Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 16 submissions in the queue.
posted by FatPhil on Wednesday August 09 2017, @01:16AM   Printer-friendly
from the but-what-if-secure-means-rot-13 dept.

I must have banged my head and woken up in an alternate universe as something apparently reasonable seems to have emerged from inside the British government. It has issued a guidance on cyber security for "intelligent" vehicles:

[...]
Smart vehicles are increasingly becoming the norm on British roads – allowing drivers to access maps, travel information and new digital radio services from the driving seat.

But while smart cars and vans offer new services for drivers, it is feared would-be hackers could target them to access personal data, steal cars that use keyless entry, or even take control of technology for malicious reasons.

Now new government guidance will ensure engineers developing smart vehicles will have to toughen up cyber protections and help design out hacking. The government is also looking at a broader programme of work announced in this year's Queen's speech under the landmark Autonomous and Electric Vehicles Bill that aims to create a new framework for self-driving vehicle insurance.
[...]

The guidance contains eight key principles:

  1. Organisational security is owned, governed and promoted at board level
  2. Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
  3. Organisations need product aftercare and incident response to ensure systems are secure over their lifetime
  4. All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system
  5. Systems are designed using a defence-in-depth approach
  6. The security of all software is managed throughout its lifetime
  7. The storage and transmission of data is secure and can be controlled
  8. The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail

Each principle is fleshed out in slightly more detail and they also point out that the list is not intended to be exhaustive.

Now, dear Soylentils, what would you add to the list to come closer to completeness?


Original Submission

Related Stories

Autonomous Vehicle Legislation Soon to Appear in House 24 comments

United States House Republicans expect to introduce bills later this week that would bar states from setting their own rules for self-driving cars and take other steps to remove obstacles to putting such vehicles on the road, a spokeswoman said.

The legislative action comes as major automakers are joining forces with auto suppliers and other groups to prod Congress into action.

Last month, a US House of Representatives Energy and Commerce subcommittee held a hearing on a Republican draft package of 14 bills that would allow US regulators to exempt up to 100,000 vehicles a year per manufacturer from federal motor vehicle safety rules that prevent the sale of self-driving vehicles without human controls.

[...] GM, Alphabet Inc., Tesla Inc., and others have been lobbying Congress to pre-empt rules under consideration in California and other states that could limit self-driving vehicle deployment.

As the number of self-driving cars on the road grows, will drivers proceeding on manual game the self-driving algorithms and lead to a ban on non-self-driving cars?


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 3, Disagree) by Snotnose on Wednesday August 09 2017, @01:23AM (3 children)

    by Snotnose (1623) on Wednesday August 09 2017, @01:23AM (#550871)

    Smart vehicles are increasingly becoming the norm on British roads – allowing drivers to access maps, travel information and new digital radio services from the driving seat.

    Last year we had 0, now we have 3. It's an exponential increase.

    But while smart cars and vans offer new services for drivers, it is feared would-be hackers could target them to access personal data, steal cars that use keyless entry, or even take control of technology for malicious reasons.

    I've seen the F8 of the Furious, and make it rain scares the crap out of me.

    Now new government guidance will ensure engineers developing smart vehicles will have to toughen up cyber protections and help design out hacking.

    Our bureaucrats and bureaucracies will keep you young geniuses in line.

    The government is also looking at a broader programme of work announced in this year's Queen's speech under the landmark Autonomous and Electric Vehicles Bill that aims to create a new framework for self-driving vehicle insurance.

    We're trying to figure out how to make money off it.

    --
    Bad decisions, great stories
    • (Score: 1, Offtopic) by Snotnose on Wednesday August 09 2017, @01:27AM

      by Snotnose (1623) on Wednesday August 09 2017, @01:27AM (#550873)

      Place your bets folks. Will this be moderated funny or insightful in 12 hours?

      --
      Bad decisions, great stories
    • (Score: 5, Insightful) by davester666 on Wednesday August 09 2017, @05:37AM (1 child)

      by davester666 (155) on Wednesday August 09 2017, @05:37AM (#550958)

      There's be a addendum, requiring all data to be funneled through UK gov't computers and the keys to decrypt all the data must be provided.

      • (Score: 2) by Unixnut on Wednesday August 09 2017, @08:21AM

        by Unixnut (5779) on Wednesday August 09 2017, @08:21AM (#551014)

        That is already governed under the "Government wants backdoors in all software/encryption" laws they are trying to push through. They are doing it right, and making sure the law is as broad as possible, so it can apply to "smart" cars, "smart" phones, "smart" meters, or anything else that has "smart" in its name and/or is connected to the net. The futility of asking for secure systems in one breath, then demanding government backdoors in another, is lost on them of course.

        Just means you have to avoid anything "smart" or net connected (that you don't have full control over). I foresee a future of the masses in gilded tech prisons, and a minority of people living on the edges of society as free men, but as social and tech outcasts.

        Basically, like those cyberpunk dystopias in sci-fi stories.

  • (Score: 2) by kaszz on Wednesday August 09 2017, @02:28AM

    by kaszz (4211) on Wednesday August 09 2017, @02:28AM (#550889) Journal

    I must have banged my head and woken up in an alternate universe as something apparently reasonable seems to have emerged from inside the British government. It has issued a guidance on cyber security for "intelligent" vehicles

    I propose two reasons..
    (0) British government people don't want their car jacked and subsequently crushed with them inside?
    (1) They neither want their vehicle stolen. Usually because said employment results in expensive cars.

    Self interest 101 at play? ;-)
    This might actually apply to government decision makers in other countries too.

  • (Score: 2) by darnkitten on Wednesday August 09 2017, @03:11AM (6 children)

    by darnkitten (1912) on Wednesday August 09 2017, @03:11AM (#550906)

    1) A robotAn autonomous vehicle may not injure a human being or, through inaction, allow a human being to come to harm.
    2) A robotAn autonomous vehicle must obey the orders given it by human beings except where such orders would conflict with the First Law.
    3) A robotAn autonomous vehicle must protect its own existence as long as such protection does not conflict with the First or Second Laws.

    • (Score: 0) by Anonymous Coward on Wednesday August 09 2017, @03:25AM (2 children)

      by Anonymous Coward on Wednesday August 09 2017, @03:25AM (#550917)

      But omagerd what if the car has to choose whether to swerve left into a group of male orphans or right into a group of female orphans! Or backwards into a volcano!

      • (Score: 2) by kaszz on Wednesday August 09 2017, @03:38AM

        by kaszz (4211) on Wednesday August 09 2017, @03:38AM (#550926) Journal

        That one is easy. The vehicle must let the instrument panel robotic arm out and grab the driver for intimate detection. And then choose left or right accordingly and step on it. Once completed, immediately brake and load your newly acquired harem. ;-)

      • (Score: 2) by Wootery on Wednesday August 09 2017, @08:24AM

        by Wootery (2341) on Wednesday August 09 2017, @08:24AM (#551015)

        This never struck me as all that hard. Just roll the (virtual) dice.

        Lottery voting [wikipedia.org] isn't popular in politics, but it seems fine to me to use it for this kind of decision making.

    • (Score: 2) by kaszz on Wednesday August 09 2017, @03:35AM (2 children)

      by kaszz (4211) on Wednesday August 09 2017, @03:35AM (#550924) Journal

      Correction: :P
      1) An autonomous vehicle may not injure the human driver or, through inaction or allow the driver to come to harm. Anyone outside can f--k themselves.
      2) An autonomous vehicle must obey the orders given it by the driver except where such orders would conflict with the First Law or drive up the insurance payout.
      3) An autonomous vehicle must keep its maintenance costs as low as possible as long as such protection does not conflict with the First or Second Laws.
      4) The vehicle must under all circumstances resist any remote firmware downgrade on diesel gussling.

      In short: Me, me and my money.

  • (Score: 3, Insightful) by dltaylor on Wednesday August 09 2017, @08:46AM

    by dltaylor (4693) on Wednesday August 09 2017, @08:46AM (#551023)

    It is nearly always the case that management gives no priority (budget, development time, testing) to security. Breaches and other failures are just "a cost of doing business", often covered by some form of insurance, but never real consequences for them.

    If there is ever to be real security, anywhere (autonomous vehicles, IoT, web sites, databases, ...), then there have to be real, personal consequences for management. I'm suggesting felony convictions and jail time for all CxO at the company, as well as anyone from (US titles) Director, Vice-President, and President in the management chain. This will give them the justification to Boards of Directors and shareholders for the costs and schedules.

  • (Score: 4, Informative) by Gaaark on Wednesday August 09 2017, @10:48AM (4 children)

    by Gaaark (41) on Wednesday August 09 2017, @10:48AM (#551051) Journal

    Should this not be for EVERY company?
    Security first, instead of security as an afterthought and just apologize when your customers info is stolen?

    Why only this one category?

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 2) by cafebabe on Thursday August 10 2017, @05:03AM (3 children)

      by cafebabe (894) on Thursday August 10 2017, @05:03AM (#551471) Journal

      Perhaps the UK could apply those eight rules to the NHS before they consider applying them to autonomous vehicles. Officially, the WannaCrypt malware only affected the NHS for a day or so. Unofficially, Microsoft sent patches almost daily for two weeks. Apparently, some patches were tested before they were sent and only one batch file was sent with UCS2 encoding.

      --
      1702845791×2
      • (Score: 2) by kaszz on Thursday August 10 2017, @06:33AM (2 children)

        by kaszz (4211) on Thursday August 10 2017, @06:33AM (#551497) Journal

        Microsoft products shouldn't be relied on in a hospital or any mission critical setting. That is where the mistake was done from the beginning.

        • (Score: 2) by cafebabe on Thursday August 10 2017, @09:04AM (1 child)

          by cafebabe (894) on Thursday August 10 2017, @09:04AM (#551530) Journal

          We've got a situation where hospitals, emergency services, the nuclear power industry, military and governments all claim that they're buying best-of-breed commodity components from reputable suppliers. (And by reputable, we means such fine, upstanding corporations such as Microsoft, Cisco, Oracle and Google.) When this monoculture fails, for example, through virulant malware, people are surprised, like it was an act-of-god or something. For example, Michael "Offensive Cyber [soylentnews.org]" Fallon said [www.gov.uk]:-

          A stronger password here, a Windows update there, and we would have stood an even better chance of warding off the Parliamentary and Wannacry attacks.

          I don't know who he's been talking to but he's a complete idiot if he thinking that applying 100% of available patches to 100% of computers contributes to a mythically secure computer network. There should be ample evidence that it is a really bad idea to use the same commodity hardware as bedroom hackers, oblivious idiots and stingy businessmen. But, hey, if it doesn't work, do more of it.

          --
          1702845791×2
          • (Score: 2) by kaszz on Thursday August 10 2017, @06:27PM

            by kaszz (4211) on Thursday August 10 2017, @06:27PM (#551791) Journal

            Since Michael is the Defence Secretary, it means he's government and we all know how well politician knows actual facts. So either the Prime Minister hires someone that knows their stuff or have some adviser associated with the Secretary. Why this won't happen is likely the answer as to why they won't have security.

            Another angle is that people that know their stuff may not get into a position that makes a difference or don't want to deal with the political environment. Which also gives some answers as to why security can't be had. If the political environment and technically skilled persons are like oil and water that will be a problem.

            Any ideas?

  • (Score: 0) by Anonymous Coward on Wednesday August 09 2017, @09:06PM

    by Anonymous Coward on Wednesday August 09 2017, @09:06PM (#551297)

    1 ) No, they don't even know enough to know what they don't know. At most, one might say that the board will be held responsible for breaches - at which point corporate board memberships touching anything electronic will be a punishment duty. The documented details suggest that this may be delegated. You bet your bottom dollar it will be, and whoever gets the delegation turns into Sacrifical Lamb A.

    2) This isn't guidance. This is buzzword bingo. Who decides what's appropriate and proportionate? Theresa May? QA dude no. 357 in some chinese factory? And their further guidance is so open-ended that it might as well require full tempest hardening for all vehicles.

    3) And the criterion for being secure is ... no breaches? Or? And the lifetime is ... as long as some classic car enthusiast in 2175 runs a vehicle made by a long-vanished company? This is wide open. The most that the guidance really supports is that it should be auditable. Great. I'm sure that the government won't ever use that for nefarious purposes.

    4) Right. Right. Because saying so will make it happen. As per point 2. And in 4.3 it specifically calls out the ecosystem. Wow.

    5) Right. Who gets to decide how much depth is enough? Or is it retroactively insufficient after all layers have been penetrated by some 15 year old fungus with a keyboard? Inquiring minds want to know. There's no criterion for success defined.

    6) Again, as per point 3, lifetime is a very fuzzy concept. Or does lifetime stop 6 months after it is off the lot? The further guidance is as useful as teats on a bull. The whole thing can be updated, but also returned to a known good state? Read: black hats (state sponsored or not) can rewrite it to whatever the hell they want and you'll be none the wiser.

    7) Again this vague notion of what security constitutes. Controlled by whom? Under which criteria? No answers here.

    8) If the defences failed, it's because the driver is a filthy commie spy who undermined the copy protection. The vehicle locks up, deploys airbags, and screams for Judge Dredd.

    Only a bureaucrat, and an engineer blind to bureaucratic methods, or in cahoots with them, could have come up with this worthless pile.

(1)