Clarifying the Hype Around Auto Cyber Threats

I, like most Americans, have a love affair with the automobile. Give me an unlimited budget and I will quickly exceed it, purchasing pretty much every available car, truck and SUV on the market.

That's a big part of the reason why I have been following the cyber story du jour: auto cyber hacks. Each day sees a new hacking story about a new technique to penetrate your car's computers, with allegedly harmful results.

The icing on the cake here was the recall of over one million automobiles in order to fix a cybersecurity flaw. Well, what about the fact that hackers would have to have "unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time" in order to actually do anything bad to a car? Pshaw -- the mere existence of the recall was all the cyber-Chicken Littles needed to declare the sky was falling.

Unsurprisingly, Capitol Hill fired up its outrage engine, threatening hearings, regulations and legislation to address these "worries." All because a few researchers spent way too much time figuring out how to unlock a car door or play with software.

You want my reaction? It's a big fat "Meh". Let me explain.

First, let's begin with a widely acknowledged fact: the automobile industry is pretty darn sophisticated. It is established, organized and adept at running complex manufacturing operations. More importantly, it knows that its customers REALLY care about safety and security. Put all that together and it is as well positioned as any industry to respond to cyber threats.

Also consider the following:

  • Safety and security is a primary concern when it comes to auto design, construction and maintenance. Why? Because automobile customers expect their cars to be safe. It is a primary factor in deciding whether to purchase a specific vehicle. Auto manufacturers know that, and they know that ignoring safety innovations means potential lost sales. It only follows then that addressing cyber security will be a natural course for automobile manufacturers to follow.

  • The automobile industry is well suited to address software flaws or weaknesses through its strong and proven recall program. Anyone who has ever owned a vehicle is familiar with the relatively smooth recall and fix program. That same process is already used for software issues, and we are moving towards a system where security fixes can automatically be pushed to consumers. All of this means that the automobile industry is likely well ahead of cyber criminals when it comes to correcting security and safety flaws.
  • If there is one thing that the automobile industry knows, it is how to manage a diverse and far-flung supply chain, and ensuring quality control amongst its suppliers is a key component of that. Supply chain integrity is a critical component of cybersecurity, as far too often successful cyberattacks have been committed by sneaking in malicious code through a sub-developer or inserting counterfeit products into a larger enterprise system. This is another example of where the automobile industry is ahead of the field and can easily step in as a market leader in security.
  • The automobile sector is likely the only one set up to measure its own cybersecurity, and also mesh well with the insurance industry. First, remember that for years the automobile industry has worked closely with the insurance sector to measure vehicle safety (à la the Insurance Institute for Highway Safety). That forum has become the gold standard for measuring vehicle safety, and there is no reason why the automobile and insurance sectors cannot replicate that success with respect to cyber security.
  • Second, the auto insurance community is well known for incentivizing the use of safety and security features on cars by offering policy discounts for their use. That program should easily be extended to the use of cybersecurity measures in cars ("Your car has non-signature based detonation chambers? Great, that will save you 5 percent a month on policy premiums"). This will be in marked contrast to the difficulty currently being experienced in trying to tie cyber incentives to traditional property or general liability programs.

All of this is of course in addition to the more general notion that hacking into automobiles is a fairly pointless exercise. The idea that someone could remotely control your car (or multiple cars for that matter) and put you in peril sounds scary, and to be fair it is a possible event.

Still, let's be fair and distinguish between "possible" and "probable". Car hacking is possible, but is it probable? Hardly. The return on investment for doing so just isn't there. Remember that most cyber criminals are likely in it for the money, and there are much easier ways to make money than by crashing other people's cars on purpose.

So, I'm back to "meh". I understand why people worry about this issue and that it makes for a good news story. But I also recognize that devoting billions of dollars to create new, immortal, federal bureaucracies that oversee auto cybersecurity is a big waste.

We have better things to focus on like, oh, I don't know, figuring out if foreign hackers are stealing every secret we have from government agencies. Like that would ever happen...

Brian E. Finch (@BrianEFinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP.