������Ƶ

On June 28, OTI and Public Knowledge filed a petition��for rulemaking on privacy, cybersecurity, and consumer protections for the 5.9 GHz band.��

Summary

In 1999, the Commission authorized an allocation of 75 MHz for “Dedicated Short-
Range Communication” (“DSRC”)4 Envisioned as part of a broader “Intelligent Transportation��Service” network that paralleled the emerging public Internet, the auto industry and the��Department of Transportation urged the FCC to adopt DSRC rules that enabled both��non-commercial life and safety applications, and commercial applications such as mobile payments��to gas stations, remote management of rental cars, and other undetermined commercial services.

Unfortunately, the Commission did not at that time consider the implications of DSRC��either for privacy or cybersecurity. The ability of DSRC units to monitor and report detailed��personal information about location and driving habits of individuals raise enormous concerns��for personal privacy. When coupled with storage of financial information and purchasing��information through future mobile payment applications, or the use of DSRC streaming��capability for delivering advertising or entertainment,��personal privacy grows exponentially.

Far more troubling, however, is the way in which the failure to impose adequate��cybersecurity��obligations on DSRC licensees and operators��threatens��the safety of our national��roadways. Over the last year, a number of high-profile hacking incidents have highlighted the��extraordinary vulnerability of cars to��cyberattacks. Hackers have demonstrated the ability to��seize control of braking, steering, and acceleration functions, which would allow a hacker to��remotely crash vehicles. One report from Intel chronicled 14 different ways a hacker can gain��access to a car’s operating system. In March 2016, the Federal Bureau of Investigation (“FBI”)��and the Department of Transportation (“DoT”) issued a joint Public Service Announcement��warning car owners about the increasing vulnerability of their cars to “remote exploits” (i.e.,��cyberattacks).

Even more troubling, Congressional reports have concluded that the car industry lacks��the capacity or the culture to respond effectively to these threats.��Markey Report found, the culture of the car industry encourages bad behavior on privacy, lax��cybersecurity,��discourages auto manufacturers from publicizing and sharing information on��potential vulnerabilities, and erects barriers to the ability of auto manufacturers to push out��timely cybersecurity updates.

To date, the one thing that has prevented��cyberterrorists��from creating a “car zombie��apocalypse” by infecting thousands of cars with malware designed to crash them into crowds or��one another has been the inability of cars to communicate with each other. As one expert��explained:��

“They haven’t been able to weaponize it. They haven’t been able to package it yet��so that it’s easily exploitable,” said John Ellis, a former global technologist fo��Ford. “You can do it on a one-car basis. You can’t yet do it on a 100,000-car��basis.”��

DSRC provides precisely this capability to “weaponize” the vulnerability of cars through��vehicle-to-vehicle communication (“V2V”). DSRC depends on high-speed, low-latency��communication between vehicles, and must be linked directly to critical functions like��acceleration, braking, and steering, in order to facilitate the supposed benefits to life and safety��brought about by DSRC. DSRC units provide an access route for malware to spread directly��from car to car, enabling hackers to steal the personal information of drivers and leaving cars��open to “ransomware” or coordinated terrorist attack. When combined with the impending��NHTSA mandate to require that all new model cars have DSRC units installed, the number of��cars capable of spreading malware will grow exponentially over time. Only by acting now,��before the auto industry can deploy any DSRC units, can the Commission adequately protect the��public.

Download the full comments below:��

��