b"<html>\n<title>THE INTERNET OF CARS</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n                          THE INTERNET OF CARS\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                    TRANSPORTATION AND PUBLIC ASSETS\n\n                                AND THE\n\n                 SUBCOMMITTEE ON INFORMATION TECHNOLOGY\n\n                                 OF THE\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           NOVEMBER 18, 2015\n\n                               __________\n\n                           Serial No. 114-55\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n         Available via the World Wide Web: http://www.fdsys.gov\n                      http://www.house.gov/reform\n                                  ______\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n97-974 PDF                     WASHINGTON : 2016 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. 
Government Publishing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n\n              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                     JASON CHAFFETZ, Utah, Chairman\nJOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, \nMICHAEL R. TURNER, Ohio                  Ranking Minority Member\nJOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York\nJIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of \nTIM WALBERG, Michigan                    Columbia\nJUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri\nPAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts\nSCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee\nTREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia\nBLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania\nCYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois\nTHOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois\nMARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan\nRON DeSANTIS, Florida                TED LIEU, California\nMICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey\nKEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands\nMARK WALKER, North Carolina          MARK DeSAULNIER, California\nROD BLUM, Massachusetts              BRENDAN F. BOYLE, Pennsylvania\nJODY B. HICE, Georgia                PETER WELCH, Vermont\nSTEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico\nEARL L. 
``BUDDY'' CARTER, Georgia\nGLENN GROTHMAN, Wisconsin\nWILL HURD, Texas\nGARY J. PALMER, Alabama\n\n                    Sean McLaughlin, Staff Director\n                 David Rapallo, Minority Staff Director\nMichael Kido, Staff Director, Subcommittee on Transportation and Public \n                                Assets\n   Troy Stock, Staff Director, Subcommittee on Information Technology\n                           Sarah Vance, Clerk\n\n             Subcommittee on Transportation & Public Assets\n\n                     JOHN L. MICA, Florida, Chairman\nMICHAEL R. TURNER, Ohio              TAMMY DUCKWORTH, Illinois, Ranking \nJOHN J. DUNCAN, JR., Tennessee           Member\nJUSTIN AMASH, Michigan               BONNIE WATSON COLEMAN, New Jersey\nTHOMAS MASSIE, Kentucky              MARK DESAULNIER, California\nGLENN GROTHMAN, Wisconsin, Vice      BRENDAN F. BOYLE, Pennsylvania\n    Chair\n\n                 Subcommittee on Information Technology\n\n                       WILL HURD, Texas, Chairman\nBLAKE FARENTHOLD, Texas, Vice Chair  ROBIN L. KELLY, Illinois, Ranking \nMARK WALKER, North Carolina              Member\nROD BLUM, Iowa                       GERALD E. CONNOLLY, Virginia\nPAUL A. 
GOSAR, Arizona               TAMMY DUCKWORTH, Illinois\n                                     TED LIEU, California\n\n                            C O N T E N T S\n\n                              ----------                              \nHearing held on November 18, 2015\n\n                               WITNESSES\n\nMr. Nat Beuse, Associate Administrator, Vehicle Safety Research, \n  National Highway Traffic Safety Administration, U.S. Department \n  of Transportation\n    Oral Statement\n    Written Statement\nMr. Harry M. Lightsey, III, Executive Director, Global Connected \n  Customer Experience, Global Public Policy, General Motors \n  Company\n    Oral Statement\n    Written Statement\nMr. 
Sandy Lobenstein, Vice President, Connected Services and \n  Product Planning, Toyota Motor Sales, USA\n    Oral Statement\n    Written Statement\nMr. Diarmuid O'Connell, Vice President of Corporate and Business \n  Development, Tesla Motors, Inc.\n    Oral Statement\n    Written Statement\nMr. Dean C. Garfield, President and CEO, Information Technology \n  Industry Council\n    Oral Statement\n    Written Statement\nMs. Khaliah Barnes, Associate Director, Administrative Law \n  Counsel, Electronic Privacy Information Center\n    Oral Statement\n    Written Statement\n\n                                APPENDIX\n\nLetter from Consumer Technology Association\n\n                          THE INTERNET OF CARS\n\n                              ----------                              \n\n                      Wednesday, November 18, 2015\n\n                  House of Representatives,\n Subcommittee on Transportation and Public Assets, \n        joint with the Subcommittee on Information \n                                        Technology,\n              Committee on Oversight and Government Reform,\n                                                   Washington, D.C.\n    The subcommittees met, pursuant to call, at 2:00 p.m., in \nRoom 2154, Rayburn House Office Building, Hon. John L. 
Mica \n[chairman of the Subcommittee on Transportation and Public \nAssets] presiding.\n    Present from the Subcommittee on Transportation and Public \nAssets: Representatives Mica, Amash, Duckworth, DeSaulnier, and \nBoyle.\n    Present from the Subcommittee on Information Technology: \nRepresentatives Hurd, Farenthold, Walker, Blum, Kelly, \nConnolly, and Lieu.\n    Also Present: Representative Chaffetz.\n    Mr. Mica. Good afternoon. I'd like to welcome everyone to \nthe Subcommittee on Transportation and Public Assets and also \nthe Subcommittee on Information Technology hearing today. And \nthis meeting will come to order. Without objection, the chair \nis authorized to declare at any time a recess.\n    The order of business will be as follows. Since we have a \njoint subcommittee hearing today, we'll have opening statements \nfrom myself, Mr. Hurd, Ms. Duckworth, Ms. Kelly. And after that \nwe will hear from our witnesses. And then--well, after we have \nheard from all the witnesses we'll go into questions.\n    So with that, I'll give the first opening statement. And, \nagain, welcome everyone.\n    It's interesting the age that we live in of new technology \nand communications. With all of the incredible technology that \nwe see and take for granted every day, we're entering a new era \nin transportation technology. And there's some of the older \npanelists or members and audience will remember when you used \nto open the hood of a car and you could take out the various \nparts, identify everything. Now you need almost a Ph.D. degree \nto figure out what's in there, and its capabilities are just \nastounding. A lot of safety features in cars we didn't have \nbefore.\n    But we today are going to address the issues relating to, \nagain, what we call the Internet of Cars and look at some of \nthe implications of that technology. And I think some of this \nwas highlighted just some time ago when, I guess it was a Jeep \nvehicle was hacked. 
And fortunately it wasn't folks who chose \nto do harm, but it did demonstrate that vehicles with certain \ntypes of electronic capability can, in fact, be hacked, and it \ndoes pose some questions.\n    We've called together today leaders of industry and some \nothers. We have NHTSA. But I particularly want to thank the \nprivate sector partners.\n    Several weeks ago we had a roundtable and an open and frank \ndiscussion of kind of where we are and where we're going and \nwhat the industry's doing to deal with some of these issues. \nAnd I think they've been most cooperative and I appreciate \nthat. And we learned a lot from that particular informal \nmeeting.\n    Today is a little bit more formal. We do have a lot that we \ncan--a lot of benefits too. In 2010, there were 1.2 million \ndeaths on the world's highways. The United States, some 10 \nyears ago, we had 43,000 deaths. We have taken that down to \n33,000. And there are a lot of positive things that have been \ndone, again through safety, technology, warning systems, a \nwhole host of electronic devices now in our vehicles that make \nus safer.\n    The positive economic benefit from connected vehicles is \nestimated to be $500 billion. And we want to ensure that the \nelectronic systems we have in these vehicles can't be hacked, \nthat, in fact, that we have safety provisions put in and \nprotections for the consumer and for the public.\n    In 2012, when I helped author the MAP-21 bill, we directed \nthe National Highway Traffic Safety Administration to complete \na review and ultimately determine the needs for safety in \nvehicles and electronic systems. We'll hear from some folks \ntoday where they are in the requirement that we crafted and put \nin that bill. We're now a year and a half past the deadline we \nset in law.\n    Automakers have fortunately been setting their own \ncybersecurity standards, which is the good news. 
The bad news \nis that we have a lot of variety and people going in different \ndirections. While the National Highway Traffic Safety \nAdministration continues to move forward mandating dictated \nshort-range communication devices in cars, we must make certain \nthat this technology hasn't been surpassed by the next best \nthing that's coming up, and advances in technology are rapid.\n    We've spent over $500 million on testing just this \ntechnology that was discovered in 1999. And in 1999 the state \nof the art for some of our communications was the flip phones. \nAnd we've come a little bit further from that.\n    So while I fully support connected vehicle technology and \nhelp with its advancement, in the future we'll see vehicles \nthat can talk to each other, we'll see safety provisions in \nvehicles that will make cars safer and more reliable and have a \nwhole host of features that will benefit the consumer and the \ntraveling public. But we must be able to allow a bridge to get \nto that environment as the new technologies come to light while \nremaining cognizant of the need for consumer privacy.\n    So this afternoon I look forward to hearing testimony from \nour potential witnesses. And I pledge to work collaboratively \nwith everyone here on this side, both sides of the aisle, and \nwith the industry. I think we're entering a new exciting era, \nbut we want to be ready for it.\n    Let me now recognize Ms. Duckworth, the ranking member of \nthe Subcommittee on Transportation and Public Assets, for her \nopening statement.\n    Ms. Duckworth. Thank you, Chairman Mica. And welcome both \nto Chairman Hurd and Ranking Member Kelly. Welcome also to our \nwitnesses.\n    Today there are an estimated 5 billion devices that make up \nthe ecosystem that we call the Internet of Things. It's not \njust Fitbits, smartphones, and baby monitors that communicate \nover the Internet. 
Our motor vehicles are computers on wheels \nthat rely on the same methods of communication. And as we've \nseen too many times, computers and computer networks are \nregularly the victims of hackers.\n    We've already mentioned the July instance this year when a \nvehicle was hacked. Less than a month later from that instance \na researcher demonstrated how vulnerabilities in a different \nmanufacturer's vehicle could also let hackers learn the owner's \nhome address, steal credit card information, and much more.\n    So far there have been no known incidents of malicious \nattempts to hack vehicles. But I have to ask the witnesses here \ntoday, is that because the overall security of the vehicle \ncomputers is that good or have we simply been that lucky?\n    Congress gave the National Highway Transportation Safety \nAdministration the responsibility to regulate cybersecurity in \nvehicles. But manufacturers and suppliers are in the best \nposition to identify weaknesses in their own products. Ensuring \nthe cyber safety of cars, vans, trucks, and motorcycles on the \nnearly 4 million miles of roads that crisscross the United \nStates requires partnership of government, industry, and \nresearchers. Each has an important role to play.\n    That's why I find it especially troubling that, according \nto Bloomberg, one of the automobile manufacturers involved in \nthe July hack waited 18 months--18 months--to tell Federal \nsafety regulators about the security flaw, while the other \nmanufacturer reportedly knew about this vulnerability for 5 \nyears.\n    Those failures by manufacturers to report cybersecurity \nvulnerabilities to the Federal Government undermine the \npartnership that is necessary to protect the public safety from \ncybersecurity threats. 
That is simply unacceptable.\n    As Transportation Secretary Foxx said in May, ``Connected \nautomated vehicles that can sense the environment around them \nand communicate with other vehicles have the potential to \nrevolutionize road safety and save thousands of lives.'' I \nagree with him.\n    I look forward to examining these issues in more detail and \nthank the chairman for bringing this hearing. Thank you.\n    Mr. Mica. Thank you, Ms. Duckworth.\n    I'd now like to recognize Mr. Hurd, who chairs the \nSubcommittee on Information Technology, for his opening \nstatement.\n    Mr. Hurd.\n    Mr. Hurd. Thank you, Chairman Mica.\n    Today's hearing is one of a series of hearings the IT \nSubcommittee intends to hold on emerging technologies. And we \nare proud to join with you and the Transportation Subcommittee \nhere today.\n    My first car was a Toyota 4Runner, and I liked to call \nher Shirley Marie. I got her in the summer of 2000 and had the \ncar up until the summer of 2013. We had a lot of adventures \ntogether, but one thing she couldn't do was connect to the \nInternet.\n    And flash forward to 2020. Gartner forecasts that about one \nin five vehicles on the road worldwide will have some form of \nwireless network connection by 2020, amounting to more than 250 \nmillion connected vehicles. A recent study by the McKinsey \nGlobal Institute predicts that the Internet of Things, which \nincludes the Internet of Cars, could have a total potential \neconomic impact of between $4 and $11 trillion by 2025. The \nreport further states that the hype around the Internet of \nThings may actually understate the full potential.\n    I agree. The hype likely does understate the full \npotential, but only if policymakers, industry, consumers, \nprivacy advocates, and other stakeholders understand where real \nvalue can be created and focus on supporting innovation and \ncybersecurity and privacy best practices. 
I worry that \novereager regulators in Congress will overreact to a stunt hack \nwith restrictive regulations and heavy-handed legislation.\n    I look forward to hearing from our witnesses from the \nautomotive industry today on what steps they are taking \nproactively to secure their connected vehicles and protect \npeople's safety as well as their privacy.\n    I look forward to hearing from Mr. Garfield on what the \nmany innovative companies he represents are doing to ensure the \nsame, that people are safe, that their information is secure, \nso that they can be confident and embrace the benefits offered \nby connected vehicles.\n    And I look forward to hearing from Mr. Beuse on what NHTSA \nis doing to achieve the highest standards of excellence in \nmotor vehicle and highway safety while staying strictly within \ntheir statutory authority and taking care not to hamper \ninnovation.\n    I yield back.\n    Mr. Mica. Thank you, Mr. Hurd.\n    And I'm pleased now to recognize Ms. Kelly, who is the \nranking member of the Subcommittee on Information Technology.\n    Welcome again, and you're recommended.\n    Ms. Kelly. I thank Chairman Hurd and Chairman Mica, as well \nas Ranking Member Duckworth and our witnesses for today's \nimportant conversation.\n    Today's cars have been dubbed computers on four wheels. \nThey gather and store a vast array of personal information \nabout their drivers, affording greater convenience and safety, \nbut also greater erosion of privacy and security. Our \nautomakers, as they long have, are inventing new technologies \nthat have made the driver's experience more enjoyable and \nefficient. Over-the-air and vehicle-to-vehicle technologies, \nthings that were once only science fiction, can save lives and \nhelp prevent accidents.\n    But with great innovation comes new questions over security \nchallenges and how data is stored and used. 
As the number of \nInternet-connected cars grows, so too does the threat of \nvehicle hacking. If cars are going to store personal sensitive \ninformation about where the driver lives, the route the driver \ntakes to get there, and where the driver stops along the way, \nthere should be assurances that the information is stored \nsecurely and protects the identity of the driver.\n    Our subcommittee's review of previous cyber attacks on \ngovernment and corporate computer networks revealed that the \nsame vulnerabilities show up time and time again. The \ninterconnectivity of seemingly unrelated parts of the networks \nmakes it substantially easier for a hacker to move through a \nnetwork and locate sensitive personal information.\n    But it's not just computer systems that lack segmentation. \nSeemingly unrelated components of Internet-connected cars do as \nwell. A modern car's brakes can talk to its radio. The radio \ncan tell whether the doors are locked and the doors know \nwhether the windshield wipers are on.\n    One of the key topics of today's hearing for me is whether \nthe auto industry is designing cars with operating systems that \nsecurely store personal and technological innovation, I'll be \nfocused on how automakers, Congress, and regulators can work \ntogether to secure our vehicles from malicious attacks and \nprotect Americans and their data.\n    I thank our witnesses for their participation today and \nlook forward to hearing your thoughts on how we can achieve \nthis goal.\n    Chairman Hurd, Chairman Mica, I'd like to yield the \nremainder of my time to the gentleman from California, \nRepresentative Lieu.\n    Mr. Lieu. Thank you, Ranking Member Kelly, for yielding the \ntime.\n    And thank you, Chairman Mica, Chairman Hurd, and Ranking \nMember Duckworth, for calling this important hearing.\n    The Internet of Things brings technology and connectivity \ninto every corner of our lives, including our cars. 
With the \npervasiveness of technology, cybersecurity standards and \nprivacy protections become more important than ever. Unlike \nother sectors, security and privacy by design are not yet fully \nengrained in automotive manufacturing culture, as evidenced by \nthe news regarding cars' cybersecurity issues with wireless \nentry keys and hacks of cars.\n    However, regulation can be slow, rigid, and discourage \ninnovation if done wrong. Rushing to regulation is not, in my \nopinion, the answer, but neither is a lack of accountability or \nstandards. The advances that the industry has made in the past \nyear, such as setting up an Information Sharing and Analysis \nCenter and a set of enforceable privacy principles, have been \ndone in part because of public and government pressure.\n    The Security and Privacy in Your Car Study Act, also known \nas the SPY Car Study Act, a bipartisan bill cosponsored by \nCongressman Joe Wilson and myself, is a step in bringing \nindustry advocates and government together to strike a balance \nbetween innovation and consumer protection.\n    I serve on Active Duty in the military. I'm still in the \nReserves, and I'm trained to think about worst-case scenarios. \nSo there are three overarching scenarios and questions I'd like \nto pose to the panel. Hopefully during the time today you might \nbe able to answer it.\n    The first is, is it possible now or in the future for a \nhacker to remotely take control of a car and use it either as a \nweapon or cause an accident?\n    Second, is it possible now or in the future for a hacker to \ntake control of a fleet of cars and use them as weapons or \ncause accidents?\n    And then, third, is it possible for a hacker now or in the \nfuture to take partial control over cars? So let's say you're \ngoing down a highway at 60 miles per hour and suddenly the \nbrakes go on without your knowledge thereby causing an \naccident. 
And I'd be curious to know if, one, those are \ntheoretical possibilities, and then, second, if so, what can be \ndone to mitigate that aspect.\n    Americans have a right to drive cars that are safe and to \nkeep their information about their daily lives private. I look \nforward to hearing the testimony from today's panel of \nwitnesses and look forward to asking additional questions on \nthis issue of public importance.\n    Thank you. And I yield back.\n    Mr. Mica. Thank the gentleman.\n    Since there are no other statements, any other members have \nany quick statements?\n    Okay. Then the chair will hold the record open for 5 \nlegislative days for any member who'd like to submit a written \nstatement.\n    Mr. Mica. Let's turn now to recognizing our panel of \nwitnesses. I'm pleased to welcome first Nat Beuse, who is the \nassociate administrator, vehicle safety research, at the \nNational Highway Traffic Safety Administration at the United \nStates Department of Transportation. Mr. Harry Lightsey, who's \nthe executive director of global connected consumer experience \nand global public policy at General Motors Company. Mr. Sandy \nLobenstein, and he is the vice president of connected services \nand product planning at Toyota Motor North America. And Mr. \nDiarmuid O'Connell, and he is vice president of corporate and \nbusiness development at Tesla Motors, Inc. Mr. Dean Garfield, \nhe is the president and CEO of the Information Technology \nIndustry Council. And finally, Ms. Khaliah Barnes, and she is \nthe associate director and administrative law counsel at the \nElectronic Privacy Information Center.\n    So welcome all of our witnesses. I might tell you too in \nadvance that I'll swear you in, in just a second. And we also \ntry to get you to limit your statement, your verbal statement \nbefore the committee to 5 minutes. 
You can ask through the \nchair to have additional information or data put into the \nrecord.\n    So with that, we are an investigative and oversight \ncommittee and subcommittees of Congress. If you'd please stand \nand I'll swear you in. Raise your right hand.\n    Do you solemnly swear or affirm that the testimony you are \nabout to give before this joint subcommittee meeting of \nCongress is the whole truth and nothing but the truth?\n    Let the record reflect that all the witnesses answered in \nthe affirmative.\n    Thank you. Be seated.\n    Okay. We'll go right to our witnesses. And let me start \nfirst with Mr. Beuse. Welcome him again, and all of you, and \nthank you for your cooperation today. And he is the \nadministrator of the vehicle safety research at the National \nHighway Traffic Safety Administration.\n    Welcome, and you're recognized, sir.\n    And you all bring the mics up as close as you can so we can \nhear you.\n\n                       WITNESS STATEMENTS\n\n                     STATEMENT OF NAT BEUSE\n\n    Mr. Beuse. Good afternoon, Chairmen Mica and Hurd, Ranking \nMembers Duckworth and Kelly, and members of the subcommittees. \nI appreciate this opportunity to testify about how the National \nHighway Traffic Safety Administration, or NHTSA, is addressing \nemerging challenges associated with new connected vehicle \ntechnologies.\n    In 2013, there were over 5.7 million vehicle crashes in the \nUnited States that resulted in 32,719 deaths. The consequences \nof these crashes ranged from personal tragedies that will \nimpact individual families forever to the billions in economic \ndollars that we can actually measure.\n    NHTSA's mission is to address these crashes and the \nincreasing use of connected and automated vehicle technologies \nwe believe can help us do that. 
When combined together, new \ntechnologies such as vehicle-to-vehicle communications, or V2V, \nand automated technologies have the potential to dramatically \nchange the safety picture in the United States.\n    However, as the chairman pointed out, these new \ntechnologies also bring new and different challenges. For \nexample, consumers hear a lot about cybersecurity as it is \nrelated to banks and personal information. Indeed, it often \nseems like every day or every other day there is a breach \nreported in the media. Now in the auto space cybersecurity is \ntaking on new visibility, even showing up in TV shows as \nrecently as this past weekend. NHTSA understands these dynamics \nbut believes that the challenges associated with connected \nvehicles are addressable and they should not keep us from \npursuing the innovations that can save lives.\n    Testing and analysis indicates that V2V can address up to \napproximately 80 percent of crashes involving two or more motor \nvehicles. This technology promises to be transformative and \ncould even enable a new era of safety that not only saves \nlives, but brings other benefits as well.\n    When fully realized, this communication technology is \nextendable even beyond vehicles and the infrastructure. It can \nbe deployed to other devices that would be carried by \npedestrians and cyclists, thereby addressing those types of \ncrashes as well. However, for V2V to be effective, it relies on \na robust security system and for the vehicles themselves to be \nsecure.\n    In exploring the potential of connected vehicles and other \nadvanced technologies, NHTSA understood that cybersecurity \nwould be essential to the public acceptance of new vehicle \nsystems and to fulfill the safety promise they hold. 
To develop \na robust cybersecurity environment, NHTSA modified its \norganizational structure, developed vital partnerships, adopted \na layered approach, considered legislative actions, and \nencouraged members of the industry to take independent steps to \nhelp improve the cybersecurity posture of vehicles. NHTSA's \ngoal is to be ahead of potential vehicle cybersecurity \nchallenges and seek ways to address them.\n    NHTSA consulted other government agencies, vehicle \nmanufacturers, suppliers, and the public to develop its cyber \nprogram. The approach covers various safety-critical \napplications deployed on current vehicles, as well as those \nenvisioned for future vehicles that may feature more advanced \nforms of communications and automation.\n    However, we also believe there are tremendous opportunities \nin this realm for proactive steps. In fact, such steps are \nessential. Regulation and enforcement alone will not be \nsufficient to address these risks. Cybersecurity threats simply \nmove too fast and are too varied for regulations to be the only \nanswer.\n    The auto industry can play an essential role by \ncooperatively establishing rigorous best practices that address \nthe broad range of cyber threats, by reacting quickly and \nappropriately when such threats emerge, and by working closely \nwith the government and independent security analysts to \nidentify and defeat attacks.\n    NHTSA and DOT have also given special consideration to the \nsecurity system that enables V2V technology. USDOT and many, \nmany partners have spent some time developing the network and \nthis trusted architecture that goes along with this system. \nWhile we have made significant progress, we believe that more \ntesting is necessary and we plan to undertake that work.\n    The trust aspect of the system is based on PKI. Though \nextensively used today, NHTSA and its research partners \nactually tweak the design to balance security and privacy. 
We \ntake consumers' privacy very seriously, and in the context of \nour notice of proposed rulemaking on vehicle-to-vehicle \ncommunications, we will address privacy as it relates to that \nsystem.\n    The effectiveness of V2V technology also relies on an \nallocated portion of spectrum. In light of growing demand for \nspectrum, spectrum sharing has been a topic of much discussion. \nDOT is not opposed to sharing the spectrum. Toward that end, \nDOT is working closely with FCC, NTIA, members of the industry, \nand other stakeholders on an expedited basis to test and \nevaluate potential sharing solutions for the 5.9 gigahertz \nspectrum. We are waiting for devices.\n    Under the leadership of Secretary Foxx, the Department has \ntaken several steps to support the deployment of V2V and V2I \ntechnology. In August 2014, NHTSA issued an advanced notice of \nproposed rulemaking. In 2016, we plan to follow that up with \na proposal. And just recently the secretary announced some \npilot programs, all aimed to further deploy this technology.\n    Connected and automated vehicles that can sense the \nenvironment around them and communicate with these other \nvehicles and with the infrastructure have the potential to \nrevolutionize road safety and save thousands of lives. NHTSA is \nalready laying the groundwork needed for the road ahead and \nlooks forward to working with Congress, manufacturers, \nsuppliers, others in the administration, and the American \npublic in this exciting transportation future.\n    I look forward to addressing your questions.\n    [Prepared statement of Mr. Beuse follows:]\n    [Written statements can be found here: \nhttps://oversight.house.gov/hearing/the-internet-of-cars/]\n    Mr. Mica. Thank you. 
And we'll withhold questions until \nwe've heard from everyone.\n    Let me introduce and welcome again Harry Lightsey, who is \nthe executive director of global connected customer experience \nand global public policy at General Motors.\n    Welcome. You're recommended.\n\n              STATEMENT OF HARRY M. LIGHTSEY, III\n\n    Mr. Lightsey. Thank you very much, Chairman Mica, Chairman \nHurd, Ranking Member Duckworth, and Ranking Member Kelly. And \nthank you for the opportunity to testify before your \nsubcommittees.\n    In the roughly 100 years of its existence, the automobile \nhas impacted American life in ways unique to any other machine. \nIt has impacted how we live and work, where we live and work, \nhow our cities have grown, and how our country has grown.\n    Yet the machine itself remains basically what it was at the \ntime of its inception: a gasoline combustion engine connected \nby a drive train to wheels on the road, driven by a human \nbeing. But we are now entering an era where all those basic \ntenets will change dramatically. Cars will more and more have \ndifferent modes of mobility other than a gasoline engine. They \nwill be connected to each other in ways that will make the \ndriving experience safer and more enjoyable. And they will more \nand more relieve the human being of the driving task.\n    Because we know that humans are fallible and will have \ncrashes in cars, the automobile industry and the National \nHighway Transportation Safety Administration, or NHTSA, have \nspent the last half century designing and building automobiles \nto be safer when they crash, with innovations like seat belts, \nair bags, and crumple zones. 
Today we are designing and \nbuilding automobiles to avoid collisions entirely, with \ntechnologies like forward and rear collision warning, backup \ncameras, lane keeping, and blind spot warnings.\n    Increasingly, these technologies allow the machine to \nassist in the driving task itself when the human driver does \nnot react appropriately or quickly enough to prevent a crash. \nSoon technologies like vehicle-to-vehicle communications will \nbe deployed with the promise to impact over 80 percent of the \ncrashes on today's roads. The savings in terms of lives saved, \nproperty damage prevented, medical costs, and congestion will \nbe enormous.\n    At General Motors, we are moving quickly to take advantage \nof these innovations. We are the first automobile manufacturer \nto build connectivity into our vehicles. And GM OnStar has over \n6 million customers in the United States and over 1 million \ncustomers connected on our 4G LTE broadband platform. We have \ndeployed many advanced safety technologies into our vehicles, \nincluding announcing the deployment of vehicles with advanced \nrearview mirrors. And we are the only automaker that has \nannounced the commitment to deploy vehicles with V2V technology \nwith our Cadillac CTS model next year.\n    However, we must acknowledge that with change comes \nchallenge. We must deploy these innovations in the safest \nmanner possible. We must commit to our customers that we \nrespect their privacy and will protect their information. Our \nautomobiles contain software that may have vulnerabilities that \nbad actors could exploit to threaten our customers' safety and \nprivacy, and we must do all we can to prevent automobile \nhacking.\n    We must realize that we are competing with other \ntechnologies for the use of scarce resources like spectrum. We \nmust be able to use these resources in an efficient manner so \nlong as that use does not interfere with the safety-critical \nmission of our systems. 
If we have the freedom to innovate \nwithin these parameters, the promise of the future cannot be \nimagined today.\n    Thank you, and I look forward to your questions.\n    [Prepared statement of Mr. Lightsey follows:]\n    [Written statements can be found here: https://\noversight.house.gov/hearing/the-internet-of-cars/]\n    Mr. Mica. Thank you.\n    And we'll now hear from Mr. Sandy Lobenstein, vice \npresident of connected services and product planning at Toyota.\n    Welcome, and you're recognized.\n\n                 STATEMENT OF SANDY LOBENSTEIN\n\n    Mr. Lobenstein. Thank you. Good afternoon.\n    It's an exciting time for the auto industry. More vehicles \nare being connected and outfitted with advanced safety features \nand onboard connected safety services, as well as infotainment \nsystems, and we have the ability to interact with these from a \nsmartphone. The truth is, though, that we are only at the \nbeginning of the beginning. The connected car of the future \nwill far surpass the connected car of today with its features \nand capabilities.\n    To address questions about the use of vehicle data, the \nauto industry came together and developed privacy principles \nfor vehicle technologies and services. These privacy principles \ninclude meaningful protections, including heightened \nprotections on the use of certain vehicle data, like the \nvehicle's location or how someone drives.\n    For example, automakers agreed not to share data with third \nparties for their own use or to use this type of data for \nmarketing purposes without the affirmative consent of the \nvehicle owner.\n    With the privacy principles, the auto industry is at the \nforefront of protecting consumer data in the emerging Internet \nof Things. 
This code of conduct is precisely the type of effort \nthat the government has encouraged from the private sector and \nit should serve as a model for other Internet of Things \nsectors.\n    Cybersecurity is also a key focus, and although no criminal \ncyber attack on a vehicle has occurred, the auto industry is \nwell aware that the cybersecurity risks that exist for other \nconnected devices also exist for connected cars. We fully grasp \nthe potential consequences of a successful real world attack.\n    In that light, the auto industry is forming an ISAC to \nexchange information about cybersecurity threats to vehicles. \nToyota is pleased to be serving as the first Auto-ISAC board \nchair, and we're fully committed to the Auto-ISAC's success. We \nexpect initial information sharing from the Auto-ISAC beginning \nby the end of this year.\n    Some are making the case that automotive-specific \ncybersecurity best practices and standards are needed. The \nquestion is whether automotive best practices will look any \ndifferent than existing best practices that guide cybersecurity \nin other contexts.\n    That being said, the auto industry recognizes that an \neffort to adapt existing best practices to the vehicle may be \nappropriate. That is why the industry has recently embarked on \nan effort to identify existing best practices that are being \nand can be applied to vehicles and to address any potential \ngaps.\n    For the very same reasons that the government has refrained \nfrom mandating cybersecurity standards in other sectors, there \nis a significant risk with the government mandating \ncybersecurity standards for vehicles. Industry can move quicker \nthan government to update out-of-date practices or to adjust to \nnew threats. 
In addition, setting specific government standards \nmay encourage some companies to simply comply, not to do more \nto protect consumers.\n    Finally, a sector-specific approach will almost certainly \nhave significant implications for the harmonious development of \nthe Internet of Things at large.\n    As the Internet of Cars evolves, we are also on the cusp of \na radical transformation in vehicle safety that will be made \npossible by vehicle-to-vehicle communications. Dedicated short-\nrange communication, or DSRC, is a technology that will allow \nus to overcome the range, field-of-view, and line-of-sight \nchallenges posed by sensor technology, enabling vehicles to \nidentify collision threats at a greater distance or around a \ncorner.\n    When the FCC allocated spectrum in the 5.9 gigahertz band \nfor DSRC, it spurred an extensive collaboration between the \nUSDOT and the automobile industry on DSRC development. The FCC \nis also currently exploring opening up the band to unlicensed \ndevices.\n    Due to the spectrum crunch, we support the prospect of \nsharing spectrum if it can be proven that no harmful \ninterference will impair DSRC's safety-of-life mission. A \npromising proposal has been offered that has the potential to \naccomplish this goal. The proposal's developer and the auto \nindustry have recently proceeded to validation testing, and we \nremain confident that it will be proven out as a workable \nspectrum-sharing solution.\n    In closing, I'd like to provide two final observations. \nFirst, the Internet of Cars ecosystem is evolving. Technology \ncompanies, telecommunications providers, insurance companies, \nand others have introduced and will continue to introduce \nproducts and technologies designed to directly communicate with \nvehicles. 
As the ecosystem continues to evolve, responsibility \nfor protecting vehicles from potential cyber attacks and for \npreserving consumer privacy should also evolve to include all \nrelevant players in this space.\n    Second, there's a number of Federal agencies that are \nseeking to oversee, regulate, or influence cybersecurity and \nprivacy related to the Internet of Things either broadly or \nwithin narrow subsets. The resulting cacophony of working \ngroups' efforts, initiatives, and proposals is exceedingly \ndifficult to manage and prioritize. Without consolidation of \nthese efforts, clarification of the roles of various agencies \nand better coordination, the opportunity provided by the \nInternet of Things will almost certainly suffer.\n    Thank you for the opportunity to testify before you.\n    [Prepared statement of Mr. Lobenstein follows:]\n    [Written statements can be found here: https://\noversight.house.gov/hearing/the-internet-of-cars/]\n    Mr. Mica. Well, thank you.\n    And we'll recognize Mr. Diarmuid O'Connell, and he's vice \npresident of business development for Tesla.\n    Welcome, sir, and you're recognized.\n\n                STATEMENT OF DIARMUID O'CONNELL\n\n    Mr. O'Connell. Good afternoon. Thank you, Mr. Chairman, \nmembers of the committee. We appreciate the opportunity to come \nhere today and for the opportunity to speak.\n    Tesla cars are known for being exceptionally safe. \nIndependent testing by NHTSA has awarded Tesla Model S, our \ncurrent offering, the highest possible safety rating, five \nstars, not just overall, but in every subcategory without \nexception. Approximately 1 percent of all cars tested by the \nFederal Government achieve five stars across the board. Safety \nis a watchword at Tesla.\n    Automotive injury and fatality rates have fallen \nsignificantly over the last several decades as a result of \ncrash safety improvements such as air bags, energy-absorbing \nvehicle structures. 
And Tesla believes that in order to \nmaintain the pace of reducing injuries and fatality rates, \nvehicles need to increasingly use computerized vehicle systems \nto avoid crashes with particular opportunity afforded in the \nfully connected vehicle space.\n    Two examples of Tesla's connected car functionality leading \nto significant safety benefits compared to nonconnected \nvehicles are the following. The first would be automatic \nemergency braking, a vehicle feature which attempts to avoid \naccidents by applying brakes when a collision is believed \nimminent. Tesla is one of 10 vehicle manufacturers who have \ncommitted to making this a standard feature in all vehicles and \nTesla has already delivered on this promise.\n    The same connected vehicle technology is applied to Tesla's \nautopilot functionality, where improvements are constant as \nvehicles effectively learn from varying road conditions and \nshare those learnings with the entire fleet through \nconnectivity.\n    Several studies demonstrate that uptake rates of recalls in \ngeneral are about 70 percent. That is to say that for a given \nvehicle fault that warrants a recall, about 70 percent of the \nvehicles affected will get repaired. Put another way, 30 \npercent of vehicles will be left driving around in \ncontravention of Federal safety standards or with a safety-\nrelated defect.\n    Connected vehicle technology offers a significant \nopportunity for us to do better. Modern vehicles are heavily \nsoftware controlled and therefore software changes alone can \noften resolve a safety issue. In late 2013, Tesla became aware \nof a potential hazard believed to be related to incorrect \nthird-party receptacle installation and wiring. After rapid \ninvestigation, a vehicle software change was identified. It was \ncapable of detecting and solving the third-party fault. 
Because \nof Tesla's leading connected vehicle capabilities, the software \nsolution was automatically delivered to the entire fleet.\n    In contrast to the industry average, recall uptakes of 70 \npercent, Tesla's automatic software updates can achieve uptake \nrates of nearly 100 percent within a short amount of time, \nmeasured in days.\n    So precautions and concerns as we go forward. The first \nprecaution is to ensure that any software updates to a vehicle \nare authorized by the manufacturer. This can be achieved by \nusing industry standard cryptography, a technology referred to \nas signing.\n    The second precaution is to strongly isolate networks from \nthe mechanical systems of the vehicle. If a processor on the \nvehicle has network connectivity, the processor should not also \nhave direct connections to the vehicle's mechanical systems, \ni.e., steering, acceleration, brakes, and gear selection. We \ndon't have gear selection, but that's a separate matter. Some \nmanufacturers implement this isolation with technology referred \nto as a gateway.\n    The third precaution is to use industry standard encrypted \ncommunications protocols for connections to the vehicle. This \nensures privacy and the integrity of data as it's transferred \nto and from the vehicle.\n    With respect to regulation. We're in a period of rapid \ninnovation for automotive safety. Tesla vehicle safety already \nsignificantly benefits from investments in vehicle \nconnectivity. We expect innovation and success in delivering \nenhanced safety to only continue as the full potential of \nconnected vehicles is realized. 
Overzealous or more \nparticularly premature regulation that does not allow for \ninnovation or creative solutions can actually deter or block \nsafety innovations, and as a result, any move in this direction \nmust be considered carefully and only to the extent absolutely \nnecessary, in our view.\n    Thank you again for the opportunity to provide this \ntestimony, and we'll welcome any questions.\n    [Prepared statement of Mr. O'Connell follows:]\n    [Written statements can be found here: https://\noversight.house.gov/hearing/the-internet-of-cars/]\n    Mr. Mica. I'd like to recognize Mr. Garfield. And he's with \nITI.\n    Welcome, and you're recognized.\n\n                 STATEMENT OF DEAN C. GARFIELD\n\n    Mr. Garfield. Thank you, Chairman Mica, Chairman Hurd, \nRanking Member Duckworth, Ranking Member Kelly, members of the \ncommittee. On behalf of 65 of the most dynamic and innovative \ncompanies in the world, we thank you for hosting this hearing. \nIt is perfectly timed before 42 million Americans get on the \nroad to engage in their Thanksgiving commute. And I would \nsuspect that 5 to 10 years from now the cars in that commute \nwill look quite different. And so I'll focus my testimony on \nthat issue, which is the transformation that's occurring, the \ninnovation that's taking place in that space, first. And then, \nsecond, what we're doing to ensure that we accelerate \ndeployment, but in a secure and safe way.\n    It's often said that it's difficult to appreciate history \nwhen you're experiencing it and living in the middle of it. But \nfrom my conversation with our companies, we're living in an \ninnovation renaissance. The convergence of almost ubiquitous \nbroadband with exponential improvement in computational \nprocessing, as well as with low cost and almost unlimited \nstorage, is transforming mobile computing. 
That includes the \noriginal mobile technology, which is the car.\n    We see that manifested today in advanced driver assistance \nsystems, whether that is the adaptive cruise control or \nautomatic braking, which I have in my car, which has prevented \naccidents on multiple occasions. We'll see that in the future \nin what the other panelists have mentioned, whether it's \nvehicle-to-vehicle or vehicle-to-infrastructure communication \nor in autonomous vehicles.\n    Our companies are working hard at deploying technologies to \nmake those types of vehicles available sooner rather than \nlater, whether that's dedicated short-range communications, \nadvanced LTE, or 5G wireless. As a number of the panelists have \nnoted, it is early days yet, and so it's impossible to tell \nwhich technology will work most effectively. What we do know is \nthat there will be radical transformative improvement in \nsafety, access, as well as how we view our cities.\n    The other panelists have spoken about some of the safety \nissues, so I won't repeat that. But think about all of the people \ntoday who aren't able to drive because of a disability or \nbecause they're too old or because they're too young. Through \nconnected vehicles or autonomous vehicles, those people will \nhave access to transportation in a way that they don't today.\n    Similarly, when we don't have to think about cars being \nparked all the time, the way we think about our landscape on \nour cities will change dramatically. Our companies are \ninvesting billions of dollars to bring that to the market \nsooner rather than later and are partnering with many of the \ncompanies on this panel in order to make that possible, and as \nwell working with the public sector to enable that.\n    A big part of our work is ensuring that consumers have \nconfidence in the safety and security of those vehicles and \nsecurity will become even more prominent in the future. 
For us, \nwe have long experience working on security issues, \nparticularly cybersecurity, whether it's protecting networks \nfrom the network edge to the cloud and everything in between.\n    And increasingly the norm is security by design, which is \nbuilding in robustness, resiliency, and redundancy at the \nsoftware and hardware level so it's not a latch-on later on. \nWhat that means is you can actually build into a chip set the \nencryption protocols to protect on unintended encroachment, as \nwell as the ability to adapt if that encryption is \ncircumvented.\n    We have found it quite productive to work with NIST in \nadvancing that work. NIST has taken a collaborative approach in \nworking with the public and private sector, working together in \ncoming up with a framework of standards and best practices \nwhile allowing sufficient flexibility for innovation.\n    There is still work left to be done, and that speaks to the \nrole that Congress can play. A number of the members of the \npanel have pointed to the number of efforts and initiatives \nthat are being undertaken in this space. Congress can play an \nimportant role in bringing order to that cacophony, as Mr. \nLobenstein identified.\n    Second, there is really a need, and Ranking Member \nDuckworth made this point, for a national Information of Things \nstrategy. There is so much work taking place in this space, but \nnot much of it is well coordinated into a national strategy \nthat serves our economic, security, and safety interests.\n    Finally, once we look at what's being done and develop a \nstrategy, there is an appropriate place for regulation to deal \nwith market gaps, and we would advocate that the approach \nthat's been taken by NIST in developing a regulatory framework \nthat's based on best practices that also allows for flexibility \nis the appropriate approach.\n    Thank you.\n    [Prepared statement of Mr. 
Garfield follows:]\n    [Written statements can be found here: https://\noversight.house.gov/hearing/the-internet-of-cars/]\n    Mr. Mica. Thank you.\n    And we'll recognize waiting patiently Khaliah Barnes, \nassociate director and administrative law counsel at the \nElectronic Privacy Information Center.\n    Welcome, and you're recognized.\n\n                  STATEMENT OF KHALIAH BARNES\n\n    Ms. Barnes. Thank you, Chairman Mica, Chairman Hurd, \nRanking Member Kelly and Ranking Member Duckworth. I'm Khaliah \nBarnes, associate director and administrative law counsel for \nthe Electronic Privacy Information Center.\n    EPIC is an independent nonprofit research organization \nfocused on emerging privacy and related human rights issues. We \nthank you for holding the hearing today and for taking time to \nconsider the important privacy implications of the Internet of \nCars.\n    New vehicle technologies offer a variety of new services to \nAmerican drivers and are quickly being implemented by car \ncompanies. But these new technologies, typically based on \nInternet connectivity, also raise substantial privacy and \nsecurity concerns that Congress needs to address.\n    As cars become more technologically sophisticated, they \ncollect a lot of personal data, including physical locations, \ndestinations, text messages, and phone records. Most car \ncompanies and other companies, including Google, fail to inform \nconsumers of their data-collection practices, and few give \nconsumers true control over their data.\n    Auto companies also use personal driving information for \nvarious but vague purposes, which leaves consumers in the dark \nabout who has access to their information and why. This \ninformation is often retained for years, if not indefinitely.\n    The very real possibility of remote car hacking poses \nsubstantial risk to driver safety and security. 
Connected cars \ncan be remotely hacked and controlled from anywhere in the \nworld via the Internet where hackers can take control of \nvarious features, including brakes, steering, and car locks. \nWireless hacking can also provide access to the car's physical \nlocation using built-in GPS navigation systems, which can \nfacilitate crimes such as stalking, harassment, and car theft.\n    Congress must enact meaningful safeguards to protect \nprivacy and security in the Internet of Cars. Last year a group \nof over 20 automakers, including General Motors and Toyota, signed \na voluntary pledge for privacy and security. While the pledge \nis an important first step, it is no substitute for Federal \nbaseline privacy and data security regulations. The pledge \nfails to provide essential privacy protections, lacks any \nmeaningful enforcement, and supports the status quo of the \nwholesale collection of sensitive driver data.\n    To protect the privacy and security of American drivers, \nCongress will need to do more. First, Congress should act on \npending legislation. The SPY Car Act of 2015 would establish \nFederal standards for connected cars. The act empowers NHTSA, \nin consultation with the FTC, to develop cybersecurity and \nprivacy regulations for driver data. The SPY Car Act provides a \ngood framework for meaningful safeguards.\n    There's also the House draft bill that would require car \ncompanies to develop modest privacy policies for the collection \nand use of driver information. The House draft falls short of \nproviding robust privacy protections. The draft would not \nrequire manufacturers to actually develop or even implement \nprivacy-protecting measures. Instead, the companies would only \ninform drivers about whether the company chooses to take \nvarious privacy-protecting measures. The draft also immunizes \ncar companies from FTC scrutiny for simply developing a privacy \npolicy. 
The draft would broadly criminalize vehicle hacking, \nincluding for research purposes.\n    The Senate bill comes much closer to safeguarding the \ninterests of American drivers than does the House draft. In \nfact, we would oppose enactment of the House draft, which would \nbe a step backwards for Americans who are concerned about \nprivacy and security.\n    Second, Congress should establish fines for hacking \nconnected cars, but only where there's malicious intent. This \nwill permit research to uncover security vulnerabilities, many \nof which we've discussed today, while punishing hacking that is \nintended to cause harm.\n    Third, Congress should grant NHTSA authority to issue \nprivacy rules. The SPY Car Act of 2015, with its emphasis on \nenforceable NHTSA rules and civil fines for offenders, provides \nthe type of privacy and security safeguards drivers need. As \nCongress moves forward, it is critical that NHTSA has \nrulemaking authority over the emerging industry. NHTSA's rules \nshould incorporate practices detailed in the Consumer Privacy \nBill of Rights, which is a sensible comprehensive framework for \nprivacy protections that provide substantive privacy \nprotections and would help establish fairness and \naccountability for the collection and use of driver \ninformation.\n    Every day without car privacy and safety protections places \ncountless drivers at risk of having their personal information, \nor worse their physical safety, compromised. It's time to put \nconsumers back in the driver's seat when it comes to privacy. \nCongress must act swiftly to combat the current and future \nprivacy threats posed by the Internet of Cars.\n    Thank you for the opportunity to testify this afternoon, \nand I would be pleased to answer your questions.\n    [Prepared statement of Ms. Barnes follows:]\n    [Written statements can be found here: https://\noversight.house.gov/hearing/the-internet-of-cars/]\n    Mr. Mica. Well, thank you. 
And I'll thank all of our \nwitnesses. And we'll go right into questions.\n    First, let me get to Mr. Beuse with the National Highway \nTraffic Safety Administration. In 2012, when I helped craft the \nMAP-21 legislation, I put a section 31402, Electronic Systems \nPerformance, and it said specifically, ``Not later than 2 years \nafter the date of enactment''--that was July, I'd give you \nAugust of 2012--that ``the Secretary shall complete an \nexamination of the need for safety standards with regard to \nelectronic systems in passenger motor vehicles.'' Then it has a \ncouple of criteria.\n    It says, ``Upon completion of the examination...the \nSecretary shall submit a report to committees.'' And I see I \nscrewed up. I should have put the Department of Transportation \nin here too, because they don't have one, but we have Commerce, \nScience, and Transportation of the Senate, and Energy and \nCommerce in the House.\n    Have you completed that report?\n    Mr. Beuse. No, Mr. Chairman, that report is still under \nreview. What we have done, which is unprecedented, which was we \nput the entire research program that we developed in \nconsultation with other government agencies, the private \nindustry, et cetera, out for public comment.\n    Mr. Mica. So it's not--I mean, I guess I just put these \nthings in law and then we just forget them. But it should have \nbeen July, we'll give you August, of 2014.\n    Ms. Duckworth, isn't this 2015 and November? Okay. So we're \na little bit behind.\n    Mr. Beuse. Agree, it's taken way too long.\n    Mr. Mica. And is there a draft?\n    Mr. Beuse. There is a draft that's entering----\n    Mr. Mica. Because I tried to get a draft from the \ncommittee, and they said they did not have one. This is from \nthe--either of the committees. Can you submit to the joint \nsubcommittees here a draft?\n    Mr. Beuse. I'm not sure if I can, but we will take that \nback.\n    Mr. Mica. You're not sure if you can?\n    Mr. Beuse. 
The work that has been done that my office is \nresponsible for----\n    Mr. Mica. Yeah, well, we want to see it. You can, and you \nwill, and we'll have it here within 10 days, okay?\n    Mr. Beuse. Okay.\n    Mr. Mica. All right. That's the way we operate here. So you \ndidn't comply.\n    We don't have any penalties now, do we, if someone hacks a \nvehicle? Ms. Barnes?\n    Ms. Barnes. That is correct.\n    Mr. Mica. Yeah, so the law is still pending. You favor the \nSenate's side as far as privacy in your testimony. But we have \nseen that they can be hacked. That's also correct.\n    Ms. Barnes. That's also correct.\n    Mr. Mica. Yeah. And so far no one with malintent has \nhacked, but you could probably stop an engine, you could \ndisable brakes or steering, because all of those have \nelectronic components. Would that be a good assumption? I'm not \ntechnologically competent, but----\n    Ms. Barnes. That is correct, Chairman.\n    Mr. Mica. Okay.\n    Ms. Barnes. You would be able to disable those features.\n    Mr. Mica. So they haven't acted and Congress hasn't acted. \nI have to put blame also on us.\n    Then we gave a lot of money, maybe----\n    Mr. Garfield. If I may.\n    Mr. Mica. Yes, go right ahead, Mr. Garfield.\n    Mr. Garfield. To suggest the implication of that colloquy \nsuggests nothing is being done, when, in fact, much is being \ndone.\n    Mr. Mica. Well, it's not that nothing is being done.\n    Mr. Garfield. Particularly on cybersecurity.\n    Mr. Mica. We give certain directives. I was going to get to \nthe question of them working with you all, both, and you did \ntalk to NIST----\n    Mr. Garfield. Correct.\n    Mr. Mica. --which sets standards, and had pretty good \nreport back, and NHTSA, both--everybody has participated?\n    Have you participated, Mr. Lightsey, with them?\n    Mr. Lightsey. Yes, Mr. Chairman, we embrace the NIST \nframework. We have adopted that into our----\n    Mr. Mica. 
With both of those Federal agencies or with a \nprivate sector group?\n    Mr. Lightsey. We have had discussions with NIST and with \nNHTSA.\n    Mr. Mica. Okay.\n    And you, Mr. Lobenstein? Yes?\n    Mr. Lobenstein. Yes. We have also had discussions.\n    Mr. Mica. Mr. O'Connell?\n    Mr. O'Connell. To be factually perfectly accurate, I'm \ncertain we are absolutely involved with NHTSA on an ongoing \nbasis. I can't testify to the involvement with NIST.\n    Mr. Mica. Okay. I just want to find out. And again, I \ncommend you for coming together as an industry and working, and \nI don't want to imply that nothing has been done. But my job is \nto give certain directives to agencies, and then see if--I'm \nnot here just, you know, to look good. I know I do. But----\n    Mr. Garfield. Yes, you do, Mr. Chairman.\n    Mr. Mica. But my job is to hold their feet to the fire, and \nwhen you put something in law, some of the newer members will \nfind around here, you can put it in law, I put things in law \nthree, four times, and they still don't comply. But we won't go \nthere today.\n    Again, we gave you a lot of money. We spent about $500 \nmillion in taxpayer funds testing the dedicated short-range \nradio communications devices. What's NHTSA currently doing to \naddress the potential issues with security credential \nmanagement system? Where are we on that?\n    Mr. Beuse. Those funds are not NHTSA funds. Those are the \nJPO funds, Joint Program Office funds.\n    Mr. Mica. Is that under you or----\n    Mr. Beuse. That is not under me, sir.\n    Mr. Mica. Who is it under?\n    Mr. Beuse. It's under the Joint Program Office, which is \nnow part of the Office of the Secretary. I can't tell you----\n    Mr. Mica. It's under DOT.\n    Mr. Beuse. It is under DOT, sir.\n    Mr. Mica. Yeah, okay. So I can say under you, okay, under \nDOT. But they have had half a million. What's the result there?\n    Mr. Beuse. Sure. 
So what we're doing, what the Department \nis doing----\n    Mr. Mica. Half a billion.\n    Mr. Beuse. --is putting sort of hardware behind that \nsystem. I alluded to it in my testimony. What's been done to \ndate has been a lot of hard work with a lot of smart people \ncoming up with the design, but now we feel we need to actually \nbuild this and operate it to see what are the vulnerabilities \nand do some large-scale testing.\n    Mr. Mica. Do you have any idea exactly where? I'm told that \nsome of what you have done were really actually slid behind \nsort of the advances in technology. And how much more money, \nhow much more time will it take? Do you know?\n    Mr. Beuse. I think that's exactly why the Secretary of \nTransportation has committed to putting this technology out for \npublic comment as part of a NHTSA proposal in 2016.\n    Mr. Mica. So that's not till next year?\n    Mr. Beuse. I guess in 2 months or so we'll start 2016, but \nthat is the goal. He asked us to accelerate that rulemaking, \nwhich we have.\n    Mr. Mica. Well, we have spent a lot of money and we don't \nsee a lot of progress. And when would you have your final \nreport, the report that I requested here? It's in draft. You're \ngoing to give us the draft. When will you have that finalized?\n    Mr. Beuse. I can get back to you on the record on that, \nsir.\n    Mr. Mica. Within the next 10 days.\n    Mr. Beuse. Absolutely.\n    Mr. Mica. I want a date, a firm date.\n    Mr. Beuse. Absolutely.\n    Mr. Mica. And then I want it made part of the record, okay.\n    Mr. Beuse. Absolutely.\n    Mr. Mica. I'm sorry. Don't mean to be, you know, demanding, \nbut----\n    Mr. Beuse. Sir, I understand your frustration.\n    Mr. Mica. Okay. Again, we try to act responsibly and we \nexpect the agencies to do the same thing.\n    So right now, just my final question, cars can be hacked \nwith electronic systems. We don't have in place either a \nstandard or ability to stop that. 
I guess that's a simple way \nto put it. Is that correct, Mr. Lightsey?\n    Mr. Lightsey. Mr. Chairman, thank you. GM has invested a \nlot of time and effort into making it as difficult as possible \nto hack into cars. As I indicated, we have embraced the NIST \nframework.\n    Mr. Mica. No, that's an individual effort. We applaud you \nfor that. But my question is, we really don't have a standard, \nwe don't have the ability to prevent that developed, do we?\n    Mr. Lightsey. We have the ability to implement things as a \nbusiness, which is what we are doing.\n    Mr. Mica. So your cars can't--General Motors' cars can't be \nhacked?\n    Mr. Lightsey. I can't say whether they can be hacked or \nnot. I can say that we are making them as difficult as we \npossibly can.\n    Mr. Mica. Okay, but that's your individual, and I'm asking \nabout do we have a standard. We don't that I know.\n    Mr. Lobenstein.\n    Mr. Lobenstein. Yes, Mr. Chairman. I think we are trying to \nbe proactive. We----\n    Mr. Mica. But again, the question--and I applaud each of \nyou, and Telsa--Tesla--that's wrong--but Tesla will tell us \nthey are five star and all of that. But my question was, is \nthere a standard developed and is there a protection in place? \nThe answer is for you.\n    Mr. Lobenstein. We have actually begun working as an \nindustry----\n    Mr. Mica. Okay.\n    Mr. Lobenstein. --to establish cybersecurity.\n    Mr. Mica. But we don't have that in place.\n    Mr. O'Connell.\n    Mr. O'Connell. I'm not aware of an industry standard. The \none thing I would add, sir, is that there is a difference \nbetween sort of hard access hacking and wireless hacking, and \nthat's something--we've seen the former, which is people with \naccess to a vehicle then being able to modify certain access.\n    Mr. Mica. So hard access can----\n    Mr. O'Connell. Hard access hacking has happened on isolated \ncases. I am personally unaware of any wireless hacking that has \ngone----\n    Mr. 
Mica. But there are no protections or standards.\n    Mr. Lobenstein. As I said, no standards that I'm aware of.\n    Mr. Mica. Or if it can be done.\n    And then, again, part of the responsibility is Congress has \nset no penalties. We haven't held the agency's feet to the \nfire.\n    I will give you the last word, Ms. Barnes. Anything you \nwant to comment?\n    Ms. Barnes. Sure. I will just point out, and it is in our \nwritten testimony, key examples of computer scientists and \nother researchers finding ways to wirelessly hack into \nvehicles.\n    Mr. Mica. Okay.\n    Mr. Garfield.\n    Mr. Garfield. There is a difference between there being \nstandards and there being laws. There are certainly standards \nbeing developed around cybersecurity, and there are certainly \nlaws in place that would punish someone, whether it's the \nComputer Fraud and Abuse Act or the Digital Millennium Computer \nAct, from folks hacking into cars or anything else. The \nquestion is, are there laws mandating particular standards, and \nI would argue that mandating a particular standard would be the \nabsolute wrong approach.\n    Mr. Mica. Well, we don't have that, but we still don't have \nindustry-wide standards or protections on hacking, on privacy, \na whole host of things we have heard today.\n    Let me, I have taken more than my time.\n    Mr. Beuse. Mr. Chairman, just on that last question. The \nindustry group, the SAE International, just recently, like \nwithin the last week, has developed a set of voluntary industry \nbest practices. We just got it, so we are just looking at it, \nbut I just wanted to make sure you knew that that was out \nthere.\n    Mr. Mica. Usually things happen just before the hearing.\n    Let's go to Ms. Duckworth.\n    Ms. Duckworth. Thank you, Mr. Chairman.\n    So I want to speak, gentlemen and Ms. 
Barnes, to ISACs, the \nsector-specific Information Sharing Analysis Centers, which are \nnonprofit, member-driven organizations formed by critical \ninfrastructure owners and operators who share information \nbetween government and industry about cyber threats and lessons \nlearned; not necessarily in the automobile industry, but in \nother areas.\n    Mr. Beuse, can you talk about what sort of mechanisms or \norganizations have been instituted by NHTSA, and also by the \nindustry, to work towards secure Internet-connected vehicles?\n    Mr. Beuse. Sure. There has actually been quite a bit of \nwork done. NHTSA was really at the forefront in trying to \nencourage the development of the ISAC, and we are very pleased \nthat it is actually up and running now. There are some \nadditional steps that we think probably are necessary. One is \nclarifying what the role that it will have in its interactions \nwith the agency, and also how that group will be expanded to \nother sectors, including suppliers.\n    Ms. Duckworth. I would like to speak to the suppliers \nportion of it. This is something that has come up in my work on \nthe Armed Services Committee on military equipment. \nCybersecurity is certainly something of great, great potential \nharm to our military. And one of the things that I found out, \nthat for a military weapons platform, something as critical as \nthe new F-35 fighter jet, there is not complete security of the \nsupplier network.\n    Could any of the three gentlemen from the three automobile \nmanufacturers here talk a little bit about what you have done \nto secure or safeguard or ensure that your supplier network is \none that you can trust? I have in my congressional district \nHuawei, which is a chip manufacturer, which has been identified \nby the U.S. 
Government and different folks as a problematic \ncompany that actually engages significantly in espionage, both \nin corporate espionage as well as in governmental intelligent \nespionage as well.\n    What are you doing to make sure that the chips that you \nare--I'm assuming you don't make your own chips. But what are \nyou doing to make sure that your supply network is also secure?\n    Mr. Lightsey. Thank you, Ranking Member.\n    GM, as I was indicating to the chairman, we have invested a \nsubstantial amount of resources and time into the whole \ncybersecurity issue. In fact, we created a global organization \nwhose sole mission is end-to-end cybersecurity of our products \nand services. And that organization is headed by our chief \nproduct cybersecurity officer who reports to the senior \nmanagement of the company, including the CEO, and to the board \nat regular intervals about the cybersecurity status of our \nproducts and services.\n    That includes our supply chain, and we have requirements \nthat our suppliers must meet. We audit them on those \nrequirements, and we test their products, and we have those \nproducts as part of--we certainly embrace security by design. \nSo from the very beginning of the design of those products, all \nthe way through to production, those products are tested by \nboth internal and external experts.\n    Ms. Duckworth. For cyber vulnerabilities are you talking \nabout----\n    Mr. Lightsey. Yes, for cyber vulnerabilities, penetration \ntesting, other techniques that are common and standard.\n    Ms. Duckworth. Okay. Mr. Lobenstein, and then Mr. \nO'Connell.\n    Mr. Lobenstein. Yes, for Toyota, cybersecurity and safety \nis of paramount interest to us, and we also use industry \nstandard best security practices, including security by design, \nrisk assessments, multilayer defense. 
Even in our telematics \ngroup we have our cybersecurity team embedded in our activities \nfrom the day that we put pen to paper on a strategy, 4 years \nbefore a product is launched, through development, through \nengineering, and even through the operations.\n    One thing I also wanted to mention is that in the Auto-ISAC \nwe have also invited our automotive suppliers to participate in \nthat. So we are bringing them in that ISAC so we can share \ninformation with them as well.\n    Ms. Duckworth. Mr. O'Connell.\n    Mr. O'Connell. Yeah, a couple of thoughts. Many of the \nthings we do are consistent with what my colleagues have just \nmentioned with respect to looking at cybersecurity and general \nrobustness of the system. A couple of things that differentiate \nTesla, one is our concern, based on being an industry leader in \nthe electric vehicle space, we have a unique concern about the \nintegrity of our operations, because as a new industry entrant \nwe are uniquely subject to these risks.\n    That said, we take a systems-level approach especially in \nour software development, but also on our vehicle side. So we \nhave a much higher degree of vertical integration. Many of our \nsoftware systems are designed from the ground up as a whole \nsystem rather than relying on outside providers of software.\n    With respect to our chip technologies, we are largely, to \nmy knowledge, sourcing from domestic sources. But we are \nwholly, you know, focused on the vulnerabilities as any Silicon \nValley company would be.\n    Ms. Duckworth. I'm out of time, Mr. Chairman.\n    Mr. Hurd. [Presiding.] Thank you, Ms. Duckworth, and I \nalways appreciate your insightfulness in your questioning.\n    I now recognize my colleague from the great State of Texas, \nMr. Farenthold, for 5 minutes.\n    Mr. Farenthold. Thank you very much, Mr. Chairman, and I \nappreciate the opportunity to be here.\n    Are you pronouncing your name Mr. Beuse? Is that correct?\n    Mr. Beuse. 
Beuse, yes.\n    Mr. Farenthold. Okay, Mr. Beuse.\n    There is a huge amount of investment that automakers and \nU.S. tech companies like Google, Uber, Intel are making in \nautonomous vehicles overall and autonomous vehicle crash \nprevention technologies that don't rely on DSRC at all. What if \nany steps is NHTSA taking to support this type of innovation \nwhich is one of the reasons the U.S. leads globally in \nintelligent transportation systems?\n    Mr. Beuse. So with respect to the automated vehicle \ntechnologies we couldn't agree more. We think that there is a \nfuture for both connected and automated. So we are pushing hard \non both. If you see recent examples by the Secretary on \nautomatic emergency braking, for example, we just included that \ntechnology into our new car assessment program, which is one of \nthe most visible programs at the Department in terms of \nconsumer information.\n    The other thing we have done is we have encouraged industry \nto slowly make that technology standard, slowly by meaning \ntrying to get to a place where they can offer that as a \nstandard feature on all vehicle models without a regulation. \nAnd that was the September announcement that just happened. And \nso you can see we are pushing on those automated technologies. \nLikewise, on connected vehicle technology, we believe that it's \na mandate that's necessary to get that market to go.\n    Mr. Farenthold. So how are we going to tie this in with the \nproposal to mandate DSRC in all light vehicles? Are you going \nto require these companies to put DSRC on top of their own \ntechnologies and are we forcing a standard on folks that we may \nnot be ready for?\n    Mr. Beuse. I think that's exactly what the proposal is \nmeant to find out, sir. 
I think if you look at the approach of \nthe Department, it is to try to get this technology out of the \nresearch phase and ready to deploy and ask some of these very \ndifficult questions of the technology about if it's ready to \ndeploy. We certainly believe it's ready to deploy. We believe \nthe two technologies are complementary, they are not in \ncompetition with each other, and there is a role for both.\n    Mr. Farenthold. All right. Well, thank you very much.\n    And, Mr. O'Connell, I want to visit a little bit about what \nyou guys are doing at Tesla. You all take a different approach \nto determining security issues and other concerns where you \nbasically have a bug bounty on there and employ white hat \nhackers. Can you talk a little bit about what you do and why \nthat's a good thing and how it's working?\n    Mr. O'Connell. Sure. Our approach is really consistent with \nthe sort of software development, if you will, Silicon Valley \napproach to hardening software over the course of time, and it \nrelies on a system of incentives whereby we encourage folks to \ntest our system, both in professional and informal \nenvironments, and we reward them when they identify \nvulnerabilities.\n    This is consistent with the sort of incentives and \ndisincentive systems that I think generally works in the human \nenvironment. But we find it works. It's worked very well in \nmost software environments, and it's working very well for us \nas well. And it allows us to rapidly identify problems and \nrectify them and then through connectivity, as I mentioned \nbefore, implement the solutions.\n    Mr. Farenthold. All right.\n    And, Mr. Beuse, recently the U.S. on an international basis \nsupported a global standard for DSRC in the W band at 77 \ngigahertz, while we are looking locally at a whole different \nfrequency range, around 50 gigahertz. Is this an example of one \nhand not talking to the other? 
Wouldn't we be better off with \none international global standard?\n    Mr. Beuse. I'm not exactly familiar with that particular \nissue. I do know that on the technology radio side of things we \nhave worked very hard to make sure that we have same standards \non both sides of the Atlantic, so to speak, so that we can have \none common set of hardware.\n    Mr. Farenthold. Mr. Lobenstein, would you like to address \nthat?\n    Mr. Lobenstein. So we fully support the idea of spectrum \nsharing. There has been some deployment actually in the \nJapanese market near the 5.8 gigahertz band. We also think it's \nimportant to protect this bandwidth within the United States \nbecause DSRC provides lifesaving services, and we need to make \nsure that that----\n    Mr. Farenthold. Is there a technical reason it is not going \nto work at 77 gigahertz like the rest of the world is talking \nabout?\n    Mr. Lobenstein. I'm sorry, Mr. Farenthold, but I'm not a \ntechnologist, so I'll have to pass on that.\n    Mr. Garfield. Well, actually, if I might?\n    Mr. Farenthold. Sure.\n    Mr. Garfield. It speaks to the point we were making earlier \nabout all of the different--the disparate efforts in this area \nand why an agency that is focused on standards and standards \ndevelopment globally like NIST has to be a part of this \nconversation.\n    Mr. Farenthold. Okay. I see I'm out of time. I look forward \nto a second round of questions.\n    Mr. Hurd. Thank you, Congressman Farenthold.\n    Now I'd like to recognize the ranking member of the IT \nSubcommittee, and my friend, from the great State of Illinois, \nRobin Kelly, for 5 minutes.\n    Ms. Kelly. Thank you, Mr. Chair.\n    The promise of Internet-connected vehicles is that they \nbring greater levels of comfort, convenience, and safety, but \nthat same Internet connectivity means that these computers on \nwheels face the same cyber threats and vulnerabilities as other \ncomputers.\n    Mr. 
Garfield, given the volume of successful compromises of \ncorporate and government networks, in your estimation, how \nlikely is it that we will see hackers instead of just \nresearchers succeed in hacking connected cars and especially in \nlight of Ms. Barnes' testimony?\n    Mr. Garfield. It's hard to predict the future, but I think \nthe likelihood is real and that it is likely. I think the \ninformation that Mr. O'Connell shared about the approach in the \nsoftware industry on taking an agile approach where we adjust \ncontinually, we are testing continually, and integrating \nsecurity and privacy by design with redundancy, resiliency, and \nrobustness, so we are not compromised completely, is the proper \napproach.\n    Ms. Kelly. Is there anything that keeps you up at night, \nany scenario that concerns you the most?\n    Mr. Garfield. Generally, I sleep quite well. But actually, \nI think part of my worry is that all of the great things we \nhave been talking about will be a dream deferred because our \npolicy apparatus won't be as agile as our software development \nto keep up with these shifts. And so I get the instinct to act, \nand we should act. What we are suggesting is that we act in a \nstrategic coordinated fashion that ensures our shared interests \nare achieved.\n    Ms. Kelly. Thank you.\n    And Mr. O'Connell, Mr. Lobenstein, and Mr. Lightsey, when \nyou think of new features that you are adding to your cars, is \nthere anything, not that you would do it on purpose, but that \nyou're adding that you think could be negatively compromised as \nyou're getting more connected, I guess?\n    Mr. Lightsey. Yes. So as we have said, we certainly embrace \nall the tenets that Mr. Garfield has spoken about, and we \nincorporate security by design, defense in-depth strategies \nthroughout our review. 
And so from the very beginning that any \nservice or hardware begins to go through the design cycle for \nour automobiles, that cybersecurity posture of that particular \nelement is being evaluated, the risk is being assessed, and \nappropriate measures are being taken to mitigate that risk. And \nthat goes all the way through production and into the lifecycle \nof the vehicle itself.\n    Ms. Kelly. Thank you.\n    Mr. Lobenstein. For Toyota the safety and trust of our \ncustomers is paramount. And as I mentioned before, on the \ntelematic side we employ the same cybersecurity best practices \nthat have been mentioned here today. We include our \ncybersecurity experts from the very beginning and they provide \nfeedback to us that we implement, and I think as we go forward \nwe will continue to expand on that. And we also look forward to \nworking as an industry to develop cybersecurity best practices \nthat we can all employ.\n    Mr. O'Connell. You didn't ask me, but I sleep well at night \ntoo, and for two reasons. One, I know that we are employing \nwithin Tesla some of the industry's best, as far as developing \nnew applications and considering issues, important issues such \nas privacy and cybersecurity.\n    The other piece that gives me peace at night is that we are \nworking within a context, as Representative Farenthold referred \nto, of open innovation whereby it's not wholly--the integrity \nof our systems is not wholly reliant on the capabilities of \nTesla, but rather looks to resources outside of Tesla to \nimprove the systems that we are developing and to rapidly \nimplement those systems.\n    Ms. Kelly. Thank you.\n    Lastly, at the beginning of your testimony, Mr. Beuse, you \ntalked about some of the statistics of people dying on the \nhighway.\n    Mr. Garfield, your testimony references the tremendous \neconomic and societal benefits that can be derived from \nautonomous and connected vehicles. 
In your opinion, what should \nCongress be doing and the Federal Government more broadly to \nensure the potential of this technology is realized? What more \ncan we do?\n    Mr. Garfield. Yeah, thanks for asking. There is certainly \nimportant work for Congress. There are so many different \nagencies that are working on the Internet of Things, and \nconnected cars are a part of that. Congress can play a great \nrole in bringing clarity on a path forward in filling gaps \nwhere they exist. So, for example, Representative Lieu spoke \nabout the SPY Act that's going through the House and trying to \nbring order to all of the work that's going on. We think that \nwould be quite valuable.\n    Ms. Kelly. Okay, thank you. And I yield back.\n    Mr. Hurd. Now, I'd like to recognize the gentleman from \nNorth Carolina, Mr. Walker, for 5 minutes.\n    Mr. Walker. Thank you, Mr. Chairman.\n    About 5 or 6 years in the early 1990s I worked in the \nautomobile industry on the retail side, and I can look back on \nthose 20 years and see how much paperwork on the dealer side \nwas required then to how much is required now. So the last \nthing that we want is more Federal regulations on these men and \nwomen who are working hard to provide jobs out in the industry.\n    So I do have a couple of questions, though, to make sure \nthat we are headed in the right direction for Mr. Beuse. What \nrole, if any, in the Internet of Cars can only be filled by the \nFederal Government? I'd like to hear your thoughts on that.\n    Mr. Beuse. So one of the things we're doing is really \ntrying to ensure kind of proactive steps from the get-go. It's \nbeen mentioned a couple times about security by design. We \nthink that's absolutely paramount. And one of the things we \nhave been doing all along is we saw this coming from very far \naway, that in order to see the vision of the future with \nautomated and connected vehicles we really had to start \nfocusing on that. 
And so we have been pushing and prodding as \nbest we can to get that happening.\n    Mr. Walker. Sure. In your opinion, do we really need an \nauto industry-specific regulator and auto industry-specific \nbest practices and standards here, or is the National Institute \nof Standards and Technology voluntarily cybersecurity framework \nsufficient enough or the right approach? Can you address that?\n    Mr. Beuse. Sure. It might be all of that, sir. It really \nmight be all of that. Right now what we have concentrated on is \na kind of a two-prong approach with that. First is actually \nworking directly with NIST to work with the auto industry on a \nset of best practices. But as a regulatory agency, we have to \nkeep in mind that that is our job, and if there's a need to set \na floor, we will do so.\n    Mr. Walker. Fair enough. Let me switch gears here but stay \nwith you, Mr. Beuse, for just another minute or 2.\n    Does the Federal Trade Commission currently have \njurisdiction under Section 5 to police the privacy policies of \nautomakers to the extent they collect customer personal \ninformation from these connected car devices?\n    Mr. Beuse. So that's probably a question more directly \ndirected at the FTC, but what I can tell you is that we have \nbeen working very closely with the FTC on privacy issues.\n    Mr. Walker. Okay. Does the Department of Transportation, or \nthe NHTSA, have particular expertise that would warrant having \nthem, rather than the FTC, to answer your response, oversee the \nprivacy policies related to the connected car devices?\n    Mr. Beuse. So we do have privacy experts. That is one \nof the things we will be addressing in our V2V rulemaking. And \nso we have expertise at the agency, in our Department.\n    Mr. Walker. Is there a certain timeframe that you're--is \nthis a date or conference or meeting that you will be \naddressing this? Is there a specific meeting for that?\n    Mr. Beuse. Sure. Sure. 
What we will be doing is in the \ncontext of our notice of proposed rulemaking on V2V \ncommunications we will have much discussion on the privacy \naspects of V2V.\n    Mr. Walker. Last question for you. And I've got--hopefully \nhave time for one more for someone else on the panel.\n    Most of the technologies that are in development are \nindependent of the DSRC and do not rely on the DSRC. What is \nthe NHTSA doing to enable further technology adoption and take \ncare not to hamper the innovation that we're seeing?\n    Mr. Beuse. We're using all the tools at our disposal, \nincluding consumer information, regulations where appropriate. \nIt really is an era that we can--when we see lifesaving \ntechnology, we really want to push to get it deployed as soon \nas possible.\n    Mr. Walker. All right. Let me slide over to Ms. Barnes for \njust a minute if I could please.\n    In your testimony you noted the sensitivity of consumer \ninformation collected by the connected vehicles. You did a \ngreat job sharing that. But just to review, can you describe \nwhat types of personal identification information might be \ncollected and what entities would be collecting it other than \nthe vehicle manufacturers?\n    Ms. Barnes. Thank you for your question. Some examples of \npersonally identifiable information that can be collected is \nlocation information, which can reveal an individual's pattern, \nher habits. There's also the collection of biometric \ninformation, also the collection of credit card information \nwith certain telematics placed inside of the car. Individuals \ncan within their car speak into their system for a text \nmessage, so that's audio and that's also text messages.\n    And looking at the privacy policies of certain auto \nmanufacturers, it's almost an endless amount of outside \nentities. Oftentimes car manufacturers do not specify the \nvarious third-party entities to which they give information to. 
\nWe know in certain contexts it's marketers. We know that there \nis an increased market for insurance companies to gain \nadditional access. And without sufficient legal requirements, \nlaw enforcement could also gain access to this sensitive \ninformation.\n    Mr. Walker. All right, thank you. That was very well \narticulated.\n    I have got a few seconds left, but just maybe get a quick \nanswer from our manufacture guys. Regarding connected vehicles, \nin what countries are we seeing the most innovation on this \nright now? Are you able to address that and just maybe just go \ndown the line in 8, 9 seconds? And with that, I'll yield back \nthen.\n    Mr. Lightsey. I think this is certainly a very globally \ncompetitive part of our industry. I think right now the United \nStates, it leads in terms of deployment of advanced \ntechnologies. But I think this is rapidly changing, and I think \nthe proper policies need to be in place to assure that this \ninnovation continues in the United States.\n    Mr. Lobenstein. Thank you.\n    I agree. I think we are moving very quickly in the United \nStates to adopt these types of technologies, although in \ncountries like Japan technologies, for instance DSRC, V2V, and \nV2I, have already been put in place.\n    Mr. O'Connell. I won't refer to our unique regional hubris, \nbut I think that the most advanced efforts are taking place in \nthe U.S. right now and I would like to see us continue to be on \nthe leading edge of this.\n    Mr. Walker. Thank you. I yield back.\n    Mr. Hurd. Mr. DeSaulnier, you are recognized for 5 minutes.\n    Mr. DeSaulnier. Thank you, Mr. Chairman. I want to thank \nthe chairmen and the ranking members for this hearing.\n    Mr. O'Connell, you can go on and talk about the hubris of \nthe Bay Area as long as you want to. I'm representing that area \nof the country.\n    First of all, Mr. 
Chairman, I request that a statement from \nthe Center of Democracy and Technology be entered into the \nrecord.\n    Mr. Hurd. Without objection.\n    Mr. DeSaulnier. And then maybe to Toyota and General \nMotors. The whole issue of independent researchers, Mr. \nO'Connell has talked to Tesla's advocacy for such comments, a \ncolleague talked about other technology companies doing that. \nCould you tell me if Toyota and General Motors has the same \nfeeling that they will allow for independent researchers to \nhelp them to make sure that their software is working properly? \nAnd I say this somewhat in the context of what's happened in \nthe industry vis-a-vis Volkswagen. So maybe you could respond to \nwhether you agree with Mr. O'Connell and Tesla's approach or \nwhether you have a different one.\n    Mr. Lightsey. Yes. So we generally agree with this \napproach. We have specific relationships with certain groups of \nsecurity researchers and academics. As I said, they perform \nvaluable services for us in terms of testing the vehicle \nsoftware and the systems on the vehicle to help us design, make \nthem better in design, so that hacking them is more difficult.\n    We also publicly disclose that we're looking very hard at a \nsecurity vulnerability program. Whether or not it's exactly \nlike the one that Tesla described will be determined. But we \nshould be rolling that out very quickly. And we want to know, \nif our software has vulnerabilities, we want to know that both \nfrom folks within the company and outside the company.\n    Mr. DeSaulnier. Mr. Lobenstein.\n    Mr. Lobenstein. We at Toyota also welcome information from \nso-called white hat hackers. We have regular communications \nwith them. We have relationships with them. We also attend some \nof the same conferences that they do. 
And we also do employ \nthird-party cybersecurity testing on some of our systems to \nensure that we have got all the most up-to-date information and \nwe are patching any vulnerabilities that we might find.\n    Mr. DeSaulnier. Okay. Switching subjects to privacy. So the \nprivacy principles are exciting to look at. But given Ms. \nBarnes' concerns, and I will say my concerns, in the California \nlegislature we had very spirited debates about providing for an \nopt-out for any third-party data, and the industry lobbied \nheavily against it. It didn't get out of its first Policy \nCommittee.\n    So in that context, I think with the language that you have \nin the privacy agreements that you have come up with and the \nvalue you place on consumer confidence and what you are using \nand the concerns that have been expressed here today as well, \ncan you provide a comprehensive list of all the data currently \ntracked and stored in your vehicles, Mr. Lightsey? Can you \nprovide that information and can you provide it to the \ncommittee, borrowing on the chairman's earlier comments of \nwithin a couple weeks?\n    Mr. Lightsey. Sure. Definitely.\n    Mr. Lightsey. Our customer relationship is certainly the \nmost valuable thing that we have in our company, and we respect \nthe privacy of our customers, and we want to protect their \ninformation. I will say that before we disclose any information \nto any third party we get a specific affirmative consent from \nour customer to do so.\n    Mr. DeSaulnier. Mr. Lobenstein.\n    Mr. Lobenstein. We also follow a similar process. We want \nto be very transparent with our consumers on the data that \nwe're collecting and how we are using it. In four instances \nwhere location-based services are used, we ask for the \naffirmative consent of our consumers because those services \nsometimes provide lifesaving services like crash notification.\n    Mr. DeSaulnier. I appreciate that.\n    Mr. O'Connell.\n    Mr. O'Connell. Yeah. 
So several levels of protection \ninvolved at Tesla. First of all is the opt out. I mean, people \nhave the option to not share any of their data with us. When we \ndo share, when there is bidirectional flow of data, we \nanonymize that data and we aggregate it such that not only can \nyou not identify the user, but you can't even identify the \nvehicle. So that's our philosophy.\n    But the intent of, as I'll remind, the intent of all of \nthis is to increase principally the safety of our vehicles, and \nthen secondarily, but of great concern, the utility of our \nvehicle to our customers and drivers.\n    Mr. DeSaulnier. I appreciate that. And hopefully we will \nhit all of them.\n    Mr. Garfield, maybe you could just comment on the \nindustry's privacy standards in your view that related to other \ntech privacy protections.\n    Mr. Garfield. In general, the privacy norms in the United \nStates and actually globally are driven by the FIPS standards, \nwhich also is at the heart of the FTC regulation in this area, \nwhich over time has become more expansive, not just to deal \nwith expectations that are explicitly articulated but those \nthat are normative.\n    Mr. DeSaulnier. Thank you, Mr. Garfield.\n    Mr. Chairman, I yield back.\n    Mr. Hurd. Thank you, sir.\n    And I'd like to recognize myself for 5 minutes.\n    Mr. Beuse, can you take 30 seconds and tell me, just to \nmake sure I'm clear, what DSRC is?\n    Mr. Beuse. Dedicated short-range radio communications.\n    Mr. Hurd. And how is it going to be used?\n    Mr. Beuse. To send basic safety messages between devices.\n    Mr. Hurd. And this is being developed by the Department of \nTransportation?\n    Mr. Beuse. In conjunction with a whole host of alphabet \nsoup.\n    Mr. Hurd. Agencies, Federal agencies.\n    Mr. Beuse. Federal agencies, suppliers, manufacturers, \ncompanies.\n    Mr. Hurd. So here is my concern about that. 
DOD and VA \nspent over half a billion dollars trying to get two electronic \nhealth records to work together. And after 4 years, they said: \nUh, this is really hard, we are going to have to go separate \nareas.\n    And now we are talking about being in an industry where you \nhave so much private sector investment that are figuring this \nout, why are we even thinking about the Federal Government \ngetting involved in doing this when that standard hasn't \ndeveloped out of the private sector? The private sector is \ngoing to be a little bit better equipped to develop this type \nof technology and the thing is probably going to work a little \nbit better.\n    I don't know. Mr. Garfield, do you have some opinions on \nthis?\n    Mr. Garfield. We do.\n    Mr. Hurd. I'd like to hear them.\n    Mr. Garfield. Our view is, and I shared it implicitly in my \ntestimony, is that there are complementary technologies that \nare being developed, including advanced LTE and 5G, that we \ncan't tell which is going to prove most effective. And so we \nthink having the ability for all of those, including DSRC to \nadvance, but without a thumb on the scale, including the thumb \non the scale of the Department of Transportation.\n    Mr. Hurd. Yeah. And, Mr. Beuse, why do we think that the \nDepartment of Transportation should be doing this and why this \nis going to be helpful in the concept of interconnected cars? \nAnd I also appreciate you talking about the safety concerns \nrelated with interconnected cars.\n    Mr. Beuse. So maybe just to clarify, I think there's a \nmisconception about what we are doing at the proposal level, \nright? So we are writing a proposal to ensure interoperability, \nsecurity, and everything else that is needed to support \ncommunications between vehicles. If at some point in the future \nor even in response to the proposal data comes in that shows \nthere is an alternative technology that can meet the safety \npotential, then----\n    Mr. Hurd. 
Do we not think that that's already there? I \nthink Toyota is doing it. I think Tesla is doing it. I think GM \nhas even tinkered with this. I think it's--the cat's out of the \nbag.\n    Mr. Beuse. In response to the ANPRM, none of those comments \ncame in. There was not one person that responded back saying \nthat this technology shouldn't be mandated, it's not the right \ntechnology.\n    But again, I think we are writing that rulemaking with an \nopen mind, and it's just a proposal, and so the idea is we'll \nget comments and we'll evaluate where we are. I think the whole \nnotion of going this step is really to take it out of the \nresearch where it's been for so long and really shine a light \non it so we can----\n    Mr. Hurd. Absolutely, because I had dear friends in a \nrecent car accident and there was a fatality, and the car that \ncame and hit them, first eyewitnesses said that the car never--\nthere was no braking involved. And the technology, advanced \nemergency braking, that Tesla is developing--I think other \nmanufacturers are--I want to see this as quickly as possible.\n    And, Mr. O'Connell, my question to you is, you know, is \nthere any barriers that are preventing you all from moving even \nfaster on deploying this technology?\n    Mr. O'Connell. No. I think it's human will and open \ncommunications both, you know, between the parties here at the \ntable and with government bodies, so that, you know, confidence \nis obtained all around. Use the convening power of our separate \nagencies and share information. That's what's going to solve \nthis problem.\n    Mr. Hurd. Yeah, because if we can protect more citizens \nfrom crashes, you know, this is going to be a great thing for \nall of us.\n    Mr. 
Lobenstein, my question to you, and this is from you \nhaving your hat as the new chair of the Auto-ISAC, have you \nbeen given any information, any intelligence, been briefed on \nanything of known attackers targeting specifically vehicles, \ntypes of vehicles? Is Russian organized crime creating, you \nknow, focused on getting access into vehicles? Have you seen \nthat kind of information?\n    Mr. Lobenstein. I apologize, Mr. Chairman. I'm not actively \ninvolved in the Auto-ISAC myself, so I don't have that \ninformation. I can get that for you.\n    Mr. Hurd. Ms. Barnes, are you familiar of anything like \nthat where there is briefing on known attackers, Russian \norganized crime, Chinese state sponsors, that are looking at \ngetting access to vehicle information?\n    Ms. Barnes. At this moment, no. I'm sorry. I'm not aware.\n    Mr. Hurd. Because again, one of my concerns is that, you \nknow, I did this for a living. We did this on trains. We did \nthis on subways, and, you know, looking at how can you take \nadvantage of it. We've got to know what the threat is, and this \nis why I think this creation of the Auto-ISAC is important.\n    And if you're not getting the kind of information sharing--\nbecause the Federal Government should be sharing as much \ninformation as it possibly can with the private sector, for the \nprivate sector to protect themselves, and to protect \nconsumers--and if you're not getting that, let me know.\n    And my last point is, the Office of Personnel Management \nhad difficulty protecting the records of 23 million people. And \nthey had the audacity to not even say ``my bad'' when they sent \nout the letters to the people that did receive the letter that \nthey were compromised. By the way, I was one of them. And at \nleast when some of these issues have been--arise within the \nauto industry, that I got a letter pretty quickly talking about \nhow you fix it, how you do it. 
And there was a responsiveness \nthat I wish the Federal Government had.\n    And so I think it's--I'm always concerned when we put too \nmuch faith in Federal agencies to protect our information. And \nit's cooperation. It seems like it is, Mr. Beuse. I appreciate \nthat. But this is where we need to work together and we need to \nmake sure that innovation and entrepreneurship is allowed to \ngrow.\n    With that, I'd like to----\n    Mr. Garfield. Actually, if I can make a quick plug for data \nbreach----\n    Mr. Hurd. You got a couple seconds.\n    Mr. Garfield. --data breach legislation, which has been \npending for quite some time, almost a decade, is long overdue, \nand could be helpful here as well.\n    Mr. Hurd. I would like to recognize my colleague from \nVirginia, Mr. Connolly, for 5 minutes.\n    Mr. Connolly. Thank you, Mr. Chairman, and welcome to the \npanel.\n    Maybe, Mr. Garfield, I'll start with you. Can you tell us \nthe difference between autonomous and assisted vehicles?\n    Mr. Garfield. In common nomenclature the idea is that an \nautonomous vehicle doesn't necessarily rely on vehicle-to-\nvehicle or vehicle-to-infrastructure communication, so it is \ntruly not connected to another car or to communication from \ninfrastructure.\n    Mr. Connolly. Or to a driver?\n    Mr. Garfield. Or to a driver, correct.\n    Mr. Connolly. And assisted would be?\n    Mr. Garfield. It's assisted by some network communication, \neither with the infrastructure or with another----\n    Mr. Connolly. But also might be driverless in that sense?\n    Mr. Garfield. Correct.\n    Mr. Connolly. Okay.\n    Maybe we can start with you, Mr. Lightsey. You know, I \nrepresent northern Virginia here in the Nation's Capital. 
The \nnational capital region as measured by A&M's Urban Mobility \nScorecard now has the Nation's worst congestion as measured by \nthese metrics: 82 hours stuck in traffic every year on average; \n35 gallons of gas wasted idling every year; and at least $1,800 \nin lost time every year.\n    How could these technologies assist a region like this with \narguably the worst congestion as measured by those metrics?\n    Mr. Lightsey. Yes, thank you.\n    So first of all, let me backtrack a little bit to Chairman \nHurd's questions about DSRC and just let me say on behalf of \nthe industry and on behalf of GM, private industry has also \ninvested a substantial amount of money, equal to or greater \nthan the amount of money that the government has invested in \nthis technology. And we very much view this as complementary to \nthe onboard sensor technologies that are also being used with \nmany of these safety systems.\n    So DSRC has the advantages, as Mr. Beuse referenced in his \nintroduction, it has the advantage today of being the only \ntechnology we know of that meets all of the latency \nrequirements to actually be able to have these vehicles talk to \neach other in time to prevent a collision or crash from \nhappening, and works in bad weather with obstructed vision, \nwithout obstructed vision, and those are the advantages that we \nsee to DSRC.\n    But I think if you take together all of these collisions, \nall of these technologies, you know, any time that we can \nprevent a crash from happening, we get the attendant benefits \nof all of the congestion that happens when you have a crash.\n    Mr. Connolly. I concede that, but that's really not my \nquestion. I think we have covered safety and I completely \nconcede that. And for some people their intuitive reaction when \nyou talk about driverless cars, I'm going to put it that way, \nis well, I'm not in control, what if something happens, what if \nit goes awry? 
And I think, well, 94 percent of current \nfatalities are due to human error. Surely we can do better than \nthat and we can reduce, I think, significantly.\n    Mr. Garfield. And you are seeing better already with \nadvanced driver-assisted systems.\n    Mr. Connolly. Yes.\n    Mr. Garfield. So it will only get better and better.\n    Mr. Connolly. But how can it work in helping to alleviate \nand better manage congestion in areas like ours? I guess that \nwas kind of what I was getting at.\n    Mr. Lightsey. Right. So if you take the whole system, \ncertainly as we bring the infrastructure into play and traffic \nsignals become more aware of what cars are flowing in what \ndirection, they can time themselves to optimize the traffic \nflow. Autonomous vehicles, as being better controlled than by a \nhuman operator, will be able to follow each other a little bit \nmore closely in a safe manner and, therefore, make more \nefficient use of the roadways that we already have instead of \nus having to continually add new lanes to our highway system. \nThose are the kinds of things that we are talking about.\n    Mr. Connolly. Well, I want to give Mr. Lobenstein and Mr. \nO'Connell from the manufacturing point of view an opportunity \nto comment as well. But I have got to observe, and this is the \nNation's Capital, we are not that good at deploying technology \ncurrently. I mean, in terms of traffic management, not much. \nAnd I have been involved in local government for a long time. \nWe tried to get it, you know, deployed. I think, Mr. \nLobenstein, you mentioned Japan. Japan is light years ahead of \nus in the deployment of technology for managing traffic \ncontrol. But why don't you two comment.\n    Mr. Lobenstein. They do have V2V and V2I technology \ndeployed already for improving traffic flow. 
And I think if we \nlook at the technology, traffic information was provided one \nway to vehicles years ago, and now the vehicles understand and \ncan communicate back their flow and we know real-time when \nthere is traffic and where there is traffic. And I think \nexpanding the communication, whether it is V2V or V2I, allows \nus to then improve routing, which improves safety, it has \nimprovements in productivity for individuals as well as \nbusiness, when you think about delivering goods and services, \nand it has the capability to improve emissions as well.\n    Mr. Connolly. Mr. O'Connell.\n    Mr. O'Connell. On topic but slightly tangentially, there is \na great YouTube video that shows 20 cars put on a racetrack \nwith individual drivers all given a green light to start moving \nat a certain time at a certain speed, and something within like \ntwo or three laps they are all congested. So human systems are \nnot great, as you note.\n    Infrastructure is also hard. My comments are most salient \nwithin the context of Tesla. We are already fielding driver \nassistance technology, what we refer to as autopilot, which \nrelieves the driver of certain control responsibilities at \ncertain times and within responsible contexts. So presumes that \nthe driver is there, presumes that their hands are on the \nwheel, but in certain speed environments, low-speed \nenvironments, such as congestion, a vehicle can modulate its \nown position within traffic and keep traffic flowing.\n    I mean, it's tempting to think that this sort of technology \ncould be implemented rapidly across a fleet. It's too bad the \nconnectivity doesn't exist across the fleet so that we can't \nrapidly uptake systems. But I think you are going to see it \nimplemented more and more quickly over time.\n    Mr. Connolly. And if I could just observe at the end here, \nMr. Chairman, I think what's hopeful is how rapidly we already \nare adjusting to technologies that assist us in this effort. 
\nSo, you know, on our own, we are getting on this and finding \nout what's a better route because of congestion. I can even \nlook at reports coming in for what's causing the congestion and \nthen I can make a judgment as to whether I want to go or not. \nGPS has revolutionized. I have to explain to my young staff \nwhat a map was. We've become hooked on this already, and it is \nan efficiency. So I'm confident that actually as we really \nadvance technology, I think we are going to adjust.\n    Thank you so much for being here.\n    And thank you Mr. Chairman.\n    Mr. Mica. [Presiding.] Thank you, Mr. Connolly.\n    I recognize the chairman of the full committee, the \ngentleman from Utah, Mr. Chaffetz.\n    Mr. Chaffetz. Thank you.\n    And thank you all for being here.\n    This is one of the most exciting parts of our economy. This \nis somewhere we can lead the world. It's something that's going \nto create real jobs and have a real impact, I think, on \npeople's lives as long as the Federal Government doesn't come \nin and screw it up--which we have prone to do in the Federal \nGovernment.\n    One of the raging discussions and topics that we are going \nto have in this Nation, particularly in light of the horrific \nterrorist acts in Europe and what we have experienced here in \nour own homeland, is a further discussion about encryption. \nBecause I think one of the big questions before our Nation is \nhow much privacy, how much security are we going to give--how \nmuch privacy are we going to give up in the name of security?\n    And it's a difficult question when you see friends and \nloved ones and people on television being killed. It's a very \ndifficult thing. But on the other hand, I also want my wife, my \nkids, myself, my friends, my neighbors to be as safe and \nprotected from would-be people who want to cause them harm and \ntap into information.\n    So maybe if I could start with Mr. Garfield here. 
If you \ncould address the whole encryption issue, how does it really \nwork? Because you really can't create a key just for the good \nguys, just for law enforcement, right? It's either encrypted \nand secure or it's not. Give me your perspective on that, \nparticularly in light of what this country is dealing with \nright now.\n    Mr. Garfield. Thanks for the question, Mr. Chairman. I \nwould start by saying that the people that I work with are \npatriots and so are as sickened by what they saw in Paris as \neveryone else in this room.\n    The context in which we are having this conversation \nactually speaks to the issue, because when we're talking about \nsecurity and safety encryption is an important tool for \nenabling that. And so the conversation is not either-or, it's \nhow do we advance security with encryption as a tool, while \nalso making sure that national security is protected?\n    And I think there are ways to do that. I think a folly is \nto think that creating backdoors or making keys available to \njust some people is that solution, because ultimately, if you \ncreate vulnerabilities, they'll be widely exploited.\n    Mr. Chaffetz. Yeah, but can't you just give it to the guy \nat the genius bar and your wife and just call it a day? Explain \nto the person who is not as familiar with this how this works \nor doesn't work.\n    Mr. Garfield. Well, the challenge with just giving it to \nthe person at the genius bar is the same challenge that we're \ntalking about with 90 percent of traffic accidents are caused \nby human error. And so you're entrusting one person who may be \nvulnerable to being compromised with the security for everyone. \nAnd so that is the problem with empowering the guy or the gal \nat the genius bar, is you're creating a vulnerability that \ncould then be widely exploited.\n    Mr. Chaffetz. Anybody else want to address this? Anyone \nelse on the panel here?\n    Mr. O'Connell. Probably not.\n    Mr. Chaffetz. 
Do you want to have it be encrypted?\n    Mr. O'Connell. I'll, at some risk to myself, maybe I'll do \nthat. You know, I think it's an issue of philosophy, right? I \nmean, as Mr. Garfield said, none of us--implied--none of us has \na unique repository of knowledge or capability.\n    I think open systems are ultimately the best systems to \ninnovate and to protect. It's a dynamic process. But it's one \nwhere, I guess, you vest hope either in the inherent goodness \nof man or the inherent badness of man, and I prefer to vote for \nthe former. I think that it's the minority that are malignant, \nand that in a truly open system, where innovation is encouraged \nand rewarded, where there's sufficient penalties for malignant \nbehavior, you're going to see a net positive benefit over the \ncourse of time.\n    Mr. Chaffetz. Well, thank you.\n    And I think as members on this panel and in the Nation \ngrapple with this, I think that the 99 percent of our \npopulation that does deal with things in a safe and secure way, \nthey are good, honest, decent people. I think the bigger \nobligation is to protect them as best we can. And certainly \nthere can be carveouts for law enforcement needs. If you have a \nprobable cause, articulable suspicion, you have a terrorist \ntype of activity going on, of course there are things, whether \nit be geolocation or other types of things, that they should be \nable to tap into.\n    But if you're a suspicionless American, if you're somebody \nwho is leading a good, decent, honest life, I think you have an \nexpectation of privacy in this Nation. And that will certainly \ncome into play not only with cars, but the Internet of Things. \nAnd everything that's going to be connected, I think this is \ngoing to be one of our big questions we're all going to have to \ngrapple with.\n    Mr. Garfield. If I can add one more thing.\n    Mr. Chaffetz. Sure.\n    Mr. Garfield. 
I think how we approach these issues have to \nbe grounded in something, and I think what they need to be \ngrounded in is our values. And part of our values here in the \nUnited States is that we act consistent with laws, right? There \nare certainly legal frameworks for gaining access to that \ninformation, and we will work with law enforcement to ensure \nthat our national security is protected while at the same time \nthere's a fundamental belief that people's rights will be \nprotected as well. And we figured out how to strike that \nbalance and we'll continue to do so, and that's partly why \nwe're viewed in the way that we are around the world.\n    Ms. Barnes. And if I may just briefly add onto that if I \ncould have a moment. Another way in which to ensure both the \nprivacy and security is we're hearing a lot about privacy in \ndesign, which is building privacy into the cars. But more \nprivacy protective would actually be privacy-enhancing \ntechniques which would minimize or eliminate the need to \ncollect personally identifiable information, so that when there \nis a report of a malicious hack, those who need information \nregarding the hacker only getting the absolute necessary \ninformation about the hack, removing the personally \nidentifiable information. It's not important where the driver \nwas going or what she was speaking out inside of the car, but \ninstead that a system has been compromised.\n    Mr. Chaffetz. Well, thank you.\n    And as I yield back, I do hope members are able to look at \nthe geolocation legislation, the GPS Act that we have here, \nthat you would need a warrant, or articulable suspicion \ncertainly, but a warrant to actually track somebody's \ngeolocation, because I do think that is the content of their \nlife.\n    So I appreciate the time. I yield back.\n    Mr. Mica. Thank you, Mr. Chairman.\n    Other members have questions?\n    Mr. Farenthold.\n    Mr. Farenthold. 
Thank you very much.\n    I'd like to take up a little bit on where Chairman Chaffetz \nleft off.\n    Ms. Barnes, earlier the automakers testified that they are \nvery careful with the information they collect and they don't \nshare it. Reading your written testimony, I'm not sure that you \nwould agree with that.\n    And, you know, there's a lot of information that's tracked. \nI haven't turned off geolocation on my phone. So this is my \nVeterans Day map. On a map it shows everywhere I was. I can \nslide over. It tells me I got into the Houston airport and were \nthere for 32 minutes at 4 in the morning. I had breakfast in \nRefugio. I went home and took a shower. I went to Robstown, \nTexas. I went to the USS Lexington. I went to Brewster Street \nto welcome some bicycle riders. I then went to Applebee's to \ngreet some veterans. I went to the Veterans High School.\n    It knows everywhere I was, how long I was down there, and \nhas deduced where I live and where I work without me having \ntold it a thing. This is turned on by default in almost every \nperson's phone. I would imagine that cars collect the same \ninformation. And unless I'm aggressive about turning it off or \ntelling them I don't want it shared with marketing partners, \nI'm going to have something pop up, say, ``You're near a \nWhataburger. Why don't you stop for a burger and fries?''\n    So, I mean, there's a lot of information that's out there. \nDo you want to comment on that and maybe we need a better opt \nout on this?\n    Ms. Barnes. So I always advocate for stopping at \nWhataburger.\n    But opt out routinely fails consumers. This idea that \nthere's such an information asymmetry that the auto \nmanufacturers, as well as their third-party services who are \ncontracting with them, can gobble up all of the information and \nthe consumer is simply unaware.\n    And when we are looking at the privacy pledge, it also--the \nconsumer doesn't have any type of choice. 
But choice is simply \nnot enough for the consumer. That's why we need some type of \nstandard where a consumer will have guaranteed privacy \nprotections.\n    The onus should not be on the consumer to turn off her \nlocation information at every single subset. And when you look \nin the Car SPY Act, there's a provision that would allow an \nindividual to turn off data collection should she choose, but \nstill retain the functionality.\n    Mr. Farenthold. So how easy is it? Okay, we can talk about \nhackers, but let's talk about the government. How easy, right \nnow under current law, is it for the government to contact \nGoogle or contact Tesla, Toyota, GM, and say, ``I want the \ninformation for XYZ person?'' And do they need a warrant, or is \nit just, I mean, is it a letter? What do they need?\n    Ms. Barnes. So in certain contexts it would depend exactly \nabout what type of personal data it is. Some of the information \nmay be protected under ECPA and other statutory provisions. But \nin the absence of full-on protection for all of the types of \ninformation that is collected, not only by auto manufacturers, \nbut as well as their third-party services, that's why there \nneeds to be----\n    Mr. Farenthold. They could potentially be subpoenaed by \nprivate parties as well.\n    Ms. Barnes. Easily, yes, sir. Insurance companies, \nmarketers, those are some of the provisions to prevent \nmarketers to get it as well.\n    Mr. Farenthold. So do any of the auto manufacturers have an \nidea how many of these they get a year, requests for \ninformation from the government, be it a subpoena or a Federal \nagency?\n    Mr. Lobenstein, you look like you have an answer.\n    Mr. Lobenstein. So I'm not aware of the number of requests \nwe get, but we have had a longstanding policy that any time we \ndo get requests for that type of information we require either \na court order or a warrant before that information's released.\n    Mr. Farenthold. Mr. Lightsey?\n    Mr. 
Lightsey. We have that same policy. We will not give \naway any of our customers' private information unless there's a \ndue process of law.\n    Mr. Farenthold. All right. Thank you very much.\n    And let me ask, I've got another minute or so here, we talk \nabout encryption and all the technology that's in the cars, in \nthe computers, but we look at--we also have created a system \nwhere we're now making it difficult for us to repair our own \ncars, to modify our own cars. We've basically killed the \nindustry of being able to go out and buy another radio for our \ncar because it's all integrated in the GPS system and the auto \ncontrol systems.\n    There was recently a case with a John Deere tractor where \nthey wouldn't let him fix it, saying the copyright on the \nsecurity and the anticircumvention provisions of the Digital \nMillennium Copyright Act made it illegal for them to fix it \nwithout going to a John Deere dealer.\n    I'm afraid we're going to see this in the car and we see \nthe death of the corner garage or we see the death of your \nability to do any sort of modifications to your car, you know, \nwhether it's with bigger tires to jack up your pickup truck or \ndo things to enhance performance.\n    Mr. Garfield. Actually, the example you gave is a great \nexample of regulatory processes working. And so every 3 years \nthe copyright office has to evaluate the DMCA to ensure that \ngood faith research is able to be advanced. And recently the \ncopyright office said that as a part of doing good faith \nresearch you can do so on a car, right, and get beyond the \nencryption systems. And so it's a great example of an agile \nsystem working effectively.\n    Mr. Farenthold. My concern, of course, is you never really \nown your vehicle because there's so much software involved you \nactually may just be licensing the software to, you know, \noperate something that would become a brick if you tried to \nmodify it or transfer it or do something else. 
But that's \nsomething----\n    Mr. Garfield. Not to be overly contentious, but we can't \nhave it all ways, right? So we can't say we want connected cars \nmoving down the highway and be secure and safe while at the \nsame time saying we want everyone to be able to get into that \nand be able to stop it while it's moving.\n    Mr. Farenthold. I think Mr. O'Connell is saying we want \nopen source software where we can actually see what's being in \nand have control over your own vehicle. I mean, where's the \nline there?\n    Mr. O'Connell. To be clear, I didn't necessarily advocate \nfor open source software, but I do advocate for an open system \nof improving software. So that's an important differentiator.\n    And I would add, though, that, to the point of your last \ncomment, there are models out there which posit that people \ndon't even want to own their car anymore. So this may be--the \nspecific problem you reference may no longer be a problem, \nwhich opens up the possibility that there are others, but you \nfor reference.\n    Mr. Farenthold. All right. Well, I appreciate you all's \ncomment on that, and yield back.\n    Mr. Mica. Well, thank you.\n    Any other questions at this time?\n    Just I guess in closing, well, I'm sitting here thinking my \nwife is a pretty smart lady, and she does all of the computer \nwork at the house and paying bills and everything. And on a \nSunday afternoon she's on the computer and she gets a call from \nMicrosoft service center, and they ask for some information and \nshe reluctantly kind of gave it to them. The next thing I know \nis her computer is locked, and it's an extortion attempt.\n    And I got on the phone. I found out they were Pakistanis. \nI'm a Member of Congress, so I contacted--we have a whole \ncommunications network. We have the Capitol Police. We have \naccess to the FBI and folks you don't even want to know. And \nthey basically told me: You're screwed. And it was extortion. 
I \nmean, I could see extortion to can't start your car, someone \nhas hacked it. So, I mean, this just happened with our little \nhome computer.\n    It was interesting, though, we bought some new software and \nit was at a location not our principal residence, so we didn't \nhave a lot on there. But after we bought that, then she found \nout from the software company that they keep another lock \nbehind--protection behind that and can--and actually can \nrelease the system. But they get you to think we have \nincredible capability.\n    I was in a General Motors car. I love the--you had it \ndisplayed here--the teenager device. I just told the Gonzaga \nHigh School, I spoke there just--I think it was yesterday. I \ntold all those teenagers what's coming. And they were aghast, \nyou know.\n    But the things you can do are unbelievable. And I told the \nclass, too, I said: Your biggest--you know, whoever was paying \nattention to Paris and the terrorist threat--but those kids get \nin a car and that is the biggest cause of death for our \nteenagers. We've gotten deaths down from 43,000 to 33,000. But \na huge percentage of those are kids. And the device I saw in \nthe General Motors car was pretty astounding, how you can \ncontrol that.\n    But, again, I guess a question more than the comment is, \nthe private sector's come up with some incredible innovations. \nYou're setting standards and trying to protect the owner and \nthe consumer. You've got a good association coming together \ntrying to bring folks together. I'm anxious to see your report, \nI guess you cited, Mr. Garfield, that was just turned over. The \nrole and scope of government in all this, like the chairman \nsaid, we usually overlegislate and then the government usually \noverregulates. So trying to get it right, you want to also \nprotect rights, which Ms. 
Barnes has said.\n    And I hammered on DOT because it's now 3 years ago I said \nlet's see where we're going with this and tried to set a \nschedule, which hasn't been adhered to. So a bit of frustration \nin that. It is complicated. They need to work with you. It \nsounds like for the most part they are. We don't want them to \ncome out with standards or requirements or technology mandates \nthat are obsolete or by the time we enact them sometimes \nthey've an overreach. So that's a challenge we face.\n    Maybe in closing any quick guidance on how to proceed? Mr. \nLightsey, I want to hear from the private sector. I know we're \ngoing down a certain path, but what do you think, again, the \nproper role of government?\n    The standards, I've worked with NHTSA. And I just told Ms. \nDuckworth I tried to get a biometric standard after 9/11. That \nwas three times I put in law a biometric standard for iris. And \nI think we may be there, it's 12 years later. Hauled them in, \ntried to get them, they're very difficult to nail down. And \nwith changing technology, you've got sort of it's like trying \nto change the wheels on a vehicle that's moving down the \nhighway at 75 miles an hour.\n    But tell me how you would like to see this unfold, Mr. \nLightsey, Mr. Lobenstein, and Mr. O'Connell, the three guys who \nare representing the companies that actually produce vehicles. \nGo ahead.\n    Mr. Lightsey. Yes. So thank you, Mr. Chairman. And with all \ndue respect, our industry can't afford to wait for government \nand we're not doing that. We're investing a substantial amount \nof resources and energy into innovating with our products and \nservices to make our products safer and to make them more \nenjoyable by our customers who are----\n    Mr. Mica. Now, once again I have to nail you down. What's \nthe proper role of government regulation, law? Where do we go?\n    Mr. Lightsey. Well, as I was saying, Mr. 
Chairman, I think \nour industry has shown time and again that we can and do work \nwell together for our customers. And I think that the industry \nneeds the freedom to innovate and to do that work.\n    Mr. Mica. And who in government would you put? Should we \nleave it with NHTSA or DOT or where? How should it be \nstructured, responsibility from the Federal level?\n    Mr. Lightsey. From the Federal level, we work well with \nNHTSA, we have a good relationship with them, and we've proven \nthat we can do that. I think that in this space obviously the \nFederal Trade Commission is active in this space, and we've \nbegun to work with them as well, and we will work with whatever \nagencies that Congress in its wisdom decides are the ones that \nneed to be involved in this.\n    Mr. Garfield. If I could interject----\n    Mr. Mica. Well, after I hear from Lobenstein and O'Connell. \nI didn't really get a real handle on--we haven't even talked \nthe FTC. God, no.\n    Let me hear your take, Mr. Lobenstein.\n    Mr. Lobenstein. Thank you, Mr. Chairman. I think, first of \nall, we appreciate the work that has taken place between the \nauto industry and NHTSA so far on DSRC. That's been a 15-year-\nlong road to get to where we are today, and we think we have a \ngood technology that's ready to go. And once we get this \nspectrum issue closed, I think we can move forward with that \nsafety-of-life mission that DSRC promises us.\n    In terms of cybersecurity, you know, we've looked at the \nNIST framework, and we think that NIST is a good agency for us \nto partner with and as an industry to create the same types of \nbest practices and self-guiding principles that we've already \ndone in terms of privacy and security.\n    Mr. Mica. NHTSA at one level, NIST at another level?\n    Mr. Lobenstein. Yes, sir.\n    Mr. Mica. Okay. Mr. O'Connell.\n    Mr. O'Connell. Mr. 
Chairman, a couple issues of principle \nand then a direct answer to your question.\n    You know, it's all about incentives. At Tesla no one could \nbe more interested in our own survival, especially as a small \nyoung company, than we are. So putting the right incentives in \nplace is key.\n    I think that whatever we do and whatever agency it resides \nin, we need to foster innovation, number one, and then sharing. \nSo putting the proper incentives in place to innovate and to \nshare.\n    I think an instructive case of how this proceeded was \nadvanced emergency braking, where rather than resisting an \nimpulse to regulate, NHTSA and other agencies fostered the sort \nof development of the technology and then encouraged the \ndeployment of that technology and did so, as far as I know, \nwithout the benefit of any sort of regulatory norms.\n    The hazard with standards is that of course in a long \nprocess you move toward lowest-common-denominator behavior, and \nso that's to be encouraged in some cases, but not--I mean, the \nstandard-setting process--but not wholly appropriate in \ninnovative arenas like this.\n    As to the agencies, I don't have any particular point of \nview, I'm afraid to say.\n    Mr. Mica. Okay.\n    Mr. Garfield.\n    Mr. Garfield. The only thing I would add is that one of the \nreal challenges here is that these are cross-cutting issues \nthat impact and implicate multiple agencies. And one way that \nCongress could certainly help is bringing order to that by \nmaking sure that there is greater coordination among all the \nagencies.\n    So it's not to suggest NHTSA be cut out and the Department \nof Commerce be brought in. It's really Congress can play a \ncritical role in making sure the FTC, the FCC, NHTSA, and NIST \nat the Department of Commerce are actually coordinating and \nworking with each other to achieve the things that we all have \nin mind.\n    Mr. Mica. Well, again--you did a very good job, Ms. 
Barnes, \ngiving us your agenda recommendations. Thank you--on the \nprivacy side--but thank you for participating.\n    I look forward hearing back, seeing some of your plans, \nsir.\n    What I'd like to do is we'll leave the record open, without \nobjection, for 10 days. We may have additional questions, there \nare quite a few here that we didn't even get to, to submit to \nthe witnesses. They'll be made part of the record.\n    So without objection, that's so ordered.\n    Mr. Mica. And, again, I'm looking forward to having a \nreport and the other items we requested today from NHTSA made \npart of the record.\n    And, again, thank you, each of you. Very interesting. \nProbably they'll look back in 10 years and we'll have made such \nincredible progress. But we want to do the right thing at this \nimportant juncture, and that's bringing out these issues, and \nyour progress and where we need to go is important.\n    So there being no further business before the subcommittee, \nthe dual subcommittees here, we will adjourn this hearing. \nThank you.\n    [Whereupon, at 4:12 p.m., the subcommittees were \nadjourned.]\n\n\n                                APPENDIX\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n               \n               \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]              \n               \n\n                                 [all]\n                                 \n</pre></body></html>\n"