As medical devices and cars move online, we need to ask: who will be charged with making sure each update is safe and secure?by Ross Anderson / September 13, 2017 / Leave a comment
Cyber-security has disrupted politics, with the row about Russian interference in the US election being just one example. It’s also disrupted policing: most property crime and much hate crime is now online.
A third disruption is now at hand. As we start connecting not just our laptops and phones to the internet, but cars, medical devices and other things that can kill us, safety is becoming entangled with security. This will shake up many industries—and change the way they’re regulated.
What happens when your car starts getting monthly upgrades like your laptop? This has already started—Tesla rolled out its Autopilot as a software upgrade—and other manufacturers will follow within three years. There will be real benefits; we’ll be able to improve safety as we learn from accidents. It’s unavoidable, as modern cars have dozens of embedded computers and millions of lines of code in which hackers are finding vulnerabilities. We’ll just have to keep fixing them.
But who’s going to pay for the software maintenance? The tech industry has much fatter margins than the carmakers, yet Google supports phones for only three years while Microsoft supports laptops for about five.
Apply that to cars, and the first problem is sustainability. Carmakers would love you to scrap your car every five years just like your laptop, but the embedded carbon cost of a car is more than its lifetime fuel consumption. So if car lifetimes drop from 15 years to five, road transport CO2 emissions will about double.
The second is safety. At present, cars are tested thoroughly before they get type approval; a new model might have 200 prototypes crashed before it is launched. But as we move from pre-market testing to continuous improvement, how exactly will safety regulation work?
Cybersecurity is a political question
This is serious politics. At present, Europe and America have separate safety regimes, but Europe leads. For example, it requires testing by independent labs. Washington doesn’t; but almost all carmakers get their US models independently tested too, as “industry best practice” really matters in lawsuits. Brussels also enforces a right to repair: carmakers have to publish the specifications for car parts, to support a competitive aftermarket. Finally, Europe is also the world’s privacy regulator, as Washington doesn’t really care…