Automobiles have crash ratings. Do they need ratings for cybersecurity, too?
Jacob Olcott, vice president for development at BitSight Technologies, which develops rating systems to assess IT security, says the industry is looking at two types of ratings: one for use by consumers, which would reassure drivers about the security of autos' IT systems, and the other for use by automakers, which would rate the security of their IT supply chain.
A rating system would help "folks within the supply chain, from a hardware and software standpoint, [to provide] assurances to the automobile manufacturers that they are creating products that will stand the test of time inside an automobile," says Olcott, who will moderate a session titled "Do We Need Cyber Ratings for the Auto Industry?" at 8 a.m. PST on March 2 at the RSA Conference 2016 in San Francisco. Panelists include Chan Lieu, senior legislative adviser at Venable, and Tadayoshi Kohno, a computer science and engineering associate professor at the University of Washington.
In the interview with Information Security Media Group, Olcott:
- Contrasts crash ratings with prospective cybersecurity metrics;
- Discusses potential industry-federal government collaboration in designing and implementing an automotive cybersecurity rating system; and
- Addresses congressional interest in developing cybersecurity standards for automobiles (see Car Hacking Spurs Automakers to Share Threat Information).
Olcott says cybersecurity ratings will become a more critical issue when automakers begin to manufacture driverless cars. It's critical for industry and the government to be transparent and accountable in developing security metrics for driverless cars to ensure consumer trust and confidence, he says.
Before joining BitSight, Olcott managed the cybersecurity consulting practice at Good Harbor Security Risk Management. Previously, he served as legal adviser to the Senate Commerce Committee and as counsel to the House of Representatives Homeland Security Committee. He completed his education at the University of Texas at Austin and the University of Virginia School of Law.