DOJ Challenges Auto Industry: Let's Try to Build Unhackable Car

One estimate shows that by 2020, 75 percent of new cars will have Internet connectivity, causing some officials to worry about the possibility of a terrorist attack on smart vehicles.

by Tresa Baldas, Detroit Free Press / April 13, 2016
Six states and the District of Columbia have passed legislation aimed at creating an orderly and managed process for testing and introducing autonomous-vehicle traffic in their jurisdictions Shutterstock

(TNS) -- In its quest to build connected and self-driving cars, the automotive industry is facing a daunting task that national security experts say is a must: Design a car that's terrorist-proof — or at least try.

With 220 million Internet connected cars expected to be on the roads within five years, a national security expert visited Detroit Tuesday and urged automakers to be mindful of the growing cyber-security threats posed by terrorists, information crooks and spies who could potentially try to hack into wired vehicles and cause mayhem of all sorts.

While there are no known cases of terrorists hacking a connected car, the Department of Justice official stressed that automakers need to try to stay one step ahead of any potential hackers and ask:

"'What are the bad buys thinking? We've seen them be creative before," said Assistant Attorney General for National Security John Carlin, who met with auto executives and law enforcement personnel at Cobo Center at a presentation titled, “Emerging National Security Cyber Threats and Their Implications for the C-Suite.”

During his speech, Carlin reminded the audience about last year's intentional hacking of a sports utility vehicle by security researchers, who hijacked a Jeep Cherokee over the Internet. They managed to turn the steering wheel, disable the brakes and shut down the engine -- among other things -- triggering the eventual recall of nearly 1.5 million vehicles.

"It doesn’t take much imagination to see how similar vulnerabilities could be used against us by our adversaries to bring about horrific results," Carlin said.

Carlin spoke on national security cyber threats and economic espionage at the opening management program of the SAE 2016 World Congress. He addressed the growing threat posed by sophisticated computer intrusions to the transportation sector and the economy at large, as well as the role the government and private sector must play in protecting companies before, during and after a serious hack.

In a sit-down interview with reporters, Carlin stressed that his reason for visiting Detroit was not to raise panic or stir fear, but to encourage automakers to assess the security risks associated with connected cars before anything bad happens.

"It's better in every respect to think of the risk on the front end," Carlin said, later adding: "We can't play catch up ... Assume the worst."

Concerns about cybersecurity in the automotive industry began to emerge several years ago. In 2014, a group of automakers and suppliers led by Delphi, Battelle, the Alliance of Automobile Manufacturers and the Association of Global Automakers banded together to formed a coalition to study cyber security issues.

Last year, two car hacking reports vaulted automotive cyber security into national headlines: In February, "60 Minutes" demonstrated how a car could be hacked as Lesley Stahl was driving the vehicle. In June, Wired Magazine published a story detailing how two researchers took control of a Jeep Cherokee.

But both events took place under a highly controlled environments and were orchestrated by hackers who had spent a lot of time targeting a specific vehicle. To date, there haven't been any documented cases of real-world, malicious car hacking.

Still, both reports elevated public concerns and set off alarm bells within the automotive industry, cyber security experts said today at an Automotive Press Association event.

Carlin noted how the auto industry has taken technology to a whole new level, making cars that can be opened by fingerprints, driven by themselves and shut down through the push of a button from anywhere. Connected cars in particular will soon hit the market by storm.

Carlin cited one estimate that shows by 2020, 75 percent of new cars shipped will have Internet connectivity. There could be 220 million so-called connected cars on the road by then, each with more than 200 sensors. These cars will allow drivers to stream music, look up movie times, get real-time updates about traffic and weather conditions, he said.

But there's more, Carlin said, noting that by 2022, driverless cars will be able to navigate crowded city streets; By 2025, the driverless car market will be worth $42 billion.

"You can easily see how the auto industry makes for a valuable target for hackers of all stripes. You have valuable information and infrastructure that they want," Carlin said.

In recent years, the country has witnesses a number of computer hacking incidents involving foreign spies, organized crime and terrorists.

For example, in a 2014 attack on Sony, what was believed to be North Korean-sponsored hackers damaged company computer systems, compromised valuable information, and released corporate data and intellectual property.

Most recently, seven hackers affiliated with the Islamic Revolutionary Guard Corps were indicted last month for alleged hacking-attacks against the financial sector, costing tens of millions of dollars in remediation costs and locking hundreds of thousands of customers out of their accounts. One of the defendants also allegedly hacked into the computer system of the Bowman Dam in New York, which allowed him to obtain information regarding the status and operation of the dam.

"Every sector of the economy is a target – infrastructure, financial institutions, entertainment, agriculture, energy and yes, the auto industry," Carlin said.

Brent Snavely contributed to this report.

©2016 the Detroit Free Press Distributed by Tribune Content Agency, LLC.