Why Carmakers Struggle to Attract Cyber-Security Talent

You don’t need to be a computer nerd or security wonk to realize that our world needs better defenses against cyber-attacks.
Nearly every month, it seems, there is another high-level breach putting the data of millions of people at risk (witness the late 2018 hack of hotel giant Marriott, which apparently compromised the accounts of roughly 500 million guests). Most of us are well aware that connected cars have been successfully targeted by hackers numerous times. Some of those hackers, who thankfully had good white-hat intentions, even managed to gain full control of their target car’s operation. This illustrates an obvious and very worrying truth – there are far too few vehicle cyber-security experts defending against potential onslaughts.
It’s playing out in a world where there’s ever more to secure. “The more features automobiles add, the wider the attack surface is,” says noted veteran hacker Samy Kamkar. “The fact that many features of vehicles are wireless now makes the attacks also less risky to employ as it’s not even obvious someone is trying to attack something.” Kamkar should know. In 2005, he became notorious for developing an effective, albeit harmless, worm that invaded then-popular social media site MySpace. Then earlier this decade he designed a product called OwnStar that allowed its users to hack into GM’s OnStar service. Yet much of his work these days, some of which covers auto cyber-security, is better-intentioned – it aims to increase general cyber-security awareness.
Annemarie Pender, communications director at the Association of Global Automakers, believes the shortage of qualified cyber-security experts isn’t down to ignorance or inactivity on the part of carmakers and solutions providers. “Automakers recognize that as vehicles become more connected and offer more safety and automated technologies, cyber-security must be job one,” she said. “That is why the industry is taking proactive steps to ensure the security and integrity of vehicle systems.”
She concedes that there’s a lack of hack, so to speak, in the car manufacturing business. Pender says, however, that: “The challenges in finding cyber-security experts are no different for the auto industry than they are for other industry sectors. There is high demand for expertise.”
As an example of the industry being proactive about this, she pointed to the Automotive Sharing Analysis Center (Auto-ISAC). This is a partnership comprised of major auto industry players that exchange knowledge and strategies about auto cyber-security throughout the vehicle and component making sectors. Auto-ISAC commenced operations at the beginning of 2016.
According to Faye Francy, Auto-ISAC’s executive director, the organization is also ramping up its efforts in the education sphere. “Examining ways to support training and learning,” she said. “We hold routine cyber exercises and trainings from our strategic partners. We are also working on a project to do cyber-security certified training for our member analysts in 2019.”
That’s all well and good, but the need for experts is immediate and acute, and it’s not coming cheap. These days a talented and (perhaps) seasoned white-hat hacker can command a pretty penny. Research indicates that, in the US, the average base salary for a so-called “ethical hacker” is roughly $80,000, not counting bonuses and profit-sharing. This is almost 25% higher than the average pay for those in the broader “professional occupations” category that ethical hacking is a part of. Of course, that’s just the average white-hat hacker salary; an individual with experience and a proven track record can collect well in excess of $100,000.
So, what does it take for a carmaker or solutions provider to attract good cyber-security personnel? Is it only a matter of money? Longtime hacker Kamkar doesn’t necessarily think so. “I think culture fit would help the automotive industry find more cyber-security talent as the cultures sometimes appear to clash.”
This could be a problem, as most automakers have been in business for many decades and have corporate cultures and structures that have become fairly rigid over time. Hackers, on the other hand, tend to come from a somewhat anarchical background that often eschews hierarchies and authority; it’s not all that easy to reconcile the two.
Also, says Kamkar’s peer, good-guy hacker and car cyber-security expert Eric Evenchick: “Automakers do have challenges when recruiting. Based on my observations, they are restricted in the salaries they can pay and the office locations they provide. This makes it difficult for them to compete for established talent.”
Most likely, the companies that can be most flexible in their hiring and employment practices – at least in regard to hackers – would stand the better chance of attracting top cyber-security team members. What will also help, of course, is a willingness to devote some of their considerable financial power to enhance salaries, bonuses, profit sharing, etc.
In many cases, that might require a shift in thinking and/or established corporate culture, but we’re quickly barreling into a wide-open world full of vehicles that will only become more connected. Securing all those connections is vital, as is effectively drawing the talent to provide that security.