When it comes to the Internet of Things and security, it seems individuals and organizations keep making the same fatal mistakes – over and over again – because we continuously see it as a technology problem. It’s not. It’s a business strategy failure. Whether it’s insecure hospital devices, hackable power grids, or lethal connected cars, the same root cause can be found in nearly every IoT or critical infrastructure security failure. Security isn’t baked into the product. It’s not part of the organizational DNA, and if it's thought of at all, it’s often too far in the development cycle to be truly effective. Take the now famous case of the 2015 Jeep Cherokee Hack. The most important lesson from the 2015 Jeep Cherokee hacking story has nothing to do with the specific vulnerabilities that were exploited to turn an SUV into a potential weapon. The most important lesson is how cyber insecurity starts at the earliest stages of planning and architecture when organizations don't think through the possible intended and unintended consequences of new technologies. Sadly, this critical lesson seems to have largely been ignored despite its applicability to the future of connected cars. Interestingly, 1993’s Jurassic Park, which had many important lessons regarding technology and biology, also had a host of critical cybersecurity lessons that we’ve largely ignored – at our own peril One of my favourite lines from 1993's Jurassic Park comes from mathematician Dr. Ian Malcolm, an expert in chaos theory, during a debate with the park's founder John Hammond:
“(Y)our scientists were so preoccupied with whether or not they could that they didn't stop to think if they should." – Dr. Ian Malcom, Jurassic Park (1993)
To be fair, Malcolm was referring specifically to technology that enabled the cloning of extinct animal species, yet that line still resonates when looking at all the factors that led to someone being able to remotely hack into an SUV over the Internet with the potential capabilities needed to kill its passengers and others.
The road to lethal cars was paved with good intentions
No one set out to make a hackable Internet-connected vehicle that could be turned into a weapon. In fact, the first steps towards this disaster had nothing to do with connecting the car to the Internet. The first steps had to do with introducing entertainment technology in order to raise the perceived value proposition of a car made by Ford, Fiat-Chrysler, or General Motors against the equivalent overseas-made car from manufacturers such as Honda, Nissan and Mazda. The problem for Ford, Fiat-Chrysler and General Motors is that before they even build a new car, they're already much more expensive than the equivalent import due to legacy labour costs, such as pensions, healthcare and other benefits. In 2005, these expenses added as much as $1,500 to the cost of each car GM made. That means, all things being equal, to make the same amount of money as a Japanese automaker for the same kind and quality car, the big three automakers have to charge a price premium, which is a tough sell given the brand perceptions around the quality of imported vehicles versus domestic ones. But then, the manufacturers discovered a partial solution. What Ford realized in the late 2000's with their Sync initiative was that they can use low-cost technology to create additional value and justify part of the premium needed to grow their margins. They realized that technology could not only attract younger buyers or the so-called Millennial Generation; they also found those buyers would be willing to pay as much as $3,000 more for entertainment and Internet-connected hardware
Pandora's digital box
Adding touch-screen technology to the entertainment system of a car is one thing, but when you start connecting that entertainment system to the control systems of the car and then connecting those systems to the Internet, you end up with trouble. But why did the manufacturers hook these systems together? Ironically, in most cases, it was about adding safety features. You can almost hear the brainstorming sessions in the late 2000's. Engineer A: "Wouldn't it be great that in the event of an accident or collision, your car could turn the stereo down and call '911'?" Engineer B: "Wouldn't it be great, too, if you could track your car over the Internet if it was lost or stolen?" Engineer C: "It'd be great, too, if your car could notify you via the mobile app if it has a problem, or if it could send important data to your dealership." Meanwhile, Marketer A loves these new ideas, each of which can become a branded feature to help differentiate a car from competitors but can also add value to the car at little or low cost. It's worth noting in this hypothetical scenario that there's no Cybersecurity Expert A in those meetings, which is likely pretty close to what happened in real life. There was likely no Ian Malcolm-type in the room to question whether some systems should be integrated together just because they could.
But we've turned a corner, haven't we?
You'd think after the Jeep Cherokee hack that a strong enough wake-up call had been sent to all manufacturers or – if not the manufacturers – lawmakers and safety regulators. You'd be wrong. In the US, a bill to kick off a study on car cybersecurity that could lead to laws was introduced in November 2015, and nearly a year later, it's still stuck in the committee stage. Granted, the National Highway and Transportation Safety Agency in the US is actively trying to wrestle with the complexities of automobile cybersecurity, but the reality is that it's a reactive approach that needs additional legislative support to move towards a proactive focus. As the recent Mitsubishi Outlander hack shows, automakers still aren't taking these kinds of issues seriously. And if they’re not taking it seriously, you can bet most if not all other IoT manufacturers don’t get it, either. Until there’s a greater understanding and consequently, a greater emphasis on integrating security into business strategy, horror stories about dangerous or insecure IoT devices will only continue to mount. About the Author: David Shipley is the director of strategic initiatives at the University of New Brunswick’ s Information Technology Services. He is also the co-founder and CEO of Beauceron Security Inc., a new start-up focused on strategic cybersecurity management and the human aspects of cybersecurity risk and defence. He writes frequently about cybersecurity issues and has spoken at regional, national and global cybersecurity conferences. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
