GM prioritizes cybersecurity with internal training and bug bounties

CEO Mary Barra shared the company's commitment to security at RSA 2020.

GM is working with industry colleagues, company engineers, and middle school students to make cybersecurity a cornerstone of the auto industry, according to GM Chairman and CEO Mary Barra. Barra spoke at RSA 2020 on Thursday and explained the company's sophisticated strategy to improve cybersecurity now and in the future.

Barra said that GM's commitment to cybersecurity is deep, broad and well-funded, with hands-on engagement from the board, citing a $100 million annual budget for security efforts.

"Cybersecurity is a systemic concern for our industry," she said.

Barra said this collaboration among carmakers is important because a critical breach at one company will impact the entire industry. Here are three things the company is doing to improve security in the mobility sector.

Designing for security

GM has moved to a secure-by-design process, a popular call to action in the industry. Barra said the company has re-engineered the vehicle development process to make sure security is part of the early stages of design.

Barra also described the company's Vehicle Intelligence Platform as the nervous system for GM vehicles.

"This system allows us to offer active safety systems and over-the-air updates," she said.

The platform and the electronic system in the car can process 4.5 terabytes of data per hour.

Barra said the company practices enterprise-wide "cyber hygiene" by training all software developers in secure coding.

Working with HackerOne and NIST

GM launched a bug bounty program in 2016 with HackerOne and expanded the project in 2018. The security researchers have access to GM products and systems to find vulnerabilities. As of January 2019, HackerOne's status page on the GM partnership lists 33 reports received in the last 90 days and 438 hackers thanked.

GM has contributed to the NIST framework and uses it to guide development and production phases of the vehicle lifecycle. GM also contributes to Auto-ISAC, an industry collaboration that shares and analyzes emerging cybersecurity risks to the vehicle and works to improve vehicle security among suppliers, original equipment manufacturers and the commercial vehicle sector.

"We have to work with the public and with policy makers because the trust factor is equally important as the tech factor," she said.

Supporting STEM education

Finally, the company supports STEM education programs for middle school students to build a pipeline of future engineers, mathematicians, and data analysts. These programs reached 300,000 students and teachers in 2019.

"We have an interactive student cybersecurity challenge and a curriculum for middle school students so young people can see a path for themselves in this work," she said.

GM's Vehicle Intelligence Platform is the nervous system of GM vehicles and can process 4.5 terabytes of data per hour. 

Image: Veronica Combs