With Cyber Security Month several weeks behind us, it can be easy to lose sight of the lessons learned from these efforts—somewhat like how our New Year’s resolutions get a bit fuzzy come March. But security is a key component of our industry’s success. It impacts public perception and trust, government contracts, data integrity, national security, and much more. Incidents that lead to critical data breaches can cast a shadow over whether drones can be trusted for commercial use, whether that means capturing data on critical infrastructure, participating in public safety and emergency services, or providing surveillance of our assets. At the end-user level, it raises questions about whether drones can be trusted with personal data. This is why security is an ongoing topic that needs to be discussed often and kept in the news throughout the year—to remind each other not to lose sight of this critical aspect.
To drive home just how important cyber security is for our industry, Commercial UAV News spoke with Jeff Horne, Skydio’s new Head of Security, to talk about his new position with the company, what security culture is and why it is important, the impact security has on trust, how governments are looking and thinking about security, and more.
Danielle Gagne: What led you to join Skydio as their new Head of Security?
Jeff Horne: I’ve been incredibly fortunate to have worked on several interesting projects with great teams. I’ve previously worked on securing autonomous vehicles and I’m also an avid FPV drone enthusiast. When I heard that Skydio was looking for a head of security I was immediately interested. Security is a paramount concern in the drone industry that is often the deciding factor in which drones customers can use to meet their needs, an exciting chance for a security professional to be mission-critical to the company’s success. As small camera drones have expanded in scope from being consumer toys to critical tools for national security, we’re seeing a shift in the market from manual drones made by companies based in China to AI-enabled autonomous drones made in the United States.
Skydio is leading that charge, and I knew I wanted to work for a company that had a great, easy-to-use product that could help keep people safe and make their work more efficient. From my very first meeting with Skydio it was evident that the team also had something else that means a lot to me—passion. Along with being highly skilled and technical, the teams are passionate about their work, dedicated to making the products better and committed to truly helping our customers unlock the promise of autonomous drones.
In your opinion, what are some of the biggest cyber and physical security threats facing the drone industry?
Drone security is somewhat new. Originally drones were seen as either offline or simple Internet of Things (IoT) devices that just needed internet access to download updates. Drones have now evolved into flying autonomous computers backed and operated by cloud services. I feel the biggest threat to the drone industry currently is the actual safety and security of the device.
There are several facets when it comes to securing an autonomous flying computer that overtly touch on aspects of privacy and safety. Skydio is leading the industry when it comes to autonomous drones, and I want to make sure that we are also continuing to lead when it comes to cybersecurity.
In your previous interviews, you’ve spoken about how security needs to be at the core of a company’s culture. Can you talk about what that looks like practically?
I believe making security a part of a company’s culture starts with instilling the understanding that security responsibilities extend to everyone in the company. Beyond general security awareness training I feel it is important to both educate employees on common attacks that companies face every day and to incentivize reporting any potential security issues. I believe social conformity to bad security practices is a major issue in a lot of organizations and educating employees and incentivizing them to ask why or report a potential risk is a way to break that cycle.
Practically this entails regularly educating employees and being transparent about what risks your company faces, as well as details on the incidents and security issues the organization has faced. However, I believe it is also important that all employees become security stewards and empower and incentivize people to raise potential security issues. Sunlight is the best disinfectant.
As you look to build your security infrastructure, a great place to start is with the fundamentals: single sign-on, multi-factor authentication, enforcing encryption both at rest and in transit, a regular patching cadence, vulnerability discovery and remediation, and security awareness training. All of these are absolutely needed to both pass common security compliance (e.g., SOC 2 Type II) and thwart basic attacks.
In addition to protecting your organization, you can continue to protect your customers by injecting security culture into your product culture. Our Skydio X2 is designed to deliver enterprise-grade cybersecurity, offering signed and encrypted vehicle firmware, encrypted storage and data link encryption.
What can happen if security isn’t part of a business’s culture?
If security isn’t a part of a business’s culture there is an increased risk of simple security issues not being discovered in time and leading to a breach. If you look at the history of security breaches you will find that the vast majority were not some complicated hack with 0-day exploits found in vulnerable code. Instead, most breaches were seemingly basic security oversights like compromised passwords on external services, leaked private keys in source code, social engineering of employees, misconfigured databases on the internet, and so on.
A good example of this was the supply chain attack on an American IT company last year that was attributed to Russian nation-state actors who have advanced capabilities but were able to access the target’s network through an internet-connected file server whose password had leaked onto the internet months earlier. To make matters worse, this issue had been reported to the company months before the attack by an outside security engineer and was never corrected. A culture of urgency around cybersecurity would have pre-empted this basic vulnerability using basic information security techniques.
Beyond an individual business’s security culture, there is a lot of back and forth among various government agencies about security that is impacting this industry right now. What are the primary concerns of these agencies?
My main concern for US government agencies is their ability to keep up with new technologies and adopt the proper controls to use these technologies securely. I have a lot of experience with various government agencies and a ton of respect for the men and women working at these agencies, but I worry that bureaucracy slows their time to adapt to new technologies and the best security practices associated with these new technologies and they are instead implementing the same stale security controls that wall them off from private sector innovations.
How can we navigate, address, and plan for these governmental security concerns as an industry?
I think the private sector needs to quickly implement security controls mentioned in newly proposed security frameworks and regulations (e.g., CMMC, the Cybersecurity Maturity Model Certification, and the NIST 800-161 draft) and other security legislation well before the deadlines. The private sector historically sits back and watches government cybersecurity proposals go back and forth and waits for the dust to settle before planning to meet the implementation deadline, which is sometimes years away. I personally feel that the important risks are clearly outlined today for areas like software supply chain and I’d like to see more companies be proactive in thoughtfully closing those gaps.
A major topic that gets brought into conversations about adoption of drone technology is trust. What is the relationship between security and trust in the drone industry?
I strongly believe that trust in the drone industry is predicated on safety and security. An organization will not trust a UAS company if their system is perceivably unsafe and insecure, or if the manufacturer is beholden to governments that do not value the privacy of the end customer’s data. A lot of the cyber security work being done on trust involves supply chain risk management. Code used on UAS is not always solely developed by the UAS company and can include dependencies on other code, or other applications from third parties. I believe on-vehicle security is paramount and something we take very seriously at Skydio.
What are your final thoughts or takeaways about cybersecurity in the drone industry?
The only way to trust a connected device is to trust the manufacturer and the legal framework in which they operate. Skydio’s products have earned the trust of the world’s most exacting customers. The U.S. Defense Department has concluded that Skydio’s defense and enterprise products satisfy demanding supply chain security requirements required by Congress in the National Defense Authorization Act (NDAA). For these reasons, Skydio X2 was selected as a trusted drone platform for the U.S. Department of Defense as part of the Defense Innovation Unit’s Blue sUAS program.
To learn more about Skydio and how they are addressing security check out their website here.