
okay can anybody hear me in the back row awesome so first of all tons of thanks and gratitude the fact that on day one of a vegas conference you came out to the coveted highly sought after 6 pm speaking slot and those of you that also thought ahead and brought a cocktail with you i really appreciate that so i expect lots of laughter and man that guy's amazing how do i get more so i appreciate that and winnie thanks for the introduction thank you to beau everybody that's involved that i am the cavalry track for letting me come in here and talk again second time last time i was here two years ago with dave on a panel
and i'm super happy to be able to provide my experience the perspective that i gained from my time in the air force my time working in government hence the talk title and the idea of or how i learned to love a guppy i'm no longer there and i'll go through my background in a little bit but i want to be able to share that with you share it with the security researchers the hacker community to help you guys appreciate what goes on and motivate you to participate in all the different efforts that are happening they're government efforts they're not always the best and not the way we want them but they're available and there's lots of good ways that you
can contribute your knowledge so the big thing that when i go through and talk about this that i want to bring out i was in the pentagon in 2014 it was my last assignment prison sentence in the air force and i left in the fall of 2017 so i saw both administrations i am not going to talk about politics i'm not gonna go there if you bring it up i'm gonna shut you down i don't care of what your thoughts are on either administration so i just put that out as a caveat so we don't have to worry about that okay with that let's get rolling so i'm an expert i'm up here talking beau
thinks i'm an expert but what makes me an expert so i want to dispel some rumor beau beau said i'm an expert that's why i'm going to keep using that because he's sitting right here but when i was making this talk i found this on uh standard on the internet on on twitter and there's a nice gentleman in australia and i thought it was perfectly fitting that something happened in australia and he was commiserating about the fact of oh great here comes another expert and my thought was uh oh i might be that guy at this talk so let me let me see if i fit this so a little bit hard to read i understand
but on number one here it says an old bloke with gray hair who used to work for casa which i believe is the australian version the faa i could be a little younger i'll give you that i keep my hair cut short so you can't really tell if it's gray and i didn't ever work for the faa so i don't fit that i i'll give you maybe a maybe on that at least uh worked in the terminal three at a gloria jean store as an employee nope i definitely didn't do that i'm not really an uber driver but i have two daughters and when they want to go somewhere there's no waiting so yeah i'm
definitely in that i'm on twitter i live near dulles i live near reagan in the dc area but not really so i'll at least say no there i'm not an australian comedian that that i'm 100 sure of and i don't have a book so when i talk about expertise at least i can give you that idea that i bring something that's what i used to do i don't get to talk about it much so at least i get to show a cool picture because i'm talking about airplanes and it was awesome that's an f-15 and that's no me there's not many of those so i'm like that's me that you can't tell that could be beau for all we know
but i'm telling you it's me i swear that's right so that's the only way you don't know so that was a mission flying over uh presidential protection i can't remember what country it was in europe but i'm like all right that's pretty cool and then that was an f-15 and then i moved over to f-22 so that's my background when i was in the air force that's my nice corporate resume slide so you can all go yes steve's boss he really did give a talk and he really did mention that he works at t-rex solutions that's all i need from you so right there i'm covered but i'm a ciso right now so i don't have
a deep security background leadership time in the air force things of that nature i am learning about what you all do i'm appreciating the hell out of it and i got some super talented guys on my team so t-rex solutions like i said ciso we do federal i.t contracts we don't do anything with aviation cyber so everything i'm talking about is steve's opinion on things the other key thing to pull out other than that some things i'll point out i know it's hard to read but things i just want you to see is my time in the military all of it or a vast majority of it was flying had a great time with that
great assignments around the world my last three years as i mentioned we're in the pentagon working on cyber policy and that's where i really got into things and i will say back into things because previously working with the navy in 2006 when they were looking at 2030 and beyond when we talk about cyber warfare and i'm going to say cyber i'm going to say cyber security and i apologize for that because i hate it and information security is the correct thing but just the idea of when i described this is what the navy was working on and that's where i got back into understanding what's going on in the security community and then just staying with that
as i went into the pentagon working cyber policy so a lot of things interagency what's going on with dhs what's in fbi faa cia all the things associated with military cyber operations working with the national security council staff very interesting seeing how the sausage is being made in government so somewhat scary there too all the things on this slide what i really want to highlight is this bottom left corner namely schmuck on fire talk winner inspired by beau woods and some cocktails my friend alex romero and i gave a talk there so i will at least say having given talks having been here before i thoroughly enjoy trying to contribute to everything that's going on i don't bring the deep
technical background but hopefully again sharing those perspective and experiences that will help you guys understand what's going on and motivate you to help contribute to these efforts so as i go through i'm talking about aviation cyber security no surprise there what i want to do first though in the upfront portion of this is give you some background because i think there's so many things in when we talk about this it gets confusing well do you mean the airplane or the airport or the thing on the airplane or the thing over here and so it's just aligning perspectives and so it's the idea of what's going on and how do i approach it so that you understand you don't have to
agree but at least you can see the approach that i'm taking when i talk about these things so the aviation ecosystem you probably have seen similar charts to this before this is not anything original i can't remember exactly where i got it i'm sure i stole it from somewhere but the idea is we typically talk about aviation cyber we read articles and we hear about things like the airplane the commercial aircraft the passenger airplane that you probably flew coming out here if that's how you got here there's the manufacturers there's the airplane itself there's the software on the airplane but then there's the airport the airport is its own ecosystem there are so many entities on an airport whether it's the
aircraft the airline companies the baggage people all the things that make an airport work they have their own little ecosystem of things as well as all the navigation systems both in space in the air on the ground and all of that has suppliers and chips and hardware and software and every single icon that you see up there every single arrow connecting those is where a vulnerability can exist a vulnerability that can be exploited so when i say the aviation ecosystem it's not just the airplane that we typically hear about it's the entirety of what we have to worry about in this very complex problem and when we're trying to talk about who's doing what and how are we going to
solve it another thing that typically comes up it helps having analogies you hear about ics ics systems you build something you put it in an electrical plant it sits there forever and ever it's remote you remote connect to it you run it you never have to go out and replace it some of that is valid when we talk about aircraft or a navigation system that's out in the middle of the country that i would use as i'm flying from where i used to be based in florida all the way out here to las vegas to do training up at nellis and there are out in the middle of desert these nav aids that nobody goes
to very often so again like ics they're made to last they're made to be monitored and not have a lot of interaction the same analogy holds true that we've learned with ics that's a terrible idea when we're talking about vulnerabilities that need to be patched and fixed so we're learning some of those same lessons in that sense where i will say that analogy doesn't work very well is understanding and agreeing with the idea that ics has impact on lives when it comes to power water things of that nature totally agree but i think where we get excited with airplanes is airplanes are up high and if something goes wrong on an airplane we're all going to drop and hit the
ground and die so it's not the same analogy i'm not saying that's the case with when i talk about aviation cyber but that's what i mean by we get excited when we think about those things so the other thing i want to bring up most like or most dangerous versus most likely and that's the idea that when we hear aviation cyber and we think about hacking an airplane and we think about how it can make an airplane crash we get very excited about it because we should it's a big deal people could die very directly very immediately so it's something as we're talking about that we should be talking about and it's also because it's exciting like
that that's what typically comes out in movies and so that's what i think in general that we all tend to gravitate towards and go well we got to solve this problem with the airplane because it's the biggest baddest most worrisome thing out there absolutely it's the most dangerous the chances of the technical capability the vulnerabilities getting exploited relatively low okay i won't say they're zero but i'm saying they're less than the most likely causes that they aren't as bad they're not as fun they don't make for a good movie they're boring and i'm talking about things like if we're messing with a pilot's navigation capabilities or interrupting their ability to communicate or we're making that
communication untrustworthy that i will tell you from my flying background is a big worry because i may not know that's happening and so what i'm trying to do is make sure that we appreciate the idea of we tend to think about these really really bad terrible things but on a daily basis this is what i worry about more it's that low level boring stuff because what i want you to imagine is i'm flying around my background in an aircraft all by myself that's where i used to work i long for the days so i get to at least say i remember that i was never in a commercial aircraft where i'm in there with somebody else
helping me out but the idea is when i'm trying to handle an aircraft problem and i can't talk to somebody and i can't navigate or i don't trust what's going on and now you throw in bad weather that makes my job harder so i have procedures to handle that i have training to handle that but it just makes it harder that's incredibly dangerous it's just not fun to talk about and that's a boring movie to show me flying around in clouds trying to handle a problem so again that's just an appreciation the differences there again i'll talk about the idea that if i was flying around by myself i'm always a part of a team right so
i've got other aircraft with other pilots there to help me out i can communicate to folks on the ground if i need them to help me out with a checklist help me fix a problem or understand the problem and hurry up and land translates over i'm not a commercial pilot i don't have that background but in a cockpit with multiple people in there where they can talk to each other the same concepts they can talk to their company they can talk to air traffic control they can get help solving those problems the ideas translate across even though it's different aircraft and the idea is that they can work together another concept that i i've heard about
every now and then i don't think it's taken hold and i'm glad is the idea that well we need pilots to understand hacking some pilots are a bunch of monkeys and the last thing you want them worrying about is hacking because flying's not that hard anybody can do it the idea that i need to learn how you do your hacking things and how that makes my aircraft do what it's doing that's not where the focus should be the focus should be i have a problem i know i have to hurry up and land i have to mildly tense up and land or eventually i have to land but i know i have procedures in place so
even in the example i gave you bad weather i can't navigate i can't communicate i have lots and lots of backup procedures so understanding and appreciating the hacking threat if we're going to talk about a malicious actor who's getting there and doing things totally with you on that but again some of the discussions i've heard have gone off on the rails of well we need to teach them all these things and and help them troubleshoot problems in the airplane i know how the gas pumps work with inside the airplane i know how they connected the engine i'm not going to fix that when i'm flying so again from a pilot perspective just where on the scale of what i need to
worry about is what i want to pass on to you okay so with that when we talk about aviation cyber security this community any of these new pictures you've never seen before does anybody know who that is on the left what article that's talking about who is it nice how about in the middle chris thank you render man you're my plants you're done for the rest of the day how about this guy on the right that's right so if i talked about hey what's going on the aviation cyber world and render man i didn't have a good article for you so i did not leave you out on purpose my friend i promise this is what i think this community
would talk about i've given this talk before from the opposite side to a government audience and they're like who are these guys they had no clue we know who they are and i'll say we as somebody who likes to participate and help out but you guys with the technical knowledge you know what they're they're talking about and this is what what is presented out there what's pushed out in a talk or in a story it goes through the media filter and they do their best but they often come out very sensationalized whether or not that was intended so i'm not judging on the validity of these claims i'm not judging on what they wanted i'm
not talking about that but this is what's typically out there and my point in talking about this is the idea that i don't think this is the most effective way it makes perfect sense when you have no other avenue when companies aren't listening to you when the government is not helping you out this is the way to get attention totally with that i think there's a better way to do it i think things are starting to change in a way that you all have better ways better avenues to engage and get attention and get your expertise appreciated and used okay the other story that'll come out has anybody ever heard of this one november 17 yeah so there's a
crazy there's a government dude out there saying this is what's going on with hacking this is what's happening buy me a drink later i'll tell you hours and hours of stories because i was still around when this was happening but this one this one pissed me off because this isn't the whole story there are elements absolutely totally agree with you but there's a whole lot missing but my point is it comes out as sensational whether or not it was intended and it misses a whole lot so when my mom asked me do i have to worry about flying number one she doesn't because she doesn't even know this is going on so it doesn't affect the flying public
didn't work and its intended consequences or if she does no mom things are good we got smart people helping out to fix things and nothing changes so again i think there's better avenues than just using media and there's lots of ways to build on that i think it's been a force for getting things to change but there are other things that have grown and gotten better that'll be even more useful in the future so with all that being said what's really going on and what's happening through here so back in uh 2017 pete cooper uh connected beau woods can tell you when he was working at the atlantic council josh corman was there at the
time also sponsored by thales wrote an aviation cyber security report i helped contribute a small part to that but it was a great report the first time of pulling all of that ecosystem and different representatives and getting their views to come together and talk about what are the real problems that we need to address here what are the things we're worried about and it got the concept out there that it's the flying public that we're worried about it's the fact that they trust what's going on and if you think about it just strictly from a u.s perspective the idea that's very important air travel to our economy to our security and the public's trust in that
we know airplanes crash but we still get on them and go fly right man flight is scary i get it but we still get on them as passengers so we want that same concept when it comes to cyber security things may be broke but we want the public to trust that it's going to get fixed the same way that we fix safety problems so i think that report did a great job of doing that and pete did a really good job of pulling all those different stakeholders together and representing that has anybody ever read this national you have holy crap there's two of us that's awesome thank you i only read it because i was putting this talk together
otherwise even in government i may not have so thank you well exactly had to do something so national strategy for aviation security this report came out in november of 17. this strategy came out december of 18. the strategy previous to it eight years old the first version of the strategy came out right after 9 11 and it was addressing aviation security issues the second iteration that came out eight years before this one didn't have a lot of cyber security but it was building on all those same mostly physical threats this version that came out was started and was being worked on even when i was still in government 2014 until i retired in 2017. then you had
the administration changes and then it had to get restarted and it had to have the new administration's twist on things like you would expect but it got published and it has better cyber security considerations in it they're not great i think they focus too much on things like airline ticketing systems and some of the more basic stuff that we typically hear about in media reports but in general it's an improvement i'm not telling you things are great it only took eight years to have this incremental improvement we're talking about the speed of government okay so that's the reality but the idea is it's getting better and so how do we push that along and how
do we help keep that get better faster from there other things that are being done in government early on when i got introduced to aviation cyber security while i was working at the pentagon so i'm representing dod equities when i'm sitting in the security council the staff meetings and taking things back getting my boss ready to go when he's talking at the higher level meetings but getting connected and working on a charter to get folks in the u.s government to work together to get dhs to get faa to get dod we agree to work together on this problem we're going to look at the policies we're going to look at the testing and what we can do to solve
these issues that aviation cyber security initiative has continued on it's grown and it is now a major initiative with those three agencies so they are looking at these problems they're finding ways to address these issues and help fix things again all the way from the policies on down to the actual testing it's not fast it's very ugly it is absolutely watching the sausage being made but it's getting better and it's continuing to get better from there so at least i can give you that as the good news story so with all of that in mind it's nothing but a rosy picture i know but the idea that it's a very complex system there's not any one
entity one agency that's running the whole thing and if you think about it what i showed you before that's the us version of things now connect that to the other countries and now we're talking a global issue so there's even a higher level of consideration to deal with there so there's a lot going on the stakeholders i primarily have talked about the government and industry side of this they don't always agree we had to have meetings to write a letter to agree to sign for three agencies in the same government all working for the same president to work together i kind of feel like that's embarrassing but that's how the bureaucracy works i appreciate that now
and what i also appreciate is being able to get the attention in the right place to get things done having seen it on the other side so i can at least give you that little glimmer of hope big picture yeah there's there's no doubt everybody agrees we want to get after this problem we want to fix things before it becomes a major issue that's that's the goal no doubt there and again the big things that you'll see come out whether it's i am the cavalry talking about it you'll hear about it at defcon a little bit is the idea we're looking at reliable safe trustworthy air travel and again go back to the report that i told you about
that pete wrote dealing with aviation cyber security it's the public's trust if we stop worrying about how each agency is doing things and we think about this is what matters to the public whether it's our friends and family whether it's us whether it's just the american citizens worrying about this and then how that translates to other countries absolutely and it's the resiliency of that trust of making sure that when something bad happens because it will that we can get it back quickly and so no doubt that that's happening from there so i told you before i had given this talk previously and the perspective that i chose was presenting that same background getting everybody thinking about it the same
but it was a government and an academic audience so before i go too far make any big assumptions i know a couple of folks in the audience who here's from government okay good yep i'll say former government awesome academic side of things student yep all right sounds good security researcher hacker community okay yeah it's a pretty good mix what other did i miss media media thank you awesome okay all right cool all right good so the audience that i talked to before i took them through and i said hey government people what do you think hackers look like here's the stereotype and then i took them through here's what they really look like so i'm gonna give you guys the
opposite of that and nice enough my friend brad haynes decided to join me today so he's a good example so i appreciate that so what's a government worker look like is that about right other than who's sitting in the room so you don't count that's probably okay what's the stereotype of government workers i can't say it because of what my company does but you guys can tell me what you think do they like to take company do they like to make risky decisions no not usually right what are other stereotypes that you think about when you think of a government worker anything for margin that guy he's awfully happy right there right right good cartoon the idea of what's going on
right another good movie standard dude in his briefcase okay look at this guy that to me looks like the perfect stereotypical government worker and anything that you have in your mind of what they represent and how they do things and what's going on so you can imagine where i'm going with this that's not necessarily the case okay i gave you some examples it's not pretty it's not fast we all want it to go faster there's a lot of different considerations going on but there are some good smart folks who are trying to work through these problems and i happen to have three of them these are my friends so and unfortunately they still look exactly like the stereotype
except for a nice monica over here so my friend steve over there on the left he's also retired air force both active duty then he served reserves and he retired from there he got brought back he was working in the pentagon and he was a large part of that aviation cyber security initiative that i talked about in getting connected where i worked at the time and then having a flying background that worked out conveniently saying good let's start working this and so he helped push a lot of these ideas along randy i showed you him he looks like a stereotype and i said randy i'm going to tell everybody you look like a stereotype and he's like yeah i know it's okay so
retired army helicopter pilot he understands things he's now leading the dhs portion of the aviation cyber security initiative that i told you about before he understands what's going on he is trying to help whether it's a coordinated vulnerability disclosure program or he's trying to find ways to smartly engage at a pace the government can be comfortable with the security researcher community so again he understands what's going on but he's pushing hard and he's trying to do good things to get you guys a big stakeholder in this problem because of the expertise you bring involved in helping to solve these again working with the government and then there's nice monica over here and she started off in dhs and then she was
on the security council staff totally gets it so when we went to her and said monica you're on the security council staff and we're trying to work this little insurgency over here we're trying to get our bosses to pay attention to what's going on the best way to get the boss to pay attention to what's going on is to have his boss call a meeting to talk about the topic that we're working on and that's when the security council started having these meetings talking about aviation cyber security that was a part of it they were doing some stuff that we helped nudge it a little further so i can at least say i'm proud of that
and which i want you to appreciate is this is at the time in that 2014 to 2017 period that you just had the north korea hacks with sony so we're worried about north korea we're starting to talk about what we think is russian entities on our critical infrastructure we haven't started talking about russian entities and election hacking yet we've been talking about chinese stealing our intellectual property there's a lot going on there's a lot of meetings it's some sweet action working in the bureaucracy to go to meetings all the time not really hence prison sentence when i was at the pentagon but understanding what's happening and making this a priority to get it to rise
to the level where things are getting done that's the good news story part of this so again what i want you to take away is that things are happening could be faster but they're moving along and that's good if you don't believe anything i've said i don't care what those people are doing i don't believe that they're actually caring i'll at least throw up one more example to try to convince you to believe my idea that good things are happening so the top half is written by one group the bottom half is written by another group i'll give you a minute to read through them
is there anything in either one of those statements that makes you go no way i'm supporting that do you see any big differences but to the between the two statements and what's written as if two groups that are off in different lands completely thinking about things differently are writing about them differently either you're all asleep or you totally agree and i'll take either one of those so some things i'll highlight from there where i think the similarities jump out how they're both looking at the different threats and the fact that we know somebody is trying to exploit them the fact that we know this is a big deal across the ecosystem to our economic security national
security passenger safety however you want to think about it does anybody know where that top set of statements came from what the source is government how about the bottom how do you know did you see my slides ahead of time all right you're right so no kidding right out of the national the national security strategy for aviation safety that i showed you before and when we were writing the statement of values for the aviation village that's going to be at def con in a couple of days that's the language we didn't look at the security strat i promise you we did not use that as a reference at all but it's the same idea we're all
working to the same goals we're all looking at the same thing we should not be talking differently and separately and not engaging each community with the good stakeholder and the capabilities they all bring to this problem so what can you do to get involved anybody know about hackers on the hill during b-sides dc yeah so beau walked out of the room josh i think they have been a big part of it because of the i am the cavalry work when you're in town for b-sides dc and they say hey who in the hacker community wants to go talk to the congressional staffers these are the folks that are writing and drafting the laws and bills that the congressmen are
voting on and they don't always have the technical background that you have but if they talk to you and they tell you what problems they have you can help them solve that and when you understand hey that person's not so bad they really are trying to do good work they're not the stereotype i thought they were then you're willing to engage with them also and that's a good thing so you're just getting to know each other if nothing else let alone actually working on issues and coming up with solutions and solving those problems what's that lead to i think everybody knows i kept pointing to beau and if there's any doubt at all the outrageous speaker demand that i asked
for that i completely forgot was beau woods in a vegas showgirl headdress so that's why he had that on i'm sad he's not here but please thank him for that so but that's beau on the left in the uh red shirt at defcon that's josh corman for those of you who know and you you may being a part of this track and participating in it but those guys helping out with hackers on the hill so in return let's bring the congressman out to defcon that's congressman langevin sitting down and that's congressman hurd standing up came out here last year at def con to talk to you all to find out what your problems are to
tell you what they're working on to find out and ask for your help solving them and that's happening again i don't know the exact details and i don't know if it's these guys or not but i know there's congressmen coming out engaging to make sure that you know what's going on and they can and get your help so again another way that you can help solve these problems dhs coordinated vulnerability disclosure program that dude right there is doing some of that jay there'll be some folks talking about the aviation village about some of those things dhs is getting better and improving and when you want to get a company's attention when you want to engage with them because you
found something and you want to solve it they can help you with that it hasn't always been great it's getting much better that's where they're available to help so they're they're there for you hack the pentagon defense digital service if you've heard of hack the pentagon there's hack the air force there's hack the marines there's hack the army i'm sure hack the navy either i'm missing it or they're soon to jump in ways that you bug bounty can do bug bounty programs helping each one of the military services across a variety of things that they want your help finding the vulnerabilities some of these things and i'm i 99 sure and will confirm at the
aviation village some of this they have with hack the air force as far as aircraft equipment so you're in here hearing about aviation cyber you can talk to those guys if you want to focus on just that but again ways that the military and that bureaucracy is starting to understand there's ways to engage you and bring your talents in and get some good value and interactions out of it and then finally i am the cavalry that's the track here and then i mentioned it before but i want to make sure the logo is up there and it's very very clear at defcon first time aviation village so renderman's gonna talk about ads-b and how to create a what's it tell me
again i don't want to say it wrong just a receiver basically on how to get into uh listening pulling this data out of the air aircraft directly and so he's one of the workshops we've got multiple sets of speakers talking about a variety of topics increase your understanding of how aircraft systems work increase understanding of how the navigation systems work meet the defense digital service folks there's going to be lots of demos of some of the technologies and things that you can understand aircraft systems and if you want to do more work with them you can talk to them i'll be there as a volunteer if you want to talk more pilot stuff i can offer you
that perspective we've got some air force folks coming in that are doing things and if nothing else we have an f-35 simulator so if you just want to come in and fly something around it's pretty cool it's not an f-22 the best airplane but it's pretty darn good so lots of good reasons there and like i said again it's a chance to come in get engaged meet the folks that are involved in this and then help figure out where you contribute to those efforts so with that i am done i will gladly take your questions i also understand exactly what's happening between right now and the time that you clap and walk out and go to the bar so what
kind of questions do you have for me and there's beau in his headdress yeah i had to step out a minute but uh did you ever mention aviation isac i did not not purposely leaving them out i thought of them more as industry and i focused on government and the hacker side of things versus trying to pick out industry because i'm wary i don't want to represent what companies are doing i don't want to talk about things i shouldn't be talking about so that was consciously and i put the isac in the industry part of that okay cool yeah because i had uh when i had gained access to boeing we're pretty worried about fixing it so
yeah absolutely and the isac i would say well dhs and isac are together because that's where the isacs came from but lots of good cooperation lots of good talent and smart things there so absolutely another avenue to go to if you need help you bet
i just have a question regarding international cooperation um seeing as aviation is naturally an international absolutely kind of business yep is there any work with the iata or like transport canada because any standards that we you know improve upon yeah deployed globally yep so again i don't want to get into details of i'd rather the person i know who's doing that absolutely super smart folks similar backgrounds to mine that understand here's the issues here's the flying perspective on it here's the security research perspective on it and at those levels because like you said a lot of what we do in the us is because of what's done internationally because there's no reason to be different and we have to fit into that
entirety of that ecosystem so yeah absolutely that kind of work's going on and that's also go back to your question about the aviation isac the european version of that so absolutely all those things are being considered and there was a question on this side dave you can't ask me a question or can i so um steve i'm wondering if you have thoughts or suggestions for how lay people that is to say non-pilots non-aviation folks just cyber security practitioners or researchers who they've not focused on this specific issue but do you have thoughts or suggestions or perhaps others do about effective ways to get into the game so i would say i'm probably more in that
category just because i've flown an airplane doesn't mean i know jack about aviation cyber sorry to ruin the surprise but the idea that when i talked about before i know how to react to an aircraft emergency i know how to handle things there no matter what causes it right so but i can at least offer the perspective when i put on my security hat and what i know from that or the policy side so i would say there's plenty of opportunities depends on which one of those you want to pick so the way you describe it of if you're just a security professional you have those skills you bet you could be contributing on the
policy side you could be contributing talking to pilots going here's the focus here's why you're not going to know what's going on that's okay that's what the security folks are doing here you've got your procedures to fall back on so i think there are a lot of ways that aren't they're just not that obvious but they need to be talked about and that's where the contribution can come in to make sure that dialogue is happening to appreciate the extent of the problem or where it isn't really a problem depending on where it falls i've been if anybody else has thoughts on that too yeah
yeah for uh my research with ads-b it was literally just sitting around reading public documents um going through parsing them realizing how the system worked and then applying uh the hacker mentality of okay i'm seeing a problem here unencrypted unauthenticated bad words to be seen um and then like not finding that there was mitigations in any public documents and asking the questions um everybody in the industry seemed to be thinking a lot about oh yeah we built the system you know we implemented it now we'll move on to this other thing they never looked back and said oh well sdrs came out that's a game changer for a lot of things you know they never
look back with that critical eye so i think the more eyes you have on these these potential issues and it can be just as easy you don't need to have a you know cockpit worth of equipment or anything like that like i said everything i did was just public documents yeah i think ads-b is a good example you know when i look at it the open architecture what it does to provide more information to more aircraft you can squish more together vertically so they can fly closer together instead of having to follow a highway like a car they can just go here to here to here because that's the best way to go and if
i can time deconflict as well as altitude or all of that's good so yes let's make it open let's share the heck out of it how did that work how did we how did that work when we had this nice open unsecure internet and now all the lessons we're learning we're kind of seeing some of that on the ads-b side how much do we need to worry about it should we worry about it all of those questions absolutely so there's good perspectives that you can bring to that discussion
hey how's it going uh you mentioned congressional leadership coming in conferences like this to learn more about the topic two-part question one is that a recent evolution and two do you think overall congressional leadership is given the appropriate amount of information or attention to a topic like this so i'm the i'm going to answer because i have the experts sitting in front of me so yes i believe last year's def con when the congressman coming out two years ago sorry that's the first time that ever happened
in 2015 hurd and swalwell came and did a talk at uh crypto privacy village um in 2017 uh josh and i brought members of congress um hurd and langevin out now for a bigger event given the tours of the villages and things this year last year a bunch of congressional staffers came on a delegation from the wilson center this year i'm teaming up with wilson center to bring members and staffers and we're going to be over there aviation village is on the list of places to stop by and look so there's an increasing amount of participation among congressional leadership or you know the grunts who do the actual work uh like the staffers
um and we're trying to get them the the bridges built so that they can have more direct communications with our community and that's i think the answer also to the second half of your question because i wasn't going to touch that one but it's the idea of getting the right people there because if you don't even have the conversation it's getting all that technical expertise up to them absolutely yeah other questions i'll be around sorry yep go ahead yeah i i wanted to go back a bit to the the news stories sensationalized news stories over there but do you think that actually i mean that needed to happen i'm not talking about the headlines or or the
presentation but even the the researchers work i know hugo and ruben uh they've not necessarily gone big from the start they started with small things and they got they kept getting ignored or downplayed and this is because obviously companies or or institutions go into defensive mode and say well this is not really uh that big of a deal and they say well no it is and next year they come with something even bigger to prove them wrong and i think that does help in in a way and in it like this to what we have now uh hackers having a challenge having to prove them wrong totally agree with that so please do not take away
any thought that that shouldn't have happened let me let me phrase it this way it shouldn't have happened because if industry and government were more responsive were more ready for it absolutely they would have gotten the response they were looking for but what i don't what concerns me is if that becomes that's the only thing that this crowd knows is going on because you don't hear oh the government did their job today stories who cares that's not exciting and i wouldn't read that story but you hear these other things and the tendency is they come out and become sensationalized so the idea is it shouldn't have been that way i totally agree with that i'm certain is
the p that started rolling down the hill and became a snowball and is now kicking everybody in the ass and things are happening that's awesome that's a whole nother talk debate and everything about all of that but here's where we are so hopefully i can at least offer the little teeny tiny glimmer of hope that i can of things are getting better people are listening uh you know getting past stereotypes like i said the example of you all are straight your media so you don't count but the idea that like i said you know renderman who graciously said yes you can use my picture and i talk about it i go look here's this dude
renderman he looks different he does things different he's tired of waiting on your and therefore he's going to do what it takes to get the word out and they're all like there there was it i think it was very well received as far as yeah okay i guess he's not all that strange right i was just asking questions yeah exactly my evidence please prove me wrong yeah help me help you fix it exactly so
yellow your motivation is this your whatever is that and i know there's plenty of media in the room i'm not bashing on you guys i get it you have a hard job it's a pain to try to translate and sometimes it gets sensationalized whether or not you intended it whether or not the person you're talking about intended it it happens but that's what gets picked up i showed you before that atlantic council report that got rolled out i think it was a wednesday and there was panel discussions and all this stuff was going on like i'm going to show my mom this picture this is great i got to be on a panel yeehaw thursday
government employee that talked about the hacking the article i showed you that was at a conference friday night that's on the nbc news there's no coverage of what we did steve can't show his mom what was on tv and why would you or it's just not going to make the news those are the things that get talked about but again it's knowing what else is going on out there and knowing there are other avenues that you can get things done and get engaged and get talking with the right people and the media is still there as an option and it helps the media know who to go talk to so i think to me it's good for everybody
knowing who's available and who to start engaging with correctly and to dig in and go find out more about these other things because there's a lot of good work and it'd be awesome to hear about and today the government did a good job that'd be pretty neat i'm not even in government anymore and i'd be happy to see that so the weirdest night was when that report came out from dhs basically it proved i wasn't crazy and the dhs has heard that what else okay i'll be around no kidding thank you last talk on the first day you're still here and you stayed till the end i really appreciate it so any questions i can answer anything else
otherwise have a good night