New auto group formed to prevent cyberattacks

David Shepardson
Detroit News Washington Bureau

Washington —Two auto trade associations are forming a new working group to help prevent cyberattacks on the nation’s 230 million cars and trucks.

The Alliance of Automobile Manufacturers and Association of Global Automakers have established a group to create best practices for the industry, The Detroit News learned Thursday.

The group’s new effort comes as Congress has raised concerns about the security of cars after Wired magazine in July showed how a 2014 Jeep SUV could be commandeered by a hacker. The report prompted the first-ever recall for hacking worries by an automaker, covering 1.4 million vehicles.

The group, which represents all major automakers, is in the early stages and may not complete findings until next year.

Alliance President CEO Mitch Bainwol said automakers are committed to addressing the issue. “Network security must be incorporated from design to roadway, and our auto companies are exploring the best ways to enhance cyber resiliency while continuing to be nimble and responsive to new developments.

John Bozzella, president and CEO of Global Automakers, said automakers are moving fast. “The industry is taking another important step to address issues related to cybersecurity through the development of best practices. This type of industry-led approach enables us to quickly adapt and respond to evolving security challenges surrounding the Internet of Things,” Bozzella said.

The move comes as Congress is considering efforts to require the industry to do more. On Wednesday, the House Energy and Commerce Committee unveiled draft legislation that would require the National Highway Traffic Safety Administration to create a committee of automakers and others to create cybersecurity recommendations.

The automotive cyber advisory council would include all automakers that sell at least 20,000 cars a year, the Defense Department, the National Institute of Standards and Technology, NHTSA and others. The bill would make it unlawful to hack into a motor vehicle to gain access to the vehicle’s controls and impose up to a $100,000 civil penalty.

Both Bozzella and Bainwol are scheduled to testify Wednesday before the Energy and Commerce Committee on auto safety legislation.

Wired magazine found hackers could remotely take control of some functions of a 2014 Jeep Cherokee SUV, including steering, transmission and brakes. Fiat Chrysler took steps to prevent further incidents by blocking remote access to certain vehicle systems. A software update was required for affected Jeeps, Chryslers, Dodges and Rams.

The two groups said earlier this year they are developing a voluntary group called the Information Sharing and Analysis Center. It will serve as a hub for sharing cyber-threat information and potential vulnerabilities. The groups said they expect operations to begin by the end of 2015.

National Highway Traffic Safety Administration Chief Mark Rosekind told The Detroit News in August that the groups needs to launch the center as soon as possible. The center is on track to open before Dec. 31, the auto associations said.

After the first recall in July, Transportation Secretary Anthony Foxx said that automakers and government must work closely together on cyberhacking issues.

In July, U.S. Sens. Edward J. Markey, D-Mass., and Richard Blumenthal, D-Conn., urged NHTSA to take “immediate action” to investigate the potential widespread risk of vehicle hacking, as they introduced legislation that would force the safety agency to set new rules to guard against the threat.

After the first recall of 1.4 million vehicles, Fiat Chrysler in September recalled about 8,000 2015 Jeep Renegades equipped with 6.5-inch touchscreens. Customers will receive a USB device which they may use to upgrade vehicle software. The upgrade provides additional security features. “The campaign — which involves radios that differ from those implicated in another, similar recall — is designed to protect connected vehicles from remote manipulation. If unauthorized, such interference constitutes a criminal act,” the company said.