GM to Hire Hackers to Find Bugs in Car Computers

Highly computerized cars could mean consumers’ data is vulnerable or the driver safety might be endangered if car companies aren’t prepared to cut off any data breach or threat to cybersecurity at the pass.

General Motors is taking no chances. It’s bringing in those exact people who might do the infiltration to help thwart it.

In the upcoming weeks, GM will bring researchers, some of whom are professional computer hackers, to Detroit to offer them a bounty or cash payment for each “bug” they uncover in any of GM vehicles’ computer systems.

“We’ll show them the products, programs and systems for which we plan to establish these bug bounties. Then we’ll put them in a comfortable environment, ply them with pizza and Red Bull or whatever they might need … and turn them loose,” GM’s President Dan Ammann said in a speech at the Billington CyberSecurity Summit at Cobo Center in Detroit on Friday.

After that, GM will send these cybersecurity pros home with hardware to continue their research over many weeks, he said.

The program, called Bug Bounty, will include about 10 researchers GM has hand-picked.

“They are white-hat researchers who we’ve established relationships with through our coordinated disclosure program,” Jeff Massimila, GM’s vice president of Global CyberSecurity, told reporters at the summit.

“White hat” is Internet slang for an ethical computer hacker or computer security expert who specializes in penetration testing or other testing methods to help protect an organization’s information systems.

GM started its coordinated disclosure program two years ago, Massimila said. He said GM was one of the first automakers to embrace the work of white hat researchers for its products and programs. The coordinated disclosure program was open to anyone, but GM did not pay those researchers for any contributions. Instead, he said, GM built relationships and identified the 10 it would pay to fix the bugs.

GM presently employs about 450 people working in the cybersecurity area, Massimila said.

The Bug Bounty program will start before the end of the summer, Massimila said. He and Ammann declined to say how much GM will pay the bug hunters or what it has spent on cybersecurity so far.

But Ammann said, “It is a top priority” for GM that its vehicles are safe from any data breach or threats particularly as it aggressively pursues development and deployment of autonomous vehicles, which it plans to take to market next year.

Ammann said GM has a broad perspective of where threats to information technology could come from.

“The overall threat level and so on is only going to grow from here, which is why we’re putting so much energy and resources into getting ahead and staying ahead,” Ammann told reporters at Cobo.

The work is not just happening inside the company, said Ammann, but GM is “taking advantage of third-party researchers, taking advantage of third-party expertise from multiple different places, working together across the industry to collaborate to make sure we have all the best minds working on this issue.”

Convincing consumers that GM cars are secure from any cyber threats will happen by meeting government regulations and having strong public communications, Ammann said, adding, “We’ll have work to do ahead of us on that.”