Start of main content

'Connected car' and cybersecurity: present and future

| News | Ciberseguridad / Litigation

Vicente Moret and Carlos Rodríguez explain that the automotive industry has to prepare and adopt strategies that comply with the numerous legal rules that make up the regulatory framework for cyber security at European and national level in order to avoid economic, legal and commercial consequences that can be triggered by a cyber attack

The deployment of 5G networks together with advances in artificial intelligence will make a profound transformation in mobility possible. One of the main consequences will be the exponential evolution of connectivity associated with the car, which will speed up the implementation of autonomous driving, making the car the most outstanding Internet of Things ("IoT") based device, not only because of its potential as an autonomous element, but also because of its role in the development of smart cities, and potentially also of smart homes or connected homes when the car is parked at our home.

A lot has been written about the economic, technological and even geopolitical spin-offs from this digital disruption, but perhaps the most topical is the cyber-security of connected vehicles themselves. Thus, for example, the recent attempt to hack into Tesla's factory would have meant a breach that could have affected the entire car fleet marketed by the company. It should be noted that the interactions of these connected vehicles mean the possibility of access to the most precious and private sphere of our family life: information kept in our telephone, home automation systems in our house. Our physical integrity can also be placed in the hands of a system that must obviously be stable and secure. Therefore, without prejudice to the fact that in our societies, which are in the midst of a digital transformation, the security of networks and systems must be a priority task, the truth is that in the case of autonomous vehicles, this concern for reinforcing cyber security is even more crucial.

In fact, the legal perspective is extremely broad, as issues such as legal liabilities arising from the malfunctioning of AI-based devices offer multiple questions that regulators will need to address. Thus, for example, in its White Paper on Artificial Intelligence of February 2020, the European Commission has dedicated an important part of the text to highlighting the multiple legal questions that hang over the autonomous vehicle in terms of the responsibilities derived from the operation of the algorithms on which it is based and the security of the enormous amount of data that is going to be generated. The Commission has therefore established the need to create a common space for mobility data, which particularly affects autonomous driving.

Added to this are ethical and other compliance aspects associated with AI use that are more acute in the case of the car, such as training data, data storage, information to be provided to the user, the robustness and accuracy of the system, or final human supervision. In short, the key factors applicable to all AI applications, such as facial recognition, are even more complex and important in the case of autonomous driving. 

Furthermore, the new European Regulation on Vehicle Safety, which will come into force in 2022, requires new cars to have a cyber security certificate to be marketed. This is the logical consequence of a single European market that aims to protect the consumer, clearly regulate the liability regime and at the same time does not limit research and investment. The sector must bear in mind that legal certainties in this area, both from the point of view of external regulatory compliance and from the internal point of view of procedures, are indispensable.

For this reason, many cyber-security companies are already developing products to secure these vehicles and it is clear that this is one of the concerns of the major manufacturers. ENISA itself, the EU's Cybersecurity Agency, has insisted on the need to strengthen the security of connected cars and has made this a priority in regulating the mandatory cyber security certification schemes it is currently developing. 

Within the convergence that is taking place between different regulatory fields, data protection and cyber-security, as ENISA has already explained in its recommendations, it would even be necessary to speak of a "cyber-security by design" where the regulatory impact of cyber-security would be included as an essential requirement to be taken into account in the manufacture of any part or part of a larger device associated with a connected car. In short, manufacturers and suppliers need to protect vehicles against cybersecurity threats and therefore the whole sector must introduce this variable from the very design of the vehicle, to its manufacture, the supply chain or the recharging systems. 

Although despite the popular belief that it is not true that crisis equals opportunity in Chinese culture, let us hope that it does in Spanish culture and at a time when the impact of the Covid has shaken the standards of much of the industry, and may be an opportunity for, among others, the Spanish automotive supplier industry. Having a "cyber security from design" in their processes and even obtain a certification that will be mandatory soon may be two great opportunities. 

This requires industry to adopt its own strategies that also comply with the numerous legal standards that make up the regulatory framework for cybersecurity at European and national levels. This regulatory compliance protects the company against the economic, legal and commercial consequences that may be triggered by a cyber-attack; among others, the damage that may be suffered by the systems or persons, the loss of data and relevant information or personal information affecting users, the cost of reputation, possible sanctions by the competent authority or possible legal liabilities of any kind that may be deduced.

Writers: Vicente Moret Millás. Andersen 'Of Counsel'. Counsel to the Cortes Generales. 

Carlos Rodríguez Sau. Partner in CSV Consulting

The article can be read in Expansión.

End of main content