In many business endeavors, a chief leadership function is cheerleading. And if your unit is doing particularly effective work, conventional corporate culture almost demands you “promote” that success.
It’s a little different with cybersecurity. Brag too much and you’ve potentially painted a target on your company’s back. And the back of General Motors, the world’s third-largest auto company, already is exceptionally broad.
Jeff Massimilla, who has been chief product cybersecurity officer at GM since the company initiated his unit in 2014, conceded in a recent interview with Automotive Engineering that although “you never want to go out there and say you have this all figured out,” he is convinced that GM—and the broad industry—has learned enough through an intensive few years of research and a variety of collaborations to feel as confident as is reasonable when your world is an ever-changing threat environment.
And here’s one you don’t hear much from big-company managers in the post-Recession era: “We’re very well-resourced and well-funded,” he added. “We have the right people and personalities on the board of directors to understand the importance of this.” The company’s investment in cybersecurity is deep and serious he said, because “you can’t separate cyber and safety.”
Massimilla said he has regular access to and interactions with GM’s board of directors regarding cybersecurity. He is the leader of the global group of about 90 in GM charged with of every aspect of cybersecurity related to the company’s vehicles. The role is an expansive one as GM, like many automakers and suppliers, is embarking on a multitude of new mobility business models—most of which invariably involve a communication conduit to the internet, cellular networks and satellite data streams.
An electrical engineer who started with GM in 2001 and served in a variety of posts that included global validation, Massimilla said there’s even another aspect his organization must consider: an increasingly aware and concerned customer. “Cyber is something customers are making purchasing decisions on,” he said, adding that the customer’s notion of a particular company’s cybersecurity proficiency is likely to become like many other competitive metrics when it comes to winning a spot on a buyer’s consideration list.
Spy vs. Spy
Massimilla’s group, like many others in the industry, doesn’t rely solely on its own expertise. The cybersecurity landscape is vastly too multifaceted to believe that any band of individuals, regardless of their spectrum of expertise and experience, can cover all the bases. So GM’s product cybersecurity group works with outside researchers, the military and yes, so-called “white hat” hackers, in an effort to stay up to speed with the latest developments in the often shadowy alleys that blend cyber and corporate espionage.
A formidable asset in this vein is AUTO-ISAC (Automotive Information Sharing and Analysis Center), formed in 2015 to assemble industry-related companies and entities in a collaborative, non-competitive effort to develop and share cybersecurity best practices. AUTO-ISAC currently has about 30 global OEMs and suppliers working to parry the black-hat element that continually probes, said Massimilla, for individual or structural weaknesses that may lead to serious or large-scale exploitation. Massimilla said awareness of the potential to disrupt automotive security probably came to a head in 2015 in the widely-publicized remote hacking of a Jeep Grand Cherokee’s major and minor controls.
The industry also collaborates in the traditional sense by forming new standards once a certain cybersecurity need is fully understood and agreed upon, he added. Standards, he said, remain the vital framework in which to deploy collective findings.
"And we have our own (internal) 'Red Team' to test and hack our system," he said.
Non-traditional talent and short of it
It takes engineers and other trained and experience personnel to research, collaborate resources, share learning, develop standards. Depending on your perspective, an organization of 90 may seem like a lot or a little to be devoted to cybersecurity, but Massimilla said one the auto sector’s chief problems is finding those qualified people. Not only are traditional engineering and technical schools only now starting to develop cybersecurity-related curricula and students, “Some of the best cyber experts are not the people who go through college and get a four-year degree,” he almost wryly reminds of the computer-expert stereotype that to a meaningful extent is based on reality.
“There’s a lot of activity to create more talent,” he said. Major universities are beginning to “work (cybersecurity) into engineering programs,” but accreditation of those tracks takes time, he lamented—and meanwhile, countless other industries are under the same pressure to find immediate solutions to for cybersecurity's maddeningly indeterminate threats.
For now, Massimilla said, he sees the “multi-layering” approach to automotive cybersecurity as the most effective structure available. “I think it’s a standard cross-industry approach—but how you deploy it across the connected ecosystem,” is where differences are injected, he contends.
And count on it to change, he insisted. “What we build today and what we build three years from now—there will be differences.”
Will it be all up to OEMs to deploy? Massimilla thinks so.
“I am a firm believer that the automaker is the only entity that can (effectively and safely) see their ecosystem end-to-end,” he said.