Hacking Unmanned Vehicles: Who Will Be Responsible (RAND Corporation study)

Study on the preparation of civil liability systems

Unmanned vehicles should make transport safer and more affordable. Hackers, however, can interfere with this – they can hack these heavy and fast robots on wheels with AI, using them for criminal purposes.

RAND researchers have studied the legal consequences that hackers will overtake in case of hacking unmanned vehicles. Despite the fact that such a situation is unlikely, the risks of its occurrence can be high, given that hacking vehicles can lead to deaths, destruction of property, extortion or theft of information.

The researchers found that the existing civil liability law at the initial stage is likely to be flexible enough to accommodate most lawsuits that result from hacking robotic vehicles. Nevertheless, all parties involved in the process of introducing unmanned vehicles (manufacturers, owners, insurers, politicians and others) should already think about the risks, their consequences from the point of view of the law, as well as the response from the regulatory and legislative bodies .

The introduction of this technology and its ability to benefit society depends not only on the risks themselves, but also on their perception, as well as on legal structures that could compensate for them. Even if these risks are small, those responsible for developing legal standards will need to anticipate and respond to potential problems in order to maximize the benefits of unmanned vehicles.

Anticipation of an unmanned future

Unmanned vehicles can provide greater mobility for those who do not know how to drive, safer roads, and driving time can be devoted to more productive tasks – all this stimulates massive investment in this technology. Politicians, in turn, are beginning to decide how to integrate unmanned vehicles into society.

Along with problems such as the economic crowding out of professional drivers, the prospect of tens of thousands of cars driving without control at the behest of hackers should slow down the actions of politicians and advocates of unmanned vehicles, even if the likelihood of such a situation is small.

Unmanned vehicles are vulnerable to many different hacker attacks. Software vulnerabilities, physical attacks through devices with malicious code and hacking of key hardware components – all this should be considered. Through these attacks, hackers can turn off the vehicle, change its course in order to cause damage, as well as manipulate personal data and steal them – these are just some of the threats.

To help lawmakers anticipate the civil law consequences of hacking unmanned vehicles, RAND researchers examined several plausible scenarios in which an unmanned control system could be hacked, resulting in any damage that could be compensated through civil litigation.

Multiple vulnerabilities

RAND researchers looked at a series of hacking scenarios for unmanned vehicles, which will help demonstrate the variety of legal problems facing the civil law system, insurers, and other parties. These scenarios were created on the basis of real cases of hacking or damage to conventional vehicles and by reproducing scenarios designed to help in the analysis of liability.

RAND examined the following situations:

• Hacker gains access to the network of unmanned vehicles to turn off the car and demand a ransom from the owner to restore it
• A hacker takes control of a military officer’s car parked at a military base and controls it to damage a military aircraft in a hangar
• Hackers take control of the infrastructure that controls traffic lights and manipulate signals to cause traffic accidents at intersections
• Hackers send inject malware into unmanned vehicles owned by the rental company. This software infects other corporate systems, which leads to the loss of information about customer payment data, and the commission of fraudulent transactions.

For these scenarios, the civil liability of various parties was analyzed. During the discussion, parties were identified that could be called defendants in lawsuits related to cyber attacks on unmanned vehicles, with particular attention paid to the following parties:

• Drone manufacturers
• Software manufacturers
• Unmanned Vehicle Suppliers
• Owners of unmanned vehicles and persons serving it

Civil Law Response

Since there are very few federal and state laws on unmanned vehicles (and vehicles connected to the network), laws on product liability (along with guarantee laws), as well as state and federal laws on the protection of personal data, are likely to be the most important rules of law when considering lawsuits related to cyber attacks on unmanned vehicles.

Negligence and strict liability are two legal concepts that will play a key role in civil claims arising from attacks on unmanned vehicles. Both concepts suggest a balance between the prospects for cyberattacks and the costs associated with introducing less vulnerable alternative technologies.

Other areas of law that may define liability in the context of hacking unmanned vehicles include:

• Consumer Protection Law Violations
• Misrepresentation, Fraud and Concealment of Fraud
• Warranty
• Privacy Laws.

Civil consequences of hacking unmanned vehicles

RAND researchers applied the existing civil law framework to the scenarios they developed, which led them to numerous conclusions that would be of interest to those who will determine the future of robotic vehicles, including users, owners, manufacturers, insurers and politicians:

• Automakers, component suppliers, software developers, and unmanned vehicle distributors may be held liable for breaking into cars.
• Vehicle owners can also be held accountable for cyber attacks if, for example, they refuse to install an important security update, which could cause hackers to take control of their cars and cause damage.
• Existing civil liability legislation is likely to be flexible enough to adapt to claims for hacking unmanned vehicles (at least in the case of small and medium-sized attacks)
• Due to the role of predictability in determining accountability for third-party criminal acts (such as hacking), the issue of awareness of previous exploitation of a vulnerability is likely to play a key role in determining liability under existing civil law.
• An analysis of costs and predictability will influence the determination of liability for damage from cyberattacks when considering cases of negligence and liability for product quality.

  – Such an analysis will require vessels to familiarize themselves with the relevant technologies.

Government agencies will be potential defendants in civil claims arising from incidents involving unsafe infrastructure. Despite significant differences in state laws, state and local government agencies are likely to be protected by immunity, as they adapt the road infrastructure for unmanned vehicles. This immunity may not apply if departmental tasks, such as road maintenance, are performed.

When unmanned vehicles and ancillary infrastructure develop, state agencies are more likely to be held civilly liable if their negligence gives attackers room for action. Significant differences between states regarding the doctrine of immunity complicate the analysis.

Possible actions by regulators

The conclusion that the existing civil law base is most likely to adapt to the widespread introduction of unmanned vehicles does not cancel the fact that those responsible for developing the legal framework should consider the following question – will there be legislative approaches that define roles and responsibilities, to promote the introduction of this technology?

Such a regulatory framework can be beneficial in terms of clarifying responsibilities, but it can also be inflexible compared to the common law system in the face of difficult-to-predict technological development and new trends in factual circumstances.

Similarly, it would be useful to better understand and perhaps clarify consumer and commercial unmanned vehicle insurance against cyber attacks. In this way, consumers, car manufacturers and lawmakers will be able to better understand which parties will bear the costs associated with such attacks.

Legislators may also wish to carefully consider how the legal system can deal with a large-scale attack. Such an attack can lead to bankruptcy and gratuitous losses as a result of exceeding the capabilities of insurers and reinsurers to cover the risk. A similar alarm that arose after the September 11, 2001 attacks led to the adoption of a law on insurance of risks associated with terrorism.

Will consumers worry about hacking unmanned vehicles?

Unfortunately, consumers are accustomed to hacks that compromise their personal information. Cyber ​​security breaches did not increase consumer demand for cyber security. So far, consumers have shrugged, changed passwords and moved on. However, hacked unmanned vehicles are threatened by a number of consequences that far exceed the consequences of most consumer hacks in terms of the likelihood of death and destruction of property. This could lead to increased consumer interest in the cybersecurity of unmanned vehicles.

Main conclusions

1. Existing legislation is flexible enough and can satisfy most of the claims regarding hacking of unmanned vehicles.
2. Automakers, parts suppliers, and software developers can be held accountable if their cars are hacked.
3. Product liability laws — along with warranty laws, state laws, and federal privacy laws — are the most important pieces of legislation.
4. Manufacturers and owners should be aware of attacks on unmanned vehicles and take precautions to avoid such attacks and reduce the risk of their own liability.
5. Government agencies and infrastructure providers can also be held accountable if their negligence creates an opportunity for cyber attacks.
6. Some large-scale cyber attacks on unmanned vehicles can exceed the capabilities of insurers and lead to uncompensated losses. Politicians may wish to consider supporting reinsurance.