In November 2014, at an IATA AVSEC World conference in Washington D.C., I addressed the industry for the first time on the cyber threat facing aviation. During the presentation, I explained what the cyber threat was, its ‘advantages’ over the ‘traditional’ threats to the aviation industry, as well as what possible effects it could have against aviation, among other aspects. I also highlighted the importance of the industry being prepared, and the need to adopt a preventative approach to the threat, rather than a reactionary one.
I referred to the findings of the 9/11 Commission, which had highlighted an intrinsic failure of the industry – the failure of ‘imagination’. The commission had concluded that should the industry not utilise ‘imagination’, then policies are not created, capabilities are not developed and therefore, as a result, management is not trained on new forms of attack.
This, in my opinion, tied in perfectly with the cyber threat, and still applies today. This is because it is through imagination that we can try and foresee what the threats of tomorrow might be, and therefore, determine what we can do to prevent them, or at best, be resilient to them.
Six years on from the conference, the industry is indeed acknowledging that the cyber threat is real; such cyber threats have been deemed by ICAO to be ‘among the growing concerns for the aviation industry today and are expected to remain so for the foreseeable future.’
Essential elements in acquiring resilience to the cyber threat are the development of ‘awareness’ and the delivery of ‘training’. These are two key words that are being spoken about at an international level, and can be seen in ICAO’s Cybersecurity Strategy and the ICAO Cybersecurity Action Plan, the latter providing implementation guidance for Member States.
The strategy acknowledges that the ‘human element is at the core of cybersecurity’ and, therefore, it is important that the aviation industry ensures that personnel are ‘qualified and knowledgeable in both aviation and cybersecurity’. This is fundamental as the two cannot be seen as separate and distinct, but have now amalgamated and aviation industry personnel have to be aware of this and trained in this regard.
Therefore, increasing awareness of cybersecurity in aviation through training is important. Such training would foster a cybersecurity culture, which, in the author’s opinion, is essential for establishing an effective first line of defence and fundamental to cyber resilience.
By way of conclusion to this ‘Personal View’, I would like to thank Philip Baum for giving me the opportunity to be part of the Editorial Advisory Board of Aviation Security International, and for enabling me to share articles on various legal aspects pertaining to aviation security over the years, as well as to the rest of the team and other members of the Editorial Advisory Board. For all these years, ASI has indeed been an indispensable source of information on various aviation security topics.
Dr. Rebekah Tanti-Dougall is a partner with advocates Tanti-Dougall and Associates Law Firm based in Malta, specialising in the legal aspects of safety and security in aviation. She is a legal advisor on the cyber threat and is a member of ICAO’s Secretariat Study Group on Cyber, as well as chair and co-rapporteur of the legal sub-group of the SSGC. Rebekah is also the legal advisor to the Bureau of Air Accident Investigation in Malta. She has been lecturing on aviation law for over six years. She also provides training on various legal aspects of safety and security in aviation, including with the JAA TO on the cyber threat in aviation. She may be contacted on email@example.com.