Internet-connected and driverless cars could be targets for hackers—potentially including terrorists and hostile nations—so the automotive industry must ensure vehicles have built-in cybersecurity protection, a top U.S. Justice Department official said.

“There is no Internet-connected system where you can build a wall that’s high enough or deep enough to keep a dedicated nation-state adversary or a sophisticated criminal group out of the system,” John Carlin, U.S. assistant attorney general for national security, said Tuesday at an auto industry conference in Detroit.

The burgeoning market for cars connected to the Internet is expected to be valued at about $42 billion by 2025, with more than 220 million vehicles on the roads. Companies are expanding investments in telematics, which combines computers and wireless technology to provide services such as infotainment and real-time traffic updates to moving vehicles. Toyota Motor Corp., Google, Ford Motor Co., and Baidu Inc. intend to introduce driverless cars in as soon as five years.

“If you were able to do something that could affect a large scale of an industry—like 100,000 cars—you could see that being in the arsenal of a nation-state’s tool kit as a new form of warfare.”
U.S. agencies and regulators are trying to make the auto industry more aware of cyber threats and quicker in acting to plug security gaps, Carlin said, and agencies can share information about threats with companies.

“This will be the next battlefront,” Carlin told reporters after his keynote speech at the SAE 2016 World Congress. “Right now what we have is this combination of carrots and sticks, and there’s not a one-size-fits-all protocol that’s been mandated by statute.”

Questions about the auto industry’s responsiveness were raised last year when Fiat Chrysler Automobiles NV waited 18 months to tell federal safety regulators about a security flaw in radios being installed in more than a million vehicles that security researchers exploited in July, seizing control of a Jeep just to show it could be done. The episode led to the recall of almost 1.5 million vehicles—the first auto recall prompted by cybersecurity concerns.

Carlin said government agencies and companies across different industries are in the “early days” of dealing with rapid technological change and with laws and regulations on cybersecurity that are “very unsettled.” For the most part, the government encourages companies to take steps voluntarily to secure their products and services.

U.S. officials also want the auto industry to be aware of threats that other industries face and think about ways to work together and with the government to safeguard emerging technologies, according to Carlin.

Hackers of all varieties could try to do harm through connected cars, he said.

“If you were able to do something that could affect a large scale of an industry—like 100,000 cars—you could see that being in the arsenal of a nation-state’s tool kit as a new form of warfare,” he said.

“We’ve seen rogue nation states try to assassinate those that do not share their beliefs,” Carlin said. “If they were able to do it remotely through a car, I don’t see why they consider that a safe zone.”