As medical devices and cars move online, we need to ask: who will be charged with making sure each update is safe and secure?
by Ross Anderson / September 13, 2017
Published in October 2017 issue of Prospect Magazine
Cyber-security has disrupted politics, with the row about Russian interference in the US election being just one example. It’s also disrupted policing: most property crime and much hate crime is now online.
A third disruption is now at hand. As we start connecting not just our laptops and phones to the internet, but cars, medical devices and other things that can kill us, safety is becoming entangled with security. This will shake up many industries—and change the way they’re regulated.
What happens when your car starts getting monthly upgrades like your laptop? This has already started—Tesla rolled out its Autopilot as a software upgrade—and other manufacturers will follow within three years. There will be real benefits; we’ll be able to improve safety as we learn from accidents. It’s unavoidable, as modern cars have dozens of embedded computers and millions of lines of code in which hackers are finding vulnerabilities. We’ll just have to keep fixing them.
But who’s going to pay for the software maintenance? The tech industry has much fatter margins than the carmakers, yet Google supports phones for only three years while Microsoft supports laptops for about five.
Apply that to cars, and the first problem is sustainability. Carmakers would love you to scrap your car every five years just like your laptop, but the embedded carbon cost of a car is more than its lifetime fuel consumption. So if car lifetimes drop from 15 years to five, road transport CO2 emissions will about double.
The second is safety. At present, cars are tested thoroughly before they get type approval; a new model might have…