Jeff Massimilla was named chief product cybersecurity officer of General Motors (GM) in 2014. His appointment, one of the first of its kind in the global auto industry, underscored the crucial importance of cyber safety for the coming generations of fully connected cars. Massimilla spoke to automotiveIT at the Detroit auto show in January.


Massimilla, in an earlier role at GM, demonstrates the Cadillac CUE infotainment system at the 2011 LA Auto Show (Photo: Steve Fecht, Cadillac)

What was your brief when you assumed your current role two years ago?

Jeff Massimilla: The brief was really to look across the entire connected automotive ecosystem and make informed risk-based decisions. At GM, we had had online systems since 1997 and we had cybersecurity in all parts of the company. But all these things were starting to come together, which made a comprehensive approach a priority.

Cybercrime is arguably one of the biggest risks to the digital transformation of the auto industry. Given the omnipresence of the threat, is it actually possible to protect connected cars?

It’s very clear that there is no such thing as absolute security, but at GM, cybersecurity and the security posture of our products and services are foundational. It is embedded throughout all our processes and we design with security in mind. My role is to protect the vehicle ecosystem. I’m optimistic because the amount of dedication we bring to the task at GM is so very strong.

Cybersecurity seems to be an area where you cannot really go it alone. Is the global auto industry adopting some kind of global approach?

I am vice chairman of AUTO-ISAC, a global organization for sharing and analysing information. Of real value here is our sharing of vulnerability information. We don’t just share this information, but we also look at how a threat manifests itself and how it is resolved. The idea of collaboration is very new in this hyper-competitive industry, but there’s an amazing amount of energy from the member companies going into AUTO-ISAC. I don’t think we’ve ever had competing companies interacting with each other at this level in this industry. At GM, we don’t view cybersecurity or security as a competitive advantage. It’s the cost of doing business and you’re seeing this in the entire industry. We all have to keep our customers safe.

By insisting on a high degree of security, are you slowing down innovation? Or do some people in the company feel that you play such a role?

My organization consists of 80 people globally with different sets of talents. These people are embedded in all the different GM entities: autonomous vehicle programs, regular vehicle programs, OnStar, infotainment systems. They make sure we design and develop with security in mind. And if we architect our products securely with defensive measures and layers in place and if we go through the right checks, the resulting products will have the appropriate security posture and the right capabilities. If you don’t operate that way, you may, in the end, have to say “We cannot launch a product because it’s not positioned well.”

Is protecting a connected car comparable to protecting a home computer?

I would not draw the analogy between a connected automotive ecosystem and a computer. There are a lot of IT and information security elements that apply particularly to a vehicle. A key element is preventing people from uploading unauthorized software. At home, you make your own decision how to protect your computer, but we feel that, with the car, it’s our responsibility to provide the appropriate security posture and manage vulnerability over the life of the product. Being able to securely deliver software to the vehicle and provide patches over the air (OTA) is an important part of that.

Won’t autonomous driving mean even more connectivity for the car and thus more vulnerabilities you have to deal with?

The task will become more complex but the basic principle remains the same. We’re still talking about connected vehicles and we still need to protect information systems and vehicle systems. It’s just more connections we have to deal with.

Interview by Arjen Bongard