I, like most Americans, have a love affair with the automobile. Give me an unlimited budget and I will quickly exceed it, purchasing pretty much every available car, truck and SUV on the market.
That's a big part of the reason why I have been following the cyber story de jour: auto cyber hacks. Each day sees new hacking story about a new technique to penetrate your car's computers, with allegedly harmful results.
The icing on the cake here was the recall of over one million automobiles in order to fix a cybersecurity flaw. Well, what about the fact that hackers would have to have "unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time" in order to actually do anything bad to a car? Pshaw -- the mere existence of the recall was all the cyber-Chicken Littles needed to declare the sky was falling.
Unsurprisingly, Capitol Hill fired up its outrage engine, threating hearings, regulations and legislation to address these "worries." All because a few researchers spent way too much time figuring out how to unlock a car door or play with software.
You want my reaction? It's a big fat "Meh". Let me explain.
First, let's begin with a widely acknowledged fact: the automobile industry is pretty darn sophisticated. It is established, organized and adept at running complex manufacturing operations. More importantly, it knows that its customers REALLY care about safety and security. Put all that together and it is as well positioned as any industry to respond to cyber threats.
Also consider the following:
- Safety and security is a primary concern when it comes to auto design, construction and maintenance. Why? Because automobile customers expect their cars to be safe. It is a primary factor in deciding whether to purchase a specific vehicle. Auto manufacturers know that, and they know that ignoring safety innovations means potential lost sales. It only follows then that addressing cyber security will be a natural course for automobile manufacturers to follow.
Second, the auto insurance community is well known for incentivizing the use of safety and security features on cars by offering policy discounts for their use. That program should easily be extended to the use of cybersecurity measures in cars ("Your car has non-signature based detonation chambers? Great, that will save you 5 percent a month on policy premiums"). This will be in marked contrast to the difficultly currently being experienced in trying to tie cyber incentives to traditional property or general liability programs.
All of this is of course in addition to the more general notion that hacking into automobiles is a fairly pointless exercise. The idea that someone could remotely control your car (or multiple cars for that matter) and put you in peril sounds scary, and to be fair it is a possible event.
Still, let's be fair and distinguish between "possible" and "probable". Car hacking is possible, but is it probable? Hardly. The return on investment for doing so just isn't there. Remember that most cyber criminals are likely in it for the money, and there are much easier ways to make money than by crashing other people's cars on purpose.
So, I'm back to "meh". I understand why people worry about this issue and that it makes for a good news story. But I also recognize that devoting billions of dollars to create new, immortal, federal bureaucracies that oversee auto cybersecurity is a big waste.
We have better things to focus on like, oh, I don't know, figuring out if foreign hackers are stealing every secret we have from government agencies. Like that would ever happen...
Brian E. Finch (@BrianEFinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP.