Fiat Chrysler Automobiles is the eighth largest auto maker in the world and the third largest in the U.S., but the company has been thrust to the forefront of the industry as the result of two recent events: the Jeep hack and this week’s report of a failed software update. Each event served as a defining moment for the industry to take action on two critical and related issues: cybersecurity and software updates.

The first event was the hack of an FCA Jeep two years ago by Charlie Miller and Chris Valasek, both of whom now work for General Motors after previous stints at IOActive and Uber. The Jeep exploit, which involved remotely controlling a Jeep which had been hacked in advance for the purpose, ended, once and for all, the general feeling of denial among auto makers that there was a cybersecurity problem facing the industry.

The Jeep hack exposed the lack of internal processes at most car companies for responding to a reported vulnerability, which further exposed the limitations of existing processes for correcting a vulnerability. That exposure cost FCA tens of millions of dollars in recall expenses while setting the stage for an extraordinary software update retrofit to the effected vehicles.

The hack also touched off a furious round of finger-pointing among suppliers including Harman, QNX and Sprint. To this day, emotions surrounding this minor catastrophe remain raw. Business relationships were tested by what was perceived at FCA as nothing short of betrayal. 

From that point in July 2015 forward, no automaker could ever again claim ignorance of the importance of addressing cybersecurity. In an instant, FCA was the global poster child for automotive cybersecurity failure. No other car maker wanted to be in FCA’s shoes.

Coincident with the hack, legislation was passed in the U.S. and the U.K. requiring automakers to address cybersecurity. The Auto-ISAC, created by the Alliance of Automobile Manufacturers, began operations coincidentally one month later in August 2015.

All in all, the industry learned a lesson from FCA, caught in the crosshairs of well-meaning hackers. At least they seemed to be well-meaning, right? FCA was neither the first nor will it be the last car company to have a vulnerability exposed in a high profile manner – but the publicity surrounding the Jeep hack was the determinative factor – with online videos and explanations from Valasek and Miller.

The latest event, was the software update failure reported by Jalopnik early this week and impacting MY 2017-18 FCA vehicles. A software update to the infotainment system initiated a process of system rebooting that reportedly repeats every 40 seconds.

https://tinyurl.com/y8gmwzrs - Jalopnik update on FCA Software Update Problem

Since the story is more of a customer satisfaction issue than a media event trumped up by clever hackers, the details have escaped the notice of general news reports for the most part. This is in contrast to a Toyota software update failure from three years ago that “bricked” infotainment systems and was reported by local news outlets.

No, the current event has taken place largely between FCA and its customers on social media and within the tech news reporting community. But the issue is no less seismic than the now infamous “Jeephack” which has practically become a new word for Merriam-Webster.

Tesla Motors has widely demonstrated the power and value of software updates for fixing bugs and adding or subtracting functionality to cars. It’s unclear precisely what the original purpose of the current software update was intended to accomplish, but the failure highlighted the fact that software updates are becoming a normal and necessary function of in-vehicle systems.

As in the case of the Jeephack, fingerpointing among suppliers has ensued in the wake of the update failure. The unfortunate reality for FCA, once again getting bad press for a technical issue, is that the company has multiple suppliers with software update expertise (QNX, Harman/Redbend) none of which appear to be implicated in the current event.

Since the update appears to impact mainly the SiriusXM application, for which FCA has had a longstanding software update capability in place, the expectation is that fault lies with SiriusXM. Neither Harman nor QNX had a comment in time for this report and a response from SiriusXM is pending.

Setting aside finger-pointing, let’s look at what we have learned. Software updating of cars is essential. But don’t take my word for it. Here are some thoughts from the leadership of the eSync Alliance, a new association focused on establishing standards for software updates and promoting the adoption of this technology in the automotive industry:

“Software is taking over every bit of the vehicle and unfortunately software problems and recalls are increasing dramatically. This is a problem that the industry has to tackle now. And not just updating infotainment but we need reliable updates and real-time data for every ECU in the entire vehicle right now.

“Over the air (OTA) software updates can provide a faster and more economical way for automakers to execute safety and efficiency recalls, but like any IT system it’s important to ensure updates don’t cause more problems than they solve.

“We think the automotive industry needs smart OTA systems that have the ability to gather real-time data before, during or after the update process. Here we mean not just error codes but actual operating parameters of the various devices, to observe the effect the update has on the system.

“If, despite all efforts in testing and verifying, some device in a vehicle was made worse instead of better by an update, the software can then be rolled back to the prior version. As we move forward to updating more of the safety critical systems in vehicles we will need these capabilities to ensure the highest levels of reliability and dependability which have been the hallmarks of the auto industry. Alliance members were showing this eSync capability in demos at CES.

“OTA is still a relatively new technology for the automotive industry. The benefits will be substantial, but as with any new technology there may be a learning curve. One of the benefits of a multi-company initiative like the eSync Alliance will be the opportunity to share best practices and information regarding future needs from a complete supplier and OEM ecosystem. Not every problem requires a technical fix -- sometimes it is just a matter of organizations learning how to use the technology, without each and every company tripping over the same stumbling blocks.”

In the end, whether it is a hack or a failed software update, it is the brand of the car maker that suffers. While the Jeephack was a clarion call to the industry to prioritize cybersecurity issues, let’s hope the update glitch inspires a similar effort to take on this technical challenge. 

There is a risk that car makers might take the update failure as cause to pause. The reality is that cybersecurity and software updates go hand in hand. These two applications will have to be resolved in concert.

As a final note, FCA has been leading in more positive ways as well. Where competing car makers turned up their noses at doing business with Alphabet’s Waymo subsidiary, news arrived two weeks ago of Waymo’s plans to buy thousands more Chrysler Pacifica’s from FCA. That’s leadership, too.