Eight months ago I published my concerns about how autonomous vehicles could be weaponized at scale via cyber-attack. (For those who missed it, here’s the gist: Due to the all-or-nothing nature of certain classes of cyber-attack, self-driving cars and other autonomous systems can be utilized by hostile actors to create a coordinated mass attack.) It’s time for an update.
At a closed-door Q&A session at the software hacking conference DEF CON, Elon Musk said that a fleetwide attack was Tesla’s “nightmare scenario” and announced that they were going to open-source their security modules so that automakers could work together to secure a safe self-driving future. (He later announced the security open source initiative on Twitter.) Musk’s announcement is a great start, and I’m encouraged, since an open source initiative is the single most important step to securing autonomous vehicles. But there have been other developments as well.
At an offensive cybersecurity conference earlier this year, former GCHQ information security specialist, Matt Tait, presented the keynote. (Lawyers know Tait as a Lawfare contributor and hackers know him as @pwnallthethings. It’s fun and strange when worlds collide.) One of Tait’s concluding remarks was that there are now numerous strategic threats to the world from a mass cyber-attack. Military planners call nuclear weapons and other weapons of mass destruction strategic threats because they impact military planning at the level that concern the national defence strategy. Tait used the specific example of a hijacked Windows update since it could wipe out complex logistics chains, or the power grid. The same type of strategic threat exists for autonomous devices as well. Tait then implored his fellow cybersecurity researchers to be careful with the consequences of their actions. To illustrate this, he displayed a mushroom cloud as the slide’s background image.
Which brings us to the present. Bruce Schneier is the most well-known cybersecurity professional in the world, and for decades, he’s been regarded as an even-keeled, sober, and nuanced thinker. This September, he released a new book titled Click Here to Kill Everybody. In it Schneier covers the all-or-nothing danger of certain classes of cyber-attack and specifically mentions the risk of mass cyber-attack on computerized automotives.