DETROIT – As assistant attorney general for national security at the U.S. Dept. of Justice, John Carlin is on the front lines in the fight against cybercrime, terrorism and espionage.
As a featured speaker at this week’s SAE World Congress here, Carlin urges automotive engineers and executives to be vigilant and invites them to work with federal investigators in preventing hackers from infiltrating companies, stealing proprietary information and endangering lives.
“This is an industry on the cusp of not just an evolution but a revolution in how our cars operate and how they talk to each other,” Carlin tells the crowd.
“What we can see based on the threats we’ve seen to other industries and in other areas is that those who oppose our values, be they rogue nation states or terrorist groups, are going to look to exploit this change in technology,” he says.
Studies suggest more than 220 million vehicles will be connected to the internet by 2020. “Within each one of those cars will be literally hundreds of different systems which are essentially computers in the car and connected wirelessly,” he says.
The National Security Division, which Carlin serves, was created in the wake of the 9/11 terrorist attacks in 2001 to encourage the sharing of information between law-enforcement agencies and the intelligence community to prevent similar attacks in the future.
For instance, the agency investigates when a foreign entity buys a U.S. company to see if the transaction poses a national security risk, Carlin says.
He commends the auto industry for its ingenuity and rapid development of self-driving capability.
“These are ideas that fundamentally can save lives and help improve our economy,” Carlin says. “But at the same time, one thing we know is that there’s a determined adversary out there who wants to turn what you designed for good against us and exploit its weaknesses.”
Sharing more information between law enforcement and the intelligence community is a good start, but he contends it’s not enough.
“We have to go a third step, which means working with you,” Carlin says. “That means coming out to places like this and telling you what we see in terms of what the threat actors are and calling on your ingenuity to figure out ways to protect it on the front end.”
This new aggressive strategy has resulted in federal charges against five members of the People’s Liberation Army accused of pilfering corporate secrets from the nuclear, solar and steel industries.
“What they were stealing was what you were making: It’s the research and development and innovation,” Carlin says. “It wasn’t national security secrets.”
For example, the five conspirators were in the process of completing a joint venture to lease lead piping. Instead, the suspects are accused of stealing the pipe design. When the injured company retaliated with a lawsuit, Carlin says the suspects stole the company’s litigation strategy.
His agency wants to prevent such brazen crime. “If we are able to think about what the threats are on the front end and design your systems in the first place to protect against threats from terrorists or nation states or criminal groups, it’s less expensive and it doesn’t damage brands,” he says. “Right now, this industry has our attention.”
Carlin refers to two well-known corporate hacks that damaged the brands of Target and Home Depot. In each case, the vulnerability was not directly within the two companies but instead was the fault of third-party vendors.
“But nobody cares about the third party when the hack happens,” he says. When hackers strike a U.S. automaker, the victims “will be GM or it will be Ford,” even if an unwitting supplier ultimately may be responsible.
