Amid the chaos of CES last week, General Motors made an unusual announcement. The auto giant went public with its plans to launch a security vulnerability disclosure program, which promises not to take legal action against hackers who come to GM with security flaws they discover in the company’s cars. Such disclosure programs are common practice in Silicon Valley but extremely rare in the auto world; Tesla is the only other automaker with a similar program.
The executive behind the disclosure program, GM chief product cybersecurity officer Jeff Massimilla, has a complicated task: gearing up GM, which just entered into a pioneering agreement with Lyft, for a future of self-driving cars, while making sure that GM’s cars, which depend more and more on computers, are free of security vulnerabilities that could degrade how a car behaves or do much worse. I spoke with Massimilla over the phone at CES, and he told me a little bit about the challenges and opportunities GM faces.
Massimilla, who’s responsible for ensuring that Chevy, Buick, Cadillac, and other cars aren’t enticing targets for hackers, oversees a team of approximately 80 employees.
"We are obviously securing our ecosystem—and securing is a relative word as there’s no absolute security—and employing layers of defensive measures in our vehicles and services. When we talk about that," he told me when I asked about cybersecurity, "it's a defensive posture and the ability to not only detect and monitor but to respond."
GM had a fairly recent cybersecurity headache of its own. In 2015, researcher Samy Kamkar found a vulnerability in the OnStar RemoteLink app and the OnStar service behind it that could let an attacker remotely unlock a car or start its engine. Although it didn’t attract criminals (there are, after all, much easier ways to steal a car in 2015 America than fiddling with a smartphone app), it did give GM a wake-up call on the importance of security.
When I asked Massimilla about GM’s takeaways from the OnStar hack, he paused. After a few seconds, Massimilla told me something interesting:
We learned the importance of programs with researchers leading us down the path to today (from the incident). We're in the process of building a connected program, having defense in depth across systems, and the ability to detect and monitor and respond. It was a great experience that gave us interactions with researchers and to learn the ability to adapt systems and close vulnerabilities identified through response, and to put things in place to detect things ahead of researchers finding it.
In other words, GM seems to have learned the importance of finding these sorts of vulnerabilities in-house, or at least learning about them discreetly from outside researchers, as quickly as possible. And the auto giant surely has Volkswagen’s current troubles in mind: software in Volkswagen’s cars that appears to have been deliberately designed to produce misleading emissions data has caused a public relations nightmare. Not only did Volkswagen lose a massive amount of customer trust because of that software, it also suffered significant financial harm.
Like it or not, connected and computerized cars are high stakes.
If future security vulnerabilities are found in cars (and, statistically speaking, they are almost certain to be), how will they be fixed? Will GM push updates over the air, through the 4G LTE connections automakers are now marketing to customers? Will owners have to bring the car back to the dealership to be plugged into a service computer? Or is the future of car software updates something else entirely?
Massimilla’s answer was that it depends on where the flaw lives. If it is in a companion app, the company could update the app from a back office, remotely disable the old version and push a new, fixed version to customers, much as smartphone app updates work today. If the vulnerability demanded a response from a telecom carrier (GM has an agreement with AT&T for its OnStar service), that process would be streamlined as well. But, he added, "If the vulnerability existed on the vehicle, it depends on where exactly it was—we could either send a software update to the vehicle or have customers visit the dealership to get it resolved."
Tesla, for its part, grapples with the same issues.
To keep their cars free of security vulnerabilities and to keep hackers from harming drivers (or generating embarrassing media scandals), GM and other large automakers are forced to collaborate with a large community of "white hat" hackers who find vulnerabilities in their products independently. Two of these hackers, Charlie Miller and Chris Valasek, attracted a significant amount of media attention last year when they remotely hacked into a Jeep Cherokee and controlled it while it was on the road, a demonstration published by Wired. The pair were later hired by Uber.
GM’s security vulnerability program is an effort to maintain open relations with these security researchers/hackers. It’s a challenge—the anarchic hacker subculture doesn’t always jibe culturally with the auto industry’s conservative ways. In our conversation, Massimilla praised GM’s partnership with bug disclosure platform HackerOne multiple times. HackerOne, whose investors include megafirm NEA, Salesforce CEO Marc Benioff, Russian tech tycoon Yuri Milner, and Dropbox CEO Drew Houston, effectively serves as a middleman between GM and the larger hacker community.
By using HackerOne as its preferred channel for outsiders to report security vulnerabilities, GM creates a buffer between itself and a larger, unpredictable hacker subculture that makes executives nervous.
Cybersecurity is also an issue that forces intensely competitive automakers to collaborate with each other. Massimilla is the vice chair of Auto ISAC, the industry’s cybersecurity information sharing and analysis center, whose board includes executives from nearly every major automaker. A product of the auto industry’s two major trade groups, the Alliance of Automobile Manufacturers and the Association of Global Automakers, Auto ISAC is designed to help automakers share intelligence on security issues and develop best practices.
In the meantime, auto manufacturers are gearing up for a world in which cars are more about software than components. And, like it or not, that world is just around the corner.