Connected and vulnerable: cybersecurity in vehicles

Abstract

Back in 2015, two hackers hacked a Jeep Cherokee, wirelessly gaining access to the controls of the vehicle through the vehicle’s entertainment system. The hackers slowed the vehicle down on a highway. Remarkably, this did not result in accidents. This did, however, illustrate the already existing cybersecurity risks of vehicles and their threat to road safety, thereby making legislators aware of these dangers. Recently, several legislative steps were made to improve the cybersecurity in vehicles. As cybersecurity enters the realm of road safety, it is necessary to identify the key principles for cybersecurity in vehicles. The current legal framework is discussed in light of these principles, identifying gaps in the current legal framework for cybersecurity in vehicles. As this contribution argues, the focus of the current legislative measures focuses predominantly on the ‘first line of defence’. These measures aim to prevent unauthorised access to the vehicle’s systems, but fail to identify the steps necessary to limit the damage that can be done if this first line of defence is breached and unauthorised access is gained. Moreover, other identified cybersecurity principles are not adequately ensured. In addition, the fragmentation of the current legal framework in itself gives rise to concerns.