
The art of leading without leading: GM and the delicate dance of automotive cybersecurity

How General Motors is staying ahead of the cybersecurity curve -- without making itself a target.

Tim Stevens Former editor at large for CNET Cars
Tim Stevens got his start writing professionally while still in school in the mid '90s, and since then has covered topics ranging from business process management to video game development to automotive technology.

Jeep builds the kind of vehicle that you'd be tempted to label as impervious to attack, if only because it's one of the few models still on the road that cut its teeth shuttling troops around the various theaters of World War II. But, in 2015, it wasn't a typical sort of weakness that thrust the company's vehicles into the headlines, it was something rather less tangible: a software vulnerability.

Security researchers found a flaw in Fiat Chrysler's Uconnect, a vulnerability that allowed remote attackers to reach the cars' internal systems. A recall was quickly instituted, and as yet there have been no reported cases of this flaw being exploited in the wild, but it was still a major black eye for the company. In the eyes of many, it was a scary preview of a future to come, a future where the roads are full of two-ton targets for a new generation of black hat hackers. The active connections that manufacturers had been hurriedly stuffing into cars suddenly seemed less like convenience and more like exposure.

About six months earlier, General Motors had quietly taken formal action, creating an internal team focused specifically on identifying potential threats within the company's systems -- cars and everything that interacts with those cars. That team, which today numbers about 80 individuals, reports to Jeff Massimilla, who became General Motors' Chief Product Cybersecurity Officer.

GM Chief Product Cybersecurity Officer Jeff Massimilla.

"I have a very unique team," Massimilla told me. "Half of it is very highly technical, mathematicians, cryptologists, military backgrounds in cybersecurity. Red team activities, so certified ethical hacking and things like that. The other portion of my team are the people that can bridge that highly technical group back to the automotive space."

Indeed, that mix is indicative of the automotive industry's shifting approach towards the sensitive issue of cybersecurity: listening and adapting rather than silencing and entrenching.

"We're deploying a defense in depth strategy, so defensive systems in layers on our vehicles," said Massimilla. "We're engineering our systems to be upgradable over time, to be able to address vulnerabilities as they're identified."

And while that internal red team will be doing its best to identify those flaws early, Massimilla and his team are realistic enough to know that they'll never test every possible combination. For that they need outside help.

To get that, General Motors is partnering with HackerOne, a company that helps organizations of all sizes connect with security researchers around the globe. Through HackerOne, companies can go so far as to post bug bounties, giving independent hackers financial incentive to report findings through the right channels.

"We're very, very good in the automotive space," said Massimilla. "But interacting with researchers is a bit of a new field for us, so leveraging relationships with something like HackerOne will be very valuable."

Massimilla is also ensuring GM takes a leadership role at the various automotive standards bodies: GM chairs the SAE group for cybersecurity, and Massimilla himself serves as Vice Chair of the Auto Alliance's Information Sharing and Analysis Center (ISAC), an industrywide collaboration focused on information-sharing and threat-identification.


It's a delicate balance, though, as the road to cybersecurity is littered with the bodies of those corporate entities that were too confident in their abilities. "You never say you're a leader in this space, because it puts a target on you. But at the same time we're operating in a way that we're developing leadership. The resources that we're developing are to put us in a good position."

One of the major concerns surrounding automotive cybersecurity has to do with researchers' ability to dig into these systems. Indeed, thanks to bills like the one proposed last year by the National Highway Traffic Safety Administration, the very act of an outsider looking for a vulnerability within a car's systems may become illegal. Massimilla takes a pragmatic stance on the situation: "There's been a lot of bills, a lot of discussion on Capitol Hill on many aspects around cybersecurity... Right now there's nothing out there that says it is illegal, and therefore we want to embrace it as an organization."

That said, there's a limit to the amount of openness that General Motors can offer. "Security through obscurity is a really bad idea," Massimilla said. "At the same time, automotive systems are extremely complex." The number of proprietary systems involved, often from third parties, means that taking the drastic step of going open source isn't really an option here.

Indeed, the ever-evolving integration of standards is creating an interesting new challenge for these heavily bespoke systems. "[If] you're going to take in an Apple CarPlay and an Android Auto interface, it's your job to harden, to separate, to provide defensive measures between the critical systems. Whether it be a hypervisor, whether it be physical separation through firewall, whether it just be securing the inability to change software on that control module."

While you can never fully guarantee the security of a system, particularly one sprinkled throughout with disparate proprietary components, Massimilla and his team are seemingly taking the right steps and, more importantly, adopting the right attitude.

But is another big, ugly automotive hack inevitable? Massimilla is wise enough not to give a straight answer: "It's hard to predict. I think that the reason that we are devoting so many resources and we continue to devote resources is to ensure that we are doing everything that we can to be as prepared, as secure, as able to detect and respond as possible in the event of anything."