laitimes

Zhi Wu wu | exclusive interview with Du Yuejin: auto safety "attack and defense"

Intelligence has become a recognized mainstream trend in the automotive industry and has gradually moved onto the fast track of development. To highlight the progress of China's automotive industry in core intelligent technology, Automotive Observation Media and the Automotive Industry Committee of the China Council for the Promotion of International Trade jointly held the "2022 China Automotive Intelligent Innovative Technology Selection" activity and launched the special report "Wisdom Without Saying Anything • China's Automotive Intelligent Innovative Technology". Through in-depth interviews with heavyweight expert judges and representatives of outstanding enterprises in different technical fields, the report aims to give insight into the development status of China's intelligent automobile industry chain, to show China's independent and original underlying core technologies, and to further promote the sustained and rapid development of automotive intelligence.

In the era of intelligent networking, automobile safety has been upgraded from the application of "Newton's Law" to the attack-and-defense approach of "Sun Tzu's Art of War": know yourself and know your opponent, and you can survive a hundred battles.

In 2017, the hackers in the movie "Fast and Furious 8" illegally remotely controlled a group of self-driving vehicles to drive according to their wishes.

In reality, similar plots had played out even earlier. In 2014, hackers took advantage of a vulnerability in a car's digital service system to open doors remotely, affecting 2.2 million cars. In 2015, hackers remotely broke into a moving car and controlled its deceleration, braking and other functions; the automaker recalled 1.4 million vehicles because of this vulnerability and was fined 150 million US dollars. In 2016, a Chinese security laboratory achieved arbitrary remote control of the in-car equipment and driving of an electric vehicle brand...

Data shows that the amount of malware grew over the past decade from about 65 million in 2011 to about 1.1 billion at the end of 2020. According to the dynamic monitoring of the Internet of Vehicles by the Ministry of Industry and Information Technology, more than 2.8 million malicious attacks have been detected against vehicle companies, vehicle networking information service providers and other related enterprises since 2020. From 2016 to 2020, the number of automotive cybersecurity incidents around the world grew nearly 10-fold. Clearly, Internet of Vehicles security has begun to move from the laboratory to industrial-scale confrontation.

As cars have evolved from "sofas on wheels" to "supercomputers and data centers on wheels", how has the meaning of car safety changed? How can we ensure the safety of intelligent and connected vehicles on the road? With these questions, which concern both users and the industry, Liu Xiaoyong, founder of Automotive Observation Media, conducted an exclusive interview with Dr. Du Yuejin, vice president and chief security officer of 360 Group.

Liu Xiaoyong, founder of Automotive Observation Media (left), interviews Du Yuejin, vice president and chief security officer of 360 Group (right)

From "Newton's Law" to "Sun Tzu's Art of War"

As the automotive industry enters the era of intelligent networking, on-board hardware and software equipment has become more complex. According to statistics, today's cars have as many as 150 on-board controllers and about 100 million lines of code. Coupled with the fact that most intelligent connected cars are already online 24/7, these new changes provide consumers with richer features and a more convenient experience, while also providing the perfect target for malicious attackers. Because of this, the security of the Internet of Vehicles has received increasing attention, and the importance of the industry has become particularly prominent.

"Factory production and vehicle operation have become data-driven, and when this data is under security threat, individuals, businesses and even countries are endangered," Du Yuejin said.

For individuals, the growing number of new features, such as sensors inside and outside the car and access to personal payment systems, exposes users to privacy violations and property losses, while smart driving functions put users' lives at risk.

For enterprises, data security raises other issues. "First of all, data is itself an asset; if it is stolen or encrypted, the asset suffers a loss. Second, data security involves the security of production itself: if a factory's data is encrypted by someone else during production, production stops, and if the data is poisoned, what is produced is scrapped, and the company suffers huge losses. Third, if the company's plans and technical routes are stolen, the enterprise loses competitiveness among its peers." When this data is large enough, it can even involve national security, Du Yuejin explained.

In 2015, intelligent connected vehicles were listed as an important part of China's national strategic development, and China has also carried out work at the level of policies and regulations to ensure the safety of intelligent and connected vehicles. In June and August 2021, the Data Security Law of the People's Republic of China and the Personal Information Protection Law of the People's Republic of China came into force successively. Together with the Cybersecurity Law of the People's Republic of China, which was implemented in 2017, they give China an initial legal framework in the field of network security protection.

But to ensure the safety of intelligent and connected vehicles, laws and standards alone are not enough. "Standards can only solve the most basic problems, and the security of the Internet of Vehicles must confront an extremely large number of hackers all over the world, so the ultimate state of car security is a confrontation between people," Du Yuejin said.

At the same time, Du Yuejin pointed out that, beyond meeting the requirements of laws and regulations, it is necessary to take product safety as the basis, take operational safety as the goal, and focus on emergency response. Safety should be taken into account in the early stage of automotive software design, and safety precautions should be strengthened around the informatization of the vehicle itself. Standards can never be fully mature. Whether a problem lies in the product or arises during operation, what matters most is whether the fastest and most accurate response can contain the situation and reduce the losses from the incident. Such rapid response is not what traditional car manufacturers are accustomed to, but it is necessary for intelligent and connected cars on the road.

"In the past, the physical defects that traditional car building needed to confront were all under Newton's control, but now we still have to resist the malicious attacks of the enemy, and to do a good job of defense, we have to use the thinking of Sun Tzu's Art of War," Du Yuejin said.

Turning the technical level into industrial capacity

In the early stage of the development of intelligent networked vehicles, equipping them with sufficient network security functions was not fully considered. It was not until frequent vehicle network security attacks caused great social repercussions and threatened the personal and property safety of users and automobile companies that car companies began to realize the importance of vehicle networking security.

Around 2018, automotive enterprises and network security technology companies began to invest in automotive network security technologies to improve the network security level of intelligent and connected car products in all respects. European and American automobile companies, represented by Mercedes-Benz, and Japanese and Korean enterprises, represented by Nissan, have built network security cloud platforms that let car owners independently control how open their vehicle data is and improve the protection of personal data. At the same time, they cooperate with third-party network security enterprises at the factory end to find and repair the security vulnerabilities of intelligent and connected car products, and they have established R&D management systems and information security platforms within the company to ensure network security at the level of the product development process.

Domestic enterprises are also stepping up their deployment of network security protection. New car-making forces have begun to form network security teams and to cooperate with network security technology companies to establish network security protection systems with active defense at the core, and traditional car companies are actively following.

Du Yuejin pointed out: "In the development of intelligent and connected vehicles, China belongs to the first echelon. In terms of safety technology, we are not lagging behind, but whether we can transform technical strength into industrial capabilities is another matter."

"360 was one of the first teams to find the most problems in the field of the Internet of Vehicles, which technically reflects our strength. At the same time, last year's italia produced two international standards related to intelligent network vehicles, which were led by 360 and recognized in the international professional standardization organization, which also proves our ability in this regard. Therefore, from the technical level alone, we are not weak, but for the technical level to become an industrial ability, we still need to work hard. Just like the current epidemic, it is one thing to be able to make a vaccine, and being able to vaccinate everyone in time is another ability," Du Yuejin explained.

Global network security patent technology source countries

As Du Yuejin described, although China's network security technology research started late, after rapid development in recent years it has caught up with global progress in network security technology and become an important force in safeguarding global network security. The data shows that the number of patent applications in related fields in China is close behind that of the United States, accounting for 38.36%.

But beyond the level of technology, the real gap is reflected in thinking and culture. "For example, in a formal security company like 360, the purpose of our vulnerability researchers in finding a problem is to tell the car company right away so it can fix it quickly and prevent consumers from being harmed. But many car companies not only do not feel that you are helping them, but also think that you are endangering them. Some companies in the United States have long offered public rewards to let people come and find their problems, not to prove that they cannot be broken, but to improve after problems are found. This culture has not yet formed in China," Du Yuejin said, giving an example.

In addition, automotive companies and even many IT companies have problems in how they perceive security. Du Yuejin explained: "They all use positive logic, but the ultimate study of network security is the confrontation between people. Just as "Sun Tzu's Art of War" says to understand the opponent, your logic should be reversed. This is the collision of two modes of thinking, and car companies need to make such a change."

Safety defines the car

Car safety is no small matter, but solving safety problems is not an easy task. The amount and type of data collected and processed by intelligent connected cars, and the complexity of the scenarios they face, far exceed those of PCs and mobile phones. The concept of security has also changed fundamentally between the two: the network security of PCs and mobile phones involves only property and privacy, but the security of the Internet of Vehicles involves the safety of life and can even affect the security of an entire city or country.

The Internet of Vehicles is part of the automobile industry and also part of the Internet, and to do a good job of security precautions, we must learn from the mature experience of the Internet. "The Internet has given us two very important inspirations, one positive experience and one negative lesson," Du Yuejin said.

The positive experience is that without enough openness, the Internet would not be what it is today. The greatest value of the Internet lies in interconnection, and the future Internet of Vehicles will inevitably become one as well. From this point of view, it is necessary to learn the spirit of the Internet and be truly and fully open.

The negative lesson is that, in designing protocols and standards, the Internet of Vehicles should avoid the pitfalls the Internet fell into. The Internet did not think much about security in its early design. It followed a "minimum enough" principle rather than designing things to be complete, with the result that today's patches grow more and more complex, and pressing down one problem makes another pop up.

"It was fine at the beginning, because in the early days of the Internet, no one carried out destructive attacks on the Internet, but now we have to directly face destroyers armed with real knives and guns. If it is still like the original Internet, the consequences are fatal. Therefore, in spirit we should learn from the Internet and do it in a truly open way, but in specific practice, especially in terms of security, we should consider it more fully from the beginning," Du Yuejin said.

On how to improve the safety performance of automobiles, Du Yuejin believes that, on the one hand, product safety problems should be solved before market launch and delivery through the establishment of digital collision factories, and on the other hand, it is necessary to cooperate with high-level professional safety companies to address the operational safety of products.

Nowadays, data is regarded as a new factor of production and even as part of core competitiveness, and many companies are reluctant to share it with partners. But data sharing is a gap that Internet of Vehicles security has to cross.

"Comparing data to oil and gold is not entirely accurate. If data sits in your hands unused, it is garbage and a cost. As the company with the most secure big data in the world, we at 360 invest a huge amount of money in big data every year. Big data must be combined with big data analytics to make it worthwhile. At the same time, the data of your own company is far from enough; you have to link up horizontal and vertical data and analyze it to produce value. So there is no other way: the only way is to keep data flowing and shared while keeping it secure. This is technically solvable, and although it is not yet fully mature, there are solutions," Du Yuejin pointed out.

Detection rate of penetration testing problems of intelligent and connected vehicles in China Software Evaluation Center

With the development of technology, the operating environment of intelligent networked vehicles is becoming more and more complex, and there are more and more threats and risks, and car companies have to improve their safety capabilities to ensure their influence in the industry. In this regard, Du Yuejin put forward three suggestions to car companies:

First, improve the security of in-vehicle software. Product safety is the foundation. Reducing software security defects during research and development, rather than patching after product delivery, is a new capability for car companies.

Second, strengthen algorithm security. Algorithm security and software security are two different concepts. Algorithm security is the robustness of the algorithm itself. In intelligent driving, people have no opportunity to intervene and can only choose to trust the artificial intelligence algorithms, but this rests on the premise that the data and algorithms have no problems, so the safety of the algorithm itself is extremely important and needs to be highly valued.

Third, focus on emergency response. All standards and prior work cannot guarantee that there will be no problems, and the most important thing in this case is emergency response capabilities. It is important to be able to respond quickly and fix problems in a timely and accurate manner after discovery.

Whether it is a hardware-defined car, a software-defined car, or a future data-defined car, meeting users' most basic security needs is an absolute prerequisite. The threshold for car building has been lowered, but the difficulty of creating a good car that meets users' needs is increasing, and the new capabilities that car companies need to build keep expanding. While new functions continue to be put into the car, car companies must stand on the basic foothold that "safety defines the car".
