
How Automakers Can Inspire Trust in their Software

Four reasons why automakers should consider becoming CVE numbering authorities (CNA)


As vehicles become increasingly connected and reliant on complex software systems, the risk grows of cyber security vulnerabilities that can degrade the customer experience and even lead to physical harm. The software in automakers’ mobile apps, vehicle head units, and web applications increasingly defines the consumer experience of owning a vehicle. Like any maker of software products, automakers should consider becoming a CVE Numbering Authority (CNA) to better communicate the vulnerabilities that inevitably arise and to publicly demonstrate a commitment to security.

First, let's define what a CNA is. A CVE Numbering Authority is an organization authorized by the CVE Program to assign Common Vulnerabilities and Exposures (CVE) identifiers to newly discovered vulnerabilities.

Here are the key reasons why automakers should consider becoming a CNA:

  • Manage the narrative: Becoming a CNA ensures that the people who know the products best (i.e., the developers) are the ones naming and describing the vulnerabilities. A CNA publishes the CVE on its preferred timeline and defines the severity of the vulnerability, so automakers can appropriately calibrate stakeholders’ response to each CVE.
  • Collaboration and Information Sharing: Becoming a CNA allows automakers to collaborate more effectively with the cybersecurity community, including researchers, vendors, and other CNAs. This collaboration fosters information sharing, best practices, and collective efforts to address industry-wide security challenges.
  • Compliance and Regulatory Advantages: As cybersecurity regulations for the automotive industry continue to evolve, being a CNA shows a proactive approach to security, which can be advantageous when dealing with regulatory bodies and audits. This visible dedication to cybersecurity and willingness to take responsibility for the security of their products enhances their credibility and trust among customers, regulators, and industry partners.
  • Competitive Differentiation: In an industry where cybersecurity is becoming a key differentiator, being a CNA can set automakers apart from their competitors. It showcases their commitment to security and can attract customers who prioritize the safety and security of their vehicles.

None of the reasons above are necessarily specific to automakers. They exist for any organization that produces software products. That’s the point: automakers make important software products and for that reason alone should consider becoming CNAs. The less-good news is that as of this writing in June 2024, no major automakers operating in the United States participate in the CVE program. The good news is that the opportunity to demonstrate leadership as a first-mover exists for all of them.

Some clarifications

Don’t automakers already report their vulnerabilities?

In 2022, the United States National Highway Traffic Safety Administration (NHTSA) stated in its non-binding and voluntary Cybersecurity Best Practices for the Safety of Modern Vehicles that “the [vulnerability] response process should include reporting all incidents, exploits, and vulnerabilities to Auto-ISAC as soon as possible” and that “incidents should also be reported to CISA/United States Computer Emergency Readiness Team (US-CERT) in accordance with the US-CERT Federal Incident Notification Guidelines.”

Automakers should absolutely participate in Auto-ISAC if they are not already doing so, and practice vulnerability reporting as described above. These are table stakes in the year 2024. Becoming a CNA is the important next step for two reasons: the broader vulnerability management community is informed, and the vulnerability details come from the organization best positioned to accurately triage and assess the severity of the vulnerability: the automaker.

Is the level of effort in becoming a CNA significant?

It’s no secret that cybersecurity budgets are stressed in large organizations. Some automaker leaders may worry that becoming a CNA will place an excessive burden on the resources available. However, becoming a CNA in the CVE program can be “right sized” by beginning with a narrow scope; significant help is available from mentoring organizations that already participate in the program; and there is no cost to participate.

Next steps

As the importance of automotive cybersecurity continues to grow, becoming a CNA is a low-effort strategic move that every modern automaker should prioritize. The CVE Program is sponsored by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). CISA is the Root CNA for industrial control systems (ICS) and medical devices; CISA recruits vendors to become CNAs in order to develop stronger, more transparent vulnerability disclosure programs across these critical systems worldwide. Interested manufacturing vendors, including automakers, can contact CISA to learn more.

Meet our team

Caleb Queern, Managing Director, Cyber Security, KPMG US
Jackie Mak, Director Advisory, Cyber Security Services, KPMG US
