What can we learn from the JLR hack?
The cyberattack that shut down all of JLR’s operations at the start of September has been well-reported in the mainstream and trade press. As with earlier attacks on UK retailer M&S or major dealer group Arnold Clark, JLR chose not to pay the ransom demand to the gang responsible, but to repair and restore the systems that had been damaged. There was an original ambition to get everything back up and running within a week, but as tends to be the way with such attacks, things turned out to be more complex than originally thought, and production only restarted this week.
The focus of the press comment has largely been around the disruption to customers and suppliers, and the financial losses that would be incurred. Financial guarantees have been provided by the UK Government to allow JLR to secure loans that can be used to make interim payments to suppliers. The effect on retail is most significant in the UK as the supply chain is shorter, and largely reliant on JLR systems. Given the brand positioning and high customer loyalty, it seems unlikely to me that many sales will actually be lost so revenue will more likely be delayed than lost if the company is able to work additional shifts, cut holidays and take other actions to recover the lost production volume in the coming months. Customers whose cars have been off road due to delays in sourcing spare parts may be rethinking their next purchase, particularly if they were also affected by an earlier disruption when JLR introduced a new central parts warehouse. Overall, to me it feels like a painful experience, but one from which JLR and most of their trading partners will emerge with bruises and some big lessons learned.
I am no expert on cyberattacks, but my understanding is that the criminals usually only need a single point of entry from which they can create widespread corruption in company systems, due to the highly integrated nature of modern enterprises. Although relatively unusual, we have had instances where an attack on one company has been with the deliberate intention of spreading it to their trading partners through, for example, introducing a corrupted software update that is then downloaded by multiple customers. Given how many applications are provided by manufacturers to both their suppliers and dealers, this must be a possibility for our industry, and one which we must take seriously.
There is, however, a more significant threat. Cars are increasingly connected wirelessly to their respective manufacturers, bringing great potential benefits in terms of making updates and upgrades available without the need to visit a dealer. Manufacturers hope to create new revenue streams through selling product upgrades and online services to their customers. Beyond that there is the potential for connectivity between cars and other cars or infrastructure to help in route planning, collision avoidance and improved autonomous driving capabilities. These would bring benefits to drivers and to society at large. However, it also creates more opportunities for malware to be spread to millions of cars.
My friend and fellow AM Awards judge, Professor Jim Saker, has raised concerns about the risk of Chinese Government exploitation of connectivity in Chinese cars. He has suggested that if they wanted to create huge disruption they could send malicious instructions to all Chinese cars, or other cars incorporating key components sourced from Chinese suppliers, and instruct them all to carry out emergency stops, creating multiple collisions and gridlocking our roads. With my 25 years’ experience of working with the Chinese in various capacities, and now working as a retailer of Chinese cars through Auto West London, my personal opinion is that the Chinese are more focused on commercial domination than they are on conquering the world in any military sense.
I think there is a much greater risk that cyber-criminals decide to change their focus. Big businesses may decide that they can refuse demands to pay ransoms when it is only directly affecting their own operations. They may still feel the same even if the threat extends to their trading partners. But what if the threat was to disable tens or hundreds of thousands of customer cars? It would be a brave CEO who asked his customers to bear with him or her for a month or so while they came up with fixes. Whilst I fully recognise the great value that will be delivered by connected cars, is the risk of cyberattack by criminals, rather than state actors, too great to make that a smart move?
Photo source: JLR