There is a growing need for cybersecurity tools to be more effective and for coverage to extend beyond older infrastructures to cover mobile and Internet of Things (IoT) devices. Some of these tool vendors will be well-known veterans of the personal computer / data center era and others will be startups, springing up to cover gaps in the market. A recent report by Gartner quantifies the growing threat to mobile devices - “by 2019, mobile malware will amount to one-third of total malware reported in standard tests, up from 7.5% today”.
Architecturally, many IoT devices are similar to mobile devices but their lack of screens, alerts and frequent updating can leave them out of sight and out of mind despite their huge and growing numbers. Typically, Information Technology (IT) is well budgeted and visible in organizations but the Operational Technology (OT) that “runs the plumbing” with IoT devices is neither. The Target Breach is often assumed to have begun with IT systems but instead began in OT, with the Heating, Ventilation and Air Conditioning (HVAC) systems being the “weak link” in security.
Our top 5 tips to mitigate phone and IoT device hacking range from hardware, to management, to threat detection, people and processes. Our tips are not simply a restatement of the well-known items found in Gartner reports, or in the quarterly updates of leading professional services vendors or data carriers, but instead focus on gaps in the market and new market entrants – skating to where the puck is headed, rather than where it was in the past.
Right tools for the job
Legacy cybersecurity tools such as Anti-Virus (AV), Firewalls, Intrusion Detection Systems (IDS) and a plethora of incident response systems were developed and deployed for the PCs, wired networks and data centers of the 1990s onwards.
Massive recent data breaches such as Yahoo, Equifax, OPM and even of buttoned-down Intelligence Agencies underline how attackers have evolved to bypass legacy tools, or at least exploit gaps in their coverage.
In general, older tools are less successful at closing stable doors (i.e. delivering risk mitigation or avoidance) than detecting and analyzing how horses have bolted (i.e. facilitating risk acceptance or transference). Many vendors quietly admit that they cannot offer protection against so-called “zero day” attacks, i.e. protection covers only the types of attack that have been seen in the past.
A key question to cover is -- among vendors, who is stopping attacks and who is simply detailing them for after action reports? Which tools are static like a “hammer”, changing little over the years, and which are in a constant evolution of capabilities?
The best tools are effective against a wide range of attacks, constantly adding capabilities, easy to use, automate and operationalize, with light infrastructure and personnel requirements. The worst are the opposite, difficult to use, relatively static, narrow in scope, with challenging setup and on-going costs related to their complexity and cryptic outputs both in compute and personnel resources.
Mobile and IoT device attacks
The last fortnight saw reports of phone hacking of NATO soldiers and the White House Chief of Staff, highlighting vulnerabilities in a newer generation of IT infrastructure – mobile devices, wireless communications and cloud back-ends. The DYN attack that took down a chunk of the Internet last year came from simple IoT devices. IoT devices were once air-gapped but are now commonly connected 24x7x365 to the Internet.
Potential harms more than just data loss
The harms associated with attacks to mobile and IoT devices can potentially extend beyond data breaches, to ransomware, Distributed Denial of Service (DDoS), physical damages, injury, death and disruption of critical national infrastructure. It is unlikely those suffering one of these new types of harms can be fobbed off with a year of credit reporting to make them whole.
The poster child of potential new targets is the connected and automated vehicle. While fully automated vehicles (SAE Level 5) may be two or three years out, many of the cars and trucks on the road today feature computer control for predictive cruise, overtaking, parking and other Automated Driver Assistance (ADAS) roles. Vehicles are connected directly to the Internet, or indirectly via mobile devices.
Researchers Valasek and Miller showed how such vehicles could be remotely controlled back in 2015. That demonstration prompted a 1.4 million vehicle recall, the first automotive cybersecurity recall in history. Those news reports opened the floodgates for fast followers, with vulnerabilities then shown in commercial trucks, police cruisers and right across OEM brands and tier 1 suppliers, underlining a sector-wide concern and generating thousands of articles. Car thieves have been some of the fastest to exploit weaknesses.
Unsecured supply chains
The modern car, much like electric grid components, healthcare devices and smartphones, is also a great example of a complicating factor in mobile and IoT cybersecurity. Over 80% of the parts in a modern vehicle come from tier 1, 2 or 3 suppliers around the world. A modern car has up to 100,000,000 lines of code spread across up to 100 ECU computers – more than are present in the world’s most sophisticated fighter jets.
The vast majority of cybersecurity tools offer little or no protection where malware has been baked into third party executables, frameworks, middleware, libraries, hypervisors, containers, OS, firmware, boot loaders, boards or the processing, memory or storage components themselves. Malicious components have even found their way into the supply chains of missile systems where literal armies of warfighters and contractors had the mission of keeping them out.
Return oriented programming attacks
This type of attack allows the existing code in a system to be repurposed and used as the attack itself. Return Oriented Programming (ROP) attacks occur where existing code is called out of order to then become a hacking script. Within a ROP attack, the text of the “Hunt for Red October” could be rewritten to become “Hamlet” by carefully “jumping” and “returning”. Many vendors offer no protection against it, or simply assume incorrectly that legacy tools like static or dynamic analysis (SAST/DAST), Address Space Layout Randomization (ASLR) and NX (no-execute) flags alone are effective defenses for binaries.
Looking past “shiny padlock” solutions
Cybersecurity has an asymmetry of economics - defenders must defend everything but attackers need find just one way in. If a mobile or IoT device consists of a stack of hardware, firmware, OS, apps, communications and the cloud then all of them, “end to end”, need to be protected. Security is not just the latest technology but also includes people and processes, including suppliers, the aftermarket and partners.
If we consider security as a chain link with a big shiny padlock in the middle, the whole is only as strong as the weakest among all the links. The padlock is often a highly publicized peak or set of peaks in the Gartner Hype Cycle, for example, Blockchain, Encryption, Multi-factor Authentication (MFA), Intrusion Detection Systems (IDS), Artificial Intelligence (AI), Machine learning (ML), Enterprise Mobile Management (EMM) or Mobile Threat Detection (MTD). That shiny padlock may be strong in its own right but if one of the other links is by comparison just a shoelace then it is that weak shoelace that defines the security posture of the whole system!
There is an analogous situation in the physical world. If the front door is strong with a good commercial grade lock with a lot of “curb appeal” then robbers search for a window to open or break, a duplicate key hidden nearby, or dropped off with neighbors, who might fall for a bit of social engineering.
Apple and Samsung have been the most prominent in meeting government and enterprise security requirements for devices, from the baseline of National Information Assurance Partnership (NIAP) certification, to secure booting through to offering enterprise configuration tools like DEP, Knox Configurator and Tachyon.
Outside of government certified configurations, device cybersecurity can be questionable – many engineering teams are able to deploy, at least briefly, a secure configuration for say a specific Android, Wi-Fi or carrier combination but then often struggle to keep that golden image and associated apps, communications and cloud back-end current.
Kryptowire last year identified several models of Android mobile devices that contained malware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers. Such built-in malware is not easy to detect since cybersecurity tools are typically run from user space and rely on trusting the device itself, which may be compromised. Only Kaprica’s Skorpion, launched several years ago, was able to verify devices externally, using a detection engine built into a micro-USB connected battery charger. Obviously, it’s not always possible to have a device checker for every device.
Many organizations are acutely sensitive to USB stick usage but ignore the potential dangers of other types of rogue hardware such as chargers, Wi-Fi access points, keyboards, mice and even monitors. Sepio’s behavior-detection software automatically detects rogue hardware connected into a network in the general case and mitigates its use.
Even legacy hardware can be improved without its having to be reconfigured or sunsetted. For example, Packet Viper sits outside of existing firewalls, reducing traffic, logging and alerts handling costs, protecting systems from flooding and DDoS attack, mitigating risks from bots and proxies while speeding threat detection.
Dark Cubed approaches the problem in a different way. It focuses on ease of use and operationalization for threat detection, side stepping the costs and complexities of traditional systems that confine their effective use to only the largest, well-staffed and well-budgeted organizations. This approach allows companies of all sizes to benefit from advanced analytics and threat detection techniques that have traditionally only been available to large enterprises.
2 Enterprise Mobility Management (EMM)
EMMs (previously known as MDM or Mobile Device Management) such as MobileIron, Blackberry / Good and IBM Maas 360 do a good job of maintaining specific configurations of whitelisted apps, major settings and data on a device where they are present. However, they may not be installed on Bring Your Own Devices (BYOD) and in any case their focus is management rather than cybersecurity. Along with Apple’s DEP, Samsung Knox Configuration and Tachyon, they are most useful in setting up and maintaining a baseline environment. EMM tools have a long history and some are reviewed in Gartner’s well-known Magic Quadrant.
3 Mobile Threat Defenses (MTD)
A newer generation of commercial tools marketed as MTD include SecureNow, Mi3, Zimperium and Lookout, focusing on cybersecurity that extends protection coverage beyond what is possible with EMM. However, that coverage is limited by what is detectable to apps in the user space, for example, examining app and network behavior.
Some of these tools are reviewed in Gartner's market guide for mobile threat defense solutions. The latest and potentially most interesting development in this area is Apcerto, which offers a risk-based NIAP standard framework against which to test such tools beyond comparing market collaterals or having to set up a bake-off whose effectiveness relies on access to a comprehensive set of test data and deep expertise.
Perhaps the biggest bang per buck of cybersecurity risk mitigation and prevention is end user training. Cisco, for example, launches phishing attacks against its own staff as a training exercise. Shevirah’s Dagah tools allow simulation of a myriad of cyberattacks, which can be used to launch attacks for awareness training. Which employees do not realize that they can be phished via Bluetooth, SMS or WhatsApp? Which IoT devices can be taken over? How many folks will scan a QR code for a free dessert in the break room?
There are also specific trainings and qualifications around mobile devices. For example, CMDSP or Certified Mobile Device Security Professional covers mobile operating systems including Apple’s iOS, Microsoft's Windows OS, and Google’s Android OS.
Threats can come from insiders. InLitics applies Neuro Analytics (NA), a cognitive computing profile to focus on the neglected people side of cybersecurity protection. NA extracts thought processes to identify cognitive fingerprints and ultimately the persona(s). The results of NA are interlaced with other human disciplines to further interrogate the metadata to determine future expected behaviors. For example, in an automated car, NA can know who is at the wheel. Each driver has their own unique cognitive fingerprint when they drive and the system can be designed to recognize those patterns.
Process begins with a methodology, whether a simple checklist approach like Center for Internet Security (CIS) Controls or a more thorough and risk-based framework like NIST’s Cybersecurity Framework (CsF). In the Software Development Life Cycle (SDLC), the most neglected areas are typically unit, integration and acceptance testing, especially for updating and upgrading.
There can be immense pressure to add features, functions and ship, with end users as beta testers and a reliance on bounty programs administered by tools like HackerOne or BugCrowd to engage white hat hackers. Perhaps the worst case is where security executives and trade groups focus less on solving underlying issues than marketing reassurance to investors, lawmakers and customers.
More red teaming and pen testing is needed to supplement in-house testing. The secret is not more and more employee and contractor staff but better leveraging the people already in place with more effective tools and automation. Tools such as Shevirah’s can automate pen testing. Tools such as CyVision’s Cauldron can automate visualization and modeling of cybersecurity assessments, allowing the highest priority threats to be quickly identified and remediated first.
A well-known weak spot in the mobile and IoT ecosystem is the vetting of the software that goes into mobile and IoT devices. Legacy tools fall into two categories – external and internal. External tools include AV, Firewalls and IDS. Traditional internal tools are built into the code in Secure SDLC (SSDLC), featuring approaches like coding or re-coding best practices, secure libraries, instrumentation and layers of SAST and DAST inspection.
The challenges of external tools are numerous, from being by-passable, to their requirements for additional resources and monitoring personnel. Internal tools are best applied in new builds or re-engineering where time, budgets and resources permit but even there they cannot cover all vulnerabilities, especially not those associated with ROP attacks or a compromised supply chain. The vast majority of developers do not have access to source code from end-to-end. Instead, they focus on the 20% of the code that is controlled in their group or company, which does not prevent vulnerabilities being present in the 80% that comes from the supply chain.
A new approach takes a third path. RunSafe Security is an example of Runtime App Self Protection (RASP). It was developed with DARPA specifically to address challenges in hardening the millions of lines of legacy code associated with DoD IoT devices from military vehicles, to drones and medical devices. It works automatically with binaries, protecting against memory corruption attacks, ROP attacks and a compromised supply chain. Perhaps its greatest innovation is ease of use and operationalization with existing code.
RunSafe is simply a one-time transformation of binaries as part of the deployment or updating process, much like compressing or archiving files with Mac, Linux or Windows. Were RunSafe applied to distribution of a document reader, say version 17.01, every copy would be logically the same 17.01 functionality but different and unique to hackers, destroying their economies of scale.
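The point made earlier that ASLR alone is not an effective defense, and the idea here of copies that are functionally the same but laid out differently, can be shown with a small model. This is an added example, not RunSafe's code or algorithm: the function list, the tracked code locations and the assumption that one address leaks from each copy are all constructed for illustration.

```python
import random

# Constructed toy program: (function name, size in bytes). Not a real binary.
FUNCTIONS = [("init", 0x40), ("parse", 0x120), ("auth", 0x80),
             ("render", 0x200), ("log", 0x60), ("net_send", 0x90),
             ("cleanup", 0x30)]
SIZES = dict(FUNCTIONS)
DEFAULT_ORDER = [name for name, _ in FUNCTIONS]
DEFAULT_BASE = 0x400000

# Constructed code locations that out-of-order reuse would depend on:
# (function, byte offset inside that function).
TARGETS = [("parse", 0x1C), ("auth", 0x44), ("render", 0x150),
           ("net_send", 0x08), ("cleanup", 0x10)]


def layout(order, base):
    """Place functions back to back from `base`; return {name: start address}."""
    addrs, cursor = {}, base
    for name in order:
        addrs[name] = cursor
        cursor += SIZES[name]
    return addrs


def build_copy(rng, aslr, shuffle):
    """Build the memory layout of one deployed copy."""
    order = list(DEFAULT_ORDER)
    if shuffle:
        rng.shuffle(order)  # per-copy function order (model of "logically unique")
    base = DEFAULT_BASE
    if aslr:
        # One random, page-aligned base for the whole image (model of ASLR).
        base = rng.randrange(0x1000, 0x100000) * 0x1000
    return layout(order, base)


def resolve(addrs):
    """Absolute address of every tracked location in a given layout."""
    return {t: addrs[t[0]] + t[1] for t in TARGETS}


def predict_with_leak(reference, victim, leaked_fn="log"):
    """Predict the victim's layout from the reference copy plus ONE leaked
    address, by assuming every location moved by the same amount."""
    slide = victim[leaked_fn] - reference[leaked_fn]
    return {t: addr + slide for t, addr in resolve(reference).items()}


def hit_rate(aslr, shuffle, leak, copies=500, seed=1):
    """Fraction of tracked locations predicted correctly across many copies."""
    rng = random.Random(seed)
    reference = layout(DEFAULT_ORDER, DEFAULT_BASE)  # the copy studied offline
    hits = 0
    for _ in range(copies):
        victim = build_copy(rng, aslr, shuffle)
        guess = (predict_with_leak(reference, victim) if leak
                 else resolve(reference))
        actual = resolve(victim)
        hits += sum(guess[t] == actual[t] for t in TARGETS)
    return hits / (copies * len(TARGETS))


if __name__ == "__main__":
    cases = [
        ("identical copies, no leak", False, False, False),
        ("ASLR only, no leak", True, False, False),
        ("ASLR only, one leaked address", True, False, True),
        ("ASLR + per-copy shuffle, one leaked address", True, True, True),
    ]
    for label, aslr, shuffle, leak in cases:
        print(f"{label:45s} {hit_rate(aslr, shuffle, leak):6.1%}")
```

With a single base offset, one leaked address restores knowledge of every location, because relative distances between functions never change; shuffling the layout per copy breaks that uniformity, so what was learned from one copy mostly fails on the next.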
A similar approach is offered by Virgil Security that provides cryptographic software building blocks that allow developers to add enhanced security (including password-less authentication, encryption, and cryptographic verification of data, devices, and identities) into their products. Again, Virgil’s greatest innovation is the ease of use and operationalization of the tools.
Following points 1 to 5 will mitigate phone and IoT device hacking. There is no magic bullet or shiny one-size-secures-all padlock. A comprehensive solution will layer defenses from many vendors, with a practical approach that does not assume unlimited time, budget and resources for IT and OT but is risk-based and emphasizes effectiveness and automation.
Deployment and updating of devices will at its best include RASP, signing and encryption, fitting into secure devices, with EMM, MTD or their equivalents, where people and process factors like Information Sharing and Analysis Centers (ISACs) are given equal weight.
About the author
Simon is an industry recognized expert in cybersecurity, mobility and IoT, co-founder of Washington D.C. based cybersecurity startup RunSafe Security. He is a member of the Society of Automotive Engineers (SAE) IoT Cybersecurity Committee and a contributing author of their new book “Cybersecurity for Commercial Vehicles". RunSafe was developed as part of DARPA’s program of cybersecurity for military vehicles, drones and medical devices. Simon also worked with Apple and Samsung in hardening their mobile devices for DoD and government use.
Previously, he was VP of Sales at Kaprica Security (acquired by Samsung), Mobile Program Director, DMI, market leader in enterprise managed mobility and Director of Sales at Thursby Software, market leader in strong iPhone security. Prior executive sales and management roles in the US and Europe include Red Hat, HP, Capgemini, a $9B hedge fund, a $50MM dot com and a background in nuclear software engineering. He holds a BS in Physics from U-Manchester, England, a MS in Law & Cybersecurity from U-Maryland Carey Law, CISSP, CEH and CIPP/US cybersecurity and privacy certifications.
Cybersecurity has an asymmetry of economics - defenders must defend everything but attackers need find just one way in … and it need not be one seen before. Attackers are updating methods more, attacking more and impacting more devices and people.
The harms associated with attacks are escalating from legacy data breaches, to DDoS and ransomware, to potentially physical damages, injuries, deaths or debilitation of critical infrastructure.
Likely you already have legacy solutions from FireEye, Symantec, McAfee and others, so already have in place the layers of defense that these established vendors offer.
Detailed below is a selection of 5 emerging tech partners that add to your security posture and complement existing infrastructure.
That these companies leverage automation is hugely important since even the most deep-pocketed DoD command, government agency, West Coast tech company or Wall Street Bank cannot simply keep adding cybersecurity staff or contractors to meet mushrooming cybersecurity needs.
CyVision Cauldron - Automated cybersecurity assessment visualization
New visualization and modeling technology automates a key aspect of enhanced cybersecurity assessments, allowing highest priority threats to be quickly identified and remediated first.
InLitics - Automated cognitive analytics
InLitics applies a cognitive analytics approach to the neglected people side of critical infrastructure protection. It automatically leverages and interlaces multi-discipline human dimensions for threat and vulnerability detection against such data as still photos, video feeds (images and/or voice), emails, text, or other data extractions.
Packet Viper - Automated network traffic control
New IP filtering technology sits outside of existing firewalls as an undetectable in-line bridge that can automatically reduce network traffic, logging and alerts up to 70%, protect from flooding and DDoS, mitigate risks from bots and proxies, with faster threat detection.
RunSafe Security - Automated cyber hardening
RunSafe is a pioneer in automated cyber hardening with the ability to make embedded systems and devices functionally identical but logically unique. Its patented binary stirring technology automatically renders threats inert by eliminating attack vectors, significantly reducing vulnerabilities and denying malware the uniformity required to propagate.
Sepio - Automated detection of rogue and ghost hardware devices
Sepio works with the neglected physical side of cybersecurity. Its unique behavior-detection software suite automatically identifies all connected hardware devices in a network — including nefarious ones that compromise IT infrastructure.
About the author
Simon is an industry recognized expert in cybersecurity, mobility and IoT, part of a growing family of Washington DC-based cybersecurity startups including RunSafe Security and 202 Partners. He is a member of SAE’s Cybersecurity IoT Committee and a contributing author of their new book “Cybersecurity for Commercial Vehicles". RunSafe’s IP was developed as part of DARPA’s High-Assurance Cyber Military Systems (HACMS) program of cybersecurity for military vehicles, drones and medical devices. Simon also worked with Apple and Samsung in hardening their mobile devices for DoD and government use.
Previously, he was VP of Sales at Kaprica Security (acquired by Samsung), Mobile Program Director, DMI, market leader in enterprise managed mobility and Director of Sales at Thursby Software, market leader in strong iPhone security. Prior executive sales and management roles in the US and EMEA include Red Hat, HP, Capgemini, a $9B hedge fund, a $50MM dot com and a background in nuclear software engineering. He holds a BS in Physics from U-Manchester, England, a MS in Law & Cybersecurity from U-Maryland Carey Law, CISSP, CEH and CIPP/US cybersecurity and privacy certifications.
The bad news is that the last week has seen an unprecedented number of ransomware attacks around the world which have hit some large organizations very hard.
The good news is that these particular attacks are entirely preventable with some easy short term steps, which are cornerstones of a larger cybersecurity strategy that can prevent others.
The short term steps are
1) Install the latest updates for (in this case) Windows
2) Run backups and check that they are good
3) Keep doing the above steps and look at a wider cybersecurity framework.
The longer term steps are
1) CIS Controls
For a simple checklist approach, follow the "top 20" list of CIS Controls.
It is mandatory in the State of California
2) NIST CsF
For a more nuanced and risk-based approach, follow NIST's Cybersecurity Framework and the various standards that it embodies for your particular vertical.
It is mandatory for Federal Agencies, the preferred standard for US Critical Infrastructure.
The best news
The best news is that legacy desktop and server computers were the targets and not Internet of Things (IoT) systems where ransomware or malware targets infrastructure from traffic lights, to trucking fleets, to dams and the electric grid, with the potential to cause property damage, bodily injury, death and debilitation of national security.
Delivering today's business outcomes requires hardware, software, services, processes and people.
In the past, many of these had to be procured and assembled separately, requiring armies of contractors.
Today, the cloud and Software-As-A-Service (SaaS) bring together the hardware and software although their rough edges can still require armies of skilled staff to integrate, deploy and maintain them.
The best tools mitigate attacks directly, minimize their impact and facilitate analysis and response without also adding heavy expenses, long time lines and new staffing resources, or worse requiring re-engineering or rip and replace approaches.
Some emerging technology tools include:
- RunSafe Security - automatically makes embedded systems and devices functionally identical but logically unique, taking away economies of scale from cyber attackers
- Packet Viper - sits on the network edge automatically reducing up to 70% of illegitimate network traffic, reducing loads on existing firewalls and network engineers alike
- CyVision Cauldron - visually models environments automatically as part of cybersecurity assessments, allowing highest priority threats to be quickly identified and remediated first
Simon is part of a growing family of DC-based cybersecurity, mobility and IoT startups including RunSafe Security and 202 Partners, and a member of SAE’s IoT Cybersecurity Committee. RunSafe’s technology was developed within the DARPA High-Assurance Cyber Military Systems (HACMS) contract, focusing on cybersecurity for military vehicles, drones and medical devices, and in testing with law enforcement, government agencies and commercial fleets.
Previously, VP of Sales at Kaprica Security (acquired by Samsung), Mobile Program Director, DMI, market leader in enterprise managed mobility and head of sales at Thursby Software, market leader in strong iPhone security. Prior executive sales and management roles include Red Hat, HP, Capgemini, a $9B hedge fund, a $50MM dot com and a background in nuclear software engineering. Holds BSc (Hons.) Physics from Manchester University, MS Law and Cybersecurity from University of Maryland Carey Law, CISSP, CEH and CMDSP certifications.
Had the privilege of presenting at the Society of Automotive Engineers' 2017 World Congress.
Was a pleasure to hear and meet so many of the folks involved in cybersecurity for cars, trucks and commercial vehicles from SAE itself, to Auto-ISAC, to manufacturers, suppliers, cybersecurity specialists, academia and Homeland Security.
Had the opportunity to go over all the progress that has been made and also to highlight 3 areas deserving of more attention:
- Systematically running pen tests with independent testers
- Updating for the forgotten ¼ billion vehicles already on US roads
Fleets are the most vulnerable.
- Reducing attack surface across the entire supply chain, mitigating weak links
Transportation critical infrastructure shares many of the same vulnerabilities as energy, emergency response and other sectors when viewed end-to-end.
North Bethesda, MD, October 27, 2016, 202 Partners, a boutique enterprise software sales consultancy for startups and mature IT companies, today announced that Samsung Electronics has acquired the Tachyon enterprise mobile device configuration software developed by its client Kaprica Security. Tachyon will be integrated into Samsung’s successful defense-grade KNOX™ mobile security platform. Financial terms of the deal were not disclosed.
Prior to the acquisition, Tachyon’s users included Federal Law Enforcement, the Department of Defense (DoD), leading hospital systems and vehicle fleets in the US and Europe.
Doug Britton, CEO of Kaprica Security, shared that “202 Partners were instrumental in putting the strengths of our Intellectual Property into a buyer’s context, closing deals and building an 8-figure sales pipeline over the last two years.”
• Developed Tachyon’s go-to market strategy
• Presented to scores of enterprise prospects and ecosystem partners, including integrators, managed services providers, vendors, carriers, resellers, distributors, analysts and investors in the US and EMEA
• Closed key accounts and partner relationships in government, healthcare, automotive and general enterprise
• Obtained GSA Schedule 70 listing, Samsung Gold partnership and coverage by Gartner
• Represented Tachyon at MWC, mHealth, CTIA, ATARC, AFCEA and other mobility events
As the Tachyon product is absorbed into Samsung KNOX™, 202 Partners will continue to assist Kaprica Security with its next generation vehicle cybersecurity product, RunSafe Security.
Simon Hartley, Principal
202 Partners LLC
12007 Galena Road
North Bethesda, MD 20852
About 202 Partners
202 Partners is a boutique enterprise software sales consultancy for startups and mature IT companies, focusing on product launches and growth hacking. 202 was founded in late 2014 by industry veterans Peter Laitin and Simon Hartley, together with decades of expertise and successful experience in cybersecurity, mobility and IoT sales hunting, marketing and product management. 202 specializes in emerging technology and early markets such as government, healthcare, finance and automotive. Customers include RunSafe Security, Kaprica Security, Spectrum Comm and others. 202 is headquartered just outside Washington, DC, in North Bethesda, MD. Learn more at 202partnersllc.com.
About Kaprica Security
Kaprica Security Inc. is an expert in mobility and security, providing hosted and on premise solutions. Kaprica was founded in 2011 by a team of cyber security experts from Lockheed Martin and Carnegie Mellon University, with the goals of delivering high quality cyber security services to a wide government and enterprise audience, and simultaneously developing easy to use and deploy software tools to support them. Today, clients range from DARPA, to the Department of Transportation, Lockheed, Intel and the University of Maryland. Kaprica is a Gold-Level Samsung partner and its enterprise software products include the Skorpion™, Tachyon™ and RunSafe™ lines and associated patents. Kaprica is headquartered just outside Washington, DC, in College Park, MD, with offices in Austin, TX. Learn more at kaprica.com.
About RunSafe Security
RunSafe Security is a vehicle cybersecurity company. RunSafe was founded in 2015 by a team of cybersecurity experts from Kaprica Security (kaprica.com), to focus on the delivery of high quality cybersecurity solutions to fleet managers across government, commercial trucking, law enforcement, rental agencies, taxi companies and developing embedded solutions for automotive OEM and suppliers. Clients and partners include DARPA, the US Department of Transportation and the Commonwealth of Virginia. RunSafe offers three levels of automotive security products, including Vehicle Guardian™, App Guardian™ and OS Guardian™, together with associated patents. RunSafe is headquartered in Washington, DC. Learn more at runsafesecurity.com.
2016 ended with retaliation for nation state cyber attacks to the elections, attempted infiltration of the VT power grid and Yahoo setting yet another sad "new record" for consumer data breach at over 1-billion accounts.
Last year saw the first fatality associated with automated vehicles but also promising milestones of AI winning against a human Go player and Google driving over 2 million automated miles.
With NHTSA statistics showing that 94% of vehicle accidents are due to human error, full vehicle automation (and the steps on the way to it) offers the promise of delivering more societal benefit than harm, especially for disadvantaged groups like the elderly and infirm, as well as transforming our roads, cities, the sharing economy and rebuilding Motor City into a modern Software & Services City.
However, pressing on the negative side of the scales is the potential for vehicle cyber attack, with consequences ranging from simple distraction, to ransomware based on detailed profiling, property damage, bodily injury, or death, even reaching national security impact given the potential for gridlock leveraging commercial vehicles.
Gating automation / AI deployment in vehicles and IoT infrastructure in general are increased cybersecurity needs around people, process and defense in depth layers of technology.
The commercial driver is one of legal liability and damages, with victims of crashes, outages and floods unlikely to be satisfied with remedies like a year's worth of credit reporting that were the weak market drivers for cloud, data center, PC and mobile security before the advent of IoT.