Cybersecurity for increasingly software-dependent autos largely voluntary

The Biden administration wants to shift cybersecurity burdens from individuals, small businesses and local governments to automakers and other big companies.

The White House's national cybersecurity strategy calls on "organizations that are most capable and best positioned to reduce risks" to take on that responsibility.

The end result, according to some industry observers, will make cybersecurity for increasingly software-dependent autos largely voluntary. That is because the White House's strategy amounts to recommendations and not mandates. But as more sophisticated software-defined vehicles come to market, the auto industry says cybersecurity responsibilities should be shared by companies, industries and government agencies in this evolving sector.

"Vehicles are increasingly integrating into a broader ecosystem of connected infrastructure, devices, and features — many of which are beyond the control of the auto companies themselves," Hilary Cain, vice president for technology, innovation and mobility policy at the Alliance for Automotive Innovation, said in a statement. The alliance is a trade association that represents the interests of automakers and their suppliers.

Software-defined vehicles, like smartphones, collect user data and offer features that can be updated over the air. Those features include digital keys that allow drivers to start their cars via mobile phones and systems that monitor users' heart and respiration rates.

Regulation needed?

Automotive cybersecurity in the U.S. is governed by a voluntary regime. NHTSA first published its Cybersecurity Best Practices for the Safety of Modern Vehicles document in 2016. Those standards were last updated in 2022, when the agency warned automakers to protect against the potential manipulation of data produced by the lidar and radar sensors that are used in self-driving and advanced driver-assistance systems.

The agency called on automakers to protect against lidar- and radar-jamming, GPS spoofing, remote road sign modifications, camera-blinding, and hacking methods to get artificial intelligence in these systems to produce data with false positives.

When it comes to automotive cybersecurity, the U.S. auto industry needs regulations instead of recommendations, said Moshe Shlisel, CEO of GuardKnox, an Israeli auto cybersecurity company.

"In America right now, regulations on this are not mandatory," Shlisel said.

Shlisel said U.S. automakers are not scrutinizing the applications they put into their vehicles adequately.

The U.S. should follow the European Union and the 58 members of the United Nations Economic Commission for Europe, which have enacted stricter regulations, Shlisel said.

The EU's General Data Protection Regulation protects personal data linked to individuals. The commission's Regulations 155 and 156 govern vehicle cybersecurity systems and protocols for software updates. The regulations require automakers to defend their vehicles' software systems and customers' personal data against cyberthreats, along with creating processes to document and manage cyberattacks.

Historically, hardware and software were largely intertwined in the auto industry's business model. But automakers are moving to a software as a service model for features in their vehicles, such as those that use artificial intelligence to learn a driver's comfort settings or that provide a customer with live traffic information, to potentially unlock billions in revenue.

Billions at stake

Globally, the automotive software market will grow to $80 billion by 2031 from $31 billion in 2019, according to consultancy McKinsey & Co.

In recent years, automakers have rolled out features customers can add to their vehicles for additional fees. Those include driver-assistance systems and infotainment systems that integrate music and video streaming.

GuardKnox and other such companies also have a vested interest in the emerging auto cybersecurity industry.

In 2022, that global market was worth $3.2 billion. That is expected to grow to $22.2 billion by 2032, according to Market.us, a market research firm.

'Lack of specifics'

The government should impose cybersecurity standards on the auto industry, said Michael Brooks, chief counsel at the Center for Auto Safety, a Washington, D.C., automotive consumer advocacy group. Although the Biden administration's guidance sets the stage for a cooperative partnership between the U.S. government and industry players, it is far from definitive, Brooks said.

"There's an incredible lack of specifics. They're not proposing a cybersecurity standard or upgraded prevention standards at a minimum," Brooks said. "There's not any directives on actions that need to be taken to specifically protect vehicles and all sorts of other transportation from these cyberthreats."

American automakers do not want to be forced to certify that they're meeting a strict code of standards, and they oppose the U.S. Department of Transportation regulating automotive cybersecurity, Brooks said.

Brian Weiss, spokesperson for the Alliance for Automotive Innovation, said the organization supports the voluntary cybersecurity standards that NHTSA and the Automotive Information Sharing and Analysis Center, a different trade group, have developed.

"Since the cyberthreat is dynamic and ever evolving, we have concerns with prescriptive and inflexible regulatory standards. A public-private partnership model coupled with voluntary guidance is the preferred path," he said.

And even though the U.S. is not a signatory to the U.N.'s cybersecurity regulations, which go into effect for all vehicles in July 2024, American automakers are expected to comply with them.

'The right thing' for customers

General Motors' chief cybersecurity officer, Kevin Tierney, said the country's largest automaker believes that organizations bringing products to market should be responsible for their security.

"GM has for a long time taken a leading position and has invested in cybersecurity without passing cost on to the consumer," Tierney said in a statement to Automotive News. "We will continue to be a leader in this space and doing the right thing for our customers."

Tierney is on a federal advisory committee that provides guidance to improve the nation's cybersecurity. He is also vice chair of the Automotive Information Sharing and Analysis Center, known as Auto-ISAC, a group of automakers that shares information about potential cyberthreats, vulnerabilities and incidents.

Stellantis views automotive cybersecurity as a more collaborative endeavor.

"Stellantis is a customer centric company and we take cybersecurity for our products and operations very seriously," a spokesperson said. "Cooperative interaction among multiple interested parties can lead to robust cybersecurity strategies."

Ford, Hyundai and Toyota referred Automotive News to the Alliance for Automotive Innovation.