The Cavalry Rides Into Auto Industry With Security Proposal
To promote advances "where computer security intersects public safety and human life," a grassroots group published an open letter to the automotive industry, offering to help. However, the missive struck a sour note with Strategy Analytics' Roger Lanctot. "It's naïve -- and actually hilarious -- of these folks to think car makers and their suppliers are not working on security."
08/12/14 1:03 PM PT
A grassroots group calling itself "I Am The Cavalry" has published an open letter to the automotive industry offering its services in ensuring security and safety.
"Modern vehicles are computers on wheels and are increasingly connected and controlled by software and embedded devices," the letter reads.
The letter lists some of the associated features under development, such as vehicle-to-vehicle communication, driverless cars and automated traffic flow.
New technology "introduces new classes of accidents and adversaries that must be anticipated and addressed proactively," the group pointed out.
"The once distinct worlds of automobiles and cyber security have collided," the letter says, urging the auto industry and the security community to "connect and collaborate toward our common goals."
Riding to Automakers' Rescue
The group proposes five critical capabilities developed jointly with "leading cybersecurity researchers and others working in and around the automotive industry" in order to lay a foundation for safety.
They are safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation of various features.
"We believe a compromise of non-critical systems like entertainment should never adversely affect critical/physical systems like braking," the group said.
The Cavalry is "eager" to start working with the automotive industry within the next 90 days, and it requests the industry unite with it "in a joint commitment to safety." It wants to help automakers "navigate this road to build greater protections for your customers and set a new standard for safety."
The Burr Under the Saddle
Here's the problem: Automakers been aware of safety and security issues for some years now and have launched their own programs to tackle these issues.
For example, the program for the second annual Connected Car Conference, held in June, had panel discussions on networked cars, self-driving vehicles, and privacy and security.
Meanwhile, Cisco is developing a secure end-to-end network architecture to optimize communication links and mobility services to and from connected cars.
The Intelligent Transportation Society of America's Connected Vehicle Task Force is looking at various issues around connected vehicles, including interoperability and security.
"It's naïve -- and actually hilarious -- of these folks to think car makers and their suppliers are not working on security," Roger Lanctot, associate director, global automotive practice at Strategy Analytics, told TechNewsWorld. "Multiple standards bodies and every supplier are engaged in securing automobiles."
The auto industry "overlaps with the defense and aerospace industries so don't be thinking that car makers have just been sitting around and bending metal," Lanctot growled. "If these guys want to make a difference, they have to start attending the meetings where the industry is working on this problem. They need to catch up."
Git Along, Little Dogies
It's difficult to see how and why the auto industry would entertain the organization's approach.
Take, for example, its suggestion that various features should be isolated to ensure that if one is compromised, others will remain safe.
"For nearly a decade, there have been a series of events that scared the industry, and, up until now, they have been keeping the connected parts of the car separate from the parts that drive, secure and maintain it," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
"Many of us don't think [automakers] are doing enough, but this group makes it look like they aren't doing anything, which isn't at all accurate," he continued.
Automakers "are likely to either brush off [the group's suggestion] or get a bit pissed at the implication that the auto industry is clueless," Enderle remarked. "If you want to work with someone, implying they are stupid probably isn't the best way to start."
The group's approach "is one step away from blackmail," Lanctot said. "As the Big Lebowski might have said, cluelessness abides."