DETROIT — Fighting cyber-security attacks on connected and driverless cars will require new levels of cooperation among automakers, suppliers and the government, the Justice Department's leading attorney for national security said on Tuesday.
Speaking at the 2016 SAE World Congress in Detroit, Assistant Attorney General for National Security John P. Carlin noted that, according to some estimates, by 2020, 75 percent of new cars are expected to have Internet connectivity; by 2022, "driverless cars will be able to navigate crowded city streets; and by 2025, the driverless car market will be worth $42 billion — up from practically nothing today."
While acknowledging that connectivity and safety technology are welcome improvements, Carlin cautioned: "The same innovations that revolutionize the auto industry create vulnerabilities if not carefully deployed. Connectivity creates access. Potential access to vehicle control systems could be used against us to undermine the very safety the technology was designed to provide."
The threats, he said, range from hackers gaining access to vehicle systems "just because they can" to the theft of intellectual property to life-threatening terrorist attacks.
As reported by Edmunds, last year Fiat-Chrysler recalled 1.4 million U.S. vehicles, including 2014-'15 Jeep Grand Cherokee and Jeep Cherokee SUVs, to address software vulnerabilities in certain radio systems that left them open to hacking of control systems.
Other automakers that responded to hacking threats include General Motors, which had to issue a new OnStar RemoteLink app following a hack by a security researcher who said he took over some functions of a Chevrolet Volt, and Tesla, which issued a software update after hackers said they were able to take control of a Tesla Model S electric sedan.
To combat cyber threats, Carlin said, various government agencies have made considerable progress in working together, but "sharing information and intelligence between law enforcement is not enough."
There also needs to be cooperation between the government and automotive and technology companies.
As an example, he said, the government can do more than establish and enforce regulations. It can help by sharing information to make various segments of the industry aware of threats: If one supplier or manufacturer reports a threat, government agencies can disseminate that information to other sectors.
But, Carlin told the audience of automotive engineers and executives: "You are on the front lines in the fight for a secure Internet and secure cars, defending against attackers who can hack your systems and steal your information."
Connected systems, he said, need to be built from the ground up to withstand cyber-attacks: "As cars are increasingly connected to the outside world — via cellular, Bluetooth and other exposed entry points — control systems must be engineered from the outset with security in mind. That means building cybersecurity into all phases of product development, beginning with the concept and product design."
Said Carlin: "It will be far cheaper to invest in securing your automobiles' systems today than to pay for a recall and patch systems tomorrow."
Edmunds says: Consumers are increasingly expecting in-vehicle connectivity, and this multi-level approach to security will be necessary if hacking is to be prevented.