The aviation industry needs to prioritize information sharing and expanding public discussion if it wants to harden itself against cyberattacks, according to a report released by the Atlantic Council on Dec. 11.
The report, prepared by the Atlantic Council’s Cyber Statecraft Initiative, found that there is a growing need for global standards for aviation cybersecurity, trust and transparency improvement between stakeholders, and the industry must center itself around passenger safety.
However, while the report offered suggestions and paths forward for the industry, it did praise the work the aviation sector has already undertaken to strengthen its cybersecurity posture.
“What is clear is that, like many other sectors, the aviation sector faces a significant cybersecurity challenge, the nature and scope of which is only now becoming apparent,” said Pete Cooper, senior fellow for the Cyber Statecraft Initiative, CEO of Pavisade, and cyber strategy advisor for the International Air Transport Association. “But the significant milestones of the new [International Civil Aviation Organization] Aviation Cyber Security Strategy, international initiatives, and increased information sharing and dialogue show that positive change is happening.”
However, Cooper did note the importance of embracing the report’s suggestions, “Accelerating this progress globally, strengthening security and resilience, will not only take leadership, strategy, and vision, but also collaboration and building bridges across all stakeholder groups.”
Alan Pellegrini, Thales North American CEO and Atlantic Council board director, acknowledged the benefits of IT modernization for the airline industry, but said those technological advancements bring along cybersecurity concerns.
“While the aviation industry has reaped the benefits of digitization, we have to acknowledge the corresponding new risks, including social and technical vulnerabilities, never before addressed,” Pellegrini said. “By broadening the community of stakeholders examining cybersecurity in aviation, we will increase our collective security, safety, and resilience.”
The report offered up seven next steps for the aviation industry:
- There must be “global standards for a global industry.”
- Trust and transparency between industry actors must be improved. The report further argued that “all contracts between aviation stakeholders must include cybersecurity considerations, such as through-life risk management, vulnerability management, and data sharing.”
- The industry must focus on building bridges between stakeholders. Further, when implementing the report’s other suggestions, the industry must gather input from all of its stakeholders, as well as cybersecurity experts from a wide range of industries.
- “Cybersecurity information sharing must be approached in the same way as information sharing on the topic of flight safety,” the report notes. The industry needs to move towards a “learn once, share widely” model to “promote rapid visibility, mitigation, and management of risk across the entire sector.”
- In addition to improving information within the sector, the report stresses the need to improve aviation’s communication with the public. “Aviation cybersecurity is a critical and complex topic that is still little discussed outside the sector … Increasing external dialogue on the topic and helping create informed positions will go a considerable way toward increasing understanding and trust across multiple stakeholders.”
- As with most other sectors grappling with cybersecurity concerns, the report stresses the need for adequate cybersecurity staff. “Global, sector-wide, coordinated efforts must be made to increase the cybersecurity skills of those already in the sector, as well as to create pathways and incentives for those wanting to embark on an aviation cybersecurity career,” the report notes.
- Passenger privacy and cybersecurity must be a top-level concern for the industry. The report urges the industry to approach the topic proactively and with a transparent dialogue.