The Threat From Within: Automotive Ramps Up Cybersecurity But Must Understand Hiring Better

A storm is brewing.

Legislators around the world have rightfully begun to protect the public from international, cybersecurity threats via explicit regulations and mandated certifications. Organizations like the United Nations Economic Commission for Europe have established operational requirements that mandate manufacturers sufficiently detect, protect and update products against ongoing threats well after sale of the car or face the inability to sell that vehicle in regions around the world. Billons of dollars of revenue. And looming deadlines that ramp-up from 2022 to 2024 as the final ISO standard has not even been released yet.

This has ignited a hiring frenzy with the automotive sector for cybersecurity expertise for everything to upfront design to penetration testing to incident response. Those resources are typically hired in one of three ways: 1) staff augmentation companies with low-cost, typically-offshored heads usually without strong expertise, 2) consulting companies with higher-cost experts equating to a worthwhile, temporary shoring but not a long-term solution or 3) long-term, full-time, medium-cost, dedicated employees that are devoted to the brand’s success. The latter is suddenly in very-short supply, especially with the desired automotive embedded-design experience. So posting, pilfering and pillaging has ensued with completion dates getting accidentally snowplowed further into time, and the resource situations inadequately solved.  

Now let’s couple that with what is known about cybersecurity attacks: insider threats are a significant risk, especially those employees or contractors deemed as “privileged users” since they control critical elements such as key management or detection algorithms. Per Forrester, the frequency of insider data breaches will increase another 8% in 2021 with the Ponemon Institute finding approximately a 40% increase of insider threats frequency with a 31% increase in average cost per threat from 2017 ($8.76M) to 2019 ($11.6M). The most common of those, of course, was “Employee or contractor negligence” (a.k.a., human error) with frequencies rising from 10.6% (2016) to 14.5% (2019), but “Criminal and malicious insider” also rose from 3.0% to 5.4%.

And so automotive companies should want to hire slowly and carefully, but are instead are thrashing within the perfect storm and being forced to hire quickly.

A Quick Job Posting Study

In January 2021, Kugler Maag conducted a study looking at thirty (30) job postings for automotive cybersecurity and another thirty (30) for government cybersecurity (albeit frequently private sector companies) with various job descriptions ranging from “Cybersecurity Planner” to “Manager of Functional Safety, ASPICE and Functional Safety” to “Cybersecurity Strategist”. The market capitalization for the automotive companies alone exceeded one trillion dollars ($1T USD), so the table stakes for that strategist or manager were significant. Despite that, the language of the postings reveals some significant differences, which tends to highlight either the aforementioned hiring-fever or complete ignorance regarding insider threats.

· Trustworthiness: Almost 77% (or 23 of the 30) government-related postings either mentioned a required security clearance, permissions for background checks or statements such as “[Must have a] team-first attitude and impeccable ethics and integrity.” The latter isn’t by any means a difficult bar to overcome for a malicious interviewee, but such statements still create an expectation of trustworthiness on both sides of the table. In contrast, only 7% (2 of 30) of the automotive positions mentioned some threshold of credibility, and one of those was a legal counsel position requiring “Active membership in good standing in the bar of at least one U.S. state/jurisdiction.”

· Communication: The cliché is that cockroaches don’t like the light. Therein, attackers will want to stay in the dark and communicate as little as possible. Although many of the 60 postings discussed communication (83%), the automotive postings were more likely (10% versus 0%) to have isolation-statements such as “Strong ability to work independently and as a member of a diverse team” or “Has considerable latitude for unreviewed action or decision.”  

Recommendations

Given this difficult position, there are a few ways to quickly pivot and avoid the perfect storm:

· Hire Slowly, Fire Quickly: This should always be the hiring mentality, but for positions where the brand could be at stake there should be extra caution. If that means temporarily hiring out some of the less sensitive work, so be it. Cleaning-up a global attack and retooling public perception would be much more expensive.

· Look for Recommendations: Any top-notch consulting company being used to temporarily augment the team should have some references of other brands they’ve served under Non-Disclosure Agreements (NDAs). If they cannot guarantee the integrity of their people, they cannot help you.

· Background Checks: Make it clear upfront that applicants must pass a security threshold. Just such a pronouncement will create a self-selection of more trustworthy candidates.

· Peer Reviews and Communication: There are volumes of white papers that already document the significant return on investment from peer reviews for defect cost-avoidance, but it also decreases the likelihood of a cockroach hiding in the shadows.

· Train, Train Some More, and Retrain: At the 2017 Cybersecurity Summit at the Cobo Center in Detroit, an anonymous automotive executive blurted out, “I cannot design out ‘stupid’ when talking about employee negligence or errors. In some fashion, that’s certainly true, but consistently training on key topics, communicating about the operational KPIs, and suggesting how employees can help will certainly improve the likelihood of success.