Cybersecurity roundtable: future voluntary solutions, information sharing, and best practices to counter cyber threats.
The Summit's first panel, chaired by Jon Allen (Acting Executive Director, Auto-ISAC and Principal, Booz Allen Hamilton), addressed voluntary solutions, information-sharing, and best practices. Before introducing the panelists, Allen offered an overview of Automotive Information Sharing and Analysis Center (Auto-ISAC). It's noteworthy, he said, that this ISAC formed before there was a major incident.
The panelists included Bently Au (Chief Information Security Officer, Enterprise Information Security Program, Toyota Motor Sales, USA, Inc.), Steven Center (Vice President, Environmental Business Development; Vice President, Product Regulatory Office, American Honda Motor Company, Inc.), Josh Corman (Founder, I am The Cavalry and Director, Cyber Statecraft Initiative, the Atlantic Council), and Jeffrey Massimilla (Chief Product Cybersecurity Officer, Vehicle & Vehicle Services Cybersecurity, General Motors Company).
The panelists expressed some of the same sentiments about competitive advantage heard earlier in GM CEO Mary Barra's keynote. Au, pleased with the trust he's seen built through information sharing, noted that cybersecurity is not a competitive area. Center compared Auto-ISAC to NATO—an attack on one is an attack on all. Massimilla agreed that best practices aren't a field of competition, and they're not a least common denominator, either.
Corman saw an opportunity for the automotive industry to avoid the contentious relationship between researchers and industry that one has unfortunately seen in, for example, the software industry. "Autonomous vehicles will require enormous confidence and enormous reliability," he noted, and we can't permit mutual suspicion between industry and researchers to compromise this. Academic research, prototyping, and reference architecture are being pulled together. Tell your customers how they can handle failure, and "tell your researchers you won't sue them for reporting failure."
It's been important, Massimilla said, for us to look at what other people have learned as they've worked out collaboration. He sees sharing within ISACs as an important way of doing this, and a way that offers hope of distinguishing important information against the inevitable background of noise. The ISAC is an opportunity for collaborative learning. To Allen's question about the sorts of lessons that might be learned from other sectors, Corman thought the most interesting lessons are the ones learned "wherever bits and bytes meet flesh and blood."
There was general agreement on the value of research and vulnerability demonstrations in moving the industry toward a more predictive, proactive approach to the cybersecurity of its products. Corman sees an interesting challenge in providing an approach to instrumenting vehicles for accident investigation that still protects users' privacy. Massimilla said that the same practices that keep you private should also keep you safe. (Corman returned to the theme of privacy during the question session at the end of the discussion. Displaying an "I [heart] privacy" button in testimony to his sincerity, he also reminded people that, in the operation of vehicles and elsewhere, privacy might not be an absolute value. "I love my privacy. I want to be alive to enjoy it," he said. "I don't want to see corpses with their privacy intact.")
Center (with Au agreeing) saw a positive regulatory and collaborative environment. Massimilla argued that best practices must be adaptable to diverse approaches and ways of doing business: collaborators after all remain competitors, which means they do things differently. So while safety and security aren't places they seek competitive advantage, the best practices the industry's members share should be sufficiently adaptable to cover the ways in which they do seek legitimate competitive advantage.
"We have a window of exposure before best practices are implemented," Corman warned, and that window "must be closed as soon as possible." He recommended that industry build its security capacity before coming legal changes begin to force that capacity.
Allen concluded by observing that best practices don't constitute a compliance model. "We're not going to flip this into a compliance matrix."