In the decade leading up to 1970, #hijackings were out of control. In 1969 there were 87 hijackings worldwide, with 40 of those occurring in the United States. For the #aviation industry, that was the final straw. How did the United States reduce hijackings? In 1970, it began screening passengers for weapons before they boarded the aircraft. Today, we find ourselves in the same situation. There have been enough #botnet attacks hijacking the internet to finally spur action to ensure all digital products “boarding” the internet be secure. Just as we screen passengers getting on planes, we need the ability to screen and recognize #internet traffic cruising with malicious intent. The solution must be multifaceted, from ISPs to companies making and buying IoT devices. Innovators must accept the responsibility to slow their race to the market and focus on delivering more secure digital products.
On January 5, 2018, the U.S. Secretaries of Commerce and Homeland Security published a “Draft for Public Comment” on Executive Order 13800: “Enhancing the Resilience of the Internet and Communications Eco-Systems Against Botnets and Other Automated, Distributed Threats.”(1)
The Draft highlights the risks posed by ever-increasing #botnets in size and speed of attacks. Insecure, and thus dangerous, IOT devices are being installed in homes and businesses on every continent and are expected to outnumber mobile phones in 2018. Aligned under 5 goals, the Draft proposes 23 #actionable steps to be taken by government and industry to move the botnet acceleration needle in the other direction.
We believe this report is a well-thought-out document and we commend the inclusion of actionable steps toward eliminating the impact of botnets. The calls to action underscore the importance of each company to understand their role in the shared risk of enabling the existence of botnets. Aviation companies, like those in all sectors, play many roles in the digital ecosystem that supports botnets: as the purchasers of IoT devices, in configuring networks, in addressing vulnerabilities, and in product design and development.
All industrial sectors need to understand the impact not only to individual companies in their sector but also to the sector itself. Since inception, we have espoused the concept of shared risk reduction. For example, both airlines and airports can be significantly impacted if one or the other becomes incapacitated due to a #cyberattack. Similarly, attacks on their supply chains, the global aviation communications networks and more, have the potential to cause a significant ripple effect.
The commercial aviation industry has a tremendous track record of continuously improving safety and #resiliency over the past decades. The report highlights the need for sector-specific and cross-sector information sharing. Companies with well-funded and established cyber programs must lead and share with the less cyber mature companies.
The Executive Order is looking for ways to incentivize security. Independent researchers will continue to find errors in #coding. We applaud researchers who work with companies under the model of responsible disclosure, thus giving the software development company time to issue a patch ahead of global awareness of the vulnerability. Market forces will likely drive litigation against companies for coding errors that resulted in vulnerabilities proven to be the root cause for loss due to a cyberattack. We recommend consideration to limit liability to companies who make swift public disclosures of vulnerabilities and quickly issue patches. This will incentivize two key pillars in reducing cyber risk: the independent researchers will be motivated to continue notifying companies of coding errors and companies will be incentivized to respond quickly to validate these concerns and act appropriately. This will drive companies to stay abreast of the security of their products.
Goal 3 in the Draft addresses the future: “Promote innovation at the edge of the network to prevent, detect and mitigate bad behavior.” As a global critical infrastructure, the aviation sector is poised to lead efforts in support of this goal. We intersect at many points with government infrastructures that manage air traffic controls, airports, and defense #airspace. We are rapidly growing and already have in place a worldwide network for aviation companies across the entire aviation ecosystem to share critical intelligence information.
We highlight the importance of Goal 4’s Action 4.5 “The cybersecurity community should continue to engage with the operational technology community to promote awareness and accelerate cybersecurity technology transfer.” Within the aviation industry, the OT and IT communities are on the cutting edge of innovation in safety and cyber security. We will continue to support and encourage the exchange of best practices in product development and design.
The Draft is a call to both industry and government to drive the pillar of security into the burgeoning IoT industry. We wholeheartedly support and endorse this effort and global exchange of best practices in our sector and across sectors to continue to make the global aviation market safe and resilient.
It is about time.