From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Vehicle Cybersecurity

Description: Audio interview by GAO staff with Dave Wise, Director, Physical Infrastructure

Related GAO Work: GAO-16-350: Vehicle Cybersecurity: DOT and Industry Have Efforts Under Way, but DOT Needs to Define Its Role in Responding to a Real-world Attack

Released: April 2016

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. It's April 2016. You may not have noticed, but your car is turning into a computer on wheels. Software now controls things like braking and steering, as well as hands-free calling, and keyless entry. But if your car is like a computer, is it also at risk of being hacked? A team led by David Wise, a director in GAO's Physical Infrastructure team, recently reviewed cybersecurity issues that could affect passenger safety in modern vehicles. GAO's Eden Savino sat down with Dave to talk about what they found.

[ Eden Savino: ] I'm familiar with some of the features in new cars, like built-in navigation and hands-free calling, but which features could be vulnerable to hacking, and how could that be dangerous?

[ Dave Wise: ] Well Eden, as I'm sure you know, modern cars have gotten a lot more complicated compared to the old clunkers we used to drive around. And in recent years, they've become even more complex as they have incorporated Bluetooth and wireless internet. And so pretty much any interface can be vulnerable.

[ Eden Savino: ] You mention all these new systems that are in the car in addition to Wi-Fi and Bluetooth. Are all of these systems connected to the same thing? Could each of them be a vulnerability to control something like say, braking?

[ Dave Wise: ] Eden, that's a good question. There really are a variety of practices and technologies that are possible to use to identify and mitigate some of the potential cyber security vulnerabilities.
You know, for example, one of the things we know to now report is that one of the key practices is for the automakers to locate safety-critical vehicle systems -- like for example, the brakes or the steering -- and non-safety critical systems on separate vehicle networks. This could limit the safety impacts of a cyber-attack. I think it's important to keep this in perspective, as you know, and as listeners may know, there was the well-publicized cyber-attack on one vehicle, I think it was last year. But we view that as, at the moment, kind of a one-off. We haven't heard of any since then. But obviously, the possibility is there. And most importantly there are implications for safety. That's what we're most concerned about. And of course one of the things the Department of Transportation's concerned about, is how does a possible cyber-attack have an impact on safety?

[ Eden Savino: ] Your team spoke to a variety of people about the potential for hacking. Can you tell me a bit about who you spoke to, and what your team learned?

[ Dave Wise: ] Yes, we spoke to a wide range of folks, both in the United States and outside the United States, because there are many countries that are concerned about cyber-attacks relative to automobiles. And so we spoke to a great number of industry stakeholders. We spoke to auto suppliers, and we talked to auto manufacturers. We spoke to automakers in Germany. And we had some phone conversations with a couple of Israeli firms, which are very active in cybersecurity.

[ Eden Savino: ] So who's responsible for making sure our cars don't get hacked here in the United States?

[ Dave Wise: ] Well responsibility for vehicle cyber security is really kind of a shared responsibility throughout the auto supply chain.
There are basically three responsible parties, as we discovered in doing our work -- the automakers, the automotive part suppliers, and the National Highway Transportation Safety Administration, which is part of the Department of Transportation.

[ Eden Savino: ] So all three groups need to work together to ensure cars can't get hacked?

[ Dave Wise: ] Yes. Within the Department of Transportation -- NHTSA as we call it -- is really the primary agency responsible. But we see it's very important that all these elements kind of work together. And some of that's been happening through some organizations that the automakers have worked with the government to form. The auto industry is currently forming an organization they call their Information Sharing and Analysis Center, which is really aimed at helping the automakers and others share threat and other kinds of critical information. Other efforts include things like the development of guidelines, or key practices to enhance vehicle cybersecurity. So this is something that certainly the industry is very concerned about. And they work in harmony with the government, hopefully, to try to push these things forward.

[ Eden Savino: ] But it sounds like from the recommendation in your report, more could be done in this area, and that maybe not everyone is working together as well as they could.

[ Dave Wise: ] Well, almost every GAO report says something about more needing to be done, and I think this one was no exception. You know, the bottom line is though, that there haven't been really real-world attacks that impact safety. But that's not to say that they couldn't happen. And our recommendation was aimed towards getting a plan--certainly a kind of a response plan, which they don't have. And we felt that's important in order to mitigate some of the potential safety implications, or cybersecurity implications. We don't think that there's an imminent danger by any means. But again, cyber-attacks have become more frequent.
And they've come in different manners. And to say that it hasn't happened in the past doesn't mean that it couldn't happen, because there are an awful lot of things that we didn't see happening in the past that have happened. And so that's why we're trying to be proactive in this report, and encourage the government to take a strong role in developing a plan that will help mitigate some of the potential for a cybersecurity attack.

[ Background Music ]

[ Narrator: ] To learn more, visit GAO.gov and be sure to tune in to the next episode of GAO's Watchdog Report for more from the congressional watchdog, the U.S. Government Accountability Office.