They’re non-traditionalists who wear white hats. They are the now well-known “whitehat” researchers who help identify and catch cybersecurity vulnerabilities. While the general public might call them hackers, many in automotive’s cybersecurity army just refer to them as researchers. These “freelance” researchers are a key cog in a General Motors program aimed at ferreting out computer-system attacks.
“The bug bounty program is our way of paying researchers that we know have skills and capabilities – based on the relationships we’ve developed with them – to help us test our systems,” Jeffrey Massimilla, Vice President of Global Cybersecurity for General Motors, said in an interview with Automotive Engineering. Massimilla spoke with AE following a WCX’19 roundtable discussion titled, “CyberSecurity, Do We Feel Good Enough To Be Just A Little Paranoid?”
GM’s whitehat researchers are another layer of cybersecurity that supports GM’s internal “red team” and its third-party testers. In the fall of 2018, GM brought the whitehat researchers to GM’s Technical Center in Warren, Michigan, to learn about GM systems from the red team. The endgame for the whitehat researchers: help identify cyber-bugs.
“From our perspective, we get a lot of great input about our systems from all the researchers on the things that they find,” Massimilla said. The current project for the whitehat analysts involves the testing of a GM infotainment system that includes a connected radio system; GM and third-party researchers also are testing that infotainment system.
Massimilla said he views GM’s bug-bounty program as an extremely important undertaking. “It’s an invitation-only private program. This won’t be our last one. We may use the same researchers, or we may develop more relationships with other researchers, but we’ll continue to do these programs in critical parts of our ecosystem going forward,” he said.
Vehicle consumers are the big beneficiaries. “We look so far left [on the development] process to put all of the controls in place that we think we need,” said Massimilla, noting that the confirmation activity is done with in-house people and third-party vendors. “But getting that other [whitehat] group of people to confirm that the system is appropriate, that it’s secure and safe, and that the data is going to be kept private, that’s the value to the end user.”