The UK government has stepped in to try to force the security question further up the autonomous vehicles agenda.
The new guidelines are designed to make security more of a priority in the development of autonomous vehicles, though you can probably expect the government to take a greater role here over the next couple of months. The government is also looking at a broader programme of work announced in this year’s Queen’s speech under the Autonomous and Electric Vehicles Bill, aiming to create a framework for self-driving vehicle insurance.
While security is a massive concern everywhere, there should perhaps be a greater concern here. Hackers could target these vehicles to access personal data, steal cars that use keyless entry, or even take control of technology for malicious reasons. This isn’t just a bit of blackmail; hackers could essentially weaponize a lump of steel and a tanker of flammable liquid. It’s a much bigger concern when you liken it to a real-life version of the GTA gaming franchise.
“Risks of people hacking into the technology might be low, but we must make sure the public is protected,” said Transport Minister Lord Callanan.
“Whether we’re turning vehicles into wifi connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks.”
The guidelines themselves are a set of eight principles which should be incorporated into the production and management of any organization associated with the development of autonomous vehicles. The principles range from organizational security and managing risk appropriately through the supply chain to software lifecycle management and putting fail-safes in place should a vehicle be attacked or a system fail.
The vast majority should be considered common sense, but there is one point which could be deemed quite an important one:
This is something which we have not really seen in the industry to date, but the principle assigns responsibility. Security is something which everyone is responsible for, but because that responsibility is spread so widely, few have taken ownership. Such a principle will attempt to force organizations and individuals to take control of the situation. It’s a small change, but assigning responsibility makes security real and tangible.
The assignment of responsibility means that there is also accountability. Charges can now be brought against an individual should negligence be provable. It’s an important little change which could ensure security is taken much more seriously.
Another area concerns the management of data. Generally the government has said nothing of much use here; it is mostly generic fluff which sounds official, but the principle below is a good one:
The ownership of data is a complicated situation, especially when business models are built around that data. The government is essentially giving ownership of this data to the user, potentially getting ahead of arguments which we have seen in other corners of the connected world. It’s a good idea, though there needs to be a clearer definition of what would be considered sensitive.
“The new cybersecurity guidelines will be a key step in achieving this goal, with the security of the car’s network paramount to the safety of the driver and those in the car’s vicinity,” said Raj Samani, Chief Scientist at McAfee.
“Driverless vehicles must be secure by design, and the government’s new guidelines will undoubtedly play a key role in ensuring that UK car manufacturers make that happen.”
This essentially goes back to the old argument of building security into a product, as opposed to adding it on afterwards. The problem lies in the fact that security is rarely seen as a USP during the R&D stages, with other areas, such as efficiency or the bells and whistles, being deemed much more important.
Ideas like the self-driving car will change the world and therefore there is a rush to get products to market; security is not a sexy theme for advertising so will not be considered a top priority. Vendors, manufacturers and partners around the world will adamantly deny this, but evidence is on our side; security is such a massive topic today because it has been so easily overlooked in previous product cycles.
Are we going to see a repeat of previous market revolutions such as the smartphone, or will the ecosystem take government initiatives seriously?