In the world of project management, the three sides of the “Iron Triangle” are Cost, Time and Quality. The age-old cliché regarding these: “you may pick two” to improve, but you can never have all three without reducing scope. In other words, if you want something to market quickly and cheaply, then something will have to give, e.g. quality.
Regarding automotive cybersecurity, the convergence of recent events — specifically the spreading coronavirus and the divisive post-election rhetoric – are making it so that automotive manufacturers who need to meet the new United Nations Economic Commission for Europe (UNECE) automotive cybersecurity requirements in the next eighteen months will struggle to sustain the three sides of the Iron Triangle. Outside forces will, in fact, want to shrink all three sides, and yet none of those are viable choices or tradeoffs.
So let’s look at the major influences – Increasing Coronavirus and Post-Election Conflict — and subsequently understand how the auto industry will need to consider such tradeoffs. And, to not be all doom and gloom, let’s discuss a possible solution that might deliver a win-win solution.
Increasing Coronavirus
In the past few weeks, another wave of Covid-19 has hit multiple continents with renewed force. The United States
USM
Effect on Time: In the European Union, the new regulations for cybersecurity will be mandatory for all new vehicle types from July, 2022, and will eventually become mandatory for all new vehicles produced after July, 2024. If manufacturers fail to meet the approaches laid out by the standard (ISO 21434) — which essentially require each brand to 1) manage vehicular risks, 2) secure the vehicles by design to mitigate risks along the value chain, 3) detect and react to ongoing risks and 4) provide secure software updates – they will not be permitted to sell those vehicles on multiple, participating continents. Given the historical difficulty in quickly ramping-up a qualified cybersecurity team, the path to meet timelines for many manufacturers would have been to hire 3rd party experts. However, Covid-19’s surge shall likely freeze 2021 budgets in Q1, which will make meeting the deadline all the more difficult.
Effect on Cost: Given that likely decrease in time, the manufacturers will likely need to pay employees or contractors “premium time” to complete the same work in a reduced period. Even before the pandemic, the UNECE foresaw that the need to strengthen automotive cybersecurity would trigger a $4.8 billion USD investment by 2030, but decreasing the time to achieve it will only increase that outlay. That said, budgets will likely be slashed due to the reduced revenue of lesser manufacturing, so budget and price will likely be heading in opposite directions.
Effect on Quality: A way to overcome the time and cost hindrances could be to internally relax the quality imposed by the standard by either hiring a substandard, under-qualified cybersecurity team or shortcutting solutions for providing secure updates. This might afford the manufacturing some time regarding a regulatory “check the box” exercise, but carries significant risk with real-world threats.
Post-Election Conflict
In the months leading up to the Presidential Election in the United States, Donald Trump and pollsters sensed impending doom for the incumbent. As a counterattack, the POTUS began a verbal war against mail-in ballots and the voting process which culminated in the hours after the election when he declared victory and stated that illegal votes were being counted and his opposition was “trying to steal the election from [him].” For Trump’s loyal followers, this has been heard as a call to action, and in places like Phoenix and Detroit there have been vehement protestors suggesting to “Stop counting the ballots.” Meanwhile, as stated best in the NY Times, “… what Trump has already done is what the Russians have always tried to do: cast doubt on American elections and destabilize the United States.” On Ajlazeera’s network, there are discussions entitled “Has The US Presidential Election Led To Further Divisions” and that wonder, like many networks and politicians, if the social division isn’t demonstrating a civil unrest and weakness to foreign opposition, thereby emboldening cybersecurity hackers from Russia and China.
Effect on Time: In theory, automotive manufacturers should have until the imposed deadlines of UNECE to fully design against risks to their vehicles, but the increased probability of nation-state attacks might decrease the timeline. The Federal Bureau of Investigations (FBI) previously warned that dealerships are “key targets” for hackers given valuable data, and with a 99% increase in automotive cyber incidents in 2019 there was already tremendous pressure to improve timelines. Emboldening global opponents will only shorten the available time.
Effect on Cost: With enough budget, any defense can be overcome. Nation-state attackers typically have the greatest funding, so whipping up additional, foreign attacks only increases the costs of cybersecurity defenses.
Effect on Quality: Again, the only way to meet shrunken timelines and decreased budgets is to skimp on quality, thereby hoping that the hackers select the competition as its target. This strategy likely would work for the majority of start-up, electric vehicle companies since a nation-state hacker won’t attack Rivian or Canoo vehicles due to low volumes in 2021-22, but major manufacturers like Ford, GM and FCA would be gambling their entire suite of brands.
Potential Solution
The U.S. Congress will resume stimulus bills in the weeks following the resolution of the elections. Previously discussions have centered around employment, small businesses, and various other condition precedents for receiving stimulus checks. One possibility would be to provide funding to address various forms of cybersecurity in order to bolster the nation’s defenses and, at the same time, increase spending throughout a huddled, sheltered country. Automotive cybersecurity would be only one such usage, but would allow manufacturers and key suppliers to for hire the experts needed to help with threat analyses, detection schemes, secure downloads and penetration testing.
Getting such a bill passed would signify the “U” once again stands for “United”.