The chorus of John W. Peterson’s 1970 hymn goes, “I will trust you when I cannot see, when I’m faced with adversity, and believe your will is always best for me. I will trust when I cannot see.” Good for a church, maybe, but those haven’t been the lyrics to automotive’s kumbaya over nearly the last decade since Wired Magazine featured Charlie Miller and Chris Valasek remotely hacking into a Chrysler. That technological milestone put the industry on notice of the impending deluge of hacks and highlighted the urgent need to address trust in the fidelity of the overall system.
That confidence, though, is multi-layered and complex: developer trust, ecosystem trust and buyer trust.
The layers of trust from the manufacturer downward are almost as deep as the 2010 thriller “Inception.” The CEO must trust the Chief Information Security Officer (CISO), who must trust middle management to ensure that the requirements built into the vehicle programs (as well as into the internal I.T.) meet or exceed regulations from around the world. From there, the Chief Engineer must trust that both the manufacturer’s and the suppliers’ developers have ingested the Technical Security Requirements and formulated a process and product that assures the desired detection and protection. Thereafter, the developer trusts that the test engineer has developed test plans and scripts to ferret out any vulnerabilities. And then all of this is repeated over the next twenty years as new cyberattacks arise. Across every vehicle. Across every system. Across every component.
Solution 1: The first, age-old solution is assessment of the process. If engineers follow guidelines and checklists, the work products should adhere to standards. The caveat is that a process assessment verifies that the steps were followed, not that the resulting code is free of exploitable flaws.
Solution 2: The second solution arrived only recently, earlier in 2023: co-testing platforms. In these systems, suppliers load code into a testing environment behind a semi-transparent curtain. The manufacturer can see that the code was tested against all of the appropriate standards and known threats, but does not have visibility into the Intellectual Property (I.P.), the exact weaknesses found, etc., so trust can be built in the solution without revealing anything proprietary or damning. “Today, the cybersecurity process for vehicles is very arduous; lots of checklists throughout the process generating tons of documents to prove that they did the right engineering efforts to secure the vehicle,” states Block Harbor’s Founder and CEO, Brandon Barry. “All of this must happen while the company’s business model is disrupted. [Such systems] can allow them to share live data between automaker and supplier in terms of the data that matters for the standards and regulations so trust can be rebuilt in the new solution and allow for rapid updates.”
“Part of the challenge,” elaborates Block Harbor’s COO, Murtada Hamzawy, “is that while trying to overcome those business challenges there’s a new level of trust required; more so than previously. Having a platform where all parties can see in real-time that proper testing has happened helps to quickly ensure that trusting relationship.”
Imagine the simultaneous trust and mistrust that’s required: trust to share information about known attacks, and mistrust that other players might accidentally (or intentionally) leak that security information, trigger new regulations or maliciously use the shared data to win in the marketplace.
Such is the ecosystem of vehicle-to-infrastructure and vehicle-to-vehicle systems: competitors talking with competitors and with government agencies to learn about new attackers, possible threats and mitigations.
Meanwhile, governmental organizations like UNECE impose new regulations (UN R155 and R156) that require automotive manufacturers to prove they have a robust cybersecurity management system and software update capability, or they may lose the right to sell vehicles in that country or region (e.g., the European Union). Billions of dollars are at play, and any shared information about vulnerabilities may erode that trust.
Solution 1: The Automotive Information Sharing and Analysis Center (Auto-ISAC) was formed in August of 2015 to create a haven for sharing information. Per an anonymous source, “The start was very slow since companies weren’t sure with whom they could share what, but information is now flowing better.”
Solution 2: Simultaneously, third-party assessors certify any given company’s cybersecurity management processes. Sampling is inherently imperfect, but it at least provides a semi-transparent window into a company’s rigor.
A compelling and repeatedly used headline within automotive boardrooms since 2016 has been PR Newswire’s “8 in 10 Consumers Would Be Wary Or Never Buy From An Automaker If That Brand Experienced A Car Hack.” In fact, the KPMG study found the exact number was 82%.
Except it isn’t true.
Literally every major brand has been hacked in some fashion (as documented in the 2020 Forbes article “Top 25 Cybersecurity Hacks: Too Many Glass Houses To Be Throwing Stones”). And the only sustained drop in stock price or revenue was Volkswagen’s in 2015, which, in all likelihood, was attributable to Dieselgate.
So the question that precedes “How would you win [back] the trust of the public?” is “Does the buyer really care?”
Solution: This is the one area of trust with no solution for improvement, but possibly no need for one. [Re]gaining the buyer’s trust via advertising would be the equivalent of posting a bullseye sticker on the windshield for worldwide hackers seeking fame. So maybe the solution is, “Wait until the buyers [hopefully] forget.”
Assuming the company survives that.
For some reason that I can only attribute to the complete handoff of control, the public continues to associate the need for bulletproof cybersecurity with autonomous vehicles. For instance, just a few weeks ago The Hill reported that “… some experts say that the shift to autonomy may pose greater cybersecurity risks if potential hackers target software vulnerabilities.”
But the 2015 Chrysler hack already demonstrated effectively that impotent humans can hopelessly occupy the driver’s seat while hackers access the car’s steering, throttle, brakes, etc. In fact, as part of a 2016 episode of “Last Week Tonight” on encryption and cyber-trust, HBO showed video of the hack and John Oliver exclaiming, “Yeah, no sh** the driver was panicking! You killed his engine on the freeway.”
That wasn’t an autonomous car. Nor were any of the vehicles in the record 268 publicly reported automotive cyberattacks in 2022, a count that has grown steadily from 79 in 2018.
So riddle me this: Why are we so trusting right now?