The Time to Tackle Cybersecurity in Self-Driving Cars Is Now | Opinion

In July, U.S. news outlets reported on two significant yet seemingly unrelated tech stories. The first was a data breach at Capital One, where over 100 million users' sensitive personal information was exposed. The second was about Congress' efforts in crafting legislation that carefully reviewed the inherent complexities and nuances involved in regulating self-driving cars.

There may not seem to be much overlap between credit card data theft and legislation for self-driving vehicles. But when looking at both of these stories underneath the same lens, they reveal threads of an undiscussed narrative regarding cybersecurity in autonomous cars. Mainly, that there isn't enough.

This isn't surprising. If mature organizations like Capital One and Equifax still find themselves targets of mass data breaches, how will the emerging autonomous vehicle industry be able to predict, let alone respond, to potential cybersecurity threats?

Before assessing what cybersecurity measures manufacturers need to implement with autonomous vehicles, they must consider the connected landscape and full range of potential threats facing self-driving cars.

A Collected Network of Vehicles

Just because a vehicle is "autonomous" does not mean it is not part of a larger system. These cars act as part of a collective, integrated within the same network, linked to the broad ecosystem, with their systems and data overseen from a location far from where they are driving.

This collective interlinking enables self-driving vehicles to operate but also opens them to significant cybersecurity risks. Rather than compromising the steering column of one self-driving Tesla, a hacker could potentially access this collected network, therefore compromising multiple vehicles at the same time.

This type of attack could also be motivated by a hacker's ego or hubris. These individuals would love to be able to stand at a podium, proclaim that they were responsible for a recent hack that impaired Tesla or Google's self-driving operations, and reap praise and applause from other criminally minded techies across the globe. While a middle-class family in the Midwest would not usually encapsulate a sophisticated hacker's attention on a regular day, their ownership of a self-driving Tesla or some other notable, autonomous car brand places them within the sights of these criminals.

This isn't to suggest that if self-driving vehicles were ready for market on January 1, hackers would compromise this collected network and use dozens of cars to cause a fatal crash on January 2. But manufacturers and consumers must understand that the risks to autonomous vehicle cybersecurity extend beyond individual cars.

Threats Beyond Just Driving

Futurists and experts predict that if self-driving cars become widely adopted by the public, the vehicle itself will transform into something of an entertainment or leisure zone. Parents could watch animated films with their children on long drives. Executives could conduct presentations and hold conference calls en route to their destination. And if passengers traveling from out-of-town forgot to pack their razor or toothpaste, some casual online shopping from the vehicle's network will ensure that new grooming and hygiene products await them when arrive at their hotel.

For every instance of digital convenience a self-driving car may provide, there is an equal or greater cybersecurity risk associated with it. Hackers could manipulate a vehicle's AV system and disable screens or potentially stream malicious content. There may be an anonymous, unidentified viewer or eavesdropper on the executive's call taking note of confidential information, while also gaining access to other participants' computer systems and networks outside of the car.

And for that traveler, if they are not aware that the security of a self-driving rideshare vehicle has been compromised, the $5.50 they'd spend on a razor and toothpaste may end up costing them hundreds or thousands of dollars in credit card and identity theft.

Self-driving car
This photo taken on August 26 shows a NIO EP9 driverless car displayed during the 2019 Smart China Expo in China's southwestern Chongqing. STR/AFP/Getty

Solutions for Complex Problems

Computers have virus protection because malicious code has proved itself to be a threat to systems in the past. Software companies and tech organizations issue patches and updates to remedy pre-existing bugs. In tech, it's accepted that a problem has to first occur before it can be fixed. Still, self-driving car manufacturers can work to be prepared for future cyber threats.

This starts by not relegating cybersecurity to one specific branch or phase of a self-driving car's development but making it something that is continually emphasized and addressed throughout the end-to-end production process. This includes participation and cooperation from legal teams, supply chain managers and local dealers, where cybersecurity is always part of the conversation and many voices are offering input in decision-making.

Additionally, self-driving car manufacturers must be diligent regarding seemingly simple but crucial items such as software updates. The Equifax data breach that impacted nearly 150 million people could have been prevented had the credit bureau followed through with a software patch.

Self-driving car manufacturers who want to avoid a similar fate need to constantly and proactively detect and manage vulnerabilities from several sources. Adhering to risk management regulations and standards, they must automatically scrap and classify vulnerabilities and implement patches and updates in real time. Notification and alert messages on new vulnerabilities affecting fleets have to be communicated with passengers, based on total damage class score, to ensure their cars and personal data are protected.

Tamir Bechor is a clinical associate professor in Claremont Graduate University's Master's in Information Systems & Technology Online Program and is a co-founder of automotive cybersecurity company Cymotive Technologies.

The views expressed in this article are the writer's own.