At this year’s RSA Conference in San Francisco, those brave enough (or foolish enough) to travel despite warnings about COVID-19 were treated to something a little different: A keynote address from the CEO and Chairman of GM, Mary Barra.
It’s unusual for the CEO of a traditional automaker to address one of the biggest cyber security conferences in the world, but Barra came to deliver a message: The 100-year-old industry is betting its future on technology, and it needs help from security pros and developers to make that happen.
One reason is obvious: The millions of lines of code needed to create autonomous and electric vehicles might ensure greater safety and efficiency on the road, but they also mean an expanded attack surface and more vulnerabilities to protect against.
“There are virtually no industries today that are not vulnerable to cyberattacks and the auto industry is no exception,” Barra said. “We are bringing to market technologies and features that are radically changing what vehicles can do for people and improve their lives. At the same time, customers are bringing devices into the vehicle expecting seamless integration. Part of our job is to ensure that customers and their data are always safe, secure and private.”
Right now, Barra says that GM is investing about $100 million annually in cyber security, which covers not only the development and safety of its vehicles, but also the company’s back-office infrastructure and internal data.
This spending also includes 500 men and women working on the security team, with roles ranging from penetration testers and cryptographers to mathematicians, data analysts, program managers and even in-house whitehat hackers.
In addition, GM has adopted the National Institute of Standards and Technology Cyber Security Framework, a program designed to help companies prevent, detect and respond to various cyber-threats. And on top of that, it has been involved in whitehat bug hunting programs for the past four years.
“We need a lot more talent,” Barra said, while making a pitch for more women and minority candidates to join the cyber security and developer ranks. “Without the right people and the right tools, the security risks are increasing in this connected world and endanger all of us. For the long-term success of virtually every business in the digital ecosystem, we must fill the talent gap.”
GM Wants Security and Development Teams
Like many of the other big automakers, GM has begun to transform itself more and more into a technology company rather than a traditional car-maker. Other big firms, such as Ford, have been touting this transformation for years; meanwhile, upstarts like Tesla are betting the future on fully-connected vehicles that receive over-the-air updates and take advantage of advances such as 5G. (But does Tesla pay more than GM? That's a question worth exploring.)
GM wants to be no different, and wants to emphasize safety as well as code. While Barra didn’t use the term “DevSecOps” to describe the process, she noted that the company has trained thousands of its developers to bake industry-standard security practices into the development cycle to help ensure good cyber-hygiene: “[The] development process from the earliest stages of vehicle design includes multiple layers of protection to defend the vehicle and its systems.”
This approach is exemplified by a new GM project called the vehicle intelligent platform, or VIP, which will include new safety features, over-the-air updates for vehicles, 5G networks and additional cyber security protections. This project will require massive computing power, and will use 4.5 terabytes of processing power per hour to help cars navigate the road and even turn on the windshield wipers when it starts to rain.
With all this code, however, come concerns over cyber security, since it opens up a much wider attack surface for hackers to take advantage of, which is one reason why GM and other car-makers are looking not only to fill cyber security positions, but also to hire developers who can bring security into the development process.
While companies such as GM are looking to invest more in the security process, it’s important to consider how these security tools are used in order to achieve the right results, suggested Harrison Van Riper, threat research team lead at Digital Shadows, a San Francisco-based provider of digital risk protection solutions.
It also helps to know the industry that a company is trying to protect. “When it comes to security, organizations should first understand what their ecosystem looks like as a whole, determine the existing and potential vulnerabilities, and develop a threat model and plan to address them,” Van Riper told Dice.
“This could include buying a new tool, but it should also include getting the right skillset in an employee to implement that tool,” he added, echoing Barra’s call for children in middle school to start getting interested in STEM studies.
“Organizations can do this themselves to address a talent or skill shortage by creating their own talent pipeline using things like internships or apprenticeship programs, co-op programs, or even things like public bug bounties to help organizations target individuals with those specific skill sets that they’re looking for,” Van Riper concluded.