A government watchdog urged the Department of Transportation on Monday to ramp-up its cybersecurity efforts as the automobile industry continues to roll out computer-assisted cars that pose the possibility of being hacked.
The 61-page report published by the Government Accountability Office states that while the DOT’s National Highway Traffic Safety Administration has taken steps towards addressing cybersecurity issues raised by modern automobiles, the agency has stalled with respect to ensuring the nation is able to reel back from a hypothetical hack attack.
Computer programs that control features ranging from cruise control and climate to acceleration and brakes are increasingly apparent in modern automobiles, and it’s not rare for modern luxury cars to be powered with software consisting of more than 100 million lines of code, the GAO wrote in its report.
Despite the safety and convenience offered by technology, the watchdog determined that auto industry stakeholders, including vehicle makers and security researchers, agree that cars are increasingly becoming vulnerable to hackers by incorporating potentially vulnerable code.
“Modern vehicles contain multiple interfaces — connections between the vehicle and external networks — that leave vehicle systems, including safety-critical systems, such as braking and steering, vulnerable to cyberattacks. Researchers have shown that these interfaces — if not properly secured—can be exploited through direct, physical access to a vehicle, as well as remotely through short-range and long-range wireless channels,” the GAO acknowledged.
In addition to adding more potentially vulnerable systems embedded within automobiles, GAO said stakeholders it spoke with indicated a “lack of transparency, communication and collaboration regarding vehicles’ cybersecurity among the various levels of the automotive supply chain and the cost of incorporating cybersecurity protections into vehicles.”
SEE ALSO: U.S. airstrikes cost ISIS nearly $800M
Researchers have demonstrated since as far as 2011 that modern automobiles can be compromised, remotely or in-person, by exploiting vulnerabilities affecting diagnostics systems and in-car infotainment consoles alike.
Last year’s high-profile hacking of a 2015 Jeep Cherokee directly resulted in Fiat Chrysler recalling more than 1.4 million vehicles, and lawmakers on both sides of the aisle have demanded that the auto industry assure it’s doing everything in its power to prevent any future significant cyber-enabled incidents. Nevertheless, the GAO report argues that the DOT division tasked with addressing vehicles’ cybersecurity issues isn’t adequately prepared in the event that sophisticated hackers launch a wide-scale attack on American automobiles.
“NHTSA has made progress in many areas in an effort to proactively address potential cybersecurity threats to vehicle safety-critical systems; however, NHTSA has not yet formally defined and documented the agency’s role and responsibilities in the event of a real-world vehicle cyberattack and how the agency’s response actions would be coordinated with other federal agencies,” GAO warned. “Given that NHTSA and selected industry stakeholders we spoke with generally agreed that the threat of a vehicle cyberattack will increase as autonomous and connected-vehicle technologies are deployed in the coming years, such a response plan may be particularly important for NHTSA to develop proactively, before the threat environment significantly changes.”
“Until such a plan is developed, NHTSA’s response efforts — regardless of the threat environment in which an attack is carried out — could be slowed as agency staff and other stakeholders may not be able to quickly identify the appropriate actions that NHTSA should take,” the report concluded.
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.