The correct public policy response is implicit in this very good Wired article describing the whole thing. “Automakers need to be held accountable for their vehicles’ digital security,” writer Andy Greenberg says, quoting auto hacker Charlie Miller thus: “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers.”
That’s two very important consumer protection systems in a couple of brief sentences: In one, carmakers suffer lost sales if their cars are hackable or perceived as such. The market feedback system—including the article itself—causes automakers to work to make their cars less hackable.
In the other, carmakers suffer monetary damages if their cars are actually hacked in ways that cause injury. The common law tort system causes automakers to work to make cars less hackable. (I don’t know if this is what Greenberg had in mind for accountability, but it’s the legal accountability that’s already in place.)
Yes, these systems cause carmakers to seek to control perceptions of hackability and to deny responsibility when a harmful hack occurs. But on the whole they promote good behavior on the part of automakers, and safety for drivers.
Speaking of the common law, we are on the threshold of a sea change in how liability for software defects is apportioned by contract. Software has typically been sold or licensed without any guarantee of its fitness, letting the risk of software failures fall entirely on the purchaser. That model can’t apply where failures are dangerous, such as in driving controls and many implanted medical devices. There, software sellers are liable for failure.
As software grows more secure and in applications where successful functioning is important, liability for flaws will shift to sellers. That should generally happen at the pace buyers demand, based on their willingness to pay.
As is typical, it is not the market processes and common law already husbanding automakers’ behavior that get the attention in Greenberg’s article. He writes of new legislation that would “set new digital security standards for cars and trucks.” Senators Markey (D-MA) and Blumenthal (D-CT) undoubtedly want drivers to be protected. What is open to question is whether any group of politicians in Congress and lawyers in federal agencies can set standards better than the myriad actors in the marketplace, allocating risks according to their desires and needs, under common obligations to protect others from harm.