Open Source Autonomy - A Security Threat or Shield?
With StreetDrone advocating an industry-wide change to open-source led urban autonomy, does it follow that cybersecurity will be weaker if it is based on publicly available code?
StreetDrone, a leading full stack autonomous vehicle company based in the UK, has been a strident advocate for the benefits that a collaborative approach to autonomous mobility could deliver to slow-speed, city-based solutions. The company believes that open source provides a better and faster pathway to urban autonomy when measured against the closed solutions being pursued by car makers and the large self-driving companies. But what about the vulnerability of driverless cars if the code at the heart of the machine has come from a public, rather than private and secured source?
It’s a logical assumption to make that a driverless car powered by open-source software might be more vulnerable, especially since the sheer quantum of data a truly autonomous vehicle will generate and share with other vehicles and the surrounding infrastructure is huge. Early estimates from Project Darwin, a collaboration between Oxford and Glasgow Universities, Spanish satellite operator Hispasat, StreetDrone and the European Space Agency, suggests that the average connected and autonomous vehicle (CAV) will generate and transmit around 4TB of data per hour. That’s the equivalent of 83 filing cabinets of data being set free every minute, so the vulnerability to malicious attacks might, superficially at least, appear to be extremely high.
Add this threat to the highly complex AI engine that is seeing, identifying, predicting and planning the CAV’s operation, the safety challenges to realise autonomous operation could seem to the casual observer to be almost insurmountable.
Digital security, alongside the underlying technology, has therefore become a first order priority for autonomous vehicle operators. In May, 02, the UK arm of Telefónica, announced that they had completed an Innovate UK-funded project looking at the cybersecurity vulnerabilities of connected and autonomous vehicles and set up a blueprint to protect the UK’s self-driving cars from cyber-vulnerabilities. Brendan O’Reilly, CTO at O2 said, “If connected and autonomous vehicles are going to become a permanent fixture in our day-to-day lives, it will be critical that governments and the public feel reassured that this technology is secure from cyber-attacks. We’re proud to have worked alongside other sector leaders to create a cybersecurity blueprint that will help the UK lead the way when it comes to innovation in the intelligent transportation systems of the future.”
In order to assess whether the software is more or less resilient to cyber-attack depending on its origin from either an open or closed source, the closest inferences can be derived from large-scale open source platforms.
GitHub is perhaps the most significant convening point for scale application of open-source code, with over 26 million users working across 67 million repositories. Common practice across the GitHub community is a modular approach to code authoring which allows developers to re-use code blocks that perform standardised tasks, such as writing data to a database, in order to speed up routine code scripting processes. Security flaws in this generic code can unwittingly proliferate through this common practice, let alone the challenge posed by more active security attacks.
Following its $7.5b acquisition by Microsoft in 2018, GitHub made some significant application-led security upgrades to its platform, acquiring code scanning tool Semmle to automate security flaw scanning across code repositories. However, according to software auditors Veracode, it is precisely the same strength inherent in open-source collaboration that makes code resident on GitHub more resilient to attack. “The thing about GitHub is it’s inherently open, so something to improve the landscape of open source doesn’t have to be done by GitHub,” says Veracode’s CTO, Chris Wysopal. “There’s nothing stopping a third-party from scanning all of the GitHub repos, looking for vulnerabilities, and sending information to those project maintainers.”
As the world’s most pervasive open-source platform, the GitHub model is an exemplar of how collaborative solutions can actually enjoy better levels of security than closed ecosystems. Mike Potts, CEO of StreetDrone says, "Safety has been the foundation stone of everything we do at StreetDrone, so when we started considering the virtues of open-source to power slow speed urban autonomy, we had to question whether it was a cyber-safe pathway. Of course no solution is 100% watertight but because of the huge spread of collaborative investment in open-source solutions, there is an equivalent desire and capability to patch protect and defend code created through collaboration.”
With the safety debate closed, StreetDrone are now focussing on the best approach to harness the huge potential in collaboration to accelerate urban autonomy solutions - look out for more exciting news on this development soon.
If you like to chat to us, please do get in touch at firstname.lastname@example.org