Description
Attack surfaces are increasing as products are increasingly more connected. This has been acknowledged by the European Commission in their Europe: fit for the digital age strategy and in recent legislative proposals. Most importantly, the proposed Cyber Resilience Act sets minimum cybersecurity requirements for products with digital elements. These requirements range from effective and regular tests to the dissemination of free security updates in case of a cybersecurity breach. This should ensure a base level of cybersecurity throughout the product’s lifetime.Unfortunately, there is a catch: not all products with digital elements fall within the scope of the Cyber Resilience Act. For instance, vehicles are not subject to the proposed Act. The exclusion of this category of products with digital elements seems to be based on the premise that ‘the sectoral rules achieve the same level of protection as the one provided for by this Regulation’ (recital 14). This contribution is challenging this premise, as it explores the level of cybersecurity as laid down in the proposed Cyber Resilience Act and compares it to the level of cybersecurity ensured by the sectoral rules in vehicle regulation.
As vehicles become ever more connected in a push to develop self-driving cars, their attack surfaces also increase. Several instances of vehicle hacking have already made the headlines in recent years. Disengaging the brakes, taking over the steering and killing the engine of a car while driving have proven to be real dangers caused by the exploitation of a cybersecurity vulnerability. So, a cybersecurity breach of a vehicle can pose an immediate threat to life. The cybersecure state of a vehicle is therefore pivotal to road safety. Nevertheless, the regulation of cybersecurity in vehicles is left to the fora regulating traditional vehicle safety, such as seatbelts, airbags and tire pressure.
A possible consequence of the exclusion of vehicles from the Cyber Resilience Act is that the level of cybersecurity offered in vehicles might be lower than that of the level of cybersecurity of products with digital elements that fall within the Act’s scope. Could this mean that your smartphone is going to be more cybersecure than your car?
Period | 19-Apr-2024 |
---|---|
Event title | BILETA annual conference 2024: Digital and Green: Twin Transitions? |
Event type | Conference |
Location | Dublin, IrelandShow on map |
Degree of Recognition | International |