Hacking cars: cybersecurity regulations needed for new vehicles

Imagine driving your pickup truck off-road and suddenly having your airbags and seat belts malfunction because of an object striking the undercarriage. That causesa software error in your smart vehicle, causing the computer to incorrectly turn off criticalequipment that protects you.

Sounds far fetched?

It shouldn't. It's part of a recall notice that affected more than 200,000 Dodge Ram trucks in Canada and a million in the United States. Fiat Chrsyler issued the recall in May and is aware of one death and two injuries as well as two accidents that may be related tothe issue.

It's just the latest safety issue affecting cars and trucks made by a variety of auto makers over the past few years. The most stunning hack to date happened in 2015.

Two years ago security researchers demonstrated they could remotely hack a 2015 Jeep Cherokee over the internet and take control of its systems as well as disable its transmission and interfere with its steering and brakes.

After that hack was announced, there was a lot of talk about the need for new laws to regulate cybersecurity in vehicles. Unfortunately, it only ever amounted to talk.

Why are cars so hackable?

No one set out to make a hackableinternet-connected vehicle that could be turned into a weapon.

In fact, the first steps towards this disaster had nothing to do with connecting the car to the internet.

The first steps had to do with introducing entertainment technology in order to raise the perceived value proposition of a car made by Ford, Fiat Chrysler or GeneralMotors against the equivalent overseas-made car from manufacturers such as Honda, Nissan and Mazda.

The problem for Ford, Fiat Chrysler or General Motors is that before they even build a new car, they're already much more expensive than the equivalent import dueto legacy labour costs such as worker pensions, healthcare and other benefits. In 2005, these costsadded as much as $1,500 to the costof each car GM made.

That means, all things being equal, to make the same amount of money as a Japanese automaker for the same kind and quality car, the big three automakers have tocharge a price premium. That'sa tough sell given the brand perceptions around the quality of imported vehicles versus domestic ones.

What Ford realized in the late 2000s was that it could use low-cost technology to create additional value and justify part of the premiumneeded to grow its margins.

Ford realized that technology could not only attract younger buyers - the so-called millennial generation - but those buyers would be willing to pay as much as$3,000 more for entertainment and internet-connected hardware.

Pandora's digital box

Adding touch screen technology to the entertainment system of a car is one thing, but when you start connecting that entertainment system to the control systems ofthe car and then connecting those systems to the internet, you end up with trouble.

But why did the manufacturers hook these systems together?

Ironically, in most cases, it was about adding safety features. You can almost hear the brainstorming sessions in the late 2000s:Engineer A notes that wouldn't it begreat that in the event of an accident or collision, if your car was smart enough to turn the stereo down and call 911. Engineer B notes that wouldn't it be great too ifyou could track your car over the internet if it was lost or stolen. Engineer C adds that the car should notify you via the mobile app if it has aproblem, or send important data to your dealership.

Marketer A loves these new ideas, each of which can become a branded feature to help differentiate a car from competitors, but more importantly can help add valueto the car at little or low cost.

It's worth noting in this hypothetical scenario that there's no cybersecurityexpert in those meetings, which is likely pretty close to what happened in real life.

Fixing our smart cars

New regulations and oversight of smart cars would be good first steps. Those regulations should include laws mandatingsecurity updates and patches for thereasonable lifespan of the vehicle.We also need cybersecurity safety testing and ranking of vehicles by government agencies and insurers, just like we do for car front-end collision safety today.

Finally, we need to make sure car buyers and owners areaware these are some of the risks of their new smart and convenient cars so they can ask questions of the manufacturers and of government officials on how we can make them as safe as possible.