Automakers form alliance to bolster cybersecurity

WASHINGTON -- By the end of the year, automakers will have a new layer of defense in the fight against would-be car hackers.

Through the Alliance of Automobile Manufacturers and the Association of Global Automakers, automakers are working to establish an Information Sharing and Analysis Center to act as a secure, industrywide clearinghouse for intelligence about cyberthreats to vehicles and their networks. It would also facilitate sharing of best practices for how to safeguard against and respond to threats.

Cybersecurity is a new issue for the industry, one handled by automakers in different ways. That varied and still-developing approach has fueled industry critics, including some lawmakers, who say the industry lacks a comprehensive solution to safeguard their customers.

The immediate threat of malicious hackers wreaking havoc on connected cars appears to be relatively remote. The researchers who remotely controlled some Jeep Cherokee vehicle systems -- as chronicled by Wired magazine in July and widely reported elsewhere -- were highly sophisticated security experts who spent years developing the tools needed to complete the hack.

Hackers seeking monetary gain have little current incentive to target cars. Even though vehicles can collect huge amounts of data, the auto industry has yet to monetize it in a major way, according to a recent white paper by consultancy Frost & Sullivan.

But that could change.

"Is it dire right now? I wouldn't say so, but now is the time to form the ISAC so the infrastructure and trust is there when they need an ISAC," said Denise Anderson, chair of the National Council of ISACs and a former vice president of the financial services industry's ISAC. "You don't want to be caught unprepared. Health care is being heavily targeted right now, but in the past they weren't."

Many other industries have launched such centers, known as ISACs, since the first were formed following a presidential directive decision by Bill Clinton in 1998.

The auto industry's ISAC is scheduled to be operational by the end of the year, Rob Strassburger, vice president of safety at the Alliance of Automobile Manufacturers, said in July.

Every major automaker will participate in the automotive ISAC, with suppliers and telecommunications companies expected to join down the road. Member companies will be able to share information about vulnerabilities and attacks anonymously through the ISAC. The auto industry's ISAC is expected to have a dedicated professional staff with analysts to diagnose and respond to threats, and disseminate information to members.

Executives from the Auto Alliance and Global Automakers say that many of the details of how the center will operate are still being worked out. But other ISACs provide a hint of the auto industry security hub's capabilities.

Financial institutions were able to respond to a rash of attacks that knocked the websites of dozens of major banks offline in 2012 and 2013 in part because of that sector's ISAC, Anderson said.

She said the center set up a dedicated portal where information about the distributed denial-of-service attacks, in which hackers seek to crash or disrupt a website by flooding it with traffic, was shared in real time and updated as attacks evolved.

Anderson says the attacks waned as the banks developed effective countermeasures. And one of the ISAC's members was able to thwart an attack well enough that its website was unaffected, she said.

As reported by Wired, security researchers Charlie Miller and Chris Valasek accessed a Jeep Cherokee's central computer that controls many vehicle functions via a loophole in the SUV's Internet-connected radio head unit. Fiat Chrysler Automobiles and Sprint, which provides cellular service to Chrysler vehicles, addressed the loopholes exploited by Miller and Valasek.

But before that, the two were able to crank up the Cherokee's radio, turn on the windshield wipers, blast the air conditioning and even disable the transmission by entering commands into their laptop from miles away.

These and other vehicle-system vulnerabilities are under mounting scrutiny in Washington from lawmakers and regulators alike.

Attacking a vehicle through its cellular data connection is one of 11 types of potential attacks facing modern vehicles that were identified in an October 2014 report by the National Highway Traffic Safety Administration. The report was one product of a 2012 reorganization of NHTSA's research arm to increase the agency's focus on vehicle electronics, including cybersecurity.

Recent legislation proposed in the U.S. Senate would direct NHTSA and the Federal Trade Commission to write minimum rules for cybersecurity. That proposal followed a February report by Sen. Edward Markey, D-Mass., that found the industry's cybersecurity measures to be inconsistent from company to company, calling the disparate approaches "for the most part ... insufficient to ensure security and privacy for vehicle consumers."

Meanwhile, the House Energy and Commerce Committee is conducting a review of its own. It is following up with automakers after receiving responses to cybersecurity questions sent in May to top U.S. officers at 17 automakers and NHTSA.

"With more-and-more connected automobiles on the road every day, members are looking to better understand the state of the market today and where it's headed in the years to come," an Energy and Commerce Committee spokesman said in a statement.

Absent a robust approach to cybersecurity by the industry, Frost & Sullivan says the government could push the industry toward a new set of regulations.

Said the consultancy: "The government appears to be taking action, while automakers are slower to respond. These roles must be reversed."