CNN Q&A on Automotive Cybersecurity with Assistant Attorney General John Carlin
Rene Marsh, Transportation and Government Regulation Correspondent, CNN, held a question-and-answer session with John Carlin, Assistant Attorney General for National Security, US Department of Justice.
Marsh began by asking how Carlin's division at Justice worked with the FBI and other law enforcement agencies. He replied that the National Security Division was formed in response to the intelligence failures that preceded 9/11. Its goal is to make full use of available legal tools to protect against attacks. He's found that most victims of hacks don't report the incidents to law enforcement despite there being very good reasons to do so. So the challenge is now to overcome obstacles to sharing information between the government and the private sector.
Asked what the threat to the automotive industry looked like? Carlin answered that it looked like terrorists, spies, crooks, and hacktivists. "We're on the cusp of the IoT transformation," he said, and the automobile sector is on the cutting edge of that transformation. We must design-in security. "We know terrorists want to kill in splashy ways," he said. "They don't yet have much hacking capability. But they will."
Espionage is another challenge. A case brought against hackers from China's Peoples Liberation Army, for example, involved theft of design information. Other hacks by the same source sought price information. "Theft of information is here. It's cost us billions." Ransomware will eventually come to cars.
Marsh asked how the automobile industry was doing, relative to the threat. Carlin said that offense outstrips defense, and that no system is perfectly safe. " So this is a risk mitigation exercise." The Sony hack required us to draw some red lines. So, first, we find out who did it, then we will say who did it, and finally, there will be consequences. Marsh asked whether filing charges against people who will, realistically, never be brought to trial can be an effective deterrent? Carlin thought that prosecution was one tool, and that we need to use all-tools. "Yet indictments do seem to have a chilling effect on attackers."
Since Carlin mentioned Sony, Marsh asked what the auto industry might learn from the attack on that media company? Sony, Carlin said, knew whom to call. They got help from the Department of Justice. "As soon as we were able to say it was North Korea, that took the heat away from the victim."