Talking cybersecurity and cyber threats

Tom Bui

The cybersecurity community is moving “from a reactive architecture to a proactive one” that anticipates attacks, said Tom Bui, Boeing Senior Technical Fellow. Photograph by Paul Pinner

Meet Boeing Senior Technical Fellow Tom Bui, who develops the company’s strategy for R&D investments made in cyber technology systems, software and architecture

Q: Hacking and cybercrime are dominating the news these days. How has the global cybersecurity landscape changed?

A: The benefits of digital systems—notably scalability, programmability and ubiquity—are increasingly leveraged in the design of new network systems. For example, a vast majority of vital functions in our military and commercial airplanes are performed by networked digital systems versus roughly 30 percent just two decades ago.

As one would expect, the number of vulnerabilities in the system that could be exploited for nefarious intent grows as technology progresses, providing a number of ways an attacker might compromise the information or system. Attackers, organized or not, have access to hacking tools and financial resources. In addition, there is no or little penalty for attackers, while their rewards are generally significant.

Q: What can the cybersecurity community do about it?

A: Cybersecurity threats are dynamic and unpredictable. The traditional approach to cybersecurity has been more like a bolt-on implementation after functional features were designed, instead of the preferred baked-in-from-the-start approach that we now undertake. We’re shifting from a reactive architecture to a proactive one where we anticipate an attack by knowing our attack surfaces and understanding the attackers’ strategies and tactics. So, our response is quick and effective.

To counter the increasing speed of successful attacks and the wide range of attack vectors—and to improve on the often long delay between the launch and discovery of attacks—cyber defense systems need to collaborate in near real-time. They can do this through sharing and learning via trusted communities and working toward a cyber-ecosystem where risk decisions are automated by machines with human oversight. Advances in machine learning, large scale data analytics, and standards like the Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information eXpression (STIX) play a role toward this capability.

Q: What are the opportunities for Boeing?

A: Boeing has unique opportunities to address these challenges on many fronts. Our research and technology arm is advancing technology beyond a proactive architecture to a resilient cybersecurity where our systems adapt to new threats. We invest heavily in advanced technologies and products to protect our airplanes from current and anticipated future threats.

One example of this is Boeing’s collaboration with others in industry and academia on DARPA’s High Assurance Cyber Military Systems (HACMS) with the aim of creating cyber-physical systems that are functionally correct and meet appropriate safety and security properties. Such systems are less vulnerable to remote attacks.

As Boeing’s products span frontiers from undersea to air to space, we have also developed unique cybersecurity capabilities such as the key management security protocol and architecture for Delay/Disruption Tolerant Networking (DTN) for NASA’s interplanetary missions and submitted for standardization with the Internet Engineering Task Force.

Q: What are the unique challenges for Boeing?

A: The short turnaround time between discovering a vulnerability and mounting an attack necessitates frequent patching of in-service products. This poses a challenge to the longer update cycle for our commercial products (due to the certification process).

On top of that, governments are introducing legislation and issuing guidance for compliance at the product and corporate levels, and extending our responsibility beyond our traditional enterprise boundary to include our suppliers.

Q: What’s a misconception people might have about cybersecurity?

A: Thinking that technology will solve all cybersecurity problems. We do have the technology and systems in place to mitigate cyber risks, but the weak link is arguably still with the users—phishing attacks via email messages being the quintessential example. Cybersecurity awareness and cyber hygiene can help avoid many attacks. A robust cybersecurity culture is an essential component of a successful cybersecurity strategy.

By Will Wilson

    Securing an increasingly connected world

    The U.S. Department of Homeland Security recently released “Strategic Principles for Securing the Internet of Things (IoT), Version 1.0.” The principles cover areas such as incorporating security in the design phase and prioritizing security measures according to potential impact. As part of the DHS mission to work with the private sector to drive cybersecurity, the principles target IoT developers, IoT manufacturers, service providers and industrial and business consumers, including governments and infrastructure owners. The principles can be found at

    The U.S. National Institute of Standards and Technology (NIST) is requesting public comment until April 10 on its draft Cybersecurity Framework Version 1.1, released on Jan. 10. The draft and instructions for submitting comment can be viewed at

    The United States Commission on Enhancing National Cybersecurity’s “Report on Securing and Growing the Digital Economy” focuses on the need for international cooperation and public- and private-sector partnering. The report is available online at

    The Association of Southeast Asian Nations held its first Ministerial Conference on Cybersecurity in Singapore. As part of the conference, a new ASEAN Cyber Capacity Program was established, with the aim of funding training, expertise and resources for the region’s nations to defend against cyber threats.