Aviation Has A Software Problem

Host Paul Roberts chatted with Jiwon Ma, Senior Policy Analyst at the Foundation for Defense of Democracies (FDD), about her report (PDF) that addresses the software supply chain security risks facing aviation.

EPISODE TRANSCRIPT

Paul Roberts: [00:00:00] Welcome back to another episode of ConversingLabs podcast. My name is Paul Roberts and I am the host. This is ConversingLabs, a regular podcast from the team here at ReversingLabs, where we dig into the latest developments in malware and threat analysis, as well as software supply chain risk.

And I'm excited to have in the studio with me, Jiwon Ma. Jiwon is a senior policy analyst at the Foundation for Defense of [00:01:00] Democracies, or FDD as we'll refer to it going forward. They are a Washington-based nonprofit research institute, and they're focused on policies that will strengthen US national security and reduce or eliminate threats posed by adversaries and enemies of the US and other free nations.

And at FDD, Jiwon works at the FDD Center on Cyber and Technology Innovation, and she's the author of an FDD report released in April and titled Turbulence Ahead: Navigating the Challenges of Aviation Cybersecurity. And that's what we're gonna dig into today. Jiwon, welcome to the ConversingLabs podcast, it's great to have you here and we're thrilled to be able to speak to you.

Jiwon Ma: Hi Paul. Thank you so much for having me. I'm very excited for this conversation. I was telling my bosses that I'm happy to spread the Gospel of Aviation Cybersecurity whenever I get a chance, so thank you for having me.

Paul Roberts: Yes, there's a lot of [00:02:00] work to be done spreading that gospel, which your report gets into. Before we dive into the report, Jiwon, could you just tell our listeners who might not be familiar with you a bit more about the work that you do at FDD, and your background?

Jiwon Ma: Sure. As senior policy analyst, I lead a lot of research on the cybersecurity landscape of critical infrastructure.

So this year, our team has been focusing on military mobility. So as a result, we're looking at the transportation sectors. So maritime, aviation, rail, trucking, and a host of other things, also including lifeline sectors like water and wastewater utilities, healthcare, K through 12, and other social issues like workforce development, how to get people into government working in cybersecurity policy.

Just paving the path for folks who haven't [00:03:00] had the opportunity to really get into this field. So we do a lot. We work with policymakers, a lot of practitioners. We also have a technical wing of our center, and Dr. George Shea leads the effort, and it's been incredible just to be able to tap her and say, Hey, I really need to understand how GPS systems work, do you have 15 minutes? And she breaks it down so well, and I always say one of her best talents is that she does it in a way that does not make you feel stupid, and you also walk away from that having had a good conversation. We do a lot of the cross-sector research and also just examine the technical aspects in addition to the policy work.

So that kind of highlights the work that we do at CCTI, the acronym you can use, which is easier to say than our center's name.

Paul Roberts: The FDD CCTI. Is that what you're referring to?

Jiwon Ma: Yeah, exactly. [00:04:00]

Paul Roberts: Okay. That's a lot of letters. So, just to throw another acronym out there, one of the other things that you do at FDD is contribute to the CSC 2.0.

That's the Cyberspace Solarium Commission. Really interesting kind of federally backed program. Talk just a little bit about the work that you do with CSC, the Cyberspace Solarium Commission.

Jiwon Ma: Sure. So my boss, Mark Montgomery, used to be the executive director for the Cyberspace Solarium Commission when they were active.

Once that commission sunset, they wanted to preserve the work that they'd been doing. They issued a report that contained about 80 recommendations just improving cybersecurity policies all around. There were a lot of sectors that this touched, and they also published additional white papers pertaining to certain topics like disinformation, supply chain, [00:05:00] workforce, etc. As a result, we're basically continuing this momentum that the Solarium Commission created, and it's fantastic. Maybe I'm a little biased, but they've had about an 85% success rate at getting policy implemented at a certain level in some degree, and I know that's very challenging to do in the policy world. So it's been very motivating, oftentimes when cybersecurity can be very disheartening to see, especially in the policy realm. So we're tracking the implementation of the recommendations. So this year actually marks the fifth and the final year of the CSC 2.0 assessment reports that we've been publishing.

We do wanna continue working on the Solarium Commission's work, but I share with mixed feelings that this will be our final assessment report. But the work doesn't stop there, because there's plenty to do, as it's an incredible mission. [00:06:00] I'm happy to be part of it.

Paul Roberts: Yeah. And a lot of really interesting recommendations.

And I felt like forward-looking recommendations came out of that Cyberspace Solarium Commission. So let's talk about the turbulence report, Turbulence Ahead. This is the report you released in April that you were the author of, on cybersecurity threats to the aviation industry that we all rely on.

What brought this about? What got you looking into threats and risks in the aviation industry? Cyber risks in the aviation industry?

Jiwon Ma: So about a year and a half ago, I actually authored a report on maritime. So something very similar to our aviation report.

And we began that with the thought of focusing on military mobility, so looking at logistics, how do we project power, but also how do we utilize civilian infrastructure? So these dual-use infrastructures, to do that while protecting [00:07:00] civilians, moving goods and people, and also projecting power.

So that was the motivation for our military mobility projects, and aviation is certainly part of that. I think that originally we were looking at avionics cybersecurity. We said we can't have planes falling outta the sky because of a cyber attack. That would be terrifying. And then as we dug into that, we realized this is maybe less serious of an issue compared to what the national airspace is going through right now. I know there are a lot of traffic delays, a lot of cancellations, a lot of near misses, and oftentimes it has to do with something related to cybersecurity or technology. So we thought, hey, maybe the practitioners looking at avionics cybersecurity and security could be better people to handle that, and let's deal with these policy issues, provide recommendations for folks to really change the landscape so our [00:08:00] air travel gets a little bit more safe.

Paul Roberts: The difference being, the avionics-focused stuff is really security researchers like Chris Roberts digging into the deployment of, let's say, the entertainment system for the cabin versus the cockpit systems that control the flight of the plane, and looking at risks that exist either in the software itself or in how it's deployed.

And there have been a lot of reports going back more than a decade, highlighting some real risks there. But as you're saying, those are relatively obscure risks or problems. And not really causing the types of disruptions that we're seeing on a day-to-day basis.

Jiwon Ma: Yeah. And I think that aviation engineers, software engineers do a fantastic job, especially when thinking about airworthiness. So I felt more confident in their abilities to keep us [00:09:00] secure. And as we were looking, I found a lot of fragmented oversight. There's insufficient funding. While there is a lot of funding, there is insufficient funding for modernization and cybersecurity, and there's this workforce shortage, both for airport security but also for people who are modernizing and dealing with the cybersecurity issues. So frankly, the industry is really struggling to keep pace with just the evolving threats, and that gap between the importance and the protection is what really motivated this report.

Paul Roberts: So one of the data points you called out was that aviation broadly, so this could be airports or suppliers to airlines, was increasingly targeted by ransomware. I think you said that the increase was 600% in 2023.

And that was from an executive at Boeing, [00:10:00] and that the aviation industry is basically experiencing some of the same things that other industries are, which is more ransomware attacks, more cyber criminal attacks. Is there any indication that it is being singled out, either by cyber criminals or state actors, that it is particularly highly targeted?

Or is this just that we're seeing the same thing in aviation that we're seeing across the economy?

Jiwon Ma: Yeah. I think it's more of the latter. I wouldn't say ransomware is necessarily the single biggest threat. It certainly is a threat, and I don't want to undermine that. I think it's more accurate to say it's the most visible manifestation of the deeper systemic risk and the vulnerabilities that the aviation sector is facing. So the real issue is that the aviation infrastructure has just become so modernized and so digitized and interconnected without always building in adequate security from the ground up. And so [00:11:00] ransomware exploits those underlying issues, and we have seen a lot of nation-state actors target the supply chain, and other sophisticated threats. So, I think the Boeing statistic really highlights how attractive the aviation industry has become as a target. The fundamental challenge is really building that cybersecurity, the resilience across the threat landscape.

Paul Roberts: Yeah. And one of the things you point out, which maybe is a little bit unique to the aviation industry, is how much old infrastructure and old software they're relying on, some of it, according to your report, 60 years old, a lot of it 30 years old. And as you point out in the report, even the newer software that they're using, in terms of when it was released, might still have significant cybersecurity risks with it. Talk a little bit about what the aviation supply chain looks like [00:12:00] right now.

At least from the research you did.

Jiwon Ma: So I know that some things are built to last, so even if it is 60 years old, maybe if it is functioning, we don't have to change it.

If it's not broken, why fix it? But these things seem to be broken, which is the big issue here. So I think the weakest points in the supply chain tend to be where legacy systems meet the modern connectivity requirements. So many aircraft and airport systems were just designed in an era where cybersecurity wasn't a huge concern, but now that they are very interconnected to networks and internet-facing systems, it is a huge challenge, and now, you know, we're seeing the FAA go through the NextGen program trying to modernize its systems. So you have this challenge where software updates and patches have to go through extensive safety certification processes that [00:13:00] delay critical security fixes.

And just the way that the aviation supply chain is laid out is really based on just-in-time production. But at the same time, creating these parts takes a lot of work, and there are specific engineers who are capable of doing that. And, if systems are 60 years old, a lot of these engineers are retiring.

So it's difficult to find the workforce to really address these issues or even to update some of the parts. I think that's very challenging, but also there's another layer: other agencies also regulate pieces of technology being used in the aviation supply chain. Like the FCC regulates all equipment that transmits data.

And those things are also embedded as part of the aviation systems. So there are a lot of different components where we can fail, and those things are embedded into the aviation system. [00:14:00] So I think that's the challenge of the aviation supply chain.

Paul Roberts: And security researchers might make the argument of, hey, if you've got software written in COBOL back in 1970, that's probably a harder nut to crack for a cyber actor than some web application written in the last five years with internet connectivity. But as you point out, maintaining and updating not only the software but the equipment that it runs on is becoming increasingly difficult 'cause many of these components are not manufactured anymore, and the people who really understand what the software does are either retired or even deceased. And so there are all kinds of motivations to get that software replaced and updated.

Jiwon Ma: Yeah. There are a lot of inputs.

So third party vendors really are another major subset of vulnerability points.

Paul Roberts: Absolutely. But as you point out in the report, the FAA's program to [00:15:00] update its technology has stalled, to use an aviation term. Can you talk just a little bit about what you found?

Jiwon Ma: Yeah. Just to give listeners a little bit of background, the FAA has launched a project called NextGen, and it is to modernize the aviation systems. And this is a Bush-era project. And so it's been like five administrations at this point, and no president has been able to solve this.

So I know that oftentimes these things get politicized, but it's not a Democrat or Republican issue, it's just a security issue. And so at this point, the FAA has been investing billions of dollars and they're late by years on end. They were supposed to have finished this modernization effort already, but the timeline keeps getting pushed down the road, and that [00:16:00] is a big frustration on many levels.

So I was looking at some of the data and what NextGen was promised to fix. So it's supposed to fix on-time flight disruptions, and that has to do with the national airspace systems. But when you're actually looking at the data on flights that are on time, basically that statistic remains around the same level, so that hovers around 76%.

And this is even with pre-COVID numbers, and it's still true today. So that's been at least seven years in the making. And it's still not big. So, that's very challenging. I say this very carefully because I understand doing a modernization project of this caliber is very challenging, and just updating software in your house is a lot of work.

So imagine updating the entire [00:17:00] aviation airspace system. So I do understand the challenge. I do wanna be cognizant of the FAA's work. They have a lot on their hands. But yeah, it's been a big frustration for sure.

Paul Roberts: Yes, and given a decade and a half and tens of billions of dollars.

You'd think this is a problem that should be solved. Manufacturers and large corporations do these types of tech renewals all the time, and I doubt very much they're being told the timeline on that is about 15 years. They would be like, wait, what?

Jiwon Ma: That would not be okay. In the private sector, for sure.

Paul Roberts: So I think one of the other interesting things that I picked up in your report is, one of the problems with this NextGen program is that because its roots are back three or four administrations ago, the GW Bush administration, early two thousands, cybersecurity was actually not necessarily a focus of NextGen. It was about updating [00:18:00] technology, updating capabilities, but cybersecurity was not necessarily a priority when it was initially envisioned, and so that's almost had to be bolted on.

As I understand it, more recently, what has happened with NextGen in terms of its focus? Is cybersecurity now a key element of this NextGen program?

Jiwon Ma: So I can't say with confidence that cybersecurity is a key element. That is one of the recommendations that we were pushing in the report.

Yeah. I looked at the FAA's fiscal year budget for 2026. I did see that they included $35 million for cybersecurity enhancements on top of the cybersecurity budget that they have. While that is great, and I do appreciate that they're at least thinking about these things, I put it in context for people: that is still only 0.16% of the FAA's budget.

So I [00:19:00] don't know if they are prioritizing cybersecurity. I don't think I could say that confidently if I see those numbers. And last week I was actually presenting our report at a conference called Defend the Airport. This was hosted by the Technological Advancement Center called TACH.

There were a lot of people in the room who are the policy makers, who can sway the decision, change the game, how we deal with this. So a lot of them are aware. And they are in agreement. I think there's a component where it's cultural. It's difficult to change how an agency has been operating for decades on end, and it's difficult to change the line items, how they sort themselves with their budget.

And I say this because this is a government agency. We do have to remember that there are a lot of bureaucratic challenges for the government to really do a full [00:20:00] re-envisioning of how they spend their money and their strategy. So I understand that people care; it's difficult to undo a lot of the bad work and also keep pushing for the good work.

$35 million I'm happy to see, but it being less than 0.5% is also devastating to see, so I will leave you with that.

Paul Roberts: Yeah. The numbers with the federal budget are all so big that those percentages actually really matter. Oh, $35 million. That sounds like a lot, and it's- look at how much you're spending on other stuff, right?

And where that falls into their expenses. And generally it's very small. So one of the things that you highlight in the Turbulence Ahead report that you released in April, Jiwon, is attacks, either targeted attacks or inadvertent disruptions, that have resulted in delays, flight [00:21:00] delays and disruptions to the aviation system.

You called out one, which was an attack on Jeppesen, which is a Boeing subsidiary that does flight navigation and operation planning tools. So that organization was a target of a ransomware attack. And then of course there was the disruption we all know about resulting from the CrowdStrike endpoint detection security update that was flawed and caused all these Windows systems to just crash. And it had a huge impact on certain airlines, particularly Delta, and resulted in thousands of flight delays and cancellations and things like that. Talk just a little bit about what you learned about how the aviation industry is managing what we call third-party risk management.

TPRM. 'Cause obviously their supply chain is incredibly diverse. Is this something that there's a lot of attention to within the aviation industry [00:22:00], or not so much?

Jiwon Ma: I think there is a lot of attention to it, for sure, but I think oftentimes we don't see the results, because we see failures like those that resulted from the CrowdStrike incident. So I think the CrowdStrike incident was the perfect example of how just one single point of failure in this software supply chain can cascade through the entire aviation ecosystem. Even though it wasn't a malicious attack, it just demonstrated how dependent the industry is on third-party software providers and how quickly operational disruptions can take place.

I think this was a wake-up-call moment for airlines. I think they do have a very significant third-party risk management problem. The industry has just evolved to rely heavily on specialized contractors and vendors for critical functions, from software development to maintenance to security [00:23:00] services.

But I think the cybersecurity governance and the oversight of these relationships often hasn't kept pace with that operational dependency. So I think also what makes it particularly challenging in aviation is the complexity of this regulatory environment. I know I mentioned earlier about the FCC, how it regulates some of the equipment that's being used, but you also have the FAA safety regulations.

You have the TSA security requirements and various cybersecurity frameworks that they have to follow. There are specific ones for third-party contractors to meet as well. So while you think the security layers are there, they don't always align seamlessly when it comes to third-party risk management.

So I think a vendor might meet aviation safety standards but have significant cybersecurity [00:24:00] gaps, or vice versa.

Paul Roberts: Right.

Jiwon Ma: So I think that's a really big challenge. I think that the attack vectors we've seen increase basically target these third-party relationships, because adversaries recognize that they can often just be easier entry points than going directly after primary aviation companies like Delta.

So, when you compromise a vendor that has access to multiple airlines or airports, you can potentially just impact this entire ecosystem, much larger than you would've if you just targeted one company.

Paul Roberts: We saw that with the hack of SolarWinds, right? Back in 2020. A tech supplier to both high-security government agencies, Fortune 50 firms and thousands of other organizations; this was a Russian state actor. We've seen, as your report points out, state actors target specific facilities, airports, and so on. Do we [00:25:00] have any sense whether there's an interest in a SolarWinds-type campaign but targeting a supplier for the aviation industry?

Because as you point out, that could be a very powerful tool in the tool belt of a state actor if they wanted to cause disruption in the event of a conflict or a pending conflict.

Jiwon Ma: I'm not aware of a very aviation-specific one. I know that there have been issues with Volt Typhoon and Salt Typhoon and the telecommunication networks, the transportation systems. And I don't know if it is just aviation-specific. I think that adversaries are really just prepositioning themselves so they can exploit these vulnerabilities at the time of their choosing. And I think that the aviation sector is not immune to those things.

And I also think that the CrowdStrike incident, even though it wasn't a cybersecurity incident, really just highlights how little [00:26:00] visibility these companies have into their software dependencies. Even though many of these organizations were affected, I don't know if they realized how dependent they were on CrowdStrike until the outage really hit. I think that idea can apply to aviation cybersecurity as well. So if they don't have an accounting of the vulnerabilities that they have, the risks that they're facing, it's difficult to know how to protect themselves from cyber threats when they have no idea which ones are going to hit them.

Paul Roberts: And of course, the prevailing logic for the last 25, 30 years has been, you want to get those patches out and applied as quickly as you can. You don't wanna hesitate, because attackers could target vulnerabilities that those patches address.

The SolarWinds or the 3CX incidents put an asterisk on that and say yeah, but you should also be checking those [00:27:00] updates for security risks that might lurk inside them, back doors and things like that. And that's something that ReversingLabs is very focused on helping people do. But it is a little bit counterintuitive to say, yeah, don't rush that patch out, because it could actually introduce a bigger problem than it fixes. The point you make as well is about just these overlapping jurisdictions.

TSA, FAA, FCC, DHS, the vendors themselves, the airlines, the aircraft manufacturers and their suppliers are really burdened by these, being impeded by all these overlapping regulations, and don't have a strong sense of, are we compliant or are we not?

So they're raising alarms about this. Any effort underway to harmonize or simplify the responsibility and the enforcement of security protocols around aviation?

Jiwon Ma: I don't believe there is an effort being taken for harmonization, but [00:28:00] I have heard from industry that TSA has really stepped up in how they think about working with the industry. So, they are approaching it so that industry can really work with them and create regulations that actually work in real life and have practical use. So we're not trying to make cybersecurity a more challenging thing for industry to meet in terms of standards.

It's more like how should we think about cybersecurity and the context of your systems, and how is it helpful for you to stay safe, and how could we provide that oversight and the safety guardrails so that you can continue doing your business, so you can continue serving people and helping, and working with the government to project power when needed.

So I know that [00:29:00] TSA has been very cognizant about how they approach security standards, not even just in aviation but elsewhere for their transportation and whatever sectors that they're looking at. So I think one of the recommendations we made was to harmonize these standards.

And again, it's easy for me to say that from where I'm sitting, but it's difficult when you understand that TSA is really focused on the physical safety of airports and FAA is concerned with the regulations of the safety of the avionics and the avionic systems. I don't think there is an effort to streamline the things at the moment.

But the thought is there, they're trying to be more thoughtful about it. So I think that's a first step.

Paul Roberts: Yeah. And you call out in the report that your recommendation is that the TSA should work closely with the FAA and CISA on some kind of comprehensive cybersecurity [00:30:00] vulnerability and risk assessments. For example, high-value and high-risk airports. There are thousands of airports across the country, but a much smaller number are critical to our national infrastructure. Could you just talk a little bit about the vision that you have on what might be an effective way for those three agencies to work together on this fairly concrete, fairly focused problem?

Jiwon Ma: Let me go back and talk about the TSA, FAA, CISA collaboration. So I think that recommendation is really just about creating a more holistic approach to cybersecurity risk assessment.

So right now you have TSA focused on transportation security, the FAA focused on aviation security, CISA focused on critical infrastructure protection, but cyber threats don't necessarily fall neatly into these three buckets, right? So they don't respect those organizational boundaries, so we shouldn't either.

So by conducting this joint comprehensive [00:31:00] assessment, they are able to get a complete picture of how cybersecurity vulnerabilities might affect both the safety and the security operations. And what we mean by high-impact airports is often the ones that are heavily used for dual use. So whether the military needs it for power projection, moving equipment and personnel, but also hubs that people really rely on to just travel. And I think for software supply chain security specifically, this would mean evaluating not just whether software meets individual agency requirements, but how software dependencies and third-party relationships create systemic risk across the aviation ecosystem.

So these assessments could really also just be helpful to find and identify the common vulnerabilities across multiple airports and just develop [00:32:00] some sort of standardized approaches to software supply chain risk management that could be scaled industry-wide. I just don't think that we have insight into what vulnerabilities we're dealing with right now, and I think that is a big step forward, to just take an accounting of all the issues that we're dealing with, and that was the primary focus of this recommendation.

Paul Roberts: Sure. And we know that there are efforts in the broader federal sector to have more transparency and accountability around software. The CISA guidelines around software bills of materials and things like that, so that government agencies can have an idea of what's in the software that they're getting from suppliers.

But obviously that's a much different problem in the aviation sector than it is in just your general enterprise environment. Some of the big players in the aviation industry are obviously private sector firms, from manufacturing through to software support. Is it your sense that they are upping their game [00:33:00] and changing their behavior to address some of these supply chain risks and cyber risks that have been called out?

Jiwon Ma: I think it's mixed. I think major airlines and airport operators have made significant investments in cybersecurity capabilities, especially after high-profile incidents.

But, I don't know. I can't say that with confidence when we see that the FAA is investing so little in cybersecurity enhancements, and I do wanna give credit to a lot of the airport operators and people who are working on the ground, because they do work very efficiently with their law enforcement agencies when incidents strike. But there is still a significant disparity in cybersecurity maturity across the industry. Smaller regional airports and airlines often lack the resources for [00:34:00] comprehensive cybersecurity programs, and that just creates vulnerabilities that can affect the broader ecosystem.

So I think that's challenging. I think the industry has also just made progress in collaborative initiatives, like sector-specific information sharing with the aviation ISAC, the information sharing knowledge center. They are one of the players, but to be a member of the aviation ISAC, you do have to pay, which means that smaller airports can't afford $14,000 to be part of this threat intelligence information sharing community.

So there are some joint threat intelligence efforts happening. I think industry is definitely talking to each other. They're trying to do coordinated response planning, but I think we need more standardization and coordination. I think TSA, FAA, CISA all have to show and lead with the fact that they're role models [00:35:00] trying to do cybersecurity better, for the industry to follow suit.

Paul Roberts: Two more questions. So obviously I'm interested in what response you got after the report came out in April. Did you hear from any entities within the aviation industry or on the federal side about the conclusions and the recommendations that you have in your report?

And maybe if you could give us a high-level view of some of the recommendations that the report had.

Jiwon Ma: Sure. So I think people tend to be nice, especially when they disagree. So I haven't heard a lot of negative feedback or pushback, really. I think that there have been questions of why didn't you include X and why didn't you include Y?

But I think that when I've talked to private sector industry members looking at the cybersecurity challenges of aviation, they were very happy to see that we were talking about their regulatory needs, the oversight needs. So the [00:36:00] cybersecurity vendors are aware and they are supportive. I think this report could have been very difficult to base if you are a TSA or FAA person. But I think they do acknowledge the fact that there's more work that needs to be done, and I do appreciate that they didn't take it personally. It's not an attack. I do just want things to be better and safer for Americans. And it was good that people weren't in disagreement that there are issues, because I really think this is the first step that we can take to start addressing these issues.

So, I think the overall high-level picture of the recommendations we've made was: recognizing that it's expensive to fix cybersecurity, so we need to provide smaller airports help in order to do this. We can't just tell them, Hey, go fix all of your issues. They're like, we're trying to, but we just don't have the money to, and then we have to recognize that [00:37:00] is a challenge.

Paul Roberts: Now they're called the security poverty line, right? That cybersecurity is a function of wealth, for many companies, right?

Jiwon Ma: It really is. And I also think another general high level analysis of like our recommendations is that agencies have to work with each other.

It's difficult to take the lead when there are three different groups involved in managing one sector. And I think that it's one of those issues where you have a group project that you have to do and one person gets stuck with doing all the things when everyone should really be participating and sharing the burden.

That can be challenging, and at a certain point you get exasperated, you get burnt out and you just operate with what the status quo has always been. So we're trying to push that. We're trying to reinvigorate the sector to care about cybersecurity and that they're really leaders in this field and they could make change. Even though NextGen hasn't seen a lot of success, it [00:38:00] doesn't mean that it just needs to fail.

Maybe we could ditch it. I don't know, maybe that's a hot take. But I think if we think about cybersecurity investments, the way that private sector is thinking about for government agencies, it's okay if we fail. We can cut those things out and it's not starting from scratch.

We've had a lot of lessons learned. We know where to invest money into things to make it better and how to restructure these things. There's a lot of historical knowledge that the government agencies have gained out of this. The private sector, third party companies and also airline companies, airports, they've learned a lot.

And when I speak to industry folks, I learn so much from them, every single conversation. So I know that the information is there. I know that the passion is there. So we are really just nudging the industry to work together, listen to the private sector. This is not about making it difficult for them to implement [00:39:00] cybersecurity requirements but just really to create a safer ecosystem. So, that is my hopeful and optimistic vision for these recommendations. So hopefully people are more willing to speak to one another, work with each other, use each other's expertise, and not take it as encroaching on the boundaries of certain organizations.

That was the dream there.

Paul Roberts: Final question, obviously a lot of changes in leadership and policy and focus. Do we get a sense with the new administration and new Congress that this issue around cybersecurity in the aviation industry is a priority and anything bubbling up on Capitol Hill or elsewhere that that might move the needle on this?

Jiwon Ma: Yeah. So I know that ears perk up when we talk about transportation, so I know people care, congressional members are aware. I do anticipate there being more transportation [00:40:00] focused provisions in the National Defense Authorization Act, the NDAA.

I think that TSA will re-envision the way that they approach cybersecurity requirements, especially just on trends with how they have been improving the way that they approach working with the private sector. Especially under David Pekoske, he was the previous TSA administrator. And, I think the challenges still remain.

I do hear Secretary Duffy talking about how the aviation system is safe and then there are a lot of redundancies in place to keep this critical infrastructure going strong. But, I do wanna challenge him on that notion when there are a lot of legacy systems that are still not modernized. They don't have the cybersecurity enhancements that they need.

It's difficult to really say that there are redundancies; redundancies can't be paper and pencil. It has to be [00:41:00] systems that air traffic controllers can really work with and support their work, not necessarily have the controllers hold up the infrastructure, because that's essentially what they're doing.

So I really hope that this issue gains some more traction. And I hope that congressional members are listening. I know a lot of them do care. I just want them to follow through with how much they care to actually make some policy changes. So, I'm gonna try to stay optimistic just like I was in my report.

I am hopeful, but we shall see.

Paul Roberts: Jiwon, is there anything I didn't ask you that you want to say before we break?

Jiwon Ma: No, I think these questions are great. I really enjoyed this conversation.

Paul Roberts: Jiwon Ma, senior policy analyst at the Foundation for Defense of Democracies. Thank you so much for joining us on ConversingLabs podcast to talk about your report, Turbulence Ahead, and we'll provide a link to that in the post when we post this [00:42:00] podcast online, and thank you for all the work you're doing.

Jiwon Ma: Thank you so much.

Paul Roberts: It's really important, and really enjoyed reading the report and hopefully something positive will come out of it.

Jiwon Ma: Yeah. I am hopeful. Thank you so much, Paul. This was great.

Paul Roberts: Thank you. And we'll have you back. Thanks everyone for joining us again on this episode of the ConversingLabs podcast.

Stay tuned. We've got more ConversingLabs podcasts coming up in the weeks ahead and some more great people to be talking to. Stay tuned for our next episode.
