The automotive industry is undergoing some rapid and dramatic changes. Not only are automakers pursuing wide-scale electrification of their product lines, but they’re also pumping more and more technology into these machines. Whether it be related to emissions or advanced safety equipment, automakers are getting very antsy about who is allowed to have cybersecurity data related to these components. In fact, a group including General Motors and Stellantis backed by the Alliance for Automotive Innovation are currently headed to trial against the state of Massachusetts. The battle is specifically over the state’s recently modified “Right To Repair” law. According to Reuters, automakers are specifically aiming to block independent repair shops from receiving data related to these tech systems, and even want to bar these shops from being able to work on these components full-stop.
Cybersecurity Vs Your Right To Repair
The legislation in question is a modified form of the Massachusetts’ 2013 “Right To Repair” law, which was just passed in November. The new legislation aimed to force automakers to share their cybersecurity data, including for emissions and safety features, with independent shops so that customers aren’t forced into the dealer network for repairs. Not onboard with the will of the people, automakers like General Motors and Stellantis have joined forces to challenge the legality of the changes.
The Alliance for Automotive Innovation sued the state following the law’s passing in November, and we now testifying in front of U.S. District Judge Douglas Woodlock in Boston. In a brief filed last week, the group was quite clear with their messaging. According to the automakers and their representation, allowing shops to access mechanical and software repair data will “make serious cyberattacks much more likely and deadly than the attacks on pipelines and meat processors currently in the news.”
While this language can be described as a fear-mongering play, the group continued to double down on their stance. The group maintains that this new “Right To Repair” law will force automakers to downgrade their cybersecurity measures, which would have negative impacts on current safety tech and emissions software. Because these two factors are controlled by the National Traffic and Motor Vehicle Safety Act and the Clean Air Act, the group claims the law change is unconstitutional and is in direct conflict with federal law.
Kevin Tierney, the vice president of global cybersecurity at General Motors, echoed these statements in a pre-trial affidavit. More specifically, he claimed the law’s “requirements run directly counter to GM’s cybersecurity approach, and would seriously compromise vehicle safety and emissions control.”
A Dire Aftermarket Impact
MC&T has been warning the aftermarket of GM’s current cybersecurity approach for two years. The automaker’s latest generation of ECUs have proven damn-near impossible to work around, severely limiting the aftermarket industry. Companies like FuelTech have been forced to integrate a myriad of aftermarket ECUs and computer systems to even attempt to modify the C8 Corvette for example. These systems are much more difficult to tune than a factory ECU, but at the moment it doesn’t appear that General Motors has any sympathy for their long-standing partners in the aftermarket space.
If this lawsuit is any indication of where things are possibly headed, other automakers aren’t going to be far behind. Stellantis has also begun to march down this path, telling us that the cybersecurity of the new WL Jeep Grand Cherokee sees new levels of fortification. Ford Motor Company has also admitted that tuning the Ford Bronco will likely end up being a futile endeavor.
Massachusetts Attorney General Maura Healey is set to defend the law, and argues that a third party should be established with a standardized system in place. This group would then be responsible for giving independent repair shops access to the vital cybersecurity systems automakers don’t want them to have. The Alliance for Automotive Innovation isn’t sure about such a program however, and worries about NASTF’s ability to protect all of that data in a central database.
“That would presumably become the focus point of every hacker, every ransomware hacker, every vehicle thief and every crime syndicate in the world,” said Steven Douglas, vice president for energy and environment at the Alliance for Automotive Innovation. “There’s just no possible way that NASTF could maintain that kind of security or that kind of data.”
The Consequences Of This Regulation
This court case has the potential to be much more important than it may seem on the surface. If the automakers win over the judge, the repercussions will be felt across the country. Automakers like General Motors, Ford Motor Company, Stellantis, Tesla, Rivian and others will be able to force customers to come to them for repairs related to any of these cybersecurity systems, which are integrated into many aspects of modern vehicles.
Not only does this create a problem related to overall repair costs, but it will limit customers ability to do any sort of modifications to their vehicle moving forwards. This will be a huge problem for the aftermarket, which already is feeling heavy pressure from the EPA and other regulatory agencies. While true that nobody on the right side of sanity wants cars to be less safe, this sort of line is one we need to really think about before crossing.
If you’d like to follow the case more in depth, it is labeled as follows: Alliance for Automotive Innovation v. Healey, U.S. District Court for the District of Massachusetts, No. 1:20-CV-12090.