Cybersecurity and the Real Future of Fully-Autonomous Vehicles

The evolution of driverless vehicles is, in my opinion, a transitory phase that is strongly encouraged by current automakers and software companies to preserve and grow their existing businesses and/or redefine themselves and their business initiatives. However, as with the transition from horses and carriages to horseless carriages, we are witnessing an initial shift from driver-controlled to interim driver-assisted cars. The next stage will be fully-autonomous vehicles, if the automotive industry has its way. But is that the direction that we really want to go in? Are there other choices that might serve us better? And are envisaged vehicles and infrastructure up to the job.

These and other related topics were contained in a talk with the title “Cybersecurity Challenges of Systems-of-Systems for Fully-Automated Road Vehicles,” which I delivered on November 8, 2017 at the 2017 CEWIT (Center of Excellence Wireless and Information Technology) Conference in Stony Brook, New York. My paper with the same title should appear on IEEE Xplore shortly. Following the talk, a young man approached me to ask whether he will be forced to give up his car, the driving of which is a major source of enjoyment. I told him that he would not see a critical mass of driverless cars for decades to come and that he should enjoy his car in the meantime. Also, if today’s cars become obsolete, then he might relive the excitement of driving through virtual reality and driving simulators.

In preparing my presentation, I had originally conceived of a somewhat standard treatment of cybersecurity threats, attacks and defenses but, in trying to keep up with all the articles in the press and professional publications touting smart cars and intelligent roadways, I came away with a somewhat different perspective. I began to realize that the path along which the automakers were guiding (forcing?) us may not be the one that we will ultimately follow. In fact, I think that where we’re heading is towards some form of virtual railroad tracks, shipping lanes and/or flight paths, superimposed on current roadways, along which autonomous ground vehicles would travel, guided by command centers in the cloud rather than by electronics in the vehicles. However, I don’t expect that this model of ubiquitous control of road-travel by some dominant cloud platforms, such as Waymo, Lyft and Uber, will happen for decades. (Breaking news … Uber just announced a deal with Volvo to acquire up to 24,000 self-driving cars. Perhaps I should reduce my estimate of decades to years—or even months!)

I then came across an article in The Wall Street Journal of November 11-12, 2017 by Randal O’Toole with the title “It’s the Last Stop on the Light-Rail Gravy Train.” O’Toole describes the dire straits of light-rail systems in many cities around the U.S. due mostly to a fall in ridership and cities’ taking on mountains of debt. We now can envisage the potential proliferation of a major technology that will disrupt current highly-subsidized, less-utilized rail systems. It raises questions about the viability of autonomous vehicle systems in the face of dropping ridership statistics. The economics will likely demonstrate that it is cheaper just to jettison current light-rail plans and proposals. A more in-depth study of this topic appears in a white paper by O’Toole for the Cato Institute with the title “The Coming Transit Apocalypse” which is available at

Given all these issues and future directions, we should first consider what is happening today. Automakers are developing complex in-vehicle systems that augment or take over driver functions with a goal of vehicles that operate without driver involvement … so-called SAE Level 5 automation. But are we really going to end up with robotic cars in which automation emulates a human driver with all his or her foibles? That’s not what happened with horses and carriages. After a period during which a person had to walk in front of a horseless carriage waving a red flag to warn of a car’s arrival, the model of transportation has changed completely—hay was replaced with gasoline, and manure, which has some benefit as fertilizer, was replaced by noxious fumes that are detrimental to our health.

Today the internal combustion engine and gasoline are slowly being replaced by electric motors and batteries, which effectively transfer polluting gases from cities roads to urban power plants, battery manufacturing plants, and waste dumps. Today’s transition vehicle-control model is one of upgrading current road vehicles with software that increasingly takes over driving functions. This well suits the automotive industry since, under this model, they will continue to produce many tens of millions of vehicles a year and reap handsome profits from features that appeal to buyers who are reluctant to give up total control.

But what if the model changes as drastically as it did from horse-carriage combinations to current road vehicles? What if cars as we know them are replaced by driverless vehicles that conform more to other forms of transportation—such as planes, trains and ships—where there are physical tracks or virtual lanes (flightpaths and shipping lanes for air and sea travel respectively) and vehicles are managed completely by central control systems with little or no help from anyone inside the vehicle. An excellent review of these possibilities is in an article “If Autonomous Vehicles Rule the World: From Horseless to Driverless” in The Economist, dated July 1, 2015, and available at Also, the tech and design issue of The New York Times Magazine of November 12, 2017 is totally dedicated to autonomous cars under a “Life after Driving” title. It is really worth reading in its entirety as it discusses many of the social and behavioral issues that need to be addressed.

It could just happen that all vehicles will operate without drivers or pilots or captains or locomotive engineers. But, of course, there will be strong resistance from traditional car manufacturers and their suppliers, as well as cab and truck drivers, chauffeurs, recreational drivers, parking garages and valets, car washes, and others directly or indirectly affected by the changes. After all, how much do we really care if the bus in which we are sitting is made by Mercedes or GM? Or that your fully-autonomous shared vehicle is a BMW or a Yugo? Well, you might worry about the Yugo. There will always be the status-conscious who are willing to pay more for prestige but, in general, if passengers equate these vehicles to public transportation, much of the panache and bragging-rights of expensive brands will likely disappear.

Also, rather than having vehicles sit idle in driveways, parking lots and garages perhaps 96 percent of the time (per The Economist), we could see individual vehicle utilization rates jump up to above 75 percent, which could reduce the number of vehicles required by, say, 50 percent (recognizing that additional use reduces the lifetime of a vehicle and assuming that total miles travelled per person remains about the same as before) which is certainly not where auto manufacturers, parts suppliers, auto repair shops, and professional drivers wish to go.

So, if we discount the power and pressure of today’s manufacturers, we could well be heading for a transportation environment where there are dedicated roadways or in which technology produces virtual roadways and manages all vehicles travelling on them from command centers. Uber, Lyft and others are already proposing urban designs to accommodate autonomous vehicles.

Let us consider what this will mean to everyone and particularly to cybersecurity professionals. By taking the human driver out of the mix and eliminating most in-vehicle decisions, the profile of vulnerabilities changes. Yes, in-vehicle systems could be hacked, but for what purpose? Surely it is much more likely that someone, or some group, wanting to disrupt traffic via denial-of -service attacks, say, or gain financially using ransomware, will go after local, regional and global control systems rather than on-board in-vehicle systems. Under such circumstances, it becomes more important to protect ex-vehicle systems from cyberattacks. Also, as the recent attack on Uber’s driver and customer data illustrates, there are, and will be, serious privacy issues to be addressed as more and more sensitive personal data on individuals and their travel habits are collected, analyzed and used for bona fide commercial purposes and well as nefarious activities.

Consequently, we need to understand the vulnerabilities of such systems and their potential for being attacked, malfunctioning, and failing, and we must protect against those threats. That isn’t where researchers are focusing today, but tomorrow isn’t that far away, so it is time to start thinking about how to protect those ex-vehicle systems that may well dominate future road transportation.

Post a Comment

Your email is never published nor shared. Required fields are marked *