The question of liability in cybersecurity attacks: Who's responsible?

In June, I attended the ESCAR 2017 event in Ann Arbor, Michigan, a two-day event focusing on collaboration and discussion regarding in-vehicle cybersecurity threats and potential countermeasures. The keynote speaker for the first day was Paul Rosenzweig of Red Branch Consulting. Paul’s talk was entitled “The Evolving Landscape of Cybersecurity Liability,” and there were many points of interest in his speech. First, the U.S. government is starting to treat cybersecurity as a national security issue. Second, the U.S. government is beginning to write legislation on automotive cybersecurity, in the absence of any significant input from the automotive industry about how it should regulate itself. But then I began to wonder – why is it that the government is so intent on getting legislation for cybersecurity in automobiles? And consequently, who would then be liable in the case of an attack?   

The Government’s Perspective: This is Serious Business

It’s easy to see why government bodies around the world are increasingly looking at the concept of connected or autonomous cars as a national security issue. This point becomes even more clear when considering the perspectives of policymakers in Washington D.C.   

Cars, while convenient, have the potential to be deadly, as evidenced by the increasing number of terrorist attacks using automobiles. Vehicles can be used to run over a large group of pedestrians. They can even be used as a way to deliver suicide bombs in strategic situations to maximize catastrophic damage. In other words, ways to utilize the automobile for deadly means are practically limitless, a dilemma that is only certain to grow more complex as cars get even more connected and eventually start driving themselves. An autonomous car under the control of a terrorist is reason enough to understand why government is trying to get ahead of the curve when it comes to clear, sensible, and effective cybersecurity laws.   

In the United States, like many other countries around the world, the government is desperate to make progress on the future of automotive cybersecurity. But the auto industry and all of its key players have not given Washington the kind of input its lawmakers are looking for. Ideally, the government would like for the automotive industry to build up a set of best practices, standards, and regulations to essentially police themselves. However, the automotive industry is busy enough dealing with the ongoing revolution of smarter cars year after year. As a result, the driving force of automotive cybersecurity legislation is the government, and not the people who actually make the vehicles. So what’s going on here? 

Automotive Industry Perspective: We Have Security, But Don’t Know Much About It 

Car manufacturers and suppliers have not yet set forth a common policy on cybersecurity issues because doing so can only change how they do business today. Earlier this year, I wrote an article about some of the business issues that OEMs have to face when thinking about cybersecurity in their vehicles. OEMs also do not feel they should be primarily responsible for cyberattacks because they have often put some security solutions in place. However, this is a head-in-the-sand mentality: simultaneously being scared of attacks and not really knowing what to do about them. This, of course, implies that these individuals would not have the IT security expertise necessary to be truly responsible for attacks should they happen.

Until now, it seems to me that the question of liability has been murky because of this very question: Are you responsible for what you don’t know?   

Asking the end-user (car owner) to be responsible for automotive cybersecurity is not feasible for the same reason that it isn’t for automakers, except the point is even more poignant. An overwhelming percentage of car owners will have no idea how the system even works. Even fewer will have an idea about how to block or mitigate attacks against their vehicles. It would therefore be problematic for this group to be held liable in the case of a cyberattack.

Software Developer’s Perspective: Too Many Vectors to Audit 

From my perspective, only one group remains that could be held accountable for future cyberattacks – the people who write the software that enables connectivity. This logic states that since these are the people who make connectivity possible, they should also make sure the connections are safe and trustworthy.   

This is one of the reasons why government officials are now increasingly targeting software developers for liability. As such, industry associations such as Auto-ISAC are looking to establish best practice guides for parts of the automobile that pertain to connectivity or external communications. In addition, these associations constantly ask for industry participation to voice their concerns and interests during the collaborating process.   

But standards for software code are likely to be difficult, if not impossible, to audit and enforce. Additionally, the vendors will need to write sound code that will be updated regularly. In other words, there are too many vectors to audit and assess to make this a viable option. It would be difficult for the government to enforce laws for software developers unless it invests a significant amount of resources to develop a cadre of IT security specialists within its ranks. From a pure viability standpoint, any implementation to promote automotive cybersecurity by focusing solely on the software developers would come up short.

Conclusion: The Car Manufacturers’ Likely Burden 

Of course, strong cooperation between OEMs, top suppliers, and sub-vendors below the top suppliers would ideally result in some sort of a cohesive solution that would be palatable to Washington policymakers. But the extensiveness of such a collaboration is not currently realistic for the traditional paradigm of the automotive industry.   

The government is essentially threatening to impose strict legislation that can change the way the automotive industry functions in the future. While industry players like OEMs and T1/T2 suppliers wish to have a voice in their industry's destiny, the government is asking the industry to come up with a solution against the kind of attacks that they know next-to-nothing about. Not coincidentally, the topic of cybersecurity would understandably scare the living daylights out of them as well.

But the current state of things notwithstanding, it seems that automotive manufacturers will remain the largest target for liability. Brand power for automotive manufacturers is partially built upon the kind of safety their vehicles can provide. Also, if there were a cyberattack on a car, its owner is likely to fault the automotive manufacturer, even if the damage was the result of a third-party vendor. Even though the legal liability may be shared with other vendors, car manufacturers are most certainly expected to retain the social liability (from a brand damage perspective) in the event of a cyberattack. In other words, in the public eye, automotive manufacturers are likely to carry the burden of being one of the primary entities held responsible following an attack.

One way automotive manufacturers can manage the risk of a cyberattack is to invest resources to grow their own knowledge about automotive cybersecurity issues. If building an automobile were a construction project, automotive manufacturers could not avoid their position as the general contractor, with multiple subcontractors serving underneath. The general contractor must manage the subcontractors to finish the project, and the most capable general contractors know enough about what their subcontractors do to keep them in line and focused. In a similar way, the automobile manufacturers must manage their top suppliers, and in some cases, their suppliers’ suppliers.

In order to achieve a satisfactory level of control over their supply chain, automotive manufacturers need to close the knowledge gap between themselves and their cybersecurity suppliers to protect their brand, promote continued sales, and of course, ensure the safety of their customers. This will allow automakers to mitigate the burden of liability that customers – and enforcing government agencies – will likely place upon them in the future.

Jaeson Yoo, Chief Security Evangelist for Penta Security Systems Inc.
