Secure Cars, but Not Phones? Government Doublespeak on Cybersecurity

PRIVACY ADVOCATES SAY government officials are talking out of two sides of their mouths when it comes to cybersecurity. The latest case in point: Assistant Attorney General John Carlin calling for super-secure, hack-proof cars at an automotive conference on Tuesday, even as FBI Director James Comey continues to pressure phone manufacturers and technology companies to roll back their security to allow for law enforcement access.

“There are things you can do to mitigate the risk, protect yourselves and your companies, and ultimately, the cybersecurity of the United States,” Carlin said at the SAE 2016 World Congress conference in Detroit. “First, design with security in mind.”

But driving a car in 2016 is not totally different from using a cellphone — and protecting either of them against hacking raises the same issues. These days, dozens of networked electronic control units manage things like braking and accelerating by communicating with each other, and more and more cars are connected to the internet, or accessible via Bluetooth. Securing the conversation between your brake pedal and your brakes is a lot like securing your banking app or your intimate phone conversation.

While Carlin is telling car companies that bulking up their cyber defenses is key to their long-term success, Comey has publicly suggested that phone manufacturers and communications providers like Apple, Google, and WhatsApp, who provide their customers with unbreakable encryption to secure their communications, should rethink their business models.

“It’s ironic to see the head of the FBI pressing companies to deploy less encryption at the same time the Justice Department’s top national security lawyer is highlighting just how important and hard it is to secure our devices and networks in an increasingly connected and hostile digital environment,” Kevin Bankston, director of the Open Technology Institute, wrote in an email to The Intercept.

“You can’t listen to Comey and [NSA Director Michael] Rogers get up and say cyber is the No. 1 threat while at the same time asking companies to weaken security without seeing some hypocrisy,” Amie Stepanovich, U.S policy director for digital rights group Access Now, told The Intercept.

Comey wants companies to design their products securely, she explained — but not so securely that law enforcement can’t get in. And that’s not compatible with the needs of every company.

Plus, encryption poses no existential threat to law enforcement for several reasons, a panel of experts at Harvard’s Berkman Center for Internet and Society concluded in a February report.

Meanwhile, hackers have already shown they can take control of a moving car in the middle of the highway, as demonstrated in a widely read story in Wired by Andy Greenberg last year.

Sen. Ed Markey, D-Mass., commissioned a report in February 2015 on the privacy and security risks of internet-connected cars. It concluded that the auto industry, as it currently exists, is extremely liable to dangerous cyberattacks, especially as it gathers more and more information, like geolocation data.

Indeed, the same law enforcement officers who want access to cellphones to gather evidence might soon wish our cars were less secure, too. “They take in quite a bit of user information that law enforcement may want access to,” Stepanovich said.

If the DOJ had managed to force Apple to weaken its security to hack into a phone belonging to San Bernardino killer Syed Rizwan Farook, she said, the “case could have been used as a precedent to apply to cars in the future.”

Top photo: A driving demonstration in a prototype Acura RLX sedan in Detroit, Sept. 9, 2014. The car has cameras that monitor lane markings, multiple radar sensors, a beacon that uses laser beams to scan the car’s surroundings, and GPS to help it stay on a previously mapped course and follow the speed limit.