Senators Ken Horn and Mike Kowall have proposed a cybersecurity bill aimed at hackers and connected and autonomous cars. While Senate Bill 928 sets out the type of crime and corresponding sentencing guidelines for car hacking, Senate Bill 927 spells out that car hacking will be a felony. The legislation says car hacking will be punishable by life in prison.

Automotive News quoted Kowall as saying, “I hope that we never have to use it. That's why the penalties are what they are. The potential for severe injury and death are pretty high. Some of these people are pretty clever. As opposed to waiting for something bad to happen, we're going to be proactive on this and try to keep up with technology.”

Sounds sensible. Critically, though, the wording of the bill would appear to outlaw any form of ethical hack executed without the express permission of the owner or the manufacturer:

“A person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to wilfully destroy, damage, impair, alter, or gain unauthorized control of the motor vehicle”

Wait a minute! Nobody wants a future in which hackers are taking control of and crashing cars for mischief or criminal ends. The penalties for wilfully endangering the lives of innocent people must be as severe here as they are in other spheres of industry or life. But if security researchers can’t probe for vulnerabilities without the possibility of facing felony charges, surely we’re all less safe?

Would we have been better off not knowing that it was possible to remotely take control of a Jeep as it drove along a highway? The history of IT security thus far strongly suggests that we need openness to discover the flaws and vulnerabilities that lead to compromised safety for users.

Louis Brandeis, Supreme Court Justice (and the man who, arguably, did more than anyone to define modern notions of the individual right to privacy), put it rather better a century ago:

“Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is the best of disinfectants”

Let’s hope the US Senate is able to come up with legislation that can more sharply discriminate between threat actors with malicious or reckless intent and those upon whom we sometimes have to rely to expose some of the more tired and lazy engineering that might just lurk within the vehicles we buy.