Tuesday, September 25, 2018 | Detroit
So glad to be here for the second Auto-ISAC Summit. Over the year, since I last joined you, we’ve been busy growing together, working to strengthen our collaborative cybersecurity program. And now we are picking up speed together, to identify and mitigate the threats to our transportation system safety and security.
During the past year, we’ve all been busy.
- Auto-ISAC issued new best practices – congratulations!
- New members have joined the Auto-ISAC collaborative effort.
- SAE is pursuing voluntary industry/international standards with the International Organization for Standardization (ISO).
- More transportation manufacturers were engaged at Blackhat and Defcon.
- And we are seeing that some in the international community are considering regulations.
- I was pleased to participate in the first ever joint exercise between auto industry and government: Cyber Storm.
- And now, last week, the White House released the National Cyber Strategy.
Today, I’d like to speak about these last two: Cyber Storm, and the National Cyber Strategy. And then I’ll share some of what NHTSA and the Department of Transportation will be doing.
Congratulations to all of you who participated in the Cyber Storm exercise, organized by the Department of Homeland Security. I know that I learned quite a bit, and I suspect that those of you who participated learned quite a bit also. These trainings are so important because, as I think you’ve heard me say before, when a bad thing happens, that’s not the time to figure out how to respond.
During an attack or a crisis, when there are lots of issues to assess to understand the magnitude and nature of the problem, and nobody is quite sure of the scope and implications, we don’t want to wonder who we should collaborate with – it should be muscle memory!
I want to share with you something I learned more than 30 years ago in the police academy, and have found to be true when working a crisis event. In a crisis, we all turn to habit. Even if taught to follow protocols, we tend to react with our habits. That’s why training exercises are so important. In a crisis, because we are all confronting and analyzing and reacting to a lot of new information, our individual brains and our organizational cultures will do what has become familiar and what is “habit” – cognitive shortcuts that we execute in the background when we are highly distracted.
An example that is taught in police academies involves officers engaged in a crisis – a shooting. Officers train for a shooting crisis on the firing range. And, training on the range, officers used to reload and put their empty shells in their pockets, or in a bucket, to keep the range neat, to take care of their facility. A crisis – a firefight – occurred in California in the 1970s, and it resulted in the deaths of several officers. They were found with their empty shells neatly in their pockets. Distracted by the events unfolding around them, they turned to habit.
Exercises like Cyber Storm are designed to help us improve our protocols, but also to build new habits. That is why I encourage all of us to train using exercises like Cyber Storm, and to make them as realistic as possible. As a result of Cyber Storm, I learned that we at NHTSA should improve interactions and communications with other agencies in order to respond quickly and effectively to a major cybersecurity event.
The event was intended to reveal these kinks in the system so that we can address the gaps and strengthen our preparedness before something happens that requires a smooth, seamless response to avert harm. You should be asking yourselves: What should we be doing with the lessons we learned from Cyber Storm? What other exercises can you use to train together?
You Don’t Have to Start From Scratch
Industry must be willing to implement playbooks or best practices, not just Auto-ISAC’s, but those of others as well. Lots of brain power and critical thinking went into the development of those best practices and response plans. As you and I know, we have some really smart people in our sector, and it would be a shame for an incident to occur and then to discover later that it could have been prevented by a play already written in the playbooks.
But there are lots of smart people from other sectors as well, with lessons learned or response plan elements that industry can learn from – together, or alone. Other sectors have found the importance of incorporating cybersecurity into design, because a quick fix is likely to be circumvented and might not be cost-effective. And other sectors – aviation, trains, and critical infrastructure – have found that cybersecurity is best served by a variety of approaches to design, not just technologies, because no one “silver bullet” can eliminate cybersecurity issues.
We have a lot to learn from one another in order to be strong as a sector. So yes, while individual company interests are important, collective safety risk management through information sharing is vital. Because vulnerabilities will happen. And incidents will happen. The question is, how will you respond? Are you ready? What are you doing to prepare? Because your preparation now will determine the impact of those incidents. I’m very glad to see an incident response panel this afternoon and hope to continue to learn more as our collaborative efforts make us all stronger.
National Cyber Strategy
Less than a week ago, the White House released the Administration’s National Cyber Strategy.
I believe Derek Kan spoke about it this morning, so you are likely familiar with the fact that the strategy rests on 4 pillars:
- Protecting the Nation, including networks and critical infrastructure
- Promoting prosperity and ingenuity
- Preserving peace through cyber-stability
- Promoting an Open, Interoperable, Reliable, and Secure Internet and International Cyber Capacity
If you haven’t read the strategy already, I hope you will do so soon. Private Industry plays an important role. In fact, industry must be the primary mover and leader in this field. We stand ready to support you, but I can’t emphasize this enough: it is you all who must be willing to act.
The Strategy commits that the United States Government will convene stakeholders to devise cross-sector solutions to challenges at the network, device, and gateway layers. Also, the Federal Government will encourage industry-driven certification regimes that ensure adaptable solutions, recognizing the importance of adapting in a rapidly evolving market and an equally evolving threat landscape.
The Strategy recognizes that the transportation sector has become more vulnerable to attack. And the Strategy lists Priority Actions, including fostering a Vibrant and Resilient Digital Economy. Resilience is a critically important concept in cybersecurity. We must design systems that continue to function even in times of crisis. To be resilient, you must have the workforce ready to respond. And that’s another priority action: To strengthen a superior cybersecurity workforce. I know that staffing is a challenge – to find employees with the technical knowledge, skills and abilities in both vehicles and cybersecurity; we must find ways to attract and retain professionals in our field.
Here’s what NHTSA is doing to stay in step with you and with new technology:
- NHTSA is planning a Research Meeting to engage on areas of cooperation and see what we are working on. We’ve found that speaking with you about our research plans is the best way to ensure that our research is relevant and collaborative.
- We regularly hear from Auto-ISAC, sharing what we’re seeing and what they’re seeing, and we’ll keep that up.
- NHTSA is also preparing to release the NHTSA Cybersecurity Research Plan – and we look forward to your feedback and input.
- We look forward to hearing what else you think NHTSA should be doing to complement your efforts at Auto-ISAC.
Last year, we spoke about the Elements of a Strong Risk Culture. You are building this culture here. A strong risk-management culture requires:
- Commonality of purpose, values and ethics — the extent to which individual interests, values and ethics are aligned with the group’s risk strategy, appetite, tolerance and approach. This is what you are building here at Auto-ISAC.
- Adoption and application: Whether risk is considered in all activities, from strategic planning to day-to-day operations, in every part of the organization. This is what you are bringing from this meeting back to your organizations, to change your organizations and make them a part of the resilient system.
- A learning organization with commitment to continuous improvement — how and if the collective ability of the organization to manage risk more effectively is continuously improving. This is the work you will do together in the coming years, evolving and strengthening together.
- Timely, transparent and honest communications — people are comfortable talking openly and honestly about risk, using a common risk vocabulary that promotes shared understanding. This is how you build a resilient and reactive cyber secure automotive transportation sector.
I encourage you to continue acting on the steps toward building Risk Culture:
- Tone at the top
- Awareness: Where are we in the journey of building culture? Does the awareness evolve, or is it static?
- Culture of constructive challenge: Does challenge happen? Is it rewarded?
- Continuous improvement
We’ve all said to one another that an attack on one is an attack on all. To work together, we need to trust that we share the common purpose of a cyber secure sector. We all recognize that consumer confidence is the key to adoption of increasingly complex technology. Consumers need to trust that the sector is committed to working together to anticipate and mitigate cyber risks, and that industry will react quickly and effectively when incidents occur. Trust is what we are building together as we step together into an increasingly digital future. And trust requires open communication. I hope you take advantage of your time at this summit to build upon the successes of the past year. To expand upon the communication and to build upon the trust you’ve already begun to build.
The theme of the Summit is revving our engines and moving into the fast lane. I look forward to learning of the successes that come out of your time here today. And I look forward to the day when we come to the Auto-ISAC Summit, and we look at one another and say “we are ready.”
That day when we have thoroughly assessed the risks, and our companies have together but also independently each integrated cybersecurity into the design of resilient systems. When we’ve communicated potential vulnerabilities to one another, and trained to respond quickly and effectively to mitigate incidents. When our customers have been educated to avoid becoming a point of vulnerability. It seems a long way off, but it’s not. It can’t be. You are here. We can do this.