In today's connected world, cyber is everywhere. This is particularly true in the automotive sector, where advanced, connected technologies are producing unprecedented disruption in almost every aspect of the automotive ecosystem, including manufacturing and supply chain, consumer engagement, connected and autonomous vehicles, dealer interactions, financing and, of course, enterprise operations.
With disruption often comes wide-ranging cyber risks for the automotive ecosystem. Cyberattacks can breach data, privacy, and safety; disrupt operations and compromise coveted intellectual property; cause financial losses; and dilute consumer trust in a brand. These are daunting challenges—but they also open up interesting opportunities. To gain insight on how automakers are approaching “cyber everywhere,” we sat down with General Motors’ (GM) vice president of global cybersecurity, Jeff Massimilla, to understand what GM is doing from an enterprise and product perspective to mitigate cyber risk.
DELOITTE: How would you describe “cyber everywhere” in the automotive industry and how has it evolved over the past five years?
JEFF MASSIMILLA: The very concept of “cyber everywhere” has evolved greatly over the past five years. Earlier, it focused just on information technology systems, with the aim to prevent the loss of intellectual property. Even then, GM had a somewhat broader definition than other companies because of OnStar.1 Today, however, cyber everywhere is truly an end-to-end connected ecosystem, from the back office through the telecom carriers and down to the platform itself, enabling automated driving and convenience features, mobile hotspots, and so on. GM still has an information security function, but it has evolved to be highly focused on data privacy. Focus has also moved to the manufacturing environment, the most recent evolution of cyber everywhere across most industries. Insulating manufacturing from disruption, while protecting employees and product integrity, is all very important now. As a result, our cybersecurity organization is involved in every aspect of GM’s business.
"Understanding the different solutions and sharing knowledge across the industry are critical to address the rapidly evolving cyber threat landscape."
DELOITTE: How can automotive companies promote external collaboration to address cyber risks?
JM: Collaborations, whether within or outside of the automotive industry, are extremely important to understanding different solutions, and sharing this knowledge is critical in addressing the rapidly evolving cyber threat landscape. We collaborate with several industries including medical devices, aerospace and defense, and consumer electronics. The point of these relationships is to exchange knowledge and expertise around the key challenges in connected ecosystems. In the automotive industry, we have two very specific collaboration initiatives. The first is the US Auto Information Sharing and Analysis Center (Auto-ISAC), which allows us to collaborate within a competitive industry. It encourages meaningful interactions among automotive companies with varying levels of cyber maturity. It provides a safe, trusted environment for participants to create best practices for the entire industry. The second critical piece is related to supply chain security—we work closely with our partner suppliers to ensure the integrity, security, and quality of our products. Collaboration presents some challenges too, with the main one being forming a collaboration mentality across the ecosystem, so that everyone is working together to mitigate the risks of cyber incursion.
DELOITTE: How do you navigate the threat of cyber risk to your business operations and products when you work with partners that might be operating in less mature cyber environments?
JM: Over the past few years, awareness of cybersecurity, as it applies to safety and privacy in the automotive industry, has skyrocketed. Regulation is not behind either—the California Consumer Privacy Act, Europe’s General Data Protection Regulation, various privacy regulations in South America, and regulatory activities on this front in China. The importance of having a strong cyber posture cannot be overstated. Closer to home, at GM, cyber is a key priority and I’m impressed with, and appreciative of, GM’s leadership in establishing maturity around cyber. GM’s strong focus on cyber emanates from the CEO and her senior leadership team. We also have a cybersecurity committee within our board of directors. I truly believe that is the foundation for driving maturity in this space. Additionally, we try to share everything we can to bring the entire industry up, rather than compete on cyber. After all, cyber has to be done correctly, so that there is no risk to our customers or products
"We try to share everything we can to bring the entire industry up, rather than compete on cyber."
DELOITTE: What sets GM apart in terms of its approach to cyber everywhere?
JM: There are varying levels of maturity among companies operating both within and outside the automotive space. Certainly, several organizations take it very seriously. There are also companies in the middle and some that have not prioritized cyber as an operational imperative. Large companies like us, that have the ability to attract the best cyber talent, have a responsibility to provide expertise, best practices, and tangible solutions to help smaller companies that struggle to get the right talent.
DELOITTE: Overall, how would you rank the industry’s preparedness for the challenges of cyber today and how well do you think the industry is prepared for cyberattacks?
JM: The Auto-ISAC is foundational to the cyber preparedness of the auto industry and establishing trust among competing organizations, which is critical. For example, if a major cyberattack puts customer safety at risk, we would tap into the Auto-ISAC structure to share updates and discuss mitigation strategies in real time because customer safety is most important in our industry. In addition, the Auto-ISAC is uniquely positioned to facilitate proactive incident-response exercises. We do this within our company all the time, but to do it as an industry—interacting with other stakeholders in the event of a cyber incident—is another level of preparedness.
DELOITTE: How is GM bringing consumers along in this cyber journey?
JM: We recognize that the increasing level of autonomy in vehicles can make cybersecurity a fundamental concern for our consumers. Yet in our experience, consumers don’t necessarily equate increasing vehicle connectivity with cybersecurity risk. Further, although data privacy is a concern, consumers may relate that more to the data and devices they bring into the vehicle. All that being said, we believe that overall consumer behavior and good cyber hygiene are a critical part of our ability to keep our consumers safe. For example, bringing a compromised smartphone into the vehicle could be problematic from a cybersecurity perspective. We, however, develop our products assuming that brought-in devices are already compromised and that the consumers may be doing things in the vehicle that they should not be doing. As such, we develop our defensive posture with the central pillars of privacy and safety in mind.
DELOITTE: What should car companies be prioritizing and what do you think are the most important things that need to happen to be successful in an evolving cyber ecosystem?
JM: Cyber is a rapidly evolving landscape and we certainly don’t have all the answers, but we’re focused and learning every day. First, cyber has to be a board-level priority, a CEO priority, and a priority within each function of the business because our industry is so interconnected. So, a top-down mandate will set the wheels rolling. Second, filling the massive talent gap in the industry is imperative for long-term success. The automotive industry and GM are competing with some of the most high-tech companies out there, including those in Silicon Valley. Overcoming the talent shortage by working with universities, government agencies, and other stakeholders is something the industry needs to do to be successful in the long run. Finally, it is incumbent upon larger companies to be proactive in helping the industry, so companies that do not have a similar ability to do everything on their own can have access to the knowledge and solutions that make the entire system stronger.
Cyber is a national security challenge and it is important to focus on it from an overall perspective. After all, you are only as strong as the weakest link in your ecosystem.
DELOITTE: How can companies achieve and accelerate top-down support from the board and senior executives?
JM: Company leaders have to show openness toward cybersecurity and an appetite for risk management. Their mutual willingness to do so is equally important. I think it also starts with the relationships being built among companies at the board, CEO, or cyber leader level. If those relationships exist, cross-pollination of ideas can occur. At GM, we are very interested in the whole industry moving forward together.
DELOITTE: Finally, do you have any thoughts on the key messages required to articulate the business case for top-down support?
JM: In today’s digitally connected world, cybersecurity must be one of the top risks for any technology dependent and forward-thinking company. The ramifications of a single cyber event could be catastrophic. So, recognizing the cyber risk and deploying the right mindset and resources are paramount. It’s almost like having a permanent, post-breach mentality.