Cybersecurity—The Cornerstone of Autonomous and Connected Vehicle Safety
[Prepared remarks by Daniel Ammann, President, General Motors.]
Thanks, Tom [Billington].
General Motors is pleased to sponsor and participate in this second "Billington Automotive Cybersecurity Summit" here in Detroit.
It's a great opportunity to exchange ideas and best practices about a vital issue in our industry.
As you know, this summit brings together experts and thought leaders from many sectors to examine the state of automotive cybersecurity, and to explore ways to strengthen our mutual cyber defenses.
In many ways, our future depends upon it.
At General Motors, our vision for that future is one of zero crashes, zero emissions and zero congestion.
The key enablers to making that vision a reality include electrification, connectivity and autonomous vehicles.
As we continue to develop our Autonomous Vehicle program, safety is paramount, just like it is in everything that we do.
That's a commitment from the very top of the company that runs throughout General Motors… in every facility, at every factory, and across every function… from safety in the workplace to safety on the roads.
For our customers, that means providing the safest products possible, including the strongest cybersecurity.
In today's connected vehicles, safety and cybersecurity are one and the same.
From the data flowing through vehicle systems to the information connecting the vehicle to the outside world, security is safety.
Cybersecurity becomes ever more important as this industry moves toward autonomous vehicles.
The stakes for AV are much higher.
AVs are poised to have a major positive impact on our world in terms of improved safety, affordability and availability of transportation.
However, one cyber incident could stymie their deployment altogether, or at least delay it for a long time.
Self-driving cars will not be accepted if people don't trust them to transport them safely.
We must, as an industry, work together to prevent security breaches and thwart bad actors… especially because the public and policymakers would view a major cybersecurity incident involving any one of us… as an incident involving all of us.
At General Motors, we view cybersecurity as a shared concern with the rest of the industry.
Our collective customers are best served by industry-wide collaboration and solutions.
We recognize that cyber threats are continually evolving, and attackers will seek to circumvent even the most robust defense systems.
Attacks are growing more sophisticated every day.
It's important that we work together as an industry to protect against attacks, detect incidents, and mitigate their consequences.
This battle is ongoing.
We are designing against a rapidly evolving threat, developed by those who work in darkness, with substantial resources and a passion to wreak havoc.
It's crucial that we invest the time, money and talent to stay ahead of these threats.
At General Motors, we're doing just that. Jeff Massimilla leads our broad, talented global cybersecurity team, and it stretches across all facets of our business.
At Cruise Automation, which leads our AV development, Tim Piastrelli leads a world-class cyber-team that is the best in the business.
Tim and Jeff will both be appearing on panels at this summit and will share more about our approach to cyber.
Overall, our cybersecurity organization is global in reach, and comprehensive in scope.
We look at threats from end-to-end, from the back office to all aspects of the vehicle itself.
We have reengineered our vehicle development process to include cybersecurity from the earliest stages of vehicle design, putting multiple layers of protection in place to defend the vehicle and its systems.
We've developed threat monitoring, detection and response capabilities, and we have a robust incident response plan, which we constantly test, rework and refine.
We have our own internal red team, which conducts regular penetration testing on all of our vehicle programs.
We also rely on third-party expertise and the research community, through our coordinated disclosure program.
In terms of our autonomous vehicle program, one key to its safety and cybersecurity is that we have an approach of continuous and rapid iteration.
We have taken the same approach with its overall development, by the way -- which allows our AV system to "learn" on the fly, with each iteration.
Taking that same approach to security results in an improved safety and security system with each new iteration, giving us the best chance to stay ahead of threats.
Another key to our AV security is vehicle integration, which enables our "defense-in-depth" approach.
By integration, I mean that our Cruise AV is designed from the ground up as an Autonomous Vehicle.
Unlike some others, we haven't just added autonomous hardware and software systems to a conventional vehicle.
Autonomy is integrated into the vehicle from the beginning.
As we continue testing our AV fleet in complex, real-world situations, we evaluate cybersecurity and monitor for anomalies, to verify that we're minimizing risk.
Our three-pillar approach to cybersecurity -- defense-in-depth, monitoring and detection, and incident response -- aligns with the safety-first approach we're taking with self-driving vehicles in general.
We are also acutely aware that our industry as a whole must succeed if we are indeed to transition to an autonomous future.
As I said, a failure by one is a failure by all.
That's why General Motors actively participates in industry-wide efforts to develop and implement strategies to reduce cyber risk, including the Auto ISAC, which is chaired by Jeff Massimilla.
The Auto ISAC identifies trends and cyber threats, and focuses industry efforts to safeguard vehicle systems and networks.
It is developing best practices to address automotive cybersecurity challenges, and we are committed to operating in accordance with those best practices.
Our collaboration efforts also include regular communications with NHTSA, the FTC and other government agencies, and our own Security Vulnerability Disclosure Program.
With this program, we provide outside researchers a clearly defined process to find vulnerabilities in our systems and vehicles, and to alert us when they do.
It's amazing how good they are at it!
To date, more than 500 researchers have participated in the program, helping us to identify and resolve more than 700 vulnerabilities, and strengthening our cybersecurity in the process.
We're about to take this program a step further.
We're going to add a "Bug Bounty" component to our disclosure program.
That means offering a "bounty," or cash payment, per bug found.
We are going to fly a small group of skilled researchers familiar with our systems to Detroit.
We'll show them the products, programs and systems for which we plan to establish these Bug Bounties.
Then we'll put them in a comfortable environment… ply them with pizza and Red Bull or whatever they might need… and turn them loose.
When the trip is over, we'll send them home with hardware to continue their research.
This program will add another strong component to our vulnerability testing, including in-house employees, third-party contractors, and these independent researchers.
Collaboration, and partnerships, will prove to be effective weapons in building defenses against cyberattacks.
There are very real benefits to building partnerships across the automotive ecosystem, and with other industries such as aerospace, defense, and consumer electronics.
For this to work, everyone has to work together, proactively, to be part of the solution.
Another key element we need to move the industry forward is talent.
The talent shortage on the front lines of the cybersecurity wars is real.
There are hundreds of thousands of jobs open in cybersecurity.
In fact, this country faces a shortage in virtually every field involving the STEM subjects of science, technology, engineering and math…
just as we're facing a future where about four out of every five jobs will be STEM-related.
The need to grow engineering and technical talent applies directly to the cybersecurity field as well:
If we don't have the right people to make it work, it won't work!
This is a crucial time for the automotive industry, which is undergoing a transformation that hasn’t been seen for more than a hundred years.
We need STEM talent, engineers, developers, cyber experts… and we need them now.
General Motors is committed to STEM education and the need to promote science and technology to students as young as grades K-through-8, especially girls, to attract them to careers in engineering and other STEM fields.
We invested more than 10 million dollars in STEM-education in 2017, and we will spend at least that again this year.
We also have an army of employees volunteering their time in various STEM programs in schools… presenting, teaching, mentoring… getting involved.
You have to invest time and effort to make an impact.
You have to get out and show kids why this is the greatest industry on earth, and why this is the greatest time to be in this industry.
Whether we're investing in our children's education, or in the cybersecurity of our self-driving vehicles, in both cases, we are investing in the future.
Both of these investments are hugely necessary, and the sooner the better.
That's something we can all agree on, and something we can all work together to make happen.
We all must continue to leverage our collective strength and institutional knowledge to move the industry forward, into a new age.
I'd like to thank Billington Cybersecurity for bringing us here today to discuss these important issues… and I thank all of you for your attention, and for your commitment to being a part of the solution.