Titus Melnyk, the senior manager of security architecture at FCA in the U.S., said cybersecurity threats require a cross-functional, multidiscipline approach from an automaker.
He said his IT team consists of security researchers and experts and former hackers who consult with the “vehicle side” of operations, helping electrical engineers understand cyber threats and how they could hurt the vehicle.
In working with Bugcrowd, Melnyk described hackers as a “passionate” bunch -- a word not often associated with them.
“People that like to hack or people that like to test and write things -- they do it because they love it, and they want to communicate and get recognition for what they’ve done,” Melnyk said. “They found ways to reach out to us and, again, we said let’s go forward [with a bug bounty program].
“While it’s unusual for an automotive company, at this point, it shouldn’t be. We should all be doing this. We should all have a way for people to find things and a way to report them to us, so that we can address those risks,” he added.
Bugcrowd CEO Casey Ellis agreed, saying hackers and the auto industry need to get on the same page: “What we’re looking at is two groups of people that really need to have a conversation but are slightly terrible at getting along.”
He said lumping in the “good guy” hackers -- or white hats -- with the bad ones -- or black hats -- distorts their image as a whole. And that persistent negative view of hackers may prevent companies from picking up bug bounty programs, which will soon be a necessity, he said.
“I see five years’ time, in this room, everyone is going to be [using a bug bounty program] in some fashion -- and it’s not going to be because it’s cool or because of any sort of pressure or anything like that. It’s going to be because you’ll realize that this is the most efficient way to get things done,” Ellis said. “We’re actually in a position where we’re going to be pretty poorly off if we don’t adopt it.”