Originally published on Forbes.com.

In the 1959 novel, Endurance, Alfred Lansing recounts the two-year (1914-1916), failed voyage of twenty-eight men attempting to cross the Antarctic continent. Without spoiling more than is exposed in the first few pages, the tale weaves together the journals kept by the survivors, which detail a seemingly never-ending string of unfathomable risks, painful impediments, and improbable outcomes. While navigating these icy waters, one of the more memorable quotes came from the captain, Frank Worsley, “Hope tells a flattering tale.” 

These days, that philosophical quote is bouncing around the heads of different transportation leaders as hopes tell the flattering tales of avoiding cybersecurity hacks, safety recalls, and unfathomable risks. 

Unfortunately, in January WIRED Magazine reported yet another major vulnerability that existed (and is now semi-fixed) in “over a dozen carmakers” including Subaru, Toyota, Honda, Kia, Infiniti and Acura. This particular flaw allowed a white hat hacker (a.k.a. a “good-guy” researcher) to not just unlock the car and control the ignition, but unearth the location history for up to a year as precisely as being “… able to see [the owner’s] doctor visits, the homes of the friends she visited, even which parking space [she] parked in every time she went to church.” The researcher, Sam Curry, rightly points out this information could be weaponized against influential or wealthy customers in a million different ways, e.g., blackmailing a government official. 

So what does “hope” have to do with any of this? Automakers have been warned repeatedly about the escalating cybersecurity hacks and software recalls (e.g., four of the top ten software recalls in 2024 were software-related). They have been cautioned about the Four Horsemen pointing towards a Day One event: a 250% increase in “massive” or “high-scale” public attacks, poor Over-The-Air (OTA) reflashing of software, a rush to centralize software despite personnel cuts (e.g., GM recently completing 5% layoffs) and aggressive offshoring without rigorous quality assurance. Yet they continue to hope: hope they somehow adhere to governmental requirements, hope they don’t require a recall, and hope they don’t risk the brand. “Our cybersecurity program serves as a primary pillar to enable GM’s vision of a future with Zero Crashes, Zero Emissions and Zero Congestion,” states Kevin Tierney, GM’s Vice President of Global Cybersecurity. But given the disarray of certification standards, distributed software amongst dozens of hurried suppliers, and an ongoing battle with justifying the additional spend on reinforcing such cybersecurity pillars (which, as best pointed out in a 2018 article by WardsAuto, which explores executives to “… consider [cybersecurity spending] like a bipolar patient on medication: just because you haven’t had an incident doesn’t mean you should reduce your medicine”) such pronouncements like Tierney’s contain some percentage of either hubris, naiveté, or aspirational thinking. 

DEC 2024: Gone is the day where software-related defects were simply a negligible annoyance that only affected the user experience. Four of the top ten recalls – which by definition affect the safety of the occupants – were software-related. (Infographic by A. Brink). – ENVORSO

Building that bedrock for the pillar takes a rare, communal focus since it is “… a shared responsibility,” per Microsoft’s Vice Chairman, Brad Smith. That’s especially true in automotive given any given vehicles is a system of systems. “The ecosystem in automotive is vast and intricate. Components like semiconductors, have been engineered 4-6 years before market entry of an automotive system and have to function for the lifetime of a vehicle; approximately 15-20 years,” states Dr. Mathias Dehm, Chief Product Cybersecurity Officer of Continental. “Security by design is essential. Ensuring threat analyses are translated into protective designs and repeatedly improving engineering practices is vital. We can only be successful with a cross-company security culture and trusted information exchange, which cannot magically appear based upon hope.” And this need for a safety and security culture will only be tested further as recent advances in Artificial Intelligence (AI) such as DeepSeek will likely add greater speed-to-market pressures, which tend to emphasize optimism over due diligence. “Where things get even more scary to security practitioners is if the backend systems like AI for example, become connected to cars and execute movement or control over a vehicle,” states Lawrence Pingree, Vice President of Dispersive, when discussing the Subaru hack. “Both the car manufacturer and the liability of the driver could be questioned in such a potential eventuality. Those become blatant safety issues. It’s important that manufacturers get the data they need, but at the same time, customers have more control so that the data isn’t misused.” 

In another historical piece set on the ocean, Poseidon’s Spear, the author tells us “Hope is the most intoxicating drug, better than wine or opium.” 

Hopefully (no pun intended), a dozen or so automakers go to rehab soon. 

Author’s Note 

I have seen behind the curtain. I have witnessed important tasks (that shall go unnamed for the sake of plausible deniability) cut for the sake of “on-time delivery” to the customer. These shortcuts do not happen by accident. When a company has a strong safety and security culture, it requires transparency on project management delivering adequate resources, acute understanding of system requirements fulfilling security goals, an architecture that comprehends the threats and hazards, and rock-solid testing sans missed steps. This is the exception; not the norm. 

Until automakers get control of not just their next generation, software-defined vehicle, but additionally their quality assurance, they are hoping for success. 

And as Anderson Cooper would tell you, “Hope is not a plan.” 

Want to prevent software recalls through better development processes? Schedule a free 60-minute session with our Atlassian experts to evaluate your toolchain and agile practices.