SAN FRANCISCO — General Motors is working on self-driving cars, cars that monitor heart rates and other vital functions, zero-emission vehicles and more – all underpinned by exceedingly complex coding and relying on ubiquitous connectivity. But there’s a problem. The cyber-talent gap is hitting the auto industry as much as it is any other vertical, if not more so – which could have ramifications for how quickly these transformational technologies come to market.
According to Mary T. Barra, CEO of the automaker, GM has invested $100 million into cybersecurity per year, including the hire of nearly 500 men and women. Speaking Thursday at RSA Conference 2020, she said that these employees include pen-testers, cryptologists, mathematicians, data analysts, program managers and “true hackers,” all tasked with developing in-depth defense monitoring and detection, and incident response capabilities.
That said, “we need millions more of you,” she said, referring to the car industry as a whole.
“We need more talent, a lot more,” Barra said, citing estimates for unfilled cybersecurity jobs that range from 1.8 million to nearly 4 million empty positions by 2022.
“Without the right people and the right tools, the security risks will increase in this connected world, and endanger the long-term success of virtually every business that exists within a digital ecosystem,” she said. “We must fill the talent gap. And not just with anyone but with everyone. Women and minorities continue to be severely underrepresented in the IT and engineering fields.”
To address the issue, GM has kicked off a comprehensive recruitment effort – involving outreach to kids as young as 10 to encourage them to pursue cyber-careers. In 2019, GM reached nearly 300,000 students and teachers across the United States, Barra noted, including with a Society of Automotive Engineers-led interactive cybersecurity challenge and curriculum for middle-school students.
“Guided by teachers and volunteers from the GM cybersecurity team, these students learned how digital information is transferred and protected in their everyday lives, as well as how these concepts tied to STEM careers, especially in [the automotive field],” she explained. “Beyond this program, our army of employees generously volunteered their time to support various STEM programs and local schools, presenting teaching mentoring and overall just getting involved. If we want to cultivate young people to be part of our future. We need to invest in theirs.”
Barra isn’t the only one at RSAC to call for new approaches to fixing the talent gap. Rohit Ghai, president of RSA Security, echoed the workforce theme in the conference’s opening keynote
“We must shift from a culture of elitism to inclusion and stop being STEM snobs,” he said. “Neurodiversity must be something to look at. These people are wired differently, and they can problem-solve in different ways. And, that’s a largely untapped talent pool whose unemployment rate stands at 80 percent.”
High Stakes Road Race
For GM, as with other automakers, the cybersecurity stakes are high. The industry is more than 100 years old, and is now facing an era of intense transformation. The level of investment already into emerging technologies is beyond significant, and no one can afford to have cybersecurity derail the proceedings.
“Our vision is to create a world with zero crashes, zero emissions and zero congestion. It’s not a pipe dream, we know it’s achievable,” barra said. “The critical technologies that will make it a reality include electric, autonomous vehicles and connectivity – and cybersecurity is foundational to all of these.”
Not just foundational, but also a function of basic risk-management. Last month for instance, GM Cruze introduced Origin.
“The Origin has no pedals, no steering wheel and backup human driver,” Barra said. “Using highly specialized sensors and computers it delivers superhuman performance, and at reasonable cost. It features multiple layers of protection designed from the ground up, like the vehicle itself.”
That will not be the only future-thinking release for the company. As Barra explained, “This year we’re introducing the first vehicle models from our with our all-new vehicle intelligent platform, or VIP as we call it. It supports active safety systems, over-the-air updates, 5G networks and enhanced cybersecurity protections. We think of it as the nervous system for our vehicles.”
Both Origin and VIP have billions of lines of code that perform the different computations that run hundreds of features – everything from something as simple as windshield wipers that automatically turn on when it rains, to a completely hands-free driving system. The VIP for instance puts out 4.5 terabytes of processing power per hour. And that’s a much larger attack surface for cybercriminals, Barra acknowledged.
“A criminal only needs to be effective once, but we must get it right, 100 percent of the time,” she said. “Before consumers invest their trust in us, they want to be assured that vehicles will operate safely and securely every time without being hacked by outside forces. A critical cyber-breach involving any one company will be an incident that affects everyone in this space. It could severely undermine the consumer confidence in this type of mobility and even delay the industry’s ability to share these benefits with customers and society.”
Barra also noted the need for industry-wide cybersecurity collaboration and shared solutions. The GM bug-bounty program with HackerOne is well underway, for instance, and works with tens of thousands of suppliers to establish baseline cyber-practices. It also just inked a cooperative research and development agreement with the U.S. Army Ground Vehicle System Center to strengthen their joint automotive cybersecurity expertise, with a plan to share key learnings with the Society of Automotive Engineers.
“We know this is a marathon, with no finish line,” Barra said. “We are bringing to market technologies and features that are radically changing what vehicles can do for people and to improve their lives. At the same time, customers are bringing more devices into the vehicle and expecting seamless integration. Part of our job is to ensure that our customers and their data are always safe and secure, and that privacy is an extension of security. We see cybersecurity not as an area we invest in for a competitive advantage – we see it as a systemic concern for our industry.”
For Threatpost’s complete RSA Conference 2020 reporting, please visit our special coverage section, available here.