Remarks from adam the cybersecurity and structure security agency, and a top official from the uk and israel. Welcome back everybody, did you get a good stretch, the home stretch of the program today. Again, there will be three panels coming up, followed by two towards them, as i talked about before, very special guest will receive a lifetime award today, so, you certainly will want to be here for that. The next panel is with the chief security Information Officer is the cyber leader panel, they are fortunate to have some great people appear to talk to us today, the moderator today is the Vice President of Public Sector. Joining him is the chief Information Security officer from the u. S. Department of justice. The chief Information Security information ist from homeland security, and a deputy cio for cybersecurity and the dod chief Information Security officer. And the chief Information Security up there and she privacy officer for the Export Import Bank of the United States. Over to you, frank. Thank you, please, have a seat. Thank you, panelists for joining us today. I know tom officially one of the panel because of the great help in together, my name is frank i run the Public Sector and for those of you that knows and our customers i would love to meet you and i will be here today, because you that do not know blanche we are a teacher, the next the software as well. A sure my time i thought we would just jump in. If i could just starting go down the line. Well talk a minute or two about your agency and security environment and some of the top childrens youre doing with today. Sure. So, they chief Information Security officer for the Department Justice the department is, we have about 100 to 2000 users, 2000 and points, lots of different types of networks we have to protect. Out of information as we do law enforcement, we do litigation, incarceration, the whole lifecycle of criminal justice is really what the department of justice does. I tried to protect the mission as i can. Some of the challenges looking at how we can adapt to the rapid pace of the changing missions and how we can support the better. How we really can integrate security in systems as we try to deploy the really quickly and, so, im looking at ways we can rapidly catch up, not catch up but keep up and be able to enable those missions especially want to be able to adapt and address these kind of problems. 20 years insider, we can never fast enough. Im trying to change things so we can do that, that is my goal is to really make security and enabler rather than try to catch up and tell everybody know all the time, i want to make sure we are helping them complete their mission and be successful. Thank you. Im Shayna Barney and the chief security Information Officer at immigration services. We are a component of homeland security. We are responsible for the demonstration of the ration system which is the demonstration of benefits citizenship, work permits, legal residencies, these type of things, we partner with other components in the agency on immigrants related issues. The mission is a large mission, a complex mission, there is a lot of moving parts, once in a blue moon you see something about it in the press. Maybe. But, no, the less capable reworking, you know, we are spread, offices rental real. About 190 some odd and points, economy, where the earlier office we have been caught about 10 years. About 85 maybe of the agency is called basic this point. Many more . We are still releasing and developing and doing the things. Staying on top of that, staying in front of that, while securing the cloud, securing against all the threats we have not even a note about you. It is a challenge, the mission. So, it definitely is the dynamic, neverending. Excellent. Thank you for sharing. So, good afternoon, i am the assistant dso, in terms of our side of the scope we have 3 to 4 million users, about 4 million and points managed 10 points and operating systems, if you look at Network Devices for the real cyber attack services, about 12 million implement. And as neil said, global scale, pretty big scope of what it is that we are responsible for, in terms of the biggest challenge, when you have attack surface that large, it is probably not that difficult to find a user on the 4 million doubleclick on whatever link you sent them and to kind of find the weakest link in the chain when you have that large of a chain, a big part of our emphasis is trying to look at converting the cost curve, right now, it is not that expensive for adversaries to be able to attack us and, you know, try and, you know, waste through our defenses, it is extensive for us to keep pace so we have to come it seems like we will find a new exploit, a tool to stop the particular exploit and the thing is to try something different. We try to find out what we can do to make the dod defense is a little bit more agile so we do not have to continue to buy new tools every time the adversaries pivot their capabilities. So, that is part of the macro level. Hearing about the size of your environment me anxiety. That is why you are here. I am stacy don from Export Import Bank of the United States, i am the official chief privacy officer. How many of you have heard about export import take of the United States . A fair number. But, there are some that have not. They are the agency that keeps jobs in the United States by providing credit and insurance and guaranteed products for companies exporting to other countries. We only have about 500 some odd users, so, our scope is quite different. But because we are a small agency, we have the challenge of being able to ward the tools that you have and are held to the same standards from dhs as the larger agencies. So, we have smaller staff, a lot less tools, but the same mission to protect data. Excellent. Thank you and thank you all for sharing. I thought we would start off talking about it modernization how it impacts your world and efforts of organizations, you are no stranger to the topic, i find it pick up on this question here. But, meditation is part of the Public Sector today, we are dealing with upgrades to the system, trying to meet objectives, resulting in the limited of the physical boundaries. Micro services is the Unstoppable Force taking over it today. How are we going about customizing your approach to cyber in the new ephemeral world . So, i will start off with that, the it modernization strategy, we casted the digital modernization, as easy as my boss, he has spent a year of the tenure honing in on how we need to modernize to keep pace with the challenges we face . I, theres four pillars to that strategy i hope i do not have a Holiday Express moment and forget. The first is clouds. That is one of the major efforts we have, trying to implement our dod Cloud Strategy trying to drive the department to make better use of clouds. The real intent is to be able to drive agility into the department to break new capabilities to the field faster. The second is Artificial Intelligence. We recognize just about every country in the world has a i to have the potential to revolutionize how the department of defense does information, we fight, how defend the country. So, that is a huge area of importance. An obvious intersection between cloud and Artificial Intelligence, making sure computing is available for the ai algorithms run with a joint Artificial Intelligence are i believe yesterday the general walked through a little bit what for the mission is and how they are helping to bring change to the department. The third pillar is command control and medication, basically, how we talk, integral to how we fight, modernizing department, so, everything from satellite to just your Standard Networks including 5g and all of that. The final is cyber, to get to your question about question a how do we keep pace. I really have two main functions inside of there. The first is how do we drive down risk for the department . How do we make sure that we can execute our mission in the face of some of the worlds best cyber actors that are trying to undermine our ability to succeed . The second major goal, though, is how do i support those other pillars of modernization. You could have the mote most agile cloud in the world, but if we apply the same technology, were not going to be able to deliver on that agile promise. Thats kind of the main focus from a cyber perspective as it ties to our modernization. Great. From my perspective, you know, both these gentlemen and actually you too are at an agency level, my focus and understanding of the problem is slightly different. Weve because weve been in cloud for as long as weve been in, weve had to start dealing with a lot of these issues. For me it kind of comes back to a saying, i was recently at the aws conference, which really kind of ties it all together is if infrastructure is code, then security is code. So for my perspective at an agency level, if i have a sock and my sock does not have developers on it, not only am i losing the battle, ive actually probably already lost the war and im not even aware of it yet. Having been in the cloud for as long as weve been in, weve obviously had some incidents, weve had interesting experiences with it. Learned a lot. Every single incident that we had, it was the twdevelopers wh actually came in, they were the ones who came in and helped us solve those problems and develop the new methodology and tools to help us deal with that. Cloud is evolving faster than you can possibly keep up with it. Having those developers in place as part of your strategy is critical and we started implementing this about four or five years ago. Its a really key aspect to this whole modernization approach. Yeah, and really, i mean, so we look at i. T. Modernization isnt simply just, i mean, it certainly is there to address needs and things like that, but also getting rid of some of that tech debt really can help improve our Cyber Security landscape as well. Its very difficult to update and keep up and patch and to everything you need to do for a system thats ten or 20 years old. How can you possibly secure those kinds of systems, really turning your Security Teams into developers, really migrating to that kind of model and embracing it, thats the way weve got to go. Weve got to be able to be fast. Weve got to use code, our security as code, and thats the way to success in my mind is if were not going to keep up, theyre going to go around us. With we need to get rid of these old systems and modernization is really the metsd to get there in my opinion. Stacy. Part of i. T. Modernization is finding everything that you have out there, and i think that thats a challenge because theres a lot of shadow i. T. , even in a small agency. All of a sudden well do a report, and well find out somebody east u somebodys using a system we didnt know about ask p we have to find a way to modernize that and make sure the networks protected at all times. Thats great. I love that phrase, security as code. Just a followup question, is that changing the profile and the skill sets you are looking for as you build out your staff . Is that evolving . Oh, yeah. Youi look at the contracts a the staffing models that were using. I redid my entire division thats responsible for Information Security and Cyber Security, and in doing so we redid the entire structure around that model, so weve done away, you know, part of what we have to end is a compliance mindset. Government loves compliance. With we love to create matrixes and add Little Things to it and assign colors to it and make it glow green and yellow and pink and purple. At the end of the day, somewhere up the line it makes people happy because its green, but it doesnt really make you secure. We get kind of lulled into that. When we redid it, i banned the word compliance and started thinking of everything in a risk model sense. Everything should be based on risk and risk assessments and mitigation of risk, and how do we go about doing that. In a cloud environment, its the Development Teams that come in and help us do that. So what its doing is changing the very dynamic of that work force. Whereas it use to be wed have a security analyst, youd have your compliance officers. Now youve got these high end unbelievably nerdy, you know, cyber specialists who can do Amazing Things and cant really, you know, talk in ones and zeros, theyre sitting with these Development Teams that are helping them build the tools necessary to drive forward your mission and to deal with the Security Issues as they arise. It should change it. It has to change it. Yeah. And so to even take that further, you know, thinking that were going to the same touch of skills. Network monitoring is different in these modern architectures, right . Youre not going to be a Network Security analyst. Youre likely going to be looking for developers, developers have to be part of your Security Team, your Security Team has to be part of the dev teams. So i do think that weve got to look at people that are going to have those kinds of skills, analytics, developing, scripting. Its much different than your traditional Network Security kind of view, right . You cant just look at p caps anymore. Sure, sure. If i could also ask you to follow up something you said jack. You mentioned a. I. For each of you, where do you see the role of a. I. Playing in cyber or your environment today . Is there one yet or is it still a developing piece of technology . So the good news is yes to both. It is definitely still developing and evolving. Again, i dont know how much general shanahan touched on this yesterday, but one of the Mission Initiatives that his organization is sponsoring for the department is basically leveraging a. I. To basically help with cyber defense, and i think that what we are certainly seeing trends where both the malicious cyber actors as well as now the defenders are looking at how a. I. Could be leverageed and really its probably more Machine Learning type stuff than true a. I. , but leveraged to be able to find and exploit vulnerabilities faster on the attacker side and therefore for us to be able to have the kind of agility, how do we leverage a. I. To be able to anticipate the types of moves they will make and then counter them. Im going to agree with jack on that, but the other thing is we need tools like a. I. With modern technologies that are coming like quantum computing and 5g so we have to prepare for the future because right now theres a deficit at cyber professionals, and we need tools to help us so we need to rely on things like a. I. Absolutely. Yeah, we have seen that theres incredible potential and opportunity in tools like a. I. And Machine Learning, and the foundation for that from what ive seen in my colleagues is im having pure large clean data sets. If only there was a Software Company that could help with that. Ill move on. I i want to talk about shared services. So shane, ill actually start with you. Naturally. The security executive order and the i. T. Modernization report have been encouraging Government Agencies to really increase the use of or consider increasing the use of shared services as well as Common Security frame works. How will shared Services Benefit you or your peers on the stage as you think about your approach to cyber and improving cyber across the federal government . So im kind of on the yes and no on the shared services thing. Shared Services Offer some really unique opportunities and framework modeling type thing. At dhs theres an entire sock optimization effort underway, and part of that is to adopt we adopted i think it was a d. O. D. Model of how to assess a socking and sock operations and then what elements are involved, and its going to allow us to go in and actually compare our different component socks, not against one another in a competition necessarily but to see who has a center of excellence in certain areas and then leverage that for those who dont have that center of excellence. That is a good use of the framework and use that to take it to another lefl, the Department Level is to say okay, this is what we understand the services are required based on our assessment and this framework, and we can now create a shared Service Model that will help leverage that. Theres cost savings and thats great. The danger for me, you get like a compliance mindset again. Now youre looking at it going oh, our sock is good. We hit all 17 points. Were rock stars. Greens all over the place. Were not even like kind of green. Were 100 green, and you know, thats where we get thats where the danger starts to creep in because then it makes an assumption that you have checked a box and youre not security. Security is a proactive game, you know, it involves far more than making sure that youve checked all those boxes. It does also involve making sure you have a solid pen test program, that youre actively engaged in doing bug bounties and youre always assessing all your risk and upnderstanding wht is critical and what is not critical so you can assess it appropriately. Theres those elements. The shared Services Models offers us the ability to save costs. So long as it doesnt become the standard by which we define ourselves. Its something important to do. For me shared services i think is a critical component to even attempting to win this fight in cyber because, i mean, how many federal agencies are there out there . Theres just the talent to be able to actually fight this war, you know, theres no way we can every Single Agency can possibly recruit all the best people and be successful here, so you know, thats one area that we saw as we did well in Security Operations, so we built Security Operations as a service and we offer that out to other federal agencies because we just think its really important to have good strong capabilities that can be leveraged across any agency, and we shouldnt be trying to hoard those things and keep them for ourselves. We need to share them with everybody else. Kwlo you know, the cost savings is definitely a piece of that. But i think it has more to do with how do we share the best capabilities that we have within the federal government. Leveraging pockets of expertise. Absolutely. I would extend that, actually, i agree. Its from my perspective it becomes id almost love to talk about like an api framework. Like we Start Talking i always get back to the data. A lot of these conversations that i would have with the department at my level, it always comes back down to that data element. Like we need to understand what youre doing when youre not doing it, when this is happening, when its not happening. How can we define that out. Api models within that framework would extend our capabilities and allow us to know where we have our shared fwgaps. I dont need Digital Forensics in my sock ever really. Im happy to push that off to somebody else, but there are things i do need that are unique to me that a shared Service Model doesnt always permit. Theres got to be a good balance is my view. And i would just offer part of our experience as we look at it, using the Defense Industrial base as an example, youve got the big guys that are pretty well situated. They understand how to operate a sock on down the line in terms of Cyber Security capabilities, but then you also have very small suppliers that are in and of themselves not going to be equipped to be able to handle the kind of nation state type attacks that are likely going to be directed their way depending on what theyre supplying to us. So the way that i look at it is that the most effective impact of a ha shared Services Mode el, if we can target the guys that are not going to be able to attract that Cyber Security talent to kind of build it all themselves but at a price point where they can afford it, thats kind of the optimal use of a shared service. And then how we applied that to the larger organizations, the administer sfophisticated organizations has to be tone with a lot more care. Yups you have to make sure youre not breaking things. Definitely as a small agency we rely heavily on the shared services and the economies of scale to get the prices down for some of those tools that we wouldnt be able to negotiate on our own with only 500 users. So its really important to have those shared services, and the staff to test those tools and to give us feedback on them because we dont have enough staff to create all of those Development Environments for everything thats out there. I think whats so great abouting have tabout having the four of you is we have such diverse environments, large agencies to small little ones like jacks. Stacy you brought up something that i think is really important for this audience. I thought id ask this question your way is about the Human Resource issue. So one of the Biggest Challenges ive heard from other government leaders and other scissors is the skills gap in cyber personnel. This is impacting everyone but more acutely government. How are you dealing with this, and do you see technology helping you address that challenge . I want to preface this with these are my opinions and not those of my agency and splunk did not pay me to say this, but its really hurting the small agencies to attract that cyber talent and the federal government is seen as a place if you come out of school, theyre old. Theyre backwards, they dont have the latest tools, and it takes so long to get something done, so the federal government as a whole has to look into modern technologies, keep modernizing, and bring in the work force and have them get challenging assignments, so we need the career progression path clearly defined for them, and we need to use other agencies. Mines so small, we need somebody thats at an advanced level, and we need tools like splunk so that we dont need as many humans. The Technology Helps us to fight the bad guys, and so its really important to stay on top of whats modern, use those tools, train the work force, and the way i look at it is if were in the government and one of the agencies trained somebody and they get a promotion to go to another agency, then thats better for the government as a whole. If we train them and they go into industry, its still better for our country, so we shouldnt not train somebody because were afraid that were going to lose them, but fwigiving them that training might actually keep them happy and retain them more. Thats great perspective. And ill add that essentially from a larger organizations perspective, we have a lot of the same challenges in terms of Cyber Security talent. My organization is the functional Community Manager lead for the signcyber work for. Were in charge of figuring out what are the standards and also of standing up the cyber accepted service, which is a tool Congress Gave us to help better attract hire, retain, train, our cyber work force, and so as we look at building that out, we have a huge advantage in terms of our mission. We give people an opportunity to go toe to toe with some of the best Cyber Warriors of other countries and but at the same time, theres a lot of jobs that have to be filled when youre an organization as large as ours. Even though weve got a really cool mission, we have a massive number of opportunities, and its just really difficult to find the good talent. So our team is heavily focused on trying to find ways to incentivize people, make sure we raise awareness and try and help connect the people to the opportunities. Excellent. Well, were running short on time, so im going to go to one last question, nick, ill start with you here. This is kind of my wild card question. The Investment Community has been rapidly funding cyber related startups for years, if not decades for now. You see many vendors popping up and new startups showing up at all of these cyber events. Have we reached peak cyber yet or is there still room for technologies and where would you like to see the investment world spend time on innovation . Well, i sure hope it hasnt because we still got a lot of ways to go in trying to fight this war. You know, weve got like jack mentioned, weve got attackers building a. I. Into their malware to attack us and i thithings li that, and were still playing cat and mouse. I sure hope it has not hit peak. I dont think we have. Some of the areas where i think we need to do better from an industry perspective is we have to have better methods and better ways to bake security into systems and rapidly get that stuff just built in inherently rather than trying to catch up, you know. It just needs to be there by default going into it in the front end and there needs to be more ways to easily get those legacy systems into those kinds of models, too. I think those are some big challenges. Its not easy to move a 20yearold system into a modern architecture, so you know, i think we need to see industry come up with better ways to move those things more quickly and being able to allow these oeld systems to become more agile. Sure, yeah, shane, any thoughts . No, we definitely havent reached peak. If thats the case were going to stop off the threats and were good to go, and then im out of a job. We definitely havent reached peak. Theres a lot of room for growth. A. I. Ops is definitely one of the growing fields. You know, the use of that, the nested algorithms and associated clusterings and swarming, those types of technology are really in their infancy. Supply chain, supply chains huge in different ways, in different methods. You know, supply chain is traditionally thought of as hardware. We think of hardware supply chain issues. You know, im mostly cloud, code, code is my problem. Code becomes commodity and it becomes a supply chain problem. We rely heavily on open source and all thats involved there, so supply chain definitely a had lot of growth there needs to be done ask a lot more advancements. So i think theres room to grow. Fortunately for us our adversaries are going to continue pushing that envelope. I have lots of thoughts on, that im looking at the time ticking down. Ignore that. Its optional. Okay. Excellent. The one ill leave with is complexity. We have a tremendous amount of complexity in our environment, and we need to find a way to drive some of that complexity out, so im much less interested in the new tool to solve the latest and greatest problem, much more interested in, you know, kind of what is that holistic picture that allows me to cover a broad swath of threats in a more agile manner and frankly, drive some of the existing capabilities that i have out of my environment so i can shrink down the number of people and number of tools. Stacy, any closing thoughts there . I dont think were close to being done with this. We are hitting new technologies like i talked about before with quantum computing, with 5g, and we dont know what we dont know yet, and we dont know what the adversaries know, and so we have to keep creating new tools and theres a lot of room for growth in this industry. Excellent. Well, i want to thank you all for your time and for your expertise today and thank you for the service to our country, and i hope this is valuable for anyone, so thank you so much. Thank you. [ applause ] thank you very much for our last panelists. The next panel is called the next frontier. Aerospace and Cyber Security panel. Id like to thank our moderator mr. Casey ellis, the chairman and Technology Officer joining casey on the stage today are mr. Brian connolly, Vice President , senior chief engineer of Cyber Systems at boeing. Mr. Roee laufer, head of Cyber Division israeli Airports Authority, and Eynav Haim Sayag head of our Israeli National cyber director. Over to you casey, thank you. Thank you very much. Good afternoon, everyone. Thank you for joining us for this panel. Very excited to be talking on this subject this afternoon. Just as a point of order, we do have q a cards being handed out by ushers at the moment. Well do our best to get to them at the end of the panel, but if youd like to ask questions as we go, have those in mind and hand them to the ushers and theyll come up to stage with us. Without further adieu, aircraft safety, Airport Security and Civil Aviation regulation, the whole idea of making aerospace secure for its users is a concept thats commonly understood, and its been around for quite a long time. The idea of aviation and aerospace Cyber Security on the other hand is comparatively novel, its comparatively new. There are a lot of people that have been working on it for a very long time, but as a socialized concept, its something that is, you know, comparatively new, and its interesting for us to talk about and understand. Thats why im really excited to have this group of people up on stage with me today. Weve got representation from aircraft manufacturing. Weve got representation from the airports, and weve got representation from the regulators that define Civil Aviation regulation and so forth, so well kick that off with introductions. Brian, do you want to lead that off . Sure, thank you, good afternoon, brian connolly, im the product Security Officer for the boeing company, responsible for security and resiliency of our end item products on the commercial aviation side, defense, space and our global services. Thank you, good afternoon, everyone. Im roee laufer, im the head of the division for israel airport authorities under the ministry of transportation. It controls and manages the international airports, domestic airports, land border crossings and one thing that is kind of unique that we also control the air space itself, meaning the air Traffic Control towers and the accs. This is kind of unique in the aviation landscape, and the Cyber Division is in charge of the entire operations. Hi, everyone Eynav Haim Sayag, lead Aviation Program direct rat, what we do is work with airline and airports and authorities in israel in order to enhance the resiliency. Very good. Kicking off the discussion around the subject, you know, where are we up to with aviation Cyber Security . Like this is something that we were discussing before just around the different, you know, innovations, improvements, initiatives that have been completed successfully, things that are ongoing, and then theres obviously gaps and areas for improvement in the future. Where are we up to with this whole thing . Roee do you want to kick that off . Sure. The Civil Aviation is undergoing tremendous changes these days. The numbers of global passengers is increasing exponentially. We see according to recent aci, Airport Council international study, its predicted to double in the next 20 years from around 7 billion today to almost 14 billion in 20 years from now. Now, this has tremendous impact on the way that airports operate, are doing their business. All the airports to cope with such tremendous growth, we see core processes. Now airports are what you might call in a traditional i. T. Environment, a lot of legacy systems. We have the latest and greatest, face recognition, yoiot and so and so forth. So we have this clash, and we see it in the way that the passenger does screening, the way the aircrafts interact with the airport, and whenever we have i. T. And the utilization, it equals an increased attack surface for cyber attacks, for cyber incident, and this is happening as we speak. Yeah, and just to add to that, i think from a manufacturer perspective, we look as an industry around cyber resiliency of the ecosystem, and so we cant just look at the airplane or the uav. We need to look at the totality of the ecosystem. We look at airplanes. We look at the airports, were looking at air to ground communications, air to air Communications Satellite communications, supply chain, maintenance interfaces into the aircraft, and really looking at from old to new, you look at the complexity of the actual vehicles in that ecosystem, the exponential increase in lines of code on our new aircraft. We look at the changes in communication, things that are moving to ip based communicatn brings a lot of capability, but also opens up a lot of Cyber Concerns and threat factors that were never there before in commercial aviation. So its really looking at increasing complexity, increasing communication and networking and im increasing that Digital Thread that flows all the way from our manufacturers and our supply chain all the way up through the development and operations of our aircraft. So its really stepping back and taking a hard look at the ecosystem and what do we need to do as partners across that ecosystem to drive resiliency into the way we define requirements, drive engineering, design, develop, and then deploy and maintain our platforms within that ecosystem. What you all are describing is, you know, similar or consistent with the Digital Transformation challenges that a lot of Different Industries are going through right now. I know from a policy evolution standpoint, how do you go about wrapping your arms around that as the whole thing . So regulators and aviation is a sector that is very much regulated safety wise, and now theyre starting to develop the new standards for Cyber Security and integrate them within the industry. This will take a few years. So meanwhile, take this time we both support development of those standards and promote taking action before, like before active and do what you can do. Use best practices that are already out there and implement them now even before regulation will be effective. So talking about some of the things that are being done well, you know, some of the Success Stories that we talked about, like how are you seeing that model of being explicitly focused on the areas that you are rollout worldwide . I got to say that from an airport perspective, i cant really say that its a success story. Its quite the other way around. We like to call the Key Stakeholders within the industry, the airports, the aircraft, the airlines and the aircra aircraft manufacturers. Today the current posture each stake holder is acting as a silo rather than acting as an ecosystem, which is echoing what brian said. It even goes deeper than that. If we look within each key stake holder, for example, the airports, so youll see that not a lot of airports have Cyber Programs at all. The ones that do have Cyber Programs are actually under resourced, not enough money power, and not enough resources, not enough knowledge. If you compare that to physical security, the proportions are really ridiculous, and theres no communication between the airports themselves. So each airport actually acts as they see fit. The ones that actually have Cyber Programs as i said, they do what as far as they understand the need, the challenges and the way to go about them, so its not really an ecosystem from the cyber perspective currently. And i think thats one of the main gaps and challenges moving forward. Sure. Just to add, i think that that has been identified, so 100 that need for a cyber trust framework across the ecosystem has been identified. Working it at multiple levels all the way up to iko which is a u. N. Level working it with the faa and others to drive what are technical standards around operating in that ecosystem, what does a trust framework look like . When we start to introduce thousands of unmanned vehicles for both passenger and for cargo in our u. S. Air space, what does it look like to ensure the resilience of that platform and were not going to have unwanted interactions between commercial transport, military aircraft, everything thats cooccupying that space. And on the regulatory side of that, whats the role of regulators and actually achieving that . I think we were just writing the book of Cyber Security for aviation developing that doctrine. What does it mean . Creating the skilled professionals to be working on airports and airlines, et cetera so from our point of view, what we try to do is to push forward that to push forward the Skill Development in order it will have those doctrines, it will have those Cyber Security procedures put in place sooner, the sooner the better. Is mostly collaboration between those entities. Its a government and industry collaboration. Its part of my work to create in order to build those this knowledge. Sure. So changing gear into what the future looks like in terms of the different aspects of this issue that you all interact with, what are the solutions, or what are the things we see potential for success, like the levers, the trends that youre observing . You know, what does the future look like over the medium term so to speak . Without throwing it too far into the future, thinking about whats going to happen next . So the like i talked about before, that framework and text standard, driving that, the industry and regulators together is key for both for boeing and for the broader industry. Driving cyber methodologies, resilien resiliency, System Security engineering deep into our engineering cycles is critical for us. So the paradigm of the cyber folks getting to look at Engineering Products towards the end of the life cycle l has changed. So our leadership all in on driving System Security engineering, survivability attributes back into our needs analysis, and pull that through our development and production lifesty lifestyle. Thats really the only way were going to be successful. So changing that culture, it takes a lot of effort, right . At times it was an adversarial relationship between the cyber folks and the development folks. Oh, here they come again, right . Theyre going to tell me what i did wrong. Now its getting those folks back deep into the far left of that Development Cycle and showing value, right . Showing more efficient ways to code, ways to develop hardware and really make a more resilient product in the end. Its interesting because youve partially answered and preeveryoned p preempted a question that just came in from the audience. How do you envision being agile in a highly regulated industry . So theres obviously the Development Feedback loop processes and the Different Things that i think we all struggle with in terms of build or break feedback loops and security people calling engineers silly and so forth. Beyond that, the regulation component, how does it fit . There have been a lot of good conversations, specifically with the faa around how do we become more agile and if we find issues going back through the process is long for a reason, right . There is rigor in the process, and so when we find critical vulnerabilities if there are any, how do we have a number one, a detective ops pipeline that can it raerate code and quickly make changes to become more resilient. Say a software example, but then how do you take that back through a thorough enough testing regime, and then get the regulator in there to validate that its good to go before you deploy to a commercial airplane, for example. The conversations have started. Its not an easy discussion. Its not the 90day paradigm that researchers have with a typical i. T. Industry, so i would say discussions are skrur underway and theres Good Communications going back and forth. Do you want to comment on that, like the idea of the role of regulatory flexibility and allowing dev ops a part of how this is solved. It seems like an interesting problem to evolve in. It is. Im a Software Engineer so moving into learning this aviation field, i just realized i think two years into it how slowly things develop, and we work closely the with Civil Aviation authorities, for example the faa and try to push forward best practices and development and secure Development Life cycle into this domain. I think it will take a while. Yeah. But really it does come back to the shared vision piece and the collaboration, viewing this all as an ecosystem. Especially its important to understand that its very complex. The systems are very complicated, and if i do an r d on a navigation or communication issue, im going to ask an Airline Pilot to join the research and Civil Aviation authority regulators from an airworthiness perspective to join the research. Cyber security expert cannot do this alone and surely not produce good results. For sure. Roee the question around what do you see the future looking like . Whats your thoughts on that . I think there are two things that need to happen and need to happen now, yesterday. One, our airports need to act. They need to think local and act global. Sorry, act local and think global meaning they need to come up with a Cyber Program, even though there is no Governance Framework yet, no best practices that have been drafted as we speak. They have to act local, they have to have a Cyber Program resilient enough according to best practices. There are best practices out there even though they are not specifically for the aviation sector, you might find some practices suitable for your line of business and the way youre conducting your operations, and this is this needs to happen now. What needs to happen on a government level is governments and the Civil Aviation authorities need to join forces and start to figure out the Governance Framework of this very complex and interconnected type of sector, and this needs to happen in parlay. We cant really wait until that happens. Thats why we need to, as i said, we need to act local and think global afterwards about data sharing, intelligence sharing, information sharing, and stepping up to the practices as the best practices as they come along. It does sound reich a bit of a chicken and egg thing going on there. It is. Stepping up. We try to be vigilant and faster than they are. What do you think in terms of the catalysts for the airports to step up into this . Like what are the things you feel could help them in the absence of regulation, which is being developed in parallel, actually encourage them to do that . I think we need to understand that Cyber Incidents within the Civil Aviation industry are everything. Theyre happening. Now these are supposedly very security aware environments, security and safety. The thing is that actually the one thing that makes adopting new technology and facing up the more dynamic and changing type of attacks is the safety issue. Introducing new technology into a very well certified orchestrated environment is difficult. So this actually is, again, the type of egg and chicken. But this environment is complex. Yeah, so its really about starting the journey. Its about starting the journey, exactly. And what else except understanding that incidents are everything. Theyre happening, and we need to tackle them now. Thats good, thats good input. So weve got a couple of questions that ill go through, and then well wrap up with a minute or so to go and land on, you know, your call to action. That is the theme of the billington, youve already had two, you get a pass on that one. Lets go with these. So what is the challenge with modernizing Legacy Technology and how do you help modernize legacy Business Strategies to yield success . So i think i mentioned it in my previous answer. The fact that temper with a very certified, strict environment that might potentially impact safety is very, very hard. Introducing new technology into that environment a complex and very might be a very long process. Until you get that done, there are already new type of attacks and new type of technologies out there, so this is a race that is very, very complex. Yeah, absolutely. You want to speak to that at all . I think from a legacy perspective, we look at defense and depth. We look at the entire platform also. So a lot of times updates legacy is an option, but it may not be the fastest option to ensure that an attack vector into a platform make it unviable. And so we do a will the lot of understanding the system, and understanding what the true attack vectors are across that platform to have effects on the mission that that systems supposed to take. And so the biggest part is understanding what our legacy capabilities are, so a good baseline from a cyber platform perspective, twwhat does the attack surface look like . What do the Access Points look like . And being able to manage that across a very come preplex plat i would add a thought on the focus. If all of the system, as most of them are, again, old and not always built with security in mind, but now in place and now operational, so i think the focus for us is to add visibility capabilities to this systems, to add money cyber health, money capabilities to these systems and develop from it the concept of defense. Start from the monitoring and youll see more and more socks in airports. Youll see more and more online and offline of logs and data, security logs and data, and this is a good point. This is what were seeing there in close years. Thats great. Im going to paraphrase this one slightly because its a bit of an essay as a question. Can you speak to how youre dealing with the Lessons Learned regarding aerospace and space Cyber Security and whether you have liaisons who are translate between these technical issues of what needs to be changed and c level executives that arent necessarily familiar with subject matter . The question is really how do you articulate the technical nature of the issues that were trying to solve to people that arent necessarily technical natives . I know at boeing its thats kind of my role, so part of it is being an Engineering Company helps, so most of our executives are engineers at heart, so a lot of those discussions arent not a lot of translations needed but a lot of bringing it up to what is the impact what is the impact of a cyber event on one of our platforms both from the actual asset but the brand, too. Understanding and quantifying why you should invest in things like modelbased security engineering. Why you should invest in the skill sets and the people to be within those teams building those components and those aircraft and integrating all of that from a business perspective and making that translation. So its ive gotten, you know, from my perspective our Leaders Within our Organization Get it, and the translations and the business cases havent been that hard to convince. Everyone understands we have to go do it. Its ensuring that we make the right investments for the right security pieces throughout our life cycle. Sure. I think that its supposed to be easy, but i think this question is true across sector. Its challenge to talk to management that is not really aware might not really be aware of the challenges. One of the first projects that we initiated at the Airports Authority is building a sock. Unfortunately its one of a kind. Im not familiar with any other airport that, Large International airport that has a sock Security Operation Center on premise. And the fact what capabilities this brings with talking to management is the fact that you actually show it will in real life. You can show the attempts. You have the ability to prioritize your projects because you understand what vector is being used against you the most, and you should invest there, and theres nothing like seeing it with your own eyes. And this is this visibility brings a lot more into the conversation with management rather than it having to be like very fluidic, very unstructured type of conversation. Its demonstrating proof and actually making demonstrating proof, showing real life, realtime attempts against the organization. I think its strong when you approach management. Thats speaking my language. Were nearly out of time. We are out of time. Eynav did you want to finish up with your call to action, your rally cry. Again, we discussed a thing collaboration. Its real issue, especially i think the aviation ecosystem, there are so many stakeholders and regulators and so on. And actually, were you asking about the threats, our concern as a government and of course airline has their financial motivation concerns, et cetera, but our concern is that the Critical Infrastructure is being more and more targeted around the world, and so its true for aviation sector. Its true for the electricity infrastructure, so we see this threatened. This is what we are focusing on, but of course the airport has stuff that is risk and airlines have their own risks, manufacturers as well. Brian. Just continue the collaboration and accelerate the collaboration and sharing between industry and government. Lets thank our panelists. [ applause ] thank you. Okay. Our next keynote will focus on israels cyber challenges in 2019. Yigal unna the incd. Mr. Unna previously served as a chief executive director of the cyber r d and technology unit. Mr. Unna has three decades of experience in Israeli Security apparatus in c
vimarsana.com © 2020. All Rights Reserved.