Insurance-Canada.ca - Where Insurance & Technology Meet

Following Closely: Cyberrisk and Self-Driving Cars

If you scan this blog, you will note that we have a high interest in autonomous vehicles.  Data demonstrate that there are reductions  in injuries and deaths, and improvements in transportation effectiveness. But there are new risks which need to be addressed. Is this an opportunity or just a large challenge?

There are impressive benefits

Autonomous vehicles – Self-driving cars – will improve safety by taking out the driver’s involvement. In a recent report , Celent’s Donald Light cites a US Department of Transportation report which found that driver error was the cause of 94% of accidents.

Not to mention injuries and deaths.  In 2013, automobile accidents in Canada caused over 2,100 deaths.

Since 2014, Google has been required to report all accidents with its car.  Based on 1.5 million miles driven by Google cars, the most recent report  (February 2016) advises:

Google has reported a total of 18 accidents involving its self-driving cars since the beginning of testing in 2010.  Half of all incidents occurred in 2015.

February 2016 saw the first incident caused by an (sic) Google AV, while its (sic) was in autonomous mode.

But autonomous vehicles bring their own risks…

Writing in The Wall Street Journal, Joe Kwederis, principal and Greg Boehmer, senior manager, Deloitte & Touche LLP write: “Since 2014, cybersecurity researchers have demonstrated multiple ways to remotely manipulate the systems that control braking, acceleration, steering, and other critical functions in various makes and models of cars.”

The possibility was validated back in 2015 when two white-hat hackers solicited a driver (who called himself a ‘crash test dummy’) to take a Jeep out for a drive while they tried to remotely break into the vehicle’s control system.

The experiment was successful – for the hackers.  The duo took control of the peripheral systems (air-conditioning, radio, windows, etc.)  to warm up.  Then took control of the accelerator, which took the Jeep from 70 mph to a ‘crawl’.  They also had the capability to disable the brakes, which resulted in the car going into a ditch.

Why are cars so vulnerable?

The answer, according to our crash test dummy, is simple:  “All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone.”  And, while the developers are busy putting the bells and whistles into the Internet based entertainment system, one vulnerable element allowed access to the vehicles controls.

The result was that Chrysler had to patch the software on 1.4 million cars.

But this isn’t about entertainment…

David Barker, business reporter at the San Francisco Chronicle, wrote an article which posits that hackers could turn self-driving cars could into terror weapons:

Picture those hackers ordering the vehicles to suddenly accelerate and turn hard to the right, flipping them over, killing many passengers and clogging freeways with junked cars.

Or envision a lone-wolf terrorist loading explosives into a car and programming it to drive to a targeted building or public space.

Deloitte’s Kwederis and Boehmer write that “The volume and complexity of the software running in cars today raises many questions about its quality, security, and reliability.”  They reference a  Frost & Sullivan study which  found that higher end vehicles could have systems with 100 million lines of code, compared to the space shuttle with only 40 million (emphasis mine).

What to do? 

There are a several governmental agencies that are developing protocols for automotive cyber risk management, including the FBI and the National Highway Traffic Safety Administration (NHTSA).  In addition, automotive manufactures are also developing cyber security technology.

As significantly, Kwederis and Boehmer have developed protocols for automotive manufactures and their partners which include cyber governance and monitoring.

Baker quotes Nidhi Kalra, director of the Rand Corp. Center for Decision Making Under Uncertainty. “It’s really about rethinking how we design autonomous vehicles so that cybersecurity is baked into the vehicle and not pasted on as an afterthought.”

I would think that the insurance industry could play a role in leveraging its product and risk management experience.  Possibly the insurance component could be embedded into the vehicle cost structure. This would be significant given that autonomous vehicles will put downward pressure on insurance premiums.

A Paradigm for IoT?

If there is a positive take-away, Telematics/UBI is a mature component of the Internet of Things (IoT).  Many of the applications that are following will have the same issues from a cyber security standpoint in order to get the applications into operation.

What do you think?

Autonomous vehicles offer substantial benefits for users and society as a whole.  But we need to ramp up our defenses substantially.

What do you think about the trade off?