Terms like “security” and cybersecurity” have been around the commercial drone industry for many years now, but their ubiquity often facilitated misunderstanding. Was security something specific to data? Did taking proper cybersecurity measures mean investing in a certain solution? Many people interpreted these terms in different ways, causing some to believe they were either not at risk or didn’t have anything to worry about, even though the opposite was true.
Sorting out a better baseline and what it means to approach these topics in the right way was the focus of the Day 1 keynote at AUVSI XPONENTIAL 2023. Speakers talked about the importance of security and cybersecurity measures becoming a reality not just in terms of ability but also in terms of preparation and integration.
As AUVSI CEO Brian Wynne detailed, in the past, that integration was focused on the military/defense side, but first responders and professionals in many other industries are now seeing the implications of technology, which has literally saved lives. That impact was part of what compelled AUVSI to launch the AUVSI Trusted Cyber Certification, which is a voluntary cybersecurity certification for uncrewed systems. The program is designed to address the gap in the cyber security landscape that led to certain misunderstandings, but also provide support around corporate hygiene, product and device, supply chain risk review, and remote operations.
The importance of doing so is something that Alex Stamos detailed in a big way during his presentation. Stamos is a Stanford professor and former Chief of Security at Facebook, and he discussed why it is so essential for any and every company in the drone space to develop a framework for cybersecurity that will allow them to mitigate the risks of cyber-attacks. He discussed how and why cyber is a key tool of geopolitics, which means it’s something that can impact anyone and everyone.
Stamos framed these realities and vulnerabilities in terms of the war in Ukraine and how open-source intelligence gathering and autonomous systems have totally changed the game. Without a mass industrial base, Ukraine agents can pull off attacks. That leveling of the playing field has enabled opportunities that were previously unheard of, but it has also opened up vulnerabilities for companies operating from across the world without any direct involvement in such developments.
“Asymmetry of power can be neutralized by off-the-shelf-technology,” Stamos said. “What that means is that every company is now a defense contractor. If you're building tools that enable connectivity or autonomy, then you're in line.”
Stamos referenced the biggest cyber attack on the Viasat network by Russia, which showcased the direct role of cybersecurity in the war. In the attack, code was overwritten to knock out autonomous systems. It demonstrated that one of that ways you can establish dominance over these tools is with cyber. It’s something that the People’s Republic of China has taken to as well, as every single company has a competitor in the PRC. Hacking is a part of the competition.
So, what can be done about it? Stamos admitted that with the amount of resources available to certain hackers, the most realistic goal is to build and create an organization with flexible, resilient control. The risk continues to go up, but you can't predict when it will hit.
“It’s hard to convince people to invest in tech for a day that might ever come," said Stamos. “Cybersecurity is like the weather, because you don’t know when that fire or flood is going to happen.” However, the risk and likelihood of such events continues to become more prononced as the technology and geopolitical realities change.
To best prepare for such events, Stamos recommended installing things like technical controls, which include privileges, zero-trust controls, adaptive authentication, and adaptive authorization. It can also mean enabling cultural shifts that cultivate insider trust, treat staff as potential victims and an overall security culture. Finally, he mentioned the importance of verification and continuous improvement. Static defenses don't work at dynamic companies.
All of those realities shaped the creation of the Trusted Cyber Program, which AUVSI’s Chief Advocacy Officer Michael Robbins and Tobias Whitney, VP of Strategy and Policy at Fortress Information Security, further detailed. Created to help address cyber risks specific to uncrewed and autonomous systems and components, the program is somewhat ahead of the regulator, but does that make it necessary? Or premature? Answers there are debatable, but it's something operators and organization are looking for.
While those “security” and cybersecurity” terms are better understood and defined than ever, resources and support to ensure these topics are being addressed are as needed as they are appreciated.