In a world where motor vehicles can be weapons and cars increasingly depend on internal computers and Internet connections, automakers are under increasing pressure to find ways to guard against cyber-attacks.
Auto industry chiefs, security experts and government officials warned at an auto industry conference here on Friday that hackers can threaten to do everything against cars that they do to other computers: remotely steal owner information, or hijack them and render them more dangerous than the truck that killed 84 people in Nice, France on July 14.
“When you look at autonomous autos, the consequences are so much greater” than the Nice attack by a possibly Islamic State-inspired man, said John Carlin, assistant US attorney general for national security.
“We know these terrorists. They don’t have the capability yet. But if they’re trying to get people to drive truck into crowds, than it doesn’t take too much imagination to think they are going to take an autonomous car and drive it into a crowd of people,” said Carlin.
General Motors’ chair and chief executive Mary Barra said that the advanced information technology that comes in new cars, especially “connectivity” systems linking cars to the Internet, creates huge new challenges.
“One of these challenges is the issue of cybersecurity, and make no mistake, cybersecurity is foundational,” she said.
Barra pointed to the need to protect the personal data of customers who use their in-car system for banking or to pay for other services.
“The fact is personal data is stored in or transmitted through vehicle networks,” she said.
On top of that is the complexity of the newest auto IT systems, which, she said, “opens up opportunities for those who would do harm through cyber-attacks.”
“Cybersecurity is an issue of public safety,” she said.
Carlin said cyber-attacks generally have cost the US economy billions of dollars, and that the problem is that hackers often outrace efforts to strengthen security.
That will be the case for the auto industry, especially as it pushes ahead with self-driving cars, he said.
“We know these terrorists. They don’t have the capability yet. But if they’re trying to get people to drive truck into crowds, than it doesn’t take too much imagination to think they are going to take an autonomous car and drive it into a crowd of people,” said Carlin.
The problem, said Steven Center, a Honda Motor Co vice-president, is that car makers are under pressure from consumers to add more and more connectivity features to their vehicles.
The landscape is changing fast, according to Jonathan Allen, a cybersecurity expert with Booz Allen who is helping car makers and their suppliers organise to deal with threats.
Up until only two years ago, manufacturers tended to downplay the threat posed by hackers, he noted.
But there has been a significant cultural shift within automotive business, which is now taking the challenge very seriously.
For one thing, the threat to the reputation of car makers is far more substantial, noted Josh Corman, founder of I am the Cavalry, a cybersecurity consulting firm.
Online fraud is one thing, but hacking into cars could actually threaten “flesh and blood”, so that car makers have to be even more vigilant, he said.
Jeffrey Massimilia, GM’s chief cybersecurity officer, said sharing information broadly across the industry is one of the keys to fighting off the threat.
Within the past year, the industry and key suppliers have gotten government approval to share information among themselves on cybersecurity without the threat of anti-trust action.
Automakers are also recruiting “white hat” hackers who help hunt down vulnerabilities in the IT systems of cars.
“We should have a way for people to find things and report them,” said Titus Melnyk, senior manager of security architecture at Fiat Chrysler Automobiles (FCA), which recently invited “the bug crowd” that looks for weaknesses in new software, smartphones, computers or consumer electronics.
“These threats are evolving. At FCA we take that seriously,” he said.