As automakers race to develop automated vehicles, the challenge of securing these automotive systems has taken on an elevated role for automakers, prompting Volkswagen and U.S. House legislators, separately, to voice a need for a greater commitment to securing vehicles against cybersecurity threats.
Volkswagen partnered with a team of former Israeli intelligence officials to launch an automotive cybersecurity company. The joint venture, named Cymotive Technologies will create security solutions for “next generation connected cars” and automated vehicles, according to a release.
The management team consists of three cybersecurity professionals who served in senior roles within Israel's intelligence agency Shin Bet. Yuval Duskin, director of the intelligence agency until 2011, will serve as chairman. He is joined by former head of Shin Bet's Technological Division Tsafrir Kats and former head of the internal intelligence agency's Information and Computerization Division Dr. Tamir Bechor.
High-profile political hacking incidents have alerted the automotive industry to the need to tackle cybersecurity threats facing connected vehicles, according to Paul Godsmark, chief technology officer (CTO), Canadian Automated Vehicles Centre of Excellence (CAVCOE). “I think what we've seen from Volkswagen is a clear recognition that strong cybersecurity protection is needed,” he told SCMagazine.com.
The venture is a promising development that could improve automotive cybersecurity across the industry, according to Tim Erlin, senior director of IT security and risk strategy for Tripwire. However, Cymotive may find itself in a challenging predicament if the company opts to research competitors' vulnerabilities, rather than only focusing on Volkswagen security issues, he added. “Reporting a vulnerability in a competitor's vehicle could affect sales or costs for remediation,” he wrote in an email to SCMagazine.com. “Cymotive will have to tread carefully with research and disclosure.”
Public trust in automotive security is “crumbling,” Rod Schultz, vice president of product, Rubicon Labs, wrote in an email to SCMagazine.com. “Poor embedded security decisions, coupled with false performance claims, have compromised the trust of an entire industry, and a concerted effort by VW to build back that trust through security innovation will pay off in the long run,” he wrote.
Earlier this week, four members of the U.S. House of Representatives called for the National Highway Traffic Safety Administration (NHTSA) to address digital threats facing connected vehicles by securing on-board diagnostics ports. The OBD-II port “as it currently exists creates a growing risk to the safety and security of passengers,” the Congressmen wrote in a letter to NHTSA Administrator Mark Rosekind. “As such, we are writing today to request that NHTSA convene an industry-wide effort to develop a plan of action for addressing the risk posed by the existence of the OBD-II port in the modern vehicle system.”
The letter was signed by Energy and Commerce Committee Chairman Fred Upton (R-Mich.), Communications and Technology Subcommittee Chairman Greg Walden (R-OR), Oversight and Investigations Subcommittee Chairman Tim Murphy (R-Pa.), and Commerce, Manufacturing, and Trade Subcommittee Chairman Michael C. Burgess, M.D. The OBD-II ports were used by security researchers Chris Valasek and Charlie Miller in the Jeep Cherokee hack last year.
Automobiles generally are a heavily regulated industry, however consumer and advocacy groups have not yet made “a concerted effort in articulating a clear policy agenda,” Chris Calabrese, vice president for policy at the Center for Democracy & Technology (CDT), told SCMagazine.com. While autonomous cars have "enormous potential" to create positive outcomes, he said there is much work needed "in order to get there, especially in bolstering vehicle cybersecurity and agreeing on an acceptable level of risk.“When you're hacking computers, there is a limited amount of damage that you can achieve,” Godsmark told SCMagazine. “When you're hacking systems you can do a lot of damage - and when you're hacking a car, you can kill people — you can kill multiple people.”