Assistant Attorney General John P. Carlin Delivers Opening Remarks at the SAE 2016 World Congress

Thank you for your introduction and for inviting me to speak today.  I commend SAE International for making cybersecurity an integral part of its programming at this conference.

Cybersecurity is a pressing topic for the auto industry.  Not long ago, we could hardly imagine cars opened by fingerprints, driven by themselves and shut down through the push of a button anywhere in the world.  Or cars that could pull over and call paramedics when the driver has a heart attack.  But in many ways, we’re already there.

According to one estimate, by 2020, 75 percent of new cars shipped will have internet connectivity.  There could be 220 million so-called “connected” cars on the road, each with more than 200 sensors.  These cars will allow drivers to stream music, look up movie times, get real-time updates about traffic and weather conditions and much more.

And the innovation keeps coming.

Another study estimates that by 2022, driverless cars will be able to navigate crowded city streets, and that by 2025, the driverless car market will be worth $42 billion (excluding the base price of cars) – up from practically nothing today.

It is amazing to think that 15 years ago, most cars did not have GPS, and 30 years ago, most didn’t have CD players either.

Many of these innovations are designed to make our roads safer – and we welcome those improvements.  Safety technology, such as forward-collision warning and automatic-emergency breaking, reduces human error, promotes public safety and saves lives.

But the same innovations that revolutionize the auto industry create vulnerabilities if not carefully deployed.  Connectivity creates access.  Potential access to vehicle control systems could be used against us to undermine the very safety the technology was designed to provide.

As this audience is surely aware, last year, security researchers successfully hacked a sports utility vehicle, gaining the ability to shut down the engine, disable the brakes, affect steering, and control turn signals, door locks, the tachometer, radio, HVAC and GPS.  That incident resulted in a recall of nearly 1.5 million vehicles.

It doesn’t take much imagination to see how similar vulnerabilities could be used against us by our adversaries to bring about horrific results. 

Recognizing this grave risk, just last month, the FBI, together with the Department of Transportation and the National Highway Traffic Safety Administration, released a joint public service announcement warning the public of the real dangers of remote exploits of vehicles on our streets.

So the stakes are high, and the timing of this conversation could not be more right.

SAE was created in 1905 to address common technical design problems, develop engineering standards and promote a free exchange of ideas among technical experts in a burgeoning industry.

And today, nearly a century later, you are doing just that, but with a modern twist.  The 22 plus hours of cybersecurity content featured at this year’s conference allow us to learn from one another on issues that, when SAE was created, no one could have seen coming.  And, earlier this year, SAE published the first-ever best practices for integrating cybersecurity into vehicle systems.  This kind of industry-led work is vital.

We are here to discuss steps we can take to best protect ourselves and our nation against the cybersecurity threats that affect our privacy, our safety and our economic vitality.  These threats present collective risk; disrupting them is our collective responsibility.

You are on the front lines in the fight for a secure Internet and secure cars, defending against attackers who can hack your systems and steal your information.  No one is immune.  As the saying goes, there are only two types of companies: those who have been hacked, and those who don’t yet know they’ve been hacked.

So these issues are all of ours.  Nearly everyone in this room has been touched by cybersecurity issues – and if you have not, it is only a matter of time. 

I am happy to be here today, because our nation is most secure, and our privacy and economic vitality are best protected, when the government and the private sector work together to develop strategies for secure information access, threat detection and incident response.

The Role of the National Security Division

At the National Security Division, we focus on tackling cyber threats to the national security – in other words, threats posed by terrorists and state-sponsored actors.  It is not fair to let you face these adversaries alone.  The government ought to help, and we do.

The September 11th terrorist attacks showed us that putting walls up between foreign intelligence and law enforcement makes connecting the dots of a plot very difficult.  So a decade ago, Congress created the department’s first new litigating division in almost half a century, the National Security Division.

We ensure unity of purpose in the department’s number-one mission – to protect against terrorism and other threats to our national security.  And we unite prosecutors and law enforcement officials with intelligence attorneys and the intelligence community to ensure that we approach national security threats using every tool and resource available to the federal government.

In the years since National Security Division’s creation, it is increasingly clear that the factors that motivated our creation and guided our efforts to combat terrorism are equally true in our efforts to protect our valuable national assets.

As with counterterrorism, we realized that prosecution is only one of the many tools the U.S. government brings to bear.  So the National Security Division restructured and adapted to support a whole-of-government approach to national security cyber threats.  Criminal prosecutions, sanctions, trade pressure and diplomatic options are just some of the responses available to us as we combat online threats to the national security.

These tools allow us not only to defend against and disrupt attacks, but also deter them in the first place – to fundamentally change our adversaries’ cost-benefit analysis.  Our attorneys, as well as our national security partners in the FBI and elsewhere in the government, live by the all-tools approach.  We ensure that we have the necessary expertise no matter who is behind the threat, what their motivation is or what tool we need to use.

The Threats We Face

This enhanced focus on information security is critical as we face new online attacks threatening a wide variety of disruptions, from compromising data and personal information to inflicting physical damage.

As a result of the proliferation of technology – and the myriad ways to exploit it – we face a changing world order in which lone hackers, organized crime syndicates and nation states are all increasingly able to harm our shared networks and our livelihood.  Every sector of the economy is a target – infrastructure, financial institutions, entertainment, agriculture, energy and yes, the auto industry.

And hackers come in all shapes and sizes.  The attackers we face range in sophistication and their aims are varied.

First – destruction and damage.  We have seen foreign, state-sponsored actors wage destructive attacks intended to coerce and intimidate.

For example, in the 2014 Sony attack, North Korean-sponsored hackers damaged computer systems, compromised valuable information, released corporate data and intellectual property at significant cost and threatened employees and customers.

Last year, the Department of Homeland Security warned about infections targeting industrial control systems with malware like “Black Energy.”

And, just last month, we announced the indictment of seven hackers affiliated with the Islamic Revolutionary Guard Corps who conducted distributed denial of service (DDoS) attacks against the financial sector, costing tens of millions of dollars in remediation costs and resulting in hundreds of thousands of customers being unable to access their accounts.  One of these defendants is also charged with obtaining unauthorized access into the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam in New York, which allowed him to obtain information regarding the status and operation of the dam.

A second goal – theft.  We have also seen state and non-state actors using the Internet to steal our intellectual property, export-controlled information and personally identifiable information at unprecedented levels.  And it seems anyone is fair game for them – intrusions have targeted the federal government’s Office of Personnel Management (OPM), the healthcare industry, airline passenger travel reservations and so much more. 

And third – terrorism.  And now, we see ISIL crowdsourcing terrorism – using cyber intrusions to obtain information or resources that, when placed in the hands of terrorists, could prove deadly.  But more than that, they use online tools to their advantage – leveraging social media to call for sympathizers worldwide to conduct attacks and facilitating their operational planning through encrypted communications using mainstream technology.

With these three primary goals in mind, you can easily see how the auto industry makes for a valuable target for hackers of all stripes.  You have valuable information and infrastructure that they want.

Our Collective Response

So consider yourself on notice.  We are all targets. 

As I said before, I bet everyone in this room has, in their professional or private life, been affected by a cybersecurity breach.  At best – a minor inconvenience.  A re-issued credit card.  At worst – devastation to your company’s reputation, loss of customer trust and injury to your bottom line.

But what can you do to protect yourself?

Most importantly – know your enemy and know your weaknesses.

You may have excellent cyber defenses, but recent experience has taught us that we are only as strong as our weakest link.  Hackers will use any available route into your system, and today, the most efficient path may be those you let inside otherwise excellent defenses – third party trusted vendors, subcontractors and others who may not share your standards.

Vulnerabilities to third-party vendors are how malicious actors got into the networks of Target and Home Depot.  And these are the same vulnerabilities that exist in the auto industry.

For example, in 2015, security researchers demonstrated that they could remotely hack into – and control – the vital functions of a sports utility vehicle by using a cellular connection to the car’s entertainment system to gain access to other systems.  As has been widely reported, by exploiting wireless communications vulnerabilities in the radio module produced by a third-party manufacturer, the security researchers were able to remotely control the air-conditioning, radio and windshield wiper, and, more dramatically, bring the car to a stop while it was being driven on a highway near downtown St. Louis.

In the past two years, we were introduced to significant software vulnerabilities, some now so famous that they have their own dramatic brand names: Heartbleed, Shellshock and Stagefright.  But it’s not just the big names you need to know – the Department of Homeland Security’s Computer Emergency Readiness Team recently published a list of 30 “high risk vulnerabilities” that are exploited in as many as 85 percent of attacks on critical infrastructure organizations.

Perhaps the scariest thing about that list is that several of the vulnerabilities were disclosed years ago, one as far back as 2006.

So it is not just zero-days we need to worry about – companies must continue to shore up defenses against already-known weaknesses. 

Without taking proper steps, it is a question of when, not if, a major public breach will happen to you.  And with that will come questions about whether you did enough to protect your company, your customers and your information.

Have you thought ahead to the day when you will have to face your customers, your employees, your board and your shareholders?  When you will have to notify them that someone has infiltrated your company and stolen your most valuable or private information?  If that day was today, could you tell them that you’ve done everything in your power to protect your company’s future?  Would you be able to say that you minimized the damage?

It’s a pretty daunting scenario.  So it is no surprise that surveys identify cybersecurity as the number one issue on the minds of executives today. 

This is a risky business.  We know that we will never achieve impenetrable defenses, and that we will remain vulnerable.  But there are things you can do to mitigate the risk, protect yourselves and your companies, and ultimately, the cybersecurity of the United States.

First, design with security in mind.  As cars are increasingly connected to the outside world – via cellular, Bluetooth and other exposed entry points – control systems must be engineered from the outset with security in mind.  That means building cybersecurity into all phases of product development, beginning with the concept and product design.

It will be far cheaper to invest in securing your automobiles’ systems today than to pay for a recall and patch systems tomorrow.

Second – equip and educate yourself.  Make sure you have a comprehensive – and comprehensible – cyber incident response plan.

And review it.  I have spoken with many CEOs and general counsels who have said they have not reviewed, or cannot decipher, their company’s plan.  We must do better.  These are C-suite decisions.  You cannot manage your corporate risk if you do not understand it. 

Third – know that your business contacts create risk.  Malicious actors can exploit your outside vendors – no matter how resilient you think your defenses may be.  Consider guidelines to govern third-party access to your network and ensure that your contracts require vendors to adopt appropriate cybersecurity practices.

Fourth – protect your bottom line.  Companies are increasingly considering cyber insurance, and you should consider how this may fit into your risk management strategy.  Cyber insurance may offer financial protection and may also incentivize companies to audit their system’s defenses.

Finally – do not go it alone.  We are safer when we work together to track and share cyber threats and to identify trends and common weaknesses.  I commend the industry for recently establishing its own sector-specific information sharing and analysis center – the Auto-ISAC – which serves as a hub for the industry to share, in real time, cyber threat information and countermeasures.  Just as with ISACs in the financial services, information technology and energy industries, the Auto-ISAC will hopefully become a central resource for proactively and uniformly addressing cyber threats to the automotive industry.

The government is also here to help.  Some of our attackers are linked to deep state military budgets.  And when they are, it’s not a fair fight for you to take on alone.  We must work together.

Public Private Partnership

Working with us can be one more component of your risk-management strategy.  Collaboration between government and the private sector is critical to our ability to successfully prevent, investigate and attribute cyber attacks.  As more breaches are publicly acknowledged, the public will ask how quickly and effectively you responded.

As leaders, you will have to answer to your shareholders, board members, customers, the media and the public.  You will want to say you did everything you could to mitigate your financial loss.  Your company’s bottom line and your financial reputation will depend on it.

And we can help.  We can provide you with information to protect your networks, and we may be able to take actions to disrupt and deter the attackers that you cannot take by yourself.  So you are on the front lines of these battles, but we are with you.  We are committed to working with you to protect your networks, identify perpetrators, disrupt their efforts and hold them accountable.  At the Department of Justice, this is among our top priorities.

Just last December, the President signed the Cybersecurity Act of 2015, which provides companies with certain liability protection when they share indicators of cyber threats with each other and with the government.  The government also shares sensitive information with you so you can defend against or disrupt attacks before they happen or in real time.

This type of united front between the government and the private sector is critical because the threat you face includes hackers with the full support of their governments and hackers that are part of sophisticated, international criminal syndicates.  They have backup, but so do you – we are here to help.

When faced with a breach, your customers, employees and investors will want to know whether you did everything you could – and increasingly, they see working with law enforcement as a necessary step.  You can satisfy them by working closely with us, and in so doing, you will make our nation safer.

We understand that the decision whether to call law enforcement is difficult.  Companies must weigh numerous considerations that can seem to cut in opposite directions.  What are the ramifications of publicizing this breach?  Will employees be embroiled in lengthy legal proceedings?  Will the government treat my confidential and proprietary information with the care and discretion it deserves?

We understand that you have these questions, and we will work with you to try to allay your concerns.  We also understand that it can be easier to pick up the phone if you are calling a familiar face.  I encourage you to talk to us now, before an intrusion.  We are prepared to meet one-on-one with you and your in-house legal teams, executives and security professionals to develop a relationship and build trust.

No company is immune from malicious cyber activity, and no network wall is high enough to keep a determined, sophisticated actor out of your systems.  When attackers are linked to deep military budgets and resources, it is not a fair fight for the victim to face alone.

The pervasive mentality of blaming the victim needs to change.  We need to focus on action, not blame.  And we can work together on how to respond.

The cyber threat is real and growing, but we are fighting back.  To do so effectively, all of us – in the private sector and in government – must cooperate.  I ask each of you here today to join us in these efforts.  Our collaboration is essential to keep our nation secure, to protect the privacy of our citizens, to enable our businesses to compete fairly in our global economy and to ensure that they are resilient in the face of cyber threats.

Thank you again for inviting me to discuss this critical issue with you today.