Is contributing to a good infosec cause worth working for free?

[Blog post] Cars with bugs could prove fatal.

There is no doubt cyber attacks will have life-threatening consequences over the next few years, especially if the escalating cyber security problem remains unchecked.

Small and important steps are being taken to mitigate the problem - such as Intel taking the lead for the car industry by setting up the automotive security review board (ASRB).

But for the infosec professionals being asked to provide their expertise to the board free of cost, it's a tricky area to navigate.

The backstory is that many of the big names in car manufacturing have been demonstrably vulnerable to cyber attack over the past 12 months, given networking connectivity is becoming more pervasive across all models.

The likelihood of a successful attack is increasing exponentially and Jeep, Land Rover, Chrysler, General Motors, BMW, Ford and Toyota have all been in the firing line.

It doesn’t take much imagination to consider what could happen if an attacker were to hit your brakes at 100km/h on the freeway in rush hour.

So it is encouraging to see that Intel has established the ASRB to research methods and best practices for improving automotive security, with a focus on products and technology.

ASRB researchers will perform "ongoing security tests and audits intended to codify best practices and design recommendations for advanced cyber-security solutions and products to benefit the automobile industry and drivers".

Areas of focus include the engine and transmission, remote access, smartphone interconnect, steering and braking, and of course, the entertainment system.

I’m also heartened to see that Intel is advising a traditional, layered approach to security architecture including hardware security modules, hardware services and software security services.

The approach includes the building blocks of enterprise security architectures we already use today, such as anti-malware, containerisation, network enforcement, identification and authentication, cryptographic services and patching, but also includes some of the principles of control systems security that aren’t as commonly considered in enterprise networks.

So on one hand, I applaud Intel on this initiative and feel it’s really encouraging to see big IT investing their own time and money in helping big industry address their cyber concerns.

However, I am a cynic at heart.

Where I have a problem is that once again the professional security industry only gets traction when we work for free.

Altruism is a noble cause, however, why can’t the automobile companies pay for this work themselves?

The question I ask is, can this be a truly charitable initiative or are we gullible and innately curious security guys being exploited for our good nature?

Intel will undoubtedly take the best of the ASRB research, productise it and take it to market, licensing it back to the automobile industry to make a tidy profit.

If this were the medical industry, big pharma would invest millions in the research, but they know it’s worth it, because the pills and treatments that come out the other end would be worth billions in the global market.

Like many of these things, I guess only time will tell, but I encourage you to do your own research before committing all your research cycles to something that will ultimately line the pockets of a large multinational that should really be paying for your intellect and experience.

Tony Campbell
Tony Campbell has been a technology and security professional for over two decades, during which time he has worked on dozens of large-scale enterprise security projects, published technical books and worked as a technical editor for Apress Inc.

He was the co-founder of Digital Forensics Magazine prior to developing security training courses for infosec skills.

He now lives and works in Perth, where he maintains a security consulting role with Kinetic IT while continuing to develop training material and working on fiction in his limited spare time.

Read more from this blog: Unpatched
