View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
September 20, 2021updated 21 Sep 2021 3:09pm

Tesla and other carmakers have yet to face their cybersecurity day of reckoning

Elon Musk has pledged to work with regulators on data protection as legislation struggles to keep pace with connected car technology.

By Matthew Gooding

Elon Musk has said Tesla will co-operate with regulators around the world on data security to ensure that information collected by the company’s vehicles is stored and processed safely. The growing number of connected vehicles on the roads means cars are increasingly being targeted by hackers, but a lack of strong legislation means many automakers have yet to prioritise the issue.

Connected vehicle cyber security

Tesla boss Elon Musk says his company will work with regulators on cyber security (pic courtesy Shiela Fitzgerald/Shutterstock)

Speaking via video link at the World New Energy Vehicle Congress on the southern Chinese island of Hainan, Musk said Tesla stood ready to work closely with regulators in China and beyond. “With the rapid growth of autonomous driving technologies, data security of vehicles is drawing more public concerns than ever before,” he said.

While Musk’s comments were probably driven at least in part by some scrutiny Tesla has faced in China, they speak to a bigger challenge facing car companies in the era of connected vehicles.

What data does Tesla collect?

Earlier this year Tesla announced it would be storing all car data generated in China at local data centres. Reuters reported this followed fears about data privacy, with staff at Chinese government agencies told not to park their Tesla’s in office car parks due to the cameras on the vehicles.

Though Tesla does collect data on driver activity, Roger C Lanctot, director of automotive connected mobility at Strategy Analytics, says it holds relatively little personally identifiable information (PII) when compared to other carmakers. “A lot of competing automakers are obsessed with collecting contextual data so they can deliver contextually relevant information to drivers,” he says. “Musk and Tesla aren’t really into that. What they do want to capture is a whole payload of data around features like autopilot or battery performance so that they can analyse it, particularly in the event of something catastrophic like a crash happening.”

While this data can be valuable to hackers, it does not put drivers personal information at risk, Lanctot says. “It’s the sort of information that can be easily collected and stored securely within a geography,” he says. “There have been enough examples of Tesla drivers going beyond cellular coverage and not being able to unlock or start their vehicles to tell me that they’re not collecting a great deal of personal information about drivers.”

Cybersecurity for connected cars: regulation required

With 470 million connected vehicles expected to be on the roads by 2025, it is no surprise they are proving popular targets for cybercriminals. Cloud servers, where data is stored and processed, were the second most popular vector of attack for cybercriminals targeting vehicles in 2019, according to a report from auto cybersecurity company Upstream Security.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

This risk means automotive cybersecurity is big business, and the market is expected to be worth $4bn by 2025. Despite this, regulation in this area remains scarce, and Lanctot says car companies remain under few obligations when it comes to how they collect, store and use customer data. "It's a real legitimate problem and I'm not sure the regulators are up to the task [of dealing with it]," he says. "It's something of a Wild West right now when it comes to PII - it's ill-defined and there's an assumption that not a lot of it is being collected, and that there are sufficient opt-in procedures in place, which I would question."

Carmakers in Europe, Japan and Korea are bound by rules set by the World Forum for Harmonization of Vehicle Regulations (WP.29), a UN working party designed to put vehicle standards in place around the world. Its rules on cybersecurity mandate that all carmakers must monitor connected vehicles 24/7 from a vehicle security operations centre, so that action can be taken in the event of a breach.

The US has not signed up to this rule, though many of its car companies comply with it anyway for reputational reasons, while China also remains outside its remit. However, last week China's industry ministry published a notice asking carmakers to increase cyber and data security oversight over connected vehicles, suggesting Beijing recognises the severity of the issue.

Lanctot says until more regulation is put in place, he doesn't expect carmakers to prioritise data protection and security. "If you're an automaker you're going to prioritise things which generate revenue," he says. "This is not revenue generating, it's more of an obligation, which is why it will probably require regulatory intervention. I don't anticipate a solution coming soon, but there is a recognition [at policy-making level] that a problem exists."

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.