All-in on transformation, but carefully, carefully.
Heidi King keynote, Is Cybersecurity Standing in the Way of Public Confidence? Billington CyberSecurity
By The CyberWire Staff
Aug 6, 2018

All-in on transformation, but carefully, carefully.

Where is the automotive industry headed?

In his morning keynote, GM President Daniel Ammann offered a view of the industry's near future. He spoke, of course, for General Motors, but nothing in any of the other presentations suggested that his views represented an outlier. The automotive industry, Ammann said, is undergoing a transformation larger than anything seen in the last 100 years. GM's direction for the future may be summed up as "electrification, connectivity, and autonomy." Safety and cybersecurity are now considered to be effectively identical. Autonomous vehicles are poised to have huge positive benefits in terms of availability, affordability, and safety.

Former Homeland Security Michael Chertoff expressed similar sentiments about the advantages that would come with connection and autonomy. He cautioned, however, that those benefits would not induce people to overlook the problems that the new technologies would bring with them, as Silicon Valley is currently learning, to its cost. He urged the industry to pursue, before the emergent systems are actually in the markets and on the roads, not only security-by-design, but risk-management-by-design.

Josh Davis, of Toyota Motor North America, noted the industry's rapid evolution toward combining traditional design, research and development, and manufacturing with sales, service, and marketing. Toyota Connected was formed to accelerate products focused on user experience, and this general tendency has coincided with the movement toward connectivity and autonomy. 

Josh Jaffe (of Daimler Financial Services) saw the industry as looking for a user experience with the automobile that involves essentially no interaction with the car. This, he said in an understatement, is a significant change for the industry. What the coming consumer wants is simply to "get from point A to point B in a way that enables them to control their experience." 

And why is the automotive industry headed in this direction?

Heidi King, Deputy Administrator of the National Highway Traffic Safety Administration (NHTSA), began her keynote by reviewing advances in safety through occupant protection. Most crashes have a strong human element in the causal chain, she pointed out. Drivers continue to make poor decisions. This is where advanced digital technologies come in: to help avoid driver error and thereby minimize crash risk.

There are challenges here. As driver interfaces are increasingly digital, King said, it's not immediately apparent to most drivers how much their car depends on software. Public awareness of cyber risk is young and growing, she said, but the public doesn't tend to think of cyber risk as involving safety risk. Consumers think of cyber risk in terms of risks to data, privacy, and so forth, but not in terms of risk to life. Thus the importance of the sector getting cybersecurity right. If initial problems erode public confidence, technological advance and its expected benefits will be inhibited and delayed. 

Challenges of transformation in a century-old, mature industry.

Kristie Pfosi, of Mitsubishi Electric Automotive America, reminded the audience that very small amounts grow to very significant sums when you manufacture products on a large scale. It sounds simple and affordable if a particular enhancement can be said to cost a small amount per unit, but when this scales to mass production, costs mount rapidly. This complicates making both the business case for cyber to the company, and the use case to the consumer.

Supply chain issues are complex, especially when one considers automotive cybersecurity as a lifecycle issue, not simply a design and manufacturing challenge. Jeffrey Massimilla (VP, Global CyberSecurity, GM) explained GM's motivation for bringing its worldwide cyber operations under a single unit. This helped achieve consistency and avoid internal competition. It also helps manage the challenges of enabling security across a vehicle's life. "The 'IT guy' at some small dealership, who's also the 'cyber guy,' is often a 15-year-old," he said. "That's the reality, and you've got to be able to reach that 15-year-old."

Gregory Swinehart of Deloitte thought that the food industry's early experimentation with blockchain may hold promising lessons for the automotive industry and its supply chains. 

The summit's panel on strengthening the automotive supply chain moderated by Dr. Andre Weimerskirch (VP Cybersecurity and Functional Safety, Lear Corporation) with participation by Stacy Janes (Chief Security Architect, Indeto), John Cotner (Security Architect, Automotive, NSP Semiconductors), and Michael Westra (Connected Vehicle Cyber Tech Manager, Ford Motor Company) pursued some thoughts on this topic. Cotner pointed out that standards are insufficient to producing a secure architecture. A system may well be compliant but not secure. And the panel agreed on the importance of clarity for the supply chain: we won't achieve security by design until we begin including security in our specifications to vendors.

Enablers of transformation.

Cooperation across the industry was generally endorsed by all the speakers. It has become a commonplace in the cybersecurity sector that collaboration across organizations is a good thing, with most of the reservations having to do with concerns about the ways in which working with some companies or governments could increase the risk of IP theft or espionage, and this was substantially the view expressed at the Summit. GM's Ammann argued that customers were best served by industry-wide security collaboration.

Several speakers also emphasized the importance of continuous learning. NHTSA's King urged those in attendance to consider emulating the transparent self-criticism and insistence on learning that one sees in the US Navy's nuclear submarine program. Bug bounties are one form such criticism has taken. GM announced its own commitment to a large bug bounty program that not only rewarded those who found and disclosed software vulnerabilities, but that also brought outside researchers in for orientations on GM products and software. (Encouraging independent researchers to test, check, and evaluate their software is a departure for the industry and one likely to receive a general welcome. As recently as 2016, fear of litigation by vehicle manufacturers was a major concern of white hat vulnerability researchers.) GM's Ammann also advocated closer cooperation with other sectors, particularly aerospace and consumer products.

Reducing the likelihood of driver error is better thought of as shifting risk from drivers to programmers. Thus, King said, we need robust risk management processes, and a culture that openly searches for risks and vulnerabilities. Because public confidence in cybersecurity is vital to success, the National Highway traffic Safety Administration believes software-intensive development is essential to advancing safety. 

And what are the risks?

Paul Abbate (Associate Deputy Director, FBI) described the cyber threat landscape as both "vast" and "complex." Dealing with that threat landscape has both national security and criminal justice implications. The threat actors tend fall into familiar bins: terrorists, nation-states, organized crime, and then "blended threats." The Bureau is seeing more of this last category as some nation-states use organized criminal groups to pursue their ends. The other FBI representative at the Summit, Jason Bilonski of the Detroit Field Office, stressed the danger state-run advanced persistent threats pose to the industry. "State actors are in this for the long haul. Let's not forget about China's industrial espionage," he said. In the US, as Bilonski put it, you can't go to the FBI and say, "we need this widget, go steal it." In some other countries you can.

As GM's Ammann put it, the industry is designing against a rapidly evolving threat from "those who work in darkness" with a "passion" to foment chaos and disruption. It's a quickly shifting and highly adaptive threat. Indeto's Stacy Janes observed that there's a high degree of cooperation among cybercriminals in the dark web and in the black markets. "They move with the speed of a startup."

Former Homeland Security Secretary Michael Chertoff suggested another disturbing possibility: one of the weapons of choice for terrorists has become the automobile. It's not too much of a leap to consider that some smart terrorist will decide it's easier to hack a vehicle and control it as a weapon.

Much of the burden of Chertoff's keynote was the risk that growing data collection poses to the automotive industry. "Disruption" is an ambivalent term, and Chertoff noted two features of the coming disruption that connected and autonomous vehicles will bring with them. First, such complex systems will generate an enormous amount of data, and many people, from legitimate businesses to states to criminals will want to monetize those data. Second, the growing prospect of attacks on industrial control systems, with all the safety risks those attacks would bring, argue that we need a fresh approach to risk management.

In addition to traditional threats, Chertoff pointed out, new modes of attack are emerging. A central, core part of a network need no longer be the point of attack. Consider the well-known Target hack that compromised point-of-sale systems. That incident originated with an HVAC contractor working at a single store. Compare that incident with the way mechanics in a shop use their own, possibly infected devices, when they work on a car. 

There are some points we ought not to overlook, in Chertoff's view. For one thing, we shouldn't overlook the implications of connectivity for data privacy. The data being requested of cars (and therefore of drivers) by insurers, for example, could amount to intrusive surveillance. Facebook's recent experience is instructive. The social media company once thought everybody loved all the sharing, and that their use of data was unproblematic. They've now learned otherwise.

Regulation and legislation.

Chertoff strongly advised industry to think through matters of responsibility and liability before regulation and legislation assume their final forms. That we'll see increased pressure at both Federal and state levels to regulate connected and autonomous vehicles is clear. He advocated some version of the SAFETY Act for auto industry. The SAFETY Act was designed to encourage investment in competent and capable counter-terror technologies. It might be worth urging Congress to extend the SAFETY Act at least in some respects to the auto industry.

Regulation, when it comes, should be outcome- and effects-based. Chertoff praised the auto industry's proactive approach to data privacy and data management, and he urged the companies to pay close attention to issues of privacy that data collection inevitably raises. Industry should expect the states to regulate as well, and so should think about the states' concerns in advance. There's an opportunity here to lead through voluntary standards development.

Senator Gary Peters (Democrat of Michigan) closed the summit. Senator Peters has been closely involved in legislation surrounding the development of autonomous vehicles. He said that there's no margin of error in this direction industry's taking. The blowback from an incident would be decisive. A cyber attack on a bank account would be bad to be sure, but a hacker driving someone into a wall, "that's existential."

The current regulatory framework simply doesn't work for autonomous vehicle technology, Senator Peters said. There are still significant public policy issues to be worked out, but we need to overhaul the regulatory framework. He commended the START Act as a beginning. He believes it offers the prospect of less onerous regulation and incentives for successful testing.

Liability is clearly an unsolved problem. To what extent, for example, will ride-sharing services like Uber or Lyft carry liability? In the Senator's view, OEMs will clearly bear much initial liability.

Finally, what of nation-state adversaries? Senator Peters took a brief but tough line. "We need to do more to punish cyber bad actors." He advocated "very strong sanctions, tougher than we've put forward so far. We need to be able to punish in order to deter. And we need to define an act of war in cyberspace."