DC Meets Detroit: Government Automotive Cybersecurity Roundtable
This panel took up the intersection of government regulation, oversight, and support with industry efforts to enhance the security of its products. Jason Stein (Vice President, Publisher and Editor, Automotive News) moderated this session. The panel included Dr. Mark Rosekind (Administrator, National Highway Traffic Safety Administration), Admiral (Retired) Thad Allen (Executive Vice President, Booz Allen Hamilton), Terrell McSweeny (Commissioner, Federal Trade Commission), and Senator Gary Peters (D-Michigan, US Senate).
Stein opened by describing the wake-up call car hack demonstrations gave the industry. Allen reminded that panel that technology expands the attack surface; that information technology (IT), operating technology (OT), and industrial control systems (ICS) all make their contribution to the challenge. McSweeny (with an ironic reassuring wisecrack that she was from the FTC and here to help us) said that the cyber safety of vehicles is an important consumer trust issue (and she would return to the importance to industry's success of consumer trust throughout the discussion). She advised the automobile industry to avoid other industries' mistakes, and above all to avoid anything that might serve to criminalize research.
Rosekind—and he'd be echoed later by US Transportation Secretary Foxx, reminded everyone of the annual death-toll from traffic accidents, a toll everyone is committed to reducing, and one that can be reduced by technological advance. Speaking as a regulator, he saw government and industry on exactly the same page with respect to automotive cybersecurity. The sheer volume of the devices and data represents the greatest challenge. "That target's in everybody's garage," as he put it. Peters thought the government needed to punish threat actors, and called (in surprisingly strong language) some episodes of cyber espionage "acts of war."
The FTC's McSweeny offered lengthy praise of white-hat security researchers. She advocated responsible disclosure (which a subsequent panel would call "coordinated disclosure") and she said that the FTC sought to take a "process-oriented approach" to a "dynamic" field that's rapidly evolving best practices. She likes Auto-ISAC's best practices, finding them similar to an approach the FTC has long advocated. McSweeny also expressed the opinion that regulations must be technology neutral. Allen and Rosekind agreed that regulation had tended to be too slow to change as technology advanced.
Recognizing, he said, that this might be unexpected, Rosekind praises industry efforts in automotive cybersecurity. "This isn't a space where the NHTSA is swinging a big stick," he said. "We have to do this collaboratively or the traveling American public will suffer." Allen noted a blurring of lines between government and industry responsibilities, and he commended Auto-ISAC for getting ahead of regulation. McSweeny agreed that voluntary cooperation on best practices had been very successful, and hoped that all would recognize the importance of privacy and data ethics. It is, she repeated, about consumer trust, "and that's the biggest stick in the room."
This panel closed with considerable time available for questions. To one questioner who asked whether the automobile industry would be held liable for cybersecurity failures, Senator Peters answered simply "I believe they will." Allen reminded the panel that there are also operator responsibilities for cyber safety, and Rosekind said that the liability was already here.
Asked if partisan wrangling could be expected to impede cyber security standards, Peters said that (while recognizing the usual partisan tensions) automotive cybersecurity was to a great extent a bipartisan issue.
An often alluded to but seldom directly mentioned incident was the recent fatal crash involving a Tesla vehicle that may have been operating in Auto-Pilot mode. With this in mind, a question asked if we needed to slow adoption of new technology. Rosekind gave a direct and unambiguous answer: no. "We cannot wait for perfect," he said. "Too many lives are at stake." We should instead expedite technology that can save lives. Peters hopes to see a new test facility for autonomous vehicles at established at Willow Run, and that this government facilitated industry test range would help introduce new technology quickly and safely.
What of the role of independent research—how can we avoid criminalizing hacking? McSweeny offered a Hippocratic caution—government should first do no harm, and recognize that "hackers are gonna hack." She said she believed that crowdsourcing can be an efficient path to security. There should be responsible disclosure, but no undue restriction. "The standard for data security practices should be reasonableness, not perfection."
Then should there be liability protections for researchers? McSweeny thought this an Interesting question, and that further study was needed. Allen and Rosekind agreed that anonymization is central to information sharing. Rosekind quoted astronaut Eugene Cernan to the effect that no one lives long enough to make all the mistakes that can kill them, so we have to share information that can help us operate safely.
The final question asked if cybersecurity would be a new topic in trade negotiations. Peters said it certainly would (and again equated acts of espionage with acts of war). Sanctions, he noted, are one traditional response to hostile state action. We need reliable attribution, and must consider the proportionality of our response.
McSweeny and Allen took the last words, Allen advocating a "people-centric" approach to cybersecurity, and McSweeny seeing good things in industry, particularly in the fact that privacy and data ethics are now C-suite issues.