Meet Boeing Senior Technical Fellow Tom Bui, who develops the company’s strategy for R&D investments made in cyber technology systems, software and architecture.
Q: Hacking and cybercrime are dominating the news these days. How has the global cybersecurity landscape changed?
A: The benefits of digital systems—notably scalability, programmability and ubiquity—are increasingly leveraged in the design of new network systems. For example, a vast majority of vital functions in our military and commercial airplanes are performed by networked digital systems versus roughly 30 percent just two decades ago.
As one would expect, the number of vulnerabilities in the system that could be exploited for nefarious intent grows as technology progresses, providing a number of ways an attacker might compromise the information or system. Attackers, organized or not, have access to hacking tools and financial resources. In addition, there is little or no penalty for attackers, while their rewards are generally significant.
Q: What can the cybersecurity community do about it?
A: Cybersecurity threats are dynamic and unpredictable. The traditional approach to cybersecurity has been more like a bolt-on implementation after functional features were designed, instead of the preferred baked-in-from-the-start approach that we now undertake. We’re shifting from a reactive architecture to a proactive one where we anticipate an attack by knowing our attack surfaces and understanding the attackers’ strategies and tactics. So, our response is quick and effective.
To counter the increasing speed of successful attacks and the wide range of attack vectors—and to improve on the often long delay between the launch and discovery of attacks—cyber defense systems need to collaborate in near real-time. They can do this through sharing and learning via trusted communities and working toward a cyber-ecosystem where risk decisions are automated by machines with human oversight. Advances in machine learning, large-scale data analytics, and standards like the Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information eXpression (STIX) play a role toward this capability.
Q: What are the opportunities for Boeing?
A: Boeing has unique opportunities to address these challenges on many fronts. Our research and technology arm is advancing technology beyond a proactive architecture to a resilient cybersecurity where our systems adapt to new threats. We invest heavily in advanced technologies and products to protect our airplanes from current and anticipated future threats.
One example of this is Boeing’s collaboration with others in industry and academia on DARPA’s High Assurance Cyber Military Systems (HACMS) with the aim of creating cyber-physical systems that are functionally correct and meet appropriate safety and security properties. Such systems are less vulnerable to remote attacks.
As Boeing’s products span frontiers from undersea to air to space, we have also developed unique cybersecurity capabilities such as the key management security protocol and architecture for Delay/Disruption Tolerant Networking (DTN) for NASA’s interplanetary missions and submitted for standardization with the Internet Engineering Task Force.
Q: What are the unique challenges for Boeing?
A: The short turnaround time between discovering a vulnerability and mounting an attack necessitates frequent patching of in-service products. This poses a challenge to the longer update cycle for our commercial products (due to the certification process).
On top of that, governments are introducing legislation and issuing guidance for compliance at the product and corporate levels, and extending our responsibility beyond our traditional enterprise boundary to include our suppliers.
Q: What’s a misconception people might have about cybersecurity?
A: Thinking that technology will solve all cybersecurity problems. We do have the technology and systems in place to mitigate cyber risks, but the weak link is arguably still with the users—phishing attacks via email messages being the quintessential example. Cybersecurity awareness and cyber hygiene can help avoid many attacks. A robust cybersecurity culture is an essential component of a successful cybersecurity strategy.
By Will Wilson