DOJ: Cybersecurity, Hacking Urgent Issues for Automakers

Electronic innovations that revolutionize new vehicles create hacking vulnerabilities if not carefully deployed. That’s the view of the U.S. Department of Justice. “Connectivity creates access,” said Assistant Attorney General John P. Carlin at the SAE 2016 World Congress in Detroit today. “Potential access to vehicle control systems could be used against us to undermine the very safety the technology was designed to provide,” Carlin noted.

Security researchers last year hacked a Jeep, gaining the ability to shut down the engine, disable the brakes, affect steering, and control turn signals, door locks, the tachometer, radio, HVAC and GPS. That incident resulted in a recall of nearly 1.5 million vehicles by FCA US. Chrysler had previously patched the software for current production, but at the insistence of NHTSA, pre-patch models are being recalled. (NHTSA Blasts FCA Recalls – Big Fines, Maybe Criminal Charges Coming for Italian Automaker? Litigation Ongoing.)

According to one forecast, by 2020, 75% of new cars shipped will have internet connectivity. There could be 220 million so-called “connected” cars on the road, each with more than 200 sensors. These cars will allow drivers to stream music, look up movie times, get real-time updates about traffic and weather conditions and much more.

Another study estimates that by 2022, driverless cars will be able to navigate crowded city streets, and that by 2025, the driverless car market will be worth $42 billion (excluding the base price of cars) – up from practically nothing today.

Recognizing this grave hacking risk, last month the FBI, the Department of Transportation and the National Highway Traffic Safety Administration released a joint public service announcement warning the public of the real dangers of remote exploits of vehicles on our streets.

The Role of the National Security Division at Justice

Carlin explained that at the National Security Division, “we focus on tackling cyber threats to the national security – in other words, threats posed by terrorists and state-sponsored actors. It is not fair to let you face these adversaries alone. The government ought to help, and we do.”

“The September 11th terrorist attacks showed us that putting walls up between foreign intelligence and law enforcement makes connecting the dots of a plot very difficult. So a decade ago, Congress created the department’s first new litigating division in almost half a century, the National Security Division,” said Carlin.

“We ensure unity of purpose in the department’s number-one mission – to protect against terrorism and other threats to our national security. And we unite prosecutors and law enforcement officials with intelligence attorneys and the intelligence community to ensure that we approach national security threats using every tool and resource available to the federal government.

“In the years since the National Security Division’s creation, it is increasingly clear that the factors that motivated our creation and guided our efforts to combat terrorism are equally true in our efforts to protect our valuable national assets.

“As with counterterrorism, we realized that prosecution is only one of the many tools the U.S. government brings to bear. So the National Security Division restructured and adapted to support a whole-of-government approach to national security cyber threats. Criminal prosecutions, sanctions, trade pressure and diplomatic options are just some of the responses available to us as we combat online threats to the national security.

“These tools allow us not only to defend against and disrupt attacks, but also deter them in the first place – to fundamentally change our adversaries’ cost-benefit analysis. Our attorneys, as well as our national security partners in the FBI and elsewhere in the government, live by the all-tools approach. We ensure that we have the necessary expertise no matter who is behind the threat, what their motivation is or what tool we need to use,” said Carlin.

The Threats the U.S. Faces

“As a result of the proliferation of technology – and the myriad ways to exploit it – we face a changing world order in which lone hackers, organized crime syndicates and nation states are all increasingly able to harm our shared networks and our livelihood. Every sector of the economy is a target – infrastructure, financial institutions, entertainment, agriculture, energy and yes, the auto industry,” said Carlin.

First – destruction and damage. Foreign, state-sponsored actors wage destructive attacks intended to coerce and intimidate. In the 2014 Sony attack, North Korean-sponsored hackers damaged computer systems, compromised valuable information, released corporate data and intellectual property at significant cost and threatened employees and customers.

Last year, the Department of Homeland Security warned about infections targeting industrial control systems with malware like “Black Energy.”

Last month, Justice announced the indictment of seven hackers affiliated with the Islamic Revolutionary Guard Corps who conducted distributed denial of service (DDoS) attacks against the financial sector, costing tens of millions of dollars in remediation costs and resulting in hundreds of thousands of customers being unable to access their accounts. One of these defendants is also charged with obtaining unauthorized access into the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam in New York, which allowed him to obtain information regarding the status and operation of the dam.

Second – theft. State and non-state actors use the Internet to steal intellectual property, export-controlled information and personally identifiable information at unprecedented levels. Anyone is fair game – intrusions have targeted the federal government’s Office of Personnel Management, the healthcare industry and airline passenger travel reservations, among other sectors.

Third – terrorism. ISIL is crowd-sourcing terrorism – using cyber intrusions to obtain information or resources that, when placed in the hands of terrorists, could prove deadly. But more than that, they use online tools to their advantage by leveraging social media to call for sympathizers worldwide to conduct attacks and facilitating their operational planning through encrypted communications using mainstream technology.

Automotive Engineering Recommendations

  1. Design with security in mind. As cars are increasingly connected to the outside world – via cellular, Bluetooth and other exposed entry points – control systems must be engineered from the outset with security in mind. That means building cybersecurity into all phases of product development, beginning with the concept and product design. It will be far cheaper to invest in securing automobile systems today than to pay for a recall and patch systems later.
  2. Equip and educate yourself. Make sure you have a comprehensive – and comprehensible – cyber incident response plan. You cannot manage your corporate risk if you do not understand it.
  3. Know business contacts create risk. Malicious actors can exploit your outside vendors – no matter how resilient you think your defenses may be. Consider guidelines to govern third-party access to your network and ensure that your contracts require vendors to adopt appropriate cybersecurity practices.
  4. Protect your bottom line. Companies are increasingly considering cyber insurance, and you should consider how this may fit into your risk management strategy. Cyber insurance may offer financial protection and may also incentivize companies to audit their systems’ defenses.
  5. Do not go it alone. We are safer when we work together to track and share cyber threats and to identify trends and common weaknesses. The auto industry recently established its own sector-specific information sharing and analysis center – the Auto-ISAC, which serves as a hub for the industry to share, in real time, cyber threat information and countermeasures. Just as with ISACs in the financial services, information technology and energy industries, the Auto-ISAC can become a central resource for proactively and uniformly addressing cyber threats to the automotive industry.