Good morning, Ben. I'm Pete Cooper, Director of the Aerospace Village, and on behalf of the team, welcome to the Aerospace Village at virtual DEF CON 28. Not quite what we all thought was going to be the plan, but let's face it, 2020 is trying to throw as many curveballs at us as possible. So while we're all trying to stay safe and healthy, we've got an amazing three days of virtual content lined up for you, irrespective of you being completely new to this or whether you're a seasonal act match holder.

Aviation is really a cornerstone of the global infrastructure and economy. And while passenger safety is at an all-time high, the increasing adoption of connected and digitized technologies is exposing aircraft, airports, satellites and the interdependent aerospace ecosystem to new types of risks and threats. And the consequences of asylum security failure in a ground, air or space-based system can impact human life, public safety and even a crisis of confidence in the trustworthiness of air travel, which could undermine economic international security. And as those traditional domains of aviation safety and security increasingly overlap, the more we can collaborate to an all-stakeholder to ensure that we're going to be safer and sooner together.

The Aerospace Village is a non-profit set up and led by a volunteer team of hackers, pilots, engineers and policy advisors who come from both across the public and private sectors. And why have we done this? Because we want to build an inclusive community around the topic of aerospace security. It's by you to get involved in one of the most amazing and growing areas of research that's out there and promote and build aerospace security knowledge and expertise. And through the Aerospace Village, the research community really is inviting everybody, be they industry leaders, researchers, academia, anybody interested in aviation and space security, safety and resilience, to come in, understand, learn and collaborate together.
Because empathy and understanding is going to build common ground. Any sort of acts and words looking to increase division between the communities is going to undermine the efforts that I've worked together. So we're looking to welcome anybody and everybody who's wanting to move aviation and space security, safety and resilience through positive and productive collaboration. This isn't just a cool topic with a huge scope of cool tech. There's loads of research on the topic already, but it's a global topic and it's only becoming bigger, and there's so much that is out there that is great to look at and explore.

Last year we had the Aviation Village at DEF CON. It was our first year and we had great activity across airports, air traffic management and aircraft, and great engagement. It's all massively interconnected and interdependent, and we start building out bridges across the community and industry. Since then, on the importance of such efforts, there's been some great progress. For example, international initiatives: the UN body for aviation, which is ICAO with 193 member states, published late last year their first cybersecurity strategy for aviation, which specifically called out that states should give adequate protection to good faith researchers. And that's more and more recognition that such research like this is a positive thing and it needs to be encouraged as well as protected. And additionally, there's also industry initiatives. For example, Boeing standing up an industry cyber technical council that actually incorporates the research and hacking community working with the team there.

So this year we've evolved into the Aerospace Village. Aviation is critically dependent on space and the sector is really the aerospace sector. So yet we rolled into space and we've now got a security community that's stretching from earth into orbit. And a big part of that effort this year is the Hack-A-Sat CTF, which is pretty much the coolest CTF that isn't on the planet.
And more of that later. It's amazing the support that we've got this year to help put on an amazing event for you over the next three days. And that support stretches from the USAF, DDS, CISA, Boeing, the American Institute of Aeronautics and Astronautics, both the aviation and space ISACs, Thales, Cathal Tech University, California Polytechnic, Pen Test Partners, I Am The Cavalry, Rapid7, and even astronaut Pam Melroy is here, and more. All looking to try and give you as great an experience and learn as much and play with as much as you want over the next three days.

We've got everything from topics on aircraft, airports, air traffic management, so air traffic control, aircraft and space, everything from satellites to ground stations. And we've got talks, panels, workshops and CTFs and everything from beginning to advanced. So please find our website at aerospacevillage.org, which has got the schedule and more content about what's on and what we're doing both now for DEF CON and as we're going forwards, and subscribe to us on YouTube and follow us on Twitter at Secure Aerospace.

And finally, to really pull together and drive this amazing event it takes an amazing team. And it's an honor to be a part of that amazing team. So when you're please floating around the virtual village, looking out for the village leads and those team members, say hi and thanks. They are the most awesome group of people that pull this together.

So next up are two guest speakers that are going to help us open up the Aerospace Village this year. Partnerships are going to be really important to help build out this community and build trust between the hacking and research community and industry and government. So it's great to have them here speaking at the opening. So the first is CISA Director Chris Krebs and this is the conversation that I had with him. Thank you.

So welcome everybody to the Aerospace Village, and I'm honored to have Director of CISA Chris Krebs with us to help with the opening.
So good morning, Chris.

Hey Pete, thanks for having me. Good to be here with you and the Aerospace Village, formerly the Aviation Village.

It's a journey, it always is. So you came to the Aviation Village last year, we've got the Aerospace Village this year, and I know that you and the CISA team are working really, really hard on the aerospace sector. But what's unique, do you think, about the aerospace sector when it comes to some of the challenges that we're facing across the security perspective?

Yeah, I think it's representative of almost everything else in the kind of, almost the industrial or life safety space. Things that historically have not been connected or relied upon overly networked systems, IT systems that either touch the internet or have passive entry. That's different than it was 10 plus years ago. You know, when a plane used to lose the contact with the earth, it also lost contact, generally speaking, with communications channels. So what we're seeing now though is, due to various customer demands and other navigation requirements, that yeah, there are pathways into a plane, and frankly what's at stake, and we're really truly talking about lives here. So you know, when I look at both aviation but more broadly aerospace, it's not just about the things that are moving around in the air, it's the things that are going through the infrastructure itself. You know, look at what's happened here in the US over the last year or so: it's the establishment of Space Command. Why? It's because the space-based infrastructure is that critical to just day-to-day operations, when you talk about PNT, when you talk about satellite-based communications. It really is an incredibly critical slice of not just our infrastructure but of, frankly, our economy.

So do you think that the threat actors are different to the other sectors, or is this still the same sort of threat environment that we're looking at here?
Well, I do think that there are a couple different things you got to think about with the threat actors. So yes, there are absolutely threat actors that are focusing in on this aerospace ecosystem, and not that it's been a steady-state thing. I think it's increasing your their understanding, the ability and the capability, particularly when you talk about functional disruptions. You know, the future of warfare is not necessarily going to be on the plains of Europe. The first strike capabilities that you would see launched through against our infrastructure are things we need to be thinking about, and that's, you know, from an elections perspective, election infrastructure perspective. That's what I've been talking about now for years. What was so dramatic or significant about the 2016 interference with the US election was it was almost a Sputnik moment. Take us back to 1957 and the Russia, or the Soviets at the time, put, you know, Sputnik in the lower orbit. It wasn't that they got to space first. It was that they had an ICBM. They had this capability to overcome geographic distancing and reach out and touch us. Why was this, was 2016 the same? It's because cyber could be used as that tool to reach out and touch us and destabilize democracy. I think the future, again, of conflict is going to be using these infrastructure aspects against us to undermine our confidence, undermine our ability or undermine our willingness to do the things that need to be done.

And thanks Matt. And so it shows that really this is touching on pretty much all the themes about trust and resilience across all of the other sectors as well. But for those that are sort of new into the aerospace sector, and we've got loads of researchers and hackers that are now really engaging on the topic, what's the key challenge for yourselves on trying to look at the safety and security aspect of it, because it's a safety critical industry. So we've got the FAA and also CISA in the frame as well.
Can you try and help explain to the audience out there, actually, how does that balance work on working through safety and security with the different partners that are out there?

So, oh wow. So you know, there are the technical aspects of it, actually getting access to the equipment. This is not kit you can typically just find out there hanging on eBay. So there are some proprietary systems that you've got to be able to get access to and work in an environment that's trusted. I think that's the second aspect. Beyond the technical, it's the relationship piece and the trust. This is, I think, that constant struggle, that constant tension between the research community and the owner operators or the vendors: how do you have an effective, a meaningful conversation about security and trust when you add life safety. Same things for the medical device community too. Unfettered access and go piece of equipment that has life safety implications is not something to be toyed with, and you want to make sure that you've got open lines of communication. You're not just dropping a ball into the open market without giving the folks that are maintaining those systems the appropriate time to control or to implement. But that also, you know, when you talk about these proprietary systems, there are some DCMA and other issues that really restrict the ability or the access. So we have looked over the last several years to help really foster those conversations, to bring the security researcher community together with the vendor community, and it's been a journey. You talked about the journey from the Aviation Village to the Aerospace Village. It's really been a journey, and I am so incredibly, you know, impressed by a number of the bigger companies out there that, you know, a year and a half ago weren't particularly interested, for instance, in participating in the village, but now they're meaningful, full bore, full-throated supporters and members because they get the kind of force multiplier aspect.
I'd rather have you on my team than working against me. That sort of mentality has really taken root and we're proud to be a part of that effort to keep driving forward.

Thanks, and it's that challenge of trying to make sure the dialogue's there, because the perspectives are different and it feels like trying to fit a really small Venn diagram together and just getting that common ground in the middle. But what do you think CISA, I mean, partnering with us on the village is great, but what do you think we, the village and the community and CISA, would want to be doing in the next sort of year? I mean, how do you think that that can work better across all of those stakeholders, and also as well, what message would you be giving to industry across that as well?

Yeah, so last year for instance we were kind of silent partners, helping again facilitate some of the conversations, but not a financial supporter, not a, you know, really staffing supporter. We had folks there last year in Vegas. This year, much more engaged in the planning, bringing the partners together, working with the information sharing and analysis centers, working with the vendors.
I think going forward I really want to see, you know, assuming we, and hopefully we get through this current pandemic where we can get back together physically, really would love to see more practical environmental environments that we can bring researchers in to, you know, start shooting holes and things, figuratively not literally. But you know, we've been working in our industrial control systems initiatives to develop environmental laboratories, so our CELR program, where we've got control systems environments that folks can mess around with, if they can either conduct research on, we can tailor them to specific environments like water. But also I think aviation is a great opportunity going forward where we can continue, you know, it's almost like democratizing security for the control system space and including the aerospace environment. You know, again, it's just making these partnerships more accessible to everyone and much, much more open. And again, you know, the concept here really more than anything is, let's democratize this. It does not happen overnight, so we've all got to be patient, keep plucking away, and yeah, sometimes various parts of the community raise their voice and get a little frustrated with others, but keep working on it, and the more we work on it the more trust will build and the more we'll be able to do in the out years.

And is this the same journey that you've seen across the other sectors as well? I mean, from what we're seeing across the research and hacking community and the dialogue that we've got with industry and regulators and everybody, is that actually this is a journey that has its ups and downs and it's not always an easy path, because there are so many different and quite strong perspectives out there, yeah, but it sort of feels like this is a journey that other sectors have gone through as well.

Yeah, absolutely, and again I'll make second elections, if somebody's got the Chris Krebs bingo card, if I
don't mention election security like six times in any speech, even if it has nothing to do with election security, and I failed. But election security is a great example. So in 2016, when it first started becoming apparent what the Russians were trying to do, there wasn't an established, vibrant community of practice in election security. Yes, there was a security research core team that was looking at these issues, but it hadn't really gone mainstream. You didn't really have the vendors on board, you didn't have the operators of the systems, the practical operators of the system. But over the last three or four years we really worked hard to bring all those partners together and again create that vibrant community of practice. And so as we look into the 2020 election, feel much more comfortable, much better about where things are, the security state of various systems. Are we where we need to go? Oh hell no. I mean, there is still work to be done, absolutely. But by coming together, all aspects of the community, we have ensured, or at least we're working towards, that additional level of assurance that we're doing the right thing, we're defending democracy, and you know, again, the 2020 work, you know, should be the most secure election in history. So again, you got to break it down, like why did we get there, like what led or what contributed to the progress we've made over the last four years. I kind of, you know, I've stolen this from General Mattis, who I think adapted his leadership style from General Washington, President Washington, and it's basically four things: listen, learn, help, lead. So we're still, I think, in that learning phase of leadership and understanding the community, in transitioning well, I think, into the help space, but here in the aviation and aerospace world there's opportunities for leadership, and so we're looking at those, I see what we can do again to bring this community together, bring this practical research and sharing of ideas
and information. Last thing I think I'll mention is, you know, I think it goes in just about any other discipline within the security research community, is vulnerability coordination, and how do you do that in a way that gives the defender an opportunity to close out any gaps before the bad guys have a proof of concept. We've seen it in the election space, we've seen it here. You know, there are opportunities to help the defender before managing the offensive security side of the offense of the threat actors. So to the extent that we can continue to build those partnerships between the security research community and the vendors, I think we're going to, again, we're going to continue advancing towards a defensive advantage position.

Thanks, and that touches on so many different areas. I think one of the things that you've been talking about there, from the democratization of it, for the amount of research and hackers that we've got contributing to the village through either breakers yards or buying stuff off the internet and things like that, and actually they're doing some really great research on what they're finding, and it's trying to make sure that those pathways exist to be able to talk about some of those findings and go through it, because that then sparks a dialogue that actually allows engagement to happen and actually that progress to be made. So yeah, so there's loads of lessons across.

To be perfectly clear here, I'm not casting any aspersions or judgment on any part of the community right now, whether you're on the vendor side or the security research community. I think everybody's got, you know, we talk, you talk about ups and downs, everybody I think has made some good strides forward over the last couple years and we want to continue making those, but it's got to be an open conversation, it's got to be forward thinking and progressive. That's the only way we're going to get where we
need to be.

Yeah, and actually, look at the scale of the challenge. I mean, you touched upon the elections, if you just sort of sat back and said let's just protect the elections, I mean that's a massive task. If we look across the aerospace sector, with everything from airports, the air traffic management aspects, the aircraft and then space, be that ground stations or all the on-orbit assets, the scale of that is huge and it's a massively interdependent sector as well. How do we scale this from your perspective, looking at this nationally and also internationally, with all of the international work you and the team are involved in? How do we make sure that we don't do this in lily pads of excellence?

Well, and that's, I think that's exactly what we've been doing over the last couple years. Everybody's got their normal partners that they work with, and that really became clear to me last year. We were going through a process working with the Department of Commerce, trying to understand across the telecommunications sector, the ICT folks, where really the most risk lies in terms of supply chain vulnerabilities, not vulnerabilities but risks really more than anything, and what we found is we didn't have a really strong relationship with the satellite community, industry, and it was an area that I think they realized as well, that they didn't really know what we were doing, what our role was. So to get to those elements of scale, I think it's got to be these broader conversations, talking both within government but also with industry and understanding what the respective lanes in the road are. And you know, something I've said a couple times now, but you know, really it goes back to the mantra of, you know, to improve something you've got to be able to measure it. Well, to really scope the problem you have to understand who the players are and what their roles are and how we can all work together. So that's what
that's what we've really been focusing on, in part through an effort that we have called the national critical function. So it's moving away from a 16 sector based understanding of US critical infrastructure, but instead distilling it down to what are the actual services, what are the functions, really a systemic risk approach to the economy, and then identifying who the key providers of those services are, and in doing so we'll get that better understanding of risk, better partnerships built, and then better solutions against the risk that we need to manage.

And against those risks, would you be expecting those critical service providers to be working with the research community and actively engaging with that community as well?

I, yeah, I mean look, this is part of our force multiplier here as defenders. The security research community has proven time and time again that it can help. I am, you know, I'm in a similar situation honestly to the security research community in a lot of respects. All the things we do here at CISA tend to be voluntary public private partnerships, and in the security research community working with vendors is similar, that's a partnership. So you do that by building trust, by understanding what the kind of the needs are, and then putting a capability or putting a resource or service against that need, and both sides benefit. That's how we operate, and I think that's, again, going forward, that's that culture, that community that we really look forward to being a part of but also fostering.

No, thanks, and I think that everyone's actually, I mean the momentum that we're building up on all of the dialogue across the aerospace a security researcher and the head community is building in a really nice way, and actually the engagement we've got from vendors is great as well, and I think it's from dialogue such as that, for yourselves and the other industry leads, really it's making a huge difference. And when we're talking about sort of all of the
challenges and the scale of it, how do we try to sort of not see that necessarily through a work, partly through a workforce lens, but there's a lot of organizations now that are really throwing a lot of effort now onto securing or putting more bandwidth on their security. Therefore how do we spin up the workforce on this from a national perspective, because getting that crossover between aerospace and cyber security and security is really hard. Getting those people that can understand both worlds is a challenge.

Right, I, you know, I think the ongoing conversations about the gap in cyber security work, in those cyber security workforces, is ultimately a little bit, it's almost nihilistic, right? It's like we're always going to fail. It's secure code and secure deployment, and I think you've already touched on it a little bit, but you know, I think the more opportunities for STEM, STEAM or whatever you want to call it at the K-12 level is going to generate a workforce that's more technically savvy. And if we can start folding in, rather than bolting cyber security expertise on after the fact, and start building it in, whether it's DevSecOps or a security development or software development lifecycle, those sorts of approaches I think are what we're going to have to adapt. So it's not about building a cyber security workforce of the future, it's a security minded engineering and technical workforce of the future. Let's close out these issues before we even get to them, and that's really kind of the mantra that we've got here at the agency, it's defend today, secure tomorrow. What does that mean? So today we're dealing with patching yesterday's bonds, the stuff that, you know, whatever company dropped. Let's learn from all these examples and figure out how, for the next generation, the next iteration of infrastructure deployments, we just don't make things better by design, better by deployment. Let's make our lives a little bit easier, and I
mean frankly it'd be great if we could put ourselves out of business. That's never going to happen, but it's not a bad thing to shoot for. So I, you know, I tell you what, this is an issue, workforce education, that's, you know, personal to me. I got five kids here in DC that are in the public education system and I just see day in, day out the kind of dearth of, you know, as I see, appropriate technical education. We've got to overcome that. So there are a number of initiatives that we're working here at CISA that are intended and designed to again overcome those shortfalls, and it's not going to be about universities, it's not going to be about colleges, I don't think that's the solution. I think again we've got to have better K-12, we have to have better trade school type education at institutes. It's again, it's about putting the tools into the hands of the future workforce and not four-year or post grad programs. And last thing I'll say on this front is we also need to be smarter about the way that we bring people into the workforce, and in part that's through our hiring practices, it's through how we advertise for jobs. The Aspen Institute cyber program last summer announced a couple of different, you know, just different ways to approach hiring. One is don't overspec your PDs, don't overspec them. Not everybody needs, you know, 15 different certifications and 10 years of experience for coding language it's only been around for four. Just be useful as well then, yeah, I did, that was a good one. And then it also, use, you know, ungendered or gender neutral terms. You know, unconscious bias is a thing, and how do we get away from that, how can we have a more diverse and inclusive workforce. That diversity and lack thereof in cybersecurity and technical fields is absolutely a thing, and I think it's on us as leaders and voices in the community to drive for change now, and then hopefully that'll be the way as we go forward.

And again it's something that we're seeing
through the village, is actually just trying to bring on that next generation to really get engaged on it, and a lot of the activity that we've got in the villages is really at that crawl, walk type activity, to really have that on ramp for not necessarily any sort of specific demographic, for anybody who wants to get involved and start engaging and learning about this sort of stuff, that this is, it's an open and engaging community and that's what makes it so great.

So I, you know, just to kind of rip on this for a second, you know, and I think about the way that the federal government here in the U.S. hires, and it's, you know, it's a college degree and three years of experience and you too can qualify for a GS-9 position. But that sort of experience, I see kids going into college at 18 having six, seven years of coding experience, in some cases development experience, certainly of, you know, research experience. So how do we bring those types and reward them for their experience and recognize that experience and not just say oh, you don't have a CISSP so you're not qualified. It's absolutely wrongheaded and backwards, but we have to change that, and so there are a few things again that we're doing here in the government, they're trying to change that. There's one probe, there's one, a hiring regime that we're putting the final touches on, the cyber talent management system, that'll do just that. It'll look for experience, practical experience, and reward that through the hiring process rather than saying you need that four-year degree and you need three years of, you know, working in a call set. So we've got a couple things I think we can do here, it's just a matter of implementation.

That sounds really great. Now before we move on, is there anything that, from your perspective, we haven't touched upon but you'd want to sort of like pitch out or engage with on the community around the aerospace
cybersecurity?

Well, you know, just to kind of do a self-serving promo here, just on the last piece, you know, we are hiring at CISA. There are a lot of positions that we have that don't require top secret clearances, either the secret or the no security clearance level. I am looking for practitioners, I'm looking for people that know the community, that can work with the community. I think we have a unique offering in a unique place within the federal government that's really the closest thing to the private sector, the closest thing to the security research community. So check us out at cisa.gov/careers, we are always hiring.

Okay, well, we don't normally do commercial pitches but I think I'll let you have that one. Chris, many thanks for your time, thank you for joining us at the kickoff for the Aerospace Village, and hopefully once we get through COVID then look forward to seeing you again in person. Thank you very much.

Hey, thanks Pete, it's great to be with you. If I was on Room Rater I'd probably give you about a four out of ten. You'd get probably five or six for all your badges, but your lack of art and any potted plants probably set you back up to you, so yeah, I'll make sure I kick the cat out, so I'll give you a few extra points.

Thanks very much. So our next guest speaker is Dr Will Roper and I'm honored to have him here this morning. So Dr Will Roper is the assistant secretary of the US Air Force for acquisition, technology and logistics, and he and his team along with DDS were great supporters of the village last year and have been again this year as well, as you can see from the efforts that we've got through the Hack-A-Sat CTF and also the workshops that they've brought along to the village to support us this year. They're showing a huge amount of passion in the topic and it's great to have him here. So, Dr Will Roper.

Hello everyone and welcome to the Aerospace Village at DEF CON 28 Safe Mode. I'm Will Roper,
the head of Air Force and Space Force programs, and it is a privilege to be at DEF CON for my second year. Last year I came and was blown away by the technical talent that DEF CON has in this community of creative, inquisitive investigators of all things software driven. We brought a live hacking opportunity with one of our F-15 fighters, and yes, this community was able to get in. We left with a lot of great understanding about how to be better in the cyber domain, and we're back this year with an amazing opportunity that's going to teach the community and us how to take good cyber practices into space. Orbiting overhead right now is a satellite that hackers are going to have access to, to see if they can apply their skills to get in. They're going to have to understand complicated physics, how satellites communicate with the ground and how we communicate back, in order to overcome this capture the flag challenge, but seeing the talent that's here, my money is on that they will succeed. Now how cool is that, that winning teams are going to get to have their code run live in space, and what we'll learn is how to make this new area of defense and commercial innovation more cyber secure in the long run.

You know, if you back up and you look at how the Air Force engaged, we really sat behind our high walls and fence lines and we use secrecy as a way to keep our military systems safe. That doesn't make sense in today's world. With so much technology happening commercially, we've got to get outside of our bases and fence lines and be part of this community that continues to push innovation forward. So we are here to share, we are here to learn, and to make openness and transparency part of our equation for being secure. Thank you for being here as part of the Aerospace Village, thank you for being here to participate in Hack-A-Sat, and next year when we're back with the next round of the thing we bring to expose to the community, I hope you'll share your thoughts about what opportunity would inspire
you to help us learn how to be a better cyber warrior. For the 60 billion dollars of airplanes and satellites and cyber technology that we produce each year, the cutting edge comes from software. Everything we learn about making that cutting edge more secure makes our men and women in uniform, this nation and our allies and partners and all who work with us safer. So we are proud to be part of this community and can't wait to see what's ahead.