As more connected cars come online, public officials and privacy advocates are becoming increasingly worried about cybersecurity threats, particularly from China.
OEMs are rapidly advancing the development of software-defined vehicles — and for good reason. McKinsey & Co. found that shared mobility, connectivity services and feature upgrades could expand automotive revenue pools by roughly 30%, adding up to $1.5 trillion by 2030. The growth, however, doesn’t come without its share of challenges.
“Vulnerabilities in vehicle software and even third-party applications further compound the risks. The dynamic nature of cyber threats also poses a significant challenge to the automotive industry; as technology evolves, so do bad actors’ methods and tactics,” said Samuel Goldstick, a data privacy and cybersecurity attorney at law firm Foley & Lardner, in an email.
Cracking down on connected car risks
In February, the U.S. Department of Commerce announced it would investigate whether connected vehicle technology developed by companies with ties to China poses national security risks. It also solicited industry feedback about regulating connected vehicles, including which technologies to address.
Under its proposed rule published in September, the Commerce Department would ban connected vehicles using vehicle connectivity hardware and software or automated driving software that could allow foreign entities, specifically China and Russia, to access sensitive data or operate vehicles remotely.
It would only cover on-road vehicles, including cars, trucks and buses. The software ban would take effect for model year 2027, and the hardware ban would take effect for model year 2030.
Ahead of the proposal’s release, Melissa Ventrone, head of the cybersecurity, data protection and privacy practice at law firm Clark Hill, said the automotive industry would begin to “take notice” when the department and other federal agencies set more stringent compliance requirements and provide guidance.
The proposed rule, however, may have a modest effect on national security because “there’s actually very little technology – hardware or software – in today’s connected vehicle supply chain that enters the U.S. from China,” said John Bozzella, president and CEO of Alliance for Automotive Innovation, an industry group representing automakers and suppliers in the U.S., in a Sept. 23 statement.
Still, some automakers will need to find new suppliers, he said.
“I’ve said this in other contexts, but it applies here too: you can’t just flip a switch and change the world’s most complex supply chain overnight. It takes time,” Bozzella said. “The lead time included in the proposed rule will allow some auto manufacturers to make the required transition but may be too short for others.”
The Cybersecurity and Infrastructure Security Agency, meanwhile, proposed new cyber incident reporting requirements in April for critical infrastructure owners, operators and suppliers. Under the forthcoming rule, covered organizations, including automakers, would need to swiftly inform the agency when they suffer a cyberattack or pay a ransom to a bad actor.
In its comments on the proposed rule, the Alliance for Automotive Innovation said the proposal was too broad and should be focused on “reporting of incidents that have the highest impact on the nation’s critical infrastructure.”
Automakers have said new restrictions on their supply chains could severely disrupt operations and raise costs by forcing them to change suppliers, the Wall Street Journal Pro reported in July. The typical automaker uses about 250 Tier-1 suppliers, with about 18,000 total suppliers throughout the value chain, a 2020 analysis by consulting firm McKinsey & Company found.
Ravi Puvvala, general manager of the strategic business unit at the Center for Automotive Research, said the U.S. could eventually adopt similar regulations to the European Union, which requires automakers to certify that their vehicles protect against 70 cyber vulnerabilities.
In 2021, the EU began requiring automakers to identify, assess, and curb cybersecurity risks throughout a vehicle’s lifecycle. Since July, automakers have also been required to ensure vehicle software updates and their associated management systems are protected against cyber vulnerabilities in the EU. The combined regulations essentially mandate automakers adopt a secure-by-design approach to cybersecurity.
Preparation is key to managing cyber risk
The automotive industry also faces cyber risks at the enterprise level. Recently, a cyberattack against CDK Global, which provides software to over 15,000 car dealers in North America, disrupted sales and other dealership operations. It cost retailers an estimated $944 million over three weeks, according to consulting firm Anderson Economic Group.
Every automotive OEM, supplier and dealer “has come under the threat of black hat hackers coming in and shutting them down,” said Brian Irwin, managing director with the automotive and industrials group at consulting firm Alvarez & Marsal. Last year, one of Irwin’s clients had its system hacked through a phishing email to an accounts payable clerk, he said.
“They had to pay ransom,” Irwin said.
Even in the absence of regulatory requirements, automakers and suppliers must improve their cybersecurity and data privacy efforts to keep up with bad actors, said Rocco Grillo, managing director with the disputes and resolutions group at consulting firm Alvarez & Marsal.
Automakers and suppliers should adopt an enterprise risk management approach, aiming to identify, evaluate and prepare for potential harms that could disrupt their organization’s operations or lead to financial losses, he said. Having a playbook for how to respond to a ransomware attack, for example, can help organizations mitigate their cyber risk and improve resilience, Grillo said.
“If you were trying to be secure by being compliant, you're fighting an uphill battle,” he said.