Cyber Security specialists have recently demonstrated how a commercially sold car can be effectively taken control of by a remote “Hacker” leading to disastrous consequences.
This article in Washington Post graphically sketches how a hacker can cut off the engine or disable the brakes or even turn the steering wheel by hacking in to the Jeep Cherokee marketed by Chrysler. What is more alarming is that this is not a “Google Car” meant to be remotely driven but a conventional car with the infotainment connected to the internet and perhaps independent subsystems that are managed by electronic sub systems in the car.
Apparently, the hackers have gained access to the infotainment system through the internet and once into the subsystem within the Car’s electronic system was able to jump across to other subsystems taking control of each one of them.
It is obvious that malicious hackers can exploit similar vulnerabilities and cause death and mayhem on the roads.
While Chrysler in response has reportedly recalled about 1.4 million vehicles and also issued a patch to plug the vulnerability, the risk of cars being vulnerable to hackers is staring all Car manufacturers as well as Car users.
The biggest beneficiary of this demonstration is however the info-sec community as it opens up more critical job opportunities for them in the automobile sector. But the automobile users will now remain under constant threat of being exposed not only to risks of mechanical failures but also the technological failures and additionally, the cyber criminals.
In the context of Cyber Insurance that we are discussing through these columns, it now appears that a Car accident can happen due to such hacking incidents and the Insurance companies may have to deal with claims of accidents that cannot be logically attributed either to a driver’s mistake or to any identifiable external reasons. The claimants will have a lot of difficult to explain the cause of an accident as finding evidence will be extremely difficult. Perhaps the damage assessers need to be not only mechanical engineers who check the mechanical failures but also “Cyber Forensic” specialists who will check the log records of all electronic systems in the Car.
The question that arises in settlement of the claim is whether the policy which covers “Mechanical Failures” will also cover “Electronic Failures” and “Cyber Crimes”. Ideally the current policy should cover damages occurring due to malfunction of a mechanical part whether it is because of internal defect or an external hacking, unless the risk is specifically excluded.
The publicity now generated to the hacking event should be sufficient to consider that the Insurance company is aware of such risks and hence if the risk is not specifically excluded, it should be considered as “Included”. In other words, the Insurance companies will have to accept the uncomfortable truth that the current Vehicle insurance policies are also “Cyber Insurance Policies”
The problem demonstrated in respect of the Chrysler automobile is also relevant to the managers of Digital India who need to manage an environment which includes “Internet of Things”. With a similar argument we can say that the current insurance policies that insure damages of white goods or other properties should be also considered as covering risks arising out of electronic component failure either due to natural causes or through hacking.
While the manufacturers of internet exposed devices need to worry about the information security aspects, the Insurers need to worry about how they would cover these risks.
The future of the Cyber Insurance industry appears to be exciting.