Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and this week I have the privilege to sit down with Sherry Caddy. Sherry is the former Deputy Assistant National
Cyber Director at the National Cyber Director's Office in the White House. She was also serving as a Senior Technical Advisor at the Department of Energy where she oversaw a $50 million budget on R&D matters and prior to that was the Executive Director at the National Security Agency for the Enduring Security Framework initiative. She has 30 years of government experience in foreign policy, national security and intelligence matters, and dare I
say, is a Senior fellow of the McCrary Institute. Really excited to sit down with Sherry today to talk autos and to talk about connected vehicles. Millions of Americans are going to be jumping in their cars over Thanksgiving and it's a good time, I think, to take stock and get an appreciation for what some of the concerns are around connected vehicles and what some of the solutions are going forward. Sherry, so happy you could join us today. Thank you. Thanks so much, Frank. So I thought we'd
start before we jump into automobiles in particular and vehicles more generally. And I think it is fair to say they're basically computers on wheels these days. I think every car manufactured recently has up to 100, 200, 250 ECUs, which are in essence mini computers. They run on thousands of semiconductors, at least a thousand, up to 3,000 or 4,000, and millions of lines of code are going through that. So basically they're computers on wheels.
But before we jump into some of the cyber related issues there, I know you've done some very good work over the years on IT/OT convergence. I had the privilege of working with you when you were at DOE on a particular matter on cyber informed engineering. But let's start with, to set the stage, sort of where IT/OT convergence is. Yeah, that's a great question. So of course in our new connected
world, everything's becoming digitized, automated, interconnected, and that includes things in the physical world like vehicles, many other things. And so we have to look at the cyber vulnerabilities of all of that, the implications. It changes your cyber risk. There's a lot of great capabilities that come with being connected and automated. But we have to think about the cyber risk. And people don't normally think about a lot of the physical devices that
they use every day as being part of that cyber risk. So we have to look at these converged architectures where we're layering on that connectivity because anything that's computer of course has cyber vulnerabilities and concerns. So I've really been focused in the last couple of years on those cyber physical threats. That's where a lot of our interesting
cyber vulnerabilities and threats are coming through. Of course, a lot of our critical infrastructure, whether that's electrical infrastructure, pipelines, transportation systems and of course vehicles, all of these things are being interconnected and driving, no pun intended, towards ever more automation. So again, that's fantastic. That's going to do a lot for us as a society. But we have to think about the cybersecurity implications of that, the
data implications of that. You know, as we think about, you know, all of the data, all of the places that you go in a vehicle and all of the information that is collected about you. And especially if you take your cell phone and you pair it with a vehicle, you know, that is actually a really, a lot of potential privacy concerns people don't fully understand and aren't necessarily addressing. So first and foremost we're looking to raise awareness of hey, your car has always been something in
your environment, but now it's a computer. As you say, it's software defined and you have to treat it with all of the cyber implications of being a computer. Excellent
point and I'm really glad you painted the broader context because when I poorly teed up vehicles and automobiles, that's just the automobile itself. It is connected to a much bigger system of systems and broader ecosystem which I think is what makes the IT/OT convergence issue so challenging because you don't know where one starts and the other ends. Certainly. Yes, absolutely true. The car itself of course is becoming ever
more automated. There are more capabilities in the car, so you have things like voice activation, hands free driving. That's a wonderful capability for safety. But like any other voice activated computer, that means there's constant microphone on and recording of all of the in cabin audio. Modern features are also including things like video to determine, well, if the driver looks away or nods off, the car beeps at you. Hey, that's a great
safety feature. But that means that there's constant video being recorded in the cabin and being saved on that computer. So there's a lot of. Do you bicycle to work? I don't, I don't. But after, you know, working in this area, I kind of, I kind of want to. And as you mentioned earlier, any car that's less than 10 years old really is a whole bunch of computers and increasingly more computers and working towards future of being a software defined vehicle that is a single computer connecting
everything, all the systems in the vehicle. So vehicles themselves have a bunch of systems. Increasingly, vehicles also have a lot of sensors. So, you know, it's great that we have the little light that comes on on the rear view mirror that shows you if somebody's in your blind spot or helps you with a backup camera. Those are wonderful capabilities. But of course that means that all of the sensing that's around the
vehicle is being recorded. You have GPS, you have great things like OnStar, we have Wi-Fi, Bluetooth connectivity, great features. But there are a lot of cyber implications to that. So there's a lot of data being collected and stored in the vehicle. And
we have to think about, well, what happens to that data? Well, you know, a lot of like any other data collection activity that's happening in our modern world, there are lots of folks in the commercial world that are monetizing that data to determine, well, how can we advertise more services to you as a consumer? And that could be great. But there's also privacy implications, security implications that need to be considered and
thought about. A lot of the regulation that happens for vehicles is really focused on safety, cybersecurity, data privacy. These are still emerging areas of policy. And like so many other things in the cyber world, the technical capability is out there well before the policy catches up with the cybersecurity and data security aspects. And I'll definitely
want to pull that thread some more. And we've seen this movie in other environments where safety may have trumped security initially. I don't think they have to be either or propositions. They can both be two sides of an important coin, but you need to pay attention to it. And one of the things you brought up, regulations and a lot of discussion around regulatory harmonization on these issues. What does that look like in the vehicle environment? So yeah, as you say, we've had
a lot of focus certainly in the national cybersecurity strategy from last year on regulatory harmonization and really getting all of the different elements in the distributed risk environment to think about harmonizing how they regulate. That makes a lot of sense. As a technician, I'm looking at this from a. How do we look at the technical
standards that are underpinning all of this? And when you have an ecosystem like a vehicle and that traditional vehicle that could include a regular, traditional internal combustion engine vehicle, an electric vehicle, trucks, all these kinds of different ground vehicle modes, you know, they each have different regulatory regimes. But the ecosystem, the interconnected, digitized ecosystem, now includes lots
of different stakeholders. And what we might think about in cyber as traditional sectors, it's not just the transportation sector, it could also be the energy sector, electricity, if it's an electric vehicle, the communications sector, because these vehicles are all connected. Been some news
on that these days too, right? Information technology, major end users like the defense industrial
base, all of these different sectors are implicated and some of them are regulated, some of them are not. I don't know that we're going to get even with policy thrusts towards regulatory harmonization. I don't think the intended end state there is regulate everything. So we need to focus not just on the regulatory requirements, that's kind of the one end of the mandate spectrum, but we need to focus also on all of the standards and guidelines, all of the other things that are short of a hard
statutory regulation. All of that entire body of policy comes into play. And especially as we're looking at these blended ecosystems with all of these different stakeholders from many different sectors, we're not going to have a set of technical standards that rule everything. So how do we, how do we focus on integrating the different standards regimes? How do
we. That is literally an alphabet soup. Almost every agency and every sector risk management agency, SRMA, responsible for various critical infrastructure environments, is touched. Right? Correct. Yeah. So how do we get, how do we start peeling back that onion? So I think, you
know, the first, the first step is to help raise awareness. I think, you know, the, one of the big challenges in cyber, because it's absolutely everywhere. It's still far too typical to find people that just aren't aware of the cyber risk that they are holding and need to be responsible for in the environment. So we're talking about an ecosystem with connected vehicles of stakeholders that don't necessarily come together. There's not a
governance structure that brings all of these entities together. It's a novel combination, if you will. So we need to look at starting to create the places where transportation, energy, communications, IT, all of those different sectors, sector industry participants, you know, their government partners, the research community, all of those different entities can come together and talk about issues of mutual concern. There is no, there's no cyber problem that's a single sector anymore.
So very few. I think that's, you know, as we look at specific topics like regulatory harmonization, there's that broader need to find the ways to bring together these new and novel groups of stakeholders and help them understand their risk and how it affects others in the ecosystem. And do so in a way where the
cure isn't worse than the disease. Right. I mean, you don't want to stifle innovation, but at the same time you need to recognize what that attack surface looks like. And I just, I'm curious because when you start looking at automotives and let's just focus on that sector of vehicles, there are other countries that are, no pun intended,
again, driving some of the future in terms of vehicles in that environment. So as hard as this is within just getting both ends of Pennsylvania Avenue, then getting government and industry on the same sheet of music, this will have broader implications overseas, won't it? Of course, all of our. More so than some of the other cyber related issues. Well, all of our supply chains are now global. Well, we're going to
talk supply chain in a second. So whether that's, whether that's software, whether that's digital
goods, physical goods, everything, and you mentioned microelectronics, everything is global now. So we have to look at it in that context. Certainly the technical standards for security, for interoperability, for cybersecurity are global and we have a lot of emphasis on improving and making sure our presence in global standards organizations is really robust as we look at autos. But yeah, the global implications of thinking about safety and security related to autos is
huge. And one of the things to think about globally is that this new ecosystem
that modern vehicles operate in is very much a data ecosystem. It is. So as the car that you're driving is collecting information about the environment that you're in, the sensor information of where the, the vehicle is, the, the, the location, the activities that are occurring in the vehicle, whether that's, you know, sound auto, other conditions related to the vehicle, all of that data are being collected and, and they're being, a lot
of it's being shared back with the original equipment manufacturer that enables that manufacturer to help with the performance of the vehicle, understand how it's being used, understand where do
things like predictive maintenance. These are all, you know, legitimate good business capabilities. But you know, we have to ask ourselves, all of the data, all of the very, you know, sensitive personal data that's being collected from that vehicle that reveals a lot about you and everything that you do is being sent back to that manufacturer if that manufacturer is overseas. What are the privacy implications of all of that data going overseas?
And I do want to pull that thread as well. So from a global supply chain perspective, that is a vexing set of issues, and we're just beginning to get our arms around all that. But to ultimately know ET is not phoning home, even when it is intended or not intended. Any concerns in particular you have from a supply chain perspective? I think it's like all of the things we're concerned about with
cyber supply chain of just understanding and increasing the transparency, of understanding what are the components that are in the system and the software that increasingly drives vehicles. Where did the data go? What data are being shared from a paired cell phone with a vehicle? And do those data go back to the OEM and what's happening to it? And to what extent can the end user control some of these functions and features?
I think we've seen plenty of instances of wonderful new technological capabilities that come out. And then after the fact, people start to think about, well, you know, what about my data? What about, what about my data in 23andMe? So we want to try to make people aware. That's really where we're at now is the awareness of, hey,
this is something that we really think we need to be concerned about. There are a lot of different stakeholders implicated and what is the appropriate way forward that's going to preserve, optimize the capabilities that users want, but then also provide some of the cybersecurity and privacy features that users want as well. And you know, the ability to
potentially turn things on and off. That's, I think, one of the key discussions with manufacturers: features are great, but the ability to turn them off is also potentially very important to end users that are privacy conscious. And not just privacy, but even
from a national security standpoint, we're talking about projecting power, deploying forces, and I want to, I do want to pull that thread, but from a personnel security, are there any issues here, the federal workforce, with connected vehicles? Do you see a day where you can't necessarily bring in a car that is a computer made in Gotch knows where into an intelligence facility or a military base or something? So there are a
lot of concerns there that, you know, we need to address. Again, vehicles are giant sensor platforms recording everything. What are the security implications of, you know, taking a connected vehicle onto a sensitive facility and what are the implications? And then how do we, how do we work to mitigate those? I think that is very much an open question. And you know, one of the reasons that I found focusing on vehicles out of all of the other things that I've done in cyber so interesting is that
they're hyper ubiquitous. Everybody, you know, has vehicle fleets. Every organization, you know, most of your employees have vehicles. They're bringing their own device onto facilities, whether that's a sensitive facility or, you know, a civilian facility. We can't necessarily control the individual devices that not just employees, affiliates, you know, visitors bring on to federal facilities. So, you know, how do we, how do we think about this? How do we start to
develop policies and procedures that are going to help mitigate some of the risks? And it has to be done at the enterprise level. So because vehicles are so ubiquitous, everybody's got them. The status quo now is that all these different organizations, entities are
looking at different aspects of connected vehicles. We need to make sure that we're driving a lot of that consideration, especially as we're looking at policy to an enterprise level that, you know, it doesn't make sense for, you know, the Department of Energy to restrict vehicles, but then the Department of Defense doesn't. We're all, and we cohabitate in quite a few facilities. So we need to have some consistency across certainly the federal
space. But I would, I would say any organization does because, you know, we all face the same issues around the ubiquity of vehicles, vehicle fleets. So getting to the enterprise level, getting everyone on the same page is a huge issue. So from a
corporate perspective, if you do have a fleet of vehicles and so many companies do, how would you. Who should be driving this effort? Again, is it. And I know it has to be at the enterprise level, but this is in a very real world, how cyber and physical sort of come together. And you need to have both teams. I think it's a great question, because anything that's a computer, you know,
organizations reflexively say, oh, well, that's the chief information security officer. That's the, the people that do it. But, you know, the, the manager of the vehicle fleet is probably somebody in logistics that may not have a relationship with the people that control the cybersecurity for the business IT systems. And when we think about some of the fleet management solutions that are out there, they're a bridge between some of the corporate IT
systems and those individual vehicles. So this is an issue that you need, again, this novel set of stakeholders coming together corporately. If you think about roles, you need the chief information security officer, you need the logistics team that's managing the fleet. If you have electric vehicles and charging infrastructure, that's usually part of buildings and facilities. So you
need those people to come together. You need, of course, procurement to make sure that you're buying a solution that has the cybersecurity mitigations and concerns addressed as you want them. So again, these aren't people that necessarily normally talk to one another or come together. So I think this involves developing a novel governance structure to look specifically at this ecosystem. But again, because it's so ubiquitous, it's necessary. Well, hopefully there are some
use cases and best practices we can be pulling from the corporate sector. I also think DoD has massive fleets and they can. And if this became part of the mission assurance sets of issues, I think perhaps you could move the needle that way too. Right. I think that holds a lot of promise and I think even more
compelling for some defense use cases, because our key manufacturers don't make a completely different vehicle for DoD use. They don't, you know, our aerospace manufacturers don't make a completely different plane for DoD. They don't make a completely different vehicle for DoD. So. Unless
the specs are there. Unless the specs are there. But about half of, you know,
the baseline of the makeup of a vehicle is the same for commercial as it is for military uses. So a lot of these capabilities that are being driven by commercial use cases are also present in the baseline of what's being offered for military, law enforcement, defense purposes. So there's a lot of different equities there that need to be addressed for those more secure missions. Awesome. And why do you think this has
been overlooked, by and large, the cybersecurity issues? You know, I don't want to say
that it's overlooked. Certainly the vehicle community has been looking at security features and vehicles for a while. I think really it's bringing together the different, different stakeholders. I think we've, we've built a lot in cybersecurity. Manufacturers are doing a lot to, to meet the regulatory requirements. But, you know, this is just a different set of stakeholders that
don't come together. They haven't had a reason to come together before. And especially when you start to look at electric vehicles, that's just a whole nother set of stakeholders with, you know, logistics people, building people, electrical infrastructure. You know, it just makes the problem more challenging with more stakeholders in a lot of ways. And I would add,
in addition to electric vehicles, autonomous vehicles. Absolutely. Pulling all that, that's going to have even more of an attack surface. Yes. As we're moving towards more automated features. Again,
that's fantastic that you have some of the capabilities that we're seeing come into commercial vehicles. We're looking at, you know, more automation, you know, a future of automation that enables less and less driver interaction. You know, that's great, but if we don't think about the cybersecurity foundations for that now, that's going to be problematic in the future. So when I think about some advanced manufacturing auto it
is a big universe of actors that are playing in this show and how to herd all those kittens is not going to be very easy. But it has to happen. But one, and I'm not going to let you escape without having a discussion around cyber informed engineering. One, no matter what we're looking at, if we start thinking about this, and I'm not going to steal your good work here, but cyber informed engineering and secure by design thinking around
some of this is essential, is it not? Absolutely. We're never going to really address
some of the technical debt without looking upstream. Shifting left to how do we get security features into these devices, these vehicles by design. And so really the National Cyber Informed Engineering Strategy aims to do just that. You know, as you know, it was directed by Congress in 2020. We published it, the Department of Energy published it in 2022. And really the aim is to get to a non traditional
yet really important set of cyber stakeholders and that's engineers. And certainly in autos we have engineers that are designing these vehicles. Increasingly they're software engineers designing these vehicles. We need to get them to think about cybersecurity at the design phase because dealing with bolting on cyber after the fact is just not practicable especially for
a ubiquitous device like cars. If you have a cybersecurity bolted on solution that requires touching every vehicle, you know, it makes it really hard to implement that in an effective way. So that is definitely part of the discussion. We are working on developing some initiatives implementing cyber informed engineering with vehicles with some of the microelectronics that go into vehicles. So again, security by design is really a big feature of how we think
about moving forward and improving on the status quo here. This may be a naive
question and forgive me if it is, but there seem to be many more ECUs or minicomputers in automobiles than there are on airplanes. And when you look at aviation, why. There's just, I think, a lot more consumer features in a vehicle than
there are in an airplane. Not that airplanes don't use GPS and they're connected. There's a lot of similarities for those different modes. But you know, vehicles are as you noted, an area for increasing automation, applied machine learning. There's so many more sensors, data collection points, capabilities than one might see in a typical aircraft. So I think it's just there's many more features that are present, and there are more vehicles than
there are aircraft. True that, but not all in one place. But I'd also be
curious. I mean, what would you be advising your friends and family as they get on the roads for Thanksgiving or they're renting a car in wherever they're. They're visiting? What. What would be some personal recommendations? That's a great question. So I think, again,
back to awareness of some of the cybersecurity implications. One of the things that I advise everybody with vehicles, especially rental vehicles, is never, ever pair your personal cell phone with a rental vehicle. I promise you, the vast majority of our listeners and watchers probably
do. And it's because. Yeah, it's because the data on your cell phone can. A
lot of the data are pulled into the vehicle. Whether that's, you know, text messages, phone numbers, photos, more than you think, flows from that personal device onto that vehicle. And it's challenging as a user to delete all of that. And a lot of people have rented a vehicle and, you know, pull up the infotainment system and they see numbers and text messages from the last however many users. So you
want to safeguard your personal data. Don't, don't connect your phone, your personal phone with a rental car. It's just a best practice for cybersecurity. And also thinking about charging your phone. A lot of people like to charge their phone in their car. If you've got a charging cord, that's, you know, USB device that you're plugging into a phone or plugging into the car, recognize that if you're connecting via a USB port,
data is also flowing, not just power. Now, if you're using the connection, I don't even know if they make cigarette lighters anymore. You know, the one that's just the. In the lighter, that's not a data flow. But anything that's using a USB connection into the vehicle, data are flowing. So just be aware of it. It's just something that you want to think about, especially as you're moving around for the holidays this year. Just be cyber safe and aware of where your
data is going. Sherry, what questions didn't I ask that I should have? There's so
much in this field, and it's an emerging set of issues. It is an emerging
set of issues. And again, why I've ended up, out of all of the cyber things that I've looked at over the last many years of focusing on cyber. This is just such an interesting area of converging of all of the exciting cyber things, from supply chain to applied machine learning to data standards and integration. There's just so much here we're not done with innovating in vehicle technologies. The vehicle supply chains are
becoming more global. We're transitioning to electric vehicles and that has implications as well. So just awareness of all of these issues. Again, all of the things that we have to deal with in cybersecurity now we have to think about those relative to vehicles as well. They're computers too. So I think that's a big theme to take away.
Also the need to get all of the right stakeholders in this ecosystem in the same rooms and having discussions to talk about these shared interests, the shared cyber risk that we're all dealing with. We can't just talk to manufacturers, we can't just talk to communications providers. We have to have all of them in the same discussion. So I think that's going to be really critical going forward. And we want to solve
these kinds of issues at an enterprise level. We can't have every single organization, every single agency trying to cope with cyber implications of their vehicle fleet and then individual devices bringing your own device to places. So we need to think about this, certainly for the federal government, at a federal scale. But, you know, also societally, everybody has this problem, this concern. Even if you don't own a vehicle, you probably ride a
bus or other things, you benefit from trucking and shipping of goods. There's, you know, concern for everybody here. Our entire economy is very much implicated, as well as elements of law enforcement and national security. Law enforcement officers, they all have vehicles. So, you know, it just. Medic, EMS, ambulance. Exactly. So this is something that we need to think about because it's so pervasive. Sherry, thank you for spending
so much time with us today and for your public service for all these years. I hope there'll be receptive ears on so many of these issues and this one in particular, because I don't know what I don't know here, but I'm glad you're on it. So thank you for joining us today. Thank you. Thanks. Thank you for joining us for this episode of CyberFocus. If you liked what you heard, please
consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you'd like for us to host. Until next time, stay safe, stay informed and stay curious.