Speeches and Presentations

Is Cybersecurity Standing in the Way of Public Confidence?

2nd Billington Automotive Cybersecurity Summit

Heidi R. King, NHTSA Deputy Administrator

Friday, August 3, 2018 | Detroit

Digital Technology Has a Critical Role to Play in Transportation Safety

Let me start at a macro level: Transportation moves our economy and is crucial to our global competitiveness. However, our transportation demands aren’t without risk – and the goal of NHTSA is to help save lives. There were 37,461 deaths in 2016 and over 6 million police-reported crashes. For decades, there have been remarkable improvements in crash safety and, up until now, most have come from occupant protection (survivability improvements). However, human behavior plays a role. The choices people make:

  • Not buckling up 
  • Speeding
  • Getting behind the wheel under the influence of alcohol or drugs

In recent years, as cars and trucks have better protected occupants, these safety gains have slowed down because of the human element. Drivers continue to make poor decisions. This is where advanced digital technologies come in – not only to change the way we drive, but to save lives. They help avoid the crashes altogether, or help avoid driver errors and poor choices by automating the driving. Not only are these technologies essential in getting us to the next level of crash safety, but we believe we cannot make significant advances in crash safety without the use of technology.

In automotive safety applications, we are talking about technology serving in the most important role there is: standing between life and death. When I speak about digital technology, I’m referring mostly to “innovative logic” implemented in “software” commanding physical “hardware” elements of a car to mitigate crash risks.

Vehicle cybersecurity is not new.

When you have electronics and software, you should think about cybersecurity. That doesn’t mean we always do. My first car was a 1981 Honda Civic 2-door hatchback. No frills, and the radio probably was the most valuable part of it, but it got me where I needed to go. The only electronics that I knew about were that radio – but there was likely some elementary software that helped operate that car. I had no idea. Even today, it is not immediately transparent to most drivers that software plays a major role in cars. In fact, since the 1970s, starting with engines, the use of electronics and software grew exponentially to make modern cars one of the most complex software-based consumer products today.

So although cyber entered into vehicle platforms many decades ago, public awareness of “cyber risks” is much younger – maybe a decade old. This is not that different in various other fields, including the introduction of the internet, medical devices, or vehicle systems. This poses a great challenge to all of us to educate the public and consumers. After all, how many of us across the public recognize the important role of users as one of the most important vulnerabilities, in all points where it matters?

Cybersecurity is broad; NHTSA is mainly interested in safety implications of vehicle cybersecurity.

When we talk about cybersecurity, the public has different mental images of what that means for each of us. Some of us think of it as “irritating popups” you can’t get rid of unless you reinstall the whole Windows operating system. Some of us think of it as credit card fraud; or risk of being tracked. We less frequently think of cybersecurity as something that can create imminent safety issues. It is true that “data security” and “privacy” are important considerations within the context of vehicles. However, when a car’s going 65 mph down the interstate, the possibility of software vulnerabilities potentially causing a crash or incident is something different – and we know that consumers think about that very differently. Safety is our mission here at NHTSA, and the reason why cybersecurity is increasingly becoming a larger part of our operations. To date, most vulnerabilities do not immediately result in “unreasonable risk” to the motoring public. In fact, only one resulted in a recall. Others point to areas of improvements, because while individually they may not pose unreasonable risks, in combination with future identified vulnerabilities, they might. That’s why it’s important that we learn from every incident – so we can prevent future ones and save lives.

Software risks differ from mechanical issues.

Many of you in the software business know this well: You write software, you introduce bugs. As the saying goes, “99 little bugs in the code. Take one down, patch it around; 123 little bugs in the code.”

Transportation Secretary Elaine L. Chao told me something she heard during a visit to Stanford. One of the experts commented to her that we aren’t eliminating human error, we are shifting it from driver error to programmer error. The pursuit in managing cybersecurity should not be focused on eliminating all cybersecurity vulnerabilities. The tech is rapidly changing, and humans are writing software, so it is not practical and is likely not possible to achieve perfection.  

What is possible is strong risk management, not “magic bullets.”

We need robust risk-management processes and a cybersecurity culture that values “searching for and identifying vulnerabilities.” A culture of openness to risks, potential vulnerabilities and bugs. A culture of open dialogue to make sure others know about those risks. Learning and improving thanks to what you’ve learned, we’ve all learned. And NOT hiding and covering up problems.

Preparedness is important.

It’s not just for the Boy Scouts; preparedness is a vital part of cyber risk-management. Making informed, risk-based decisions, in identifying and implementing appropriate protections, and identifying indicators to monitor performance and potential attempts. Most importantly, it’s about anticipating the unexpected – being ready to pivot and react. No matter how good your cyber posture may be: things happen. You must be ready to contain and tackle remediation challenges. Incident response plans are important, and every organization needs to have one. It’s not about waiting until something happens, dragging out the binder, and blowing off the dust. Exercise those plans, sort out issues – all BEFORE that day comes when you need them. We at NHTSA follow the same principles and put processes in place and exercise them. We also participated in the latest CyberStorm exercise coordinated by DHS, as did many industry participants, including Auto-ISAC – which brings me to my next point. The challenge is not as daunting as it may seem. The challenge is significant, but there are many resources that can help. Cooperation between government and private sector is critical to share what we’re learning and identify new vulnerabilities.

The automotive industry has several initiatives, too. For example, the establishment of Auto-ISAC, which provides a central hub and safe harbor for industry to share cybersecurity information. I encourage you to learn more about Auto-ISAC – in fact, there’s a session about it this afternoon. Don’t be daunted by the work that lies ahead. We’re making steady progress, and by sharing lessons learned and possible threats, we can help each other stay safe – and protect the public.  

Public confidence is key to technology deployment. Is cybersecurity standing in the way? 

Rolling back to where I started, crash statistics: 37,461 lives were lost in an estimated over 6 million crashes. None of those fatalities and crashes are attributable to real-world cybersecurity issues. But, we can’t find comfort in historical data for this challenge. Past is not a good indicator of real risks. Not in cyber. We believe that technology, software-intensive innovation, are key to making significant advances in crash safety. But we can only do that if the public has CONFIDENCE in technology, in their vehicles, and in US. If cyber risks damage public confidence too much, technology deployment will be delayed, and its use will be limited. This will require a multi-pronged approach:

  • A culture of openness and awareness of risks
  • Educating the public
  • Owning up to mistakes instead of covering them up
  • Being transparent about our goals and remedies.

It’s up to everyone to make sure that technology is deployed safely, with appropriate cybersecurity measures, to ensure that the public buys in to what we’re doing. In doing so, we can make vehicles and the public safer – not only against cyber risks but crashes as well.

And that saves lives.