While there is always a risk that shared information will be misused by a recipient, the experience has been that the benefits of sharing security information within closed communities far outweigh the risks. Strength comes from working together – smartly and securely – utilising the digital engagement technology that exists today.
Eugene Hoeven, President & Founder, EH&A Management Consulting shares his thoughts about Information-sharing in aviation:
As organisations around the world and in all sectors, are fast discovering, cyberattacks have now become the ‘new normal’. It is no longer a matter of if an organisation will be attacked. It is a matter of when. And, the time to prepare is now. Hardly a day goes by without news of a major security breach. And the attacks are getting larger and more sophisticated.
Critical infrastructure such as power and water supplies, banking and financial services, and transportation, systems critical infrastructure serves as the backbone of the economy, and is essential to the functioning of modern society. Protecting such critical infrastructure from cyberattacks is now a global issue that requires governments and industry to work together.
The economic impact of a coordinated and sustained cyberattack on critical infrastructure is incalculable, but is estimated to easily run into the tens of billions of dollars. One UK study sponsored by Lockheed Martin and released in April 2016 found that a cyberattack on the power distribution network in South-East England under the basic scenario that the UK is able to recover quickly – within 3 weeks – would see roughly nine million people hit by blackouts, alongside disruption to 800,000 train and 150,000 air passenger journeys each day. In the most extreme scenario, this impact would rise to 13 million people affected, and one million train and 330,200 air passenger journeys cancelled.
For many States, cyber threats to critical infrastructure has now become a top security issue alongside international terrorism, war, and natural disasters, due to their disruptive capability. Protecting critical infrastructure is a national security concern, and due to the interconnectedness of infrastructure, it’s about global security in a global economy.
Organisations that make up the aviation system are being encouraged to develop and implement cybersecurity strategies to become more secure, vigilant and resilient. This will involve more than just adopting good security policies and implementing technical fixes. It also requires that organisations collaborate more and acquire new intelligence about cyber threats through the sharing of information within and across industries. Governments have an important role to play to ensure the right conditions exist that will make this happen.
The importance of collaboration and information-sharing
It is widely recognised that no one organisation can have complete awareness of every security threat, vulnerability, and incident that it may face and the assets and processes that need to be protected. However, organisations in the same or similar business sectors that work in comparable environments often have the same security concerns, and sharing security information among each other can help protect their individual organisation and increase the effectiveness of the community’s collective response to security attacks. Accurate, relevant, real-time data and conversations, combined with considered analysis of security threats and risks maximises both awareness and understanding of, and readiness for any form of crime.
We must not lose sight of the fact that cyber criminals share information and collaborate over the dark web and adapt quickly when their methods are discovered. In 2013, the United Nations reported that upwards of 80% of cybercrime originated from some form of organised criminal activity. To combat cybercrime, businesses and governments must therefore improve their strategy around cyber threat information-sharing and collaborative communication. The more information organisations have about cybercrime techniques and technologies, the better they will be in understanding how cybercriminals operate and what behaviours to look for.
In 2013, the Obama Administration took the step of issuing a Presidential Policy Directive on Critical Infrastructure Security and Resilience that strengthened the partnership with industry and encouraging new information sharing programmes such as the creation of the Information Sharing and Analysis Centres (or ISACs). The National Institute of Standards and Technology (NIST) was also tasked with the development of a framework for improving cybersecurity of critical infrastructure, which would incorporate as much as possible international standards, practices and procedures. The current Trump Administration has also pledged to get tough on countering cyberattacks against the United States.
As of the aviation sector, a Civil Aviation Cyber Security Action Plan was signed in December 2014 by ACI, CANSO, IATA, ICCAIA and ICAO, which committed to information sharing and the development and promotion of best practices in combating cybercrime. These were well-intentioned actions. However, putting information sharing to practice has been difficult. Many organisations have not moved past the discussion stage. Information is not adequately being shared for a variety of reasons, with organisations citing legal difficulties or business concerns as the main factors. The reality is that despite the willingness to share critical cyber information, even on a voluntary basis, businesses are apprehensive in doing so. This may be due to law, regulation, or contract, which can create obligations of secrecy and expose a company to legal liability risk if information is shared. There are also concerns over reputational risk, as a company that discloses its vulnerabilities may cause concern for its customers and shareholders. Further, disclosed vulnerabilities may even encourage further attacks.
These issues are complex, but must be overcome since the sharing of information offers clear benefits in better protection, detection and response. Key to information sharing is the will to help others while at the same time being careful to respect the arrangements on information disclosure and use. Consideration must be given to the information to be shared, its timing and the audience – anonymization, redaction, obfuscation, and delay in the release of the information must all be considered as part of the technology solution to minimise individual or collective vulnerability, yet still inform recipients.
Striking a balance between privacy demands related to personally identifiable information and the industry’s need for strong liability protection has been the source of much debate in the US Congress, which ultimately led to the introduction of the Cybersecurity Information Sharing Act of 2015. Such political debate is needed and is a necessary step forward in addressing the concerns related to information sharing. Businesses need to better understand how they can share information safely and effectively while preserving privacy, and how they can realise the benefits from information sharing. And, building secure peer-to-peer information sharing communities that can be enabled through the employment of digital engagement technology is a way forward.
Comprehensive Information Sharing – Technology Enablers
In simple terms, digital engagement technology employs digital tools and techniques to facilitate conversation and mobilise a community around an issue. It can cover all types of conversations over multiple communication channels and facilitate the sharing of data and information, knowledge articles and case studies. It can involve blogging, broadcast platforms, chat or discussion forums, on-line conferencing, incident reporting, news feeds, audio/video clips and webcasts.
The most powerful, flexible and secure technology environments are based on “cloud” hosting facilities and a browser-user experience. However, to provide the full range of easy-to-use information facilities that are needed to create and sustain a vibrant information sharing community and address their pressing needs requires both considerable business experience and technology capability. Of vital importance are the security technologies to be employed, that will provide in-depth defence of the information being shared.
The benefits from participating in a digital information sharing community will also need to be realised quickly. The functionality of the technology platform should provide members with the ability to engage, share and learn of best practices and insights. Value-added content such as statistics, trend analysis and intelligence reports provide additional benefits. Further, having agreements in place for cross-sector sharing will allow the community to learn from other industries’ experiences and lessons learned from cyberattacks that may not yet have manifested in the aviation system.
The platform, technologies and resources needed to support the information sharing community will need to be funded through an appropriate business model to cover the operating and ongoing development costs. This could range from a member cost recovery model to one that is part funded through sponsorship or donor monies.
The creation of such information sharing communities could in turn help develop the collaborative relationships with government agencies to provide and be provided with cybersecurity threat information that will help all organisations – public or private – to prevent, detect and respond to threats in a more timely and effective manner.
What does “good” information sharing practice look like
In the transportation domain, the maritime industry has already pioneered a voluntary online and secure information sharing community. CSO Alliance – www.csoalliance.com was launched to tackle organised maritime criminals, active in over sixty-three countries through real time intelligence sharing and to promote a coordinated approach to maritime security – from piracy to smuggling, illegal boarding, theft and corruption, as well as cybercrime.
The chief security officer (CSO) is the key person in this online community, with responsibility for the security of ships, cargo and crews as well as for reporting threats to the company management and board. The exchange of information and ideas provides CSOs with a 24/7 picture of the true risks their crews face and how to better defend ships, cargo and crew. The military and NGO maritime crime reporting centres such as the IMB Piracy Reporting Centre all have access to the platform for rapid crime verification and information sharing.
The valuable human interactions that are facilitated through this secure online members-only platform help to enhance “security through community” (like a neighbourhood watch organisation), and this same philosophy and approach can be explored for similar platforms in the rail, port and aviation sectors.
Another good practice example is the Gloucestershire Safer Cyber Forum (GSCF). To step up the fight against cybercrime and prevent internet fraud and online bullying, Gloucestershire’s Police Constabulary launched the UK’s first Safer Cyber Forum. The GSCF has been designed to provide advice on cybercrime prevention and to share cyber threat information. It also provides a secure environment for Gloucestershire businesses to engage directly with peers and the Gloucestershire Constabulary on incidents or concerns around cybercrime, along with the ability to report it anonymously. The platform is provided for and is driven by the community, with the public and private sectors working collaboratively together to tackle a common problem.
To share or not to share – that is the question
While there is always a risk that shared information will be misused by a recipient, the experience has been that the benefits of sharing security information within closed communities far outweigh the risks, especially when the digital engagement technology and process environment supports the relevant levels of functionality, security and privacy that are needed by the community. Strength comes from working together – smartly and securely – utilising the digital engagement technology that exists today.
This article was published on ADB SAFEGATE with permission of Momberger Airport Information.
The article is written by Eugene Hoeven, President & Founder, EH&A Management Consulting. Eugene Hoeven has an extensive background in corporate and industry affairs in the aviation sector, having worked for an airline, an aircraft manufacturer, airport consultancy and two industry associations (IATA and CANSO), which included industry representation at ICAO. This included participation in the ICAO Aviation Security Panel and cybersecurity policy work with industry partners. As a strategy and business development consultant, he works with leaders at aviation organisations to improve performance and drive profitability by managing reputation and risk”.
ADB SAFEGATE is a leading provider of intelligent solutions that deliver superior airport performance from approach to departure. We partner with airports and airlines to analyze their current structures and operations, and jointly identify and solve bottlenecks. Our consultative approach enables airports to improve efficiency, enhance safety and environmental sustainability, as well as reduce operational costs. Our portfolio includes solutions and services that harmonize airport performance, tackling every aspect of traffic handling and guidance, from approach, runway and taxiway lighting, to tower-based traffic control systems and intelligent gate and docking automation. ADB SAFEGATE has 900+ employees in more than 20 countries and serves some 2,500+ airports in more than 175 countries.