By Jonathan Michaels, MLG Automotive Law APLC
Law360, New York (January 6, 2017, 12:10 PM EST) --
In the latest international terrorist attack to kill dozens of victims, a truck driver in Baghdad Monday pretended to be recruiting day laborers before detonating explosives hidden in the vehicle. He claimed 36 lives.
In the not-too-distant future, experts warn, terrorists may instead strike from a laptop computer in another city, and the vehicle they use as a weapon could be yours.
According to a new report from Billington Cybersecurity, the automotive industry needs to adopt tough safety standards, and take cybersecurity cues from super-high-tech industrial giants like Boeing, to create autonomous vehicles that can’t be hacked.
Mark Rosekind, administrator of the National Highway Traffic Safety Administration, is quoted in the report saying that the sheer volume of devices and data in connected and autonomous vehicles represents a challenge to the automotive industry.
“That target’s in everybody's garage,” Rosekind said.
The report also notes that, although we’re at least a few years from having autonomous vehicles dominate the new car lot, the vulnerability already exists in today’s vehicles, which are more complicated and more advanced than ever before, each carrying an average of 100 million lines of code. As manufacturers make effort to churn out autonomous or semi- autonomous vehicles, expect that number to jump to 200 to 300 million lines in the near future.
As Mary Barra, the CEO of GM recently stated, “I fully expect the auto industry to change more in the next five years than it has in the last 50.” And this is where the concern lies.
White-hat hackers have already proven that breaking into a car’s computer engine control unit (ECU) is no difficult task. Those close to the industry will recall a demonstration in which hackers placed a journalist in a Jeep Cherokee to demonstrate how they could take over from a laptop several miles away. “As the two hackers remotely toyed with the air conditioning, radio and windshield wipers, I mentally congratulated myself on my courage under pressure,” wrote WIRED reporter Andy Greenberg. “That’s when they cut the transmission.”
ISIS is at the infancy stages of cyberattacks, but make no mistake about it, it has arrived. In April 2016, ISIS targeted 3,000 ordinary New Yorkers in a cyberattack, posting their personal information online and announcing, “We want them dead.”
The month before, an ISIS group hacked into the New Jersey Transit Police website and obtained the names, home addresses, phone numbers and working locations of the officers, calling on its supports to carry out lone-wolf attacks on the officers.
Sen. Gary Peters, D-Mich., said, as a policy maker, he has trouble mandating standards because the technology is developing so rapidly that, “as soon as we set standards, they’re going to be exceeded.” Perhaps ironically, the same day of the Baghdad attack, a bill aimed at helping to improve automotive cybersecurity failed to pass.
Senators Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., members of the Commerce, Science and Transportation Committee, had introduced the Security and Privacy in Your Car (SPY Car) Act, which would direct the NHTSA and the Federal Trade Commission to establish federal standards to secure automobiles and protect drivers’ privacy.
“Drivers shouldn’t have to choose between being connected and being protected,” Markey said. “We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.”
The bill languished in committee before officially dying when the 114th Congress ended on Jan. 2.
In the meantime, in October, NHTSA issued federal guidance to the automotive industry for improving motor vehicle cybersecurity. The policy asks developers to control access to firmware, limit the ability to modify security firmware, and control communication to back-end servers so communication between servers and vehicles can be properly secured. Transportation Secretary Anthony Foxx said at the time, “Cybersecurity is a safety issue, and a top priority at the department.”
It is only a matter of time before ISIS — or another terrorist regime — begins attacking the interconnectivity of cars, reigning havoc on all. Reckoning back to the Jeep Cherokee incident, imagine the destruction that could be caused if hackers simultaneously caused each Jeep to fully accelerate, while disabling the steering and brakes. Or consider the resulting damage if terrorists caused the vehicles to start in people’s garages in the middle of the night, causing their house to fill with toxic exhaust. The scenarios are not that far-fetched.
Barra has recognized the concern: “The threat landscape is continually evolving, and sophisticated attacks are specifically designed to circumvent even the most robust defense systems. Whether it is phishing or spyware, malware or ransomware, the attacks are getting more and more sophisticated every day.”
Counter-cyberattack company Security Mentor suggests that the auto manufacturers place “bug bounties” on their cars, offering rewards to anyone who can hack into their systems. The company believes that employing emerging hacking techniques is the only way automakers can guard against malicious intent. So far, manufacturers have been resistant to the idea.
But that’s not to say that auto manufacturers aren’t looking for ways to hack-proof their developing autonomous tech.
In September, Volkswagen announced a partnership with the former head of Israel's Shin Bet intelligence agency to develop cybersecurity systems for internet-connected cars and self-driving vehicles.
The new company, CyMotive Technologies, will be 40 percent owned by the German automaker and 60 percent by Yuval Diskin and two former colleagues who had senior posts in the Shin Bet.
The venture has an office in a suburb of Tel Aviv and will also open in Wolfsburg, Germany.
“To enable us to tackle the enormous challenges of the next decade, we need to expand our know-how in cybersecurity in order to systematically advance vehicle cybersecurity for our customers,” said Volkmar Tanneberger, head of electrical and electronic development at Volkswagen.
Heraclitus of Ephesus, the pre-Socratic Greek philosopher, famously said, “If you do not expect the unexpected, you will not find it; for it is hard to be sought.”
As unfortunate as it is, we are all but a stone’s throw away from the catastrophic implementation of a cyberattack on our vehicles of today and tomorrow. We cannot wait to create a defense after the carnage has occurred. We must act now, and expect the unexpected.
Jonathan Michaels is the founding member of MLG Automotive Law APLC in Newport Beach, California, which specializes in representing clients in the automotive industry.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.