Welcome to the Aerospace Village at DEF CON Safe Mode. My name is Kaylin Trikon. I'm the Director of Communications at the Aerospace Village and Vice President at Rock Solutions, a public affairs agency where I lead the firm's cybersecurity practice. I am thrilled to be moderating this panel on hacking cybersecurity aerospace regulation. The aerospace industry is highly regulated with a great deal of focus on cybersecurity. Aerospace regulators play a key role in understanding risk and putting in place the legal frameworks and creating rules, regulations, and best practice around good faith research. Today's panel will look at how the aerospace industry is approaching cybersecurity regulation and its relationship to good faith hackers and researchers. We will look at how other sectors have approached regulation and partnered with this community to increase resilience and highlight vulnerability. Now I'd like to introduce our esteemed panelists. Nicky, will you kick us off?

Sure, so my name's Nicky Keeley. I'm the Head of Cybersecurity Oversight at the UK Civil Aviation Authority. So I work for the UK CAA and as the UK's aviation regulator, we're responsible for overseeing the implementation of cyber requirements in regulation for regulated aviation organizations. So that could vary from airlines through to airports through to air navigation service providers or even drone operators. And it's really important for us that we have a proportionate and effective approach. And that, most importantly, we enable aviation to manage their own cybersecurity risks without compromising aviation safety, security, or resilience.

Thanks. Harley?

Hi, I'm Harley Geiger and I'm Director of Public Policy at Rapid7 with offices around the world. I'm in the DC area and I run Rapid7's public policy and government engagement activities. I've worked in privacy and cybersecurity technology policy and law for about 10 years and I'm excited to be here. Thanks for having me.
Thanks, and Salo?

Well, thanks, Kaylin, for the invitation. My name is Salo da Silva. I work for ICAO. ICAO is the United Nations agency responsible for the regulatory framework of aviation on a global basis. I'm in particular chief of the Global Interoperable Systems Section. It's a weird name. But basically what we do is take care of regulations regarding information management, operational and safety critical information management, including the aspects related to cyber safety and resilience. Basically keep the system going, no matter the type of problem that may happen coming from our new actors. Thank you.

Thanks, Salo. All right, let's get started. I think it only makes sense to start with where the industry is right now when it comes to aerospace cybersecurity regulation. Nicky, I know that the UK has made significant strides when it comes to building bridges between security researchers and industry and how that helps drive regulation. I'd love it if you could kick us off and talk a little bit about that evolution and where the UK is today.

Sure, thanks. I don't know about significant strides. I think we are starting to build the bridge, which is positive. So in terms of lessons learned, I'd say the first hurdle that we really had to overcome was this misconception that all a regulator wants to do is fine people, which is absolutely not the case. At the end of the day, we're all here for the same reason. We know that our industry and good faith hackers ultimately want to make aviation safer and more resilient. So I think it's about breaking down that misconception. I think the second hurdle is around how do you actually report? What mechanisms do you give individuals and good faith hackers to actually report things? And we're lucky in one sense in Europe, there's a regulation, which is focused on what we call mandatory and voluntary occurrence reporting.
So that's all about making sure that safety information is reported, that it's collected, protected, analyzed, so that appropriate safety action can be taken. And where there's a cyber vulnerability or a cyber incident, and that would impact on those safety critical environments, then we believe that it's really important that that information should be reported and acted on. And for organizations who aren't in scope of that regulation that I just mentioned, then we also have a whistleblowing option available in the UK under the Public Interest Disclosure Act. So that's all available on our website. So I think starting to build that bridge was making sure that it was clear that we want people to get into contact. It's not about taking punitive action, it is about starting that dialogue and conversation and then showing that there's a mechanism for them to be able to do that and making those options available for contact. So I think that's really important for us.

That's great, Nicky. Have there been any significant challenges in communicating that message to the community? Do you think that's where the hurdle lies?

Yeah, I think it's, you know, all regulators are different. I can only talk about aviation, but different regulators might have different approaches and I think it has been about how do you get that message out there? And I think that's been developing slowly through our relationship with industry. We've started to build a really positive relationship with our industry. You know, we've tried to make it clear that we want them to engage with us and collaborate with us and that it's not the case of never having a cyber incident. We expect that organizations will have cyber incidents and will find vulnerabilities. And it's more about, you know, following what we call just culture in the safety sense and reporting those so that they can be fixed.

Thanks.
And just keeping with, you know, laying the landscape out, Salo, from a global perspective, how do you think states are dealing with the challenge of aerospace cybersecurity regulation? You know, what are some of the greatest challenges you think the industry faces?

Thanks, Kaylin. You mentioned actually two important words here: regulations and challenge. And I would put a little bit of spice and add one more, that is interoperability, that for us in the aviation industry is actually a bigger problem than just cybersecurity regulation. It is really, how can I say? It's a problem of divergence. So when we talk about unity aviation in ICAO for the future, we need to consider the impact of this digital transformation that is happening and that we are living right now, this digital evolution. And it's something that comes because we have several economic drivers that are basically encouraging this digital transformation of the business. So this will happen if we want or not. And we have to be prepared for that. We have to have this increased digital data and information exchange. We know that this is necessary to guarantee not only safety, but also to improve the efficiency of the system. And of course, we know that everybody's taking actions to secure their part of the system. But as I mentioned before, it's a problem of divergence. So one example of a divergent digital process, we can say that, for example, manufacturers who needed to upload software critical parts onto their craft, they are doing everything they should do to secure, for example, the supply chain and to guarantee that they have a certified identity and the integrity of the data being uploaded. So if you, for example, want to connect to the cockpit of the aircraft, you will do the same thing. You'll take the actions to connect in a secure way. If you want to connect to the back of the airplane, also you're going to do things to connect to the back using a different certificate system.
So if you are one manufacturer of avionics, for example, and if you are using different ways to connect it to the supply chain or to the equipment on board, we know, for example, also airports. Airports are also establishing their system to guarantee the security of the operation. So basically you have everybody doing what they think is correct, what they need to do. So we are going to a point that we are finding ourselves with thousands of different certificates floating around the ecosystem with little or sometimes completely no compatibility. And that's when the issue of compatibility or interoperability comes. And we believe that these certificates, they, like other things, have to be maintained along hundreds of different processes and procedures. And the big challenge is to create a convergence on all these important activities that are being taken nowadays. I don't want to say in an uncoordinated way, but in a very loose way. So the challenge for the States right now is to have global harmonized regulations through coordination and cooperation. The coordination and cooperation to face this challenge, to have a global harmonized regulatory framework, is really necessary because aviation is international by default. Airplanes do not recognize borders. I keep saying that we have checkpoints on the ground but we don't have checkpoints in the air. So cooperation and coordination to develop a harmonized set of regulations is a big challenge that States are facing right now.

And that's a really interesting point, that challenge of it being so global and each kind of state having its own rules and regulations. That framework that you're talking about, are we currently in a process where that's being discussed and worked on or is it still in the stages of, it would be a nice to have and we need to work on it?
From an international perspective, the International Civil Aviation Organization is working on that with the help obviously from the States because that's where the expertise lies, and we have Nicky here with us who is helping us a lot on that subject, but this effort is already ongoing. It's not an easy effort. As you mentioned, we have a challenge because we have national security requirements, we have national culture, we have national ways of trust, and when we have to expand this to a global environment, it keeps us awake, but we are sure that with cooperation and coordination, with the help from experts from the States like Nicky who is here with us, we will face and we will win that challenge. We'll get this out, we'll get there eventually.

Do you have anything to add to that? Just from your perspective?

Yeah, I think Salo raises a really good point and sometimes it's easy to forget this. I did cyber for an operator back in the day before I joined the regulator and sometimes you can think of it just in terms of that one organization, but when you're having to talk about regulations and international frameworks and standards and you have to think about what's proportionate and appropriate, not just for me as the state, all of the airports of all sizes that we regulate, but then if you look at it from Salo's perspective, at an international level, for all the states, all the organizations, all the aviation entities, it does become a challenge, but I think the work is well underway so I'm hopeful.

That's great, thank you both. And I'm just turning to Harley. We've talked a little bit about building bridges between the security researcher community and regulators in order to help the disclosure process, help things become more transparent and safe and effective, and can you talk a little bit just about the current disclosure process and environment for security researchers when it comes to this in this particular industry?
Sure, so overall the security, like the security vulnerability disclosure environment is greatly improving. There's a lot more adoption of coordinated vulnerability disclosure within government agencies for themselves, recognition that it is valuable in industries in the different sectors that those agencies regulate, and it is becoming more accepted as a basic cybersecurity practice both in the United States and I would say internationally, and two great examples of agencies that are doing this are the FDA and the Department of Justice, CISA within DHS. Within the aviation industry, our experience is that it is not yet quite normalized. It is still somewhat difficult and there is a, I think in part because it is such a highly regulated industry and because the potential negative effects on the industry of undermining passenger confidence can be so negative, so catastrophic, and unfortunately we have a media environment that when it comes to anything related to aircraft safety tends to sensationalize it, but in part for these reasons, our experience is that aviation has a ways to catch up, and it's unfortunate because there is a great deal of innovation that is happening in aviation right now and the systems that are put in place in the sky and satellites, a lot of them stay in place for many years, as long as a generation, and so you have rapid innovation where security issues might be missed and then you have this equipment that stays in operation for a very long time and then you have legacy issues with those security problems. So we think that this is an area where security research can really play a valuable role, but it is important to integrate security researchers, the cybersecurity community, into the manufacturer design and, once they're deployed, the vulnerability disclosure processes.

Thanks.
You brought up a point about just sensationalization and how the media can catch wind or certain entities catch wind and kind of make this out to be something bigger than it actually is to kind of get the headlines and get the hype. Do you think that that is a barrier when it comes to wanting to disclose, or do you think that there's kind of two tracks where people want the flash and they want the publicity? So they do kind of make it a little bit more sensationalized than it is, or do you think there's also that "I don't wanna say anything because I don't want that to happen. I don't want my words to be misconstrued and turned into this sensationalized like, oh, you can get into the TV on the plane and it's gonna crash down."

So our impression is that it's both, it depends on the individual researcher, their risk tolerance and sort of what their goals are. If there is a legitimate vulnerability in an aircraft, I don't think that sensationalism is really necessary in order to get headlines. And if you're just disclosing it for flash purposes and credibility purposes, then question whether you're disclosing it for the right reasons. That doesn't necessarily mean that it's not a security vulnerability and that there's not attention that should be paid to it, but it is really not the way to build trust. And it is, I think it is also very much a barrier to engagement with the industry and the agencies with the security research community. So I think that there's work that has to be done on both sides. I will say that, I don't wanna let the agencies off the hook and just say that sensationalism is the issue. I mentioned the FDA, DOJ and other agencies earlier. Those agencies have made great strides in the past couple of years to engage the security research community, including attending DEF CON and just working within those agencies' areas of jurisdiction, like FDA for medical devices and DOJ.
They'll be more transparent on things like coordinated disclosure, prosecutions and researcher protection under DMCA. Shout out to Leonard Bailey and Suzanne Schwartz. But FAA and the aviation industry have a ways to go. I know that there's good work on cybersecurity being done at FAA, like by Susan Kabler, but they're not really being clear, in our opinion, publicly clear that they care a lot about cybersecurity and that they wanna build relationships with the cybersecurity community. It's just not clear. Like it's quite difficult right now to find much cybersecurity specific guidance on aviation systems from FAA, both on manned aircraft and unmanned aircraft. Unmanned aircraft being a huge area of concern since that is consumer level devices. And there's even less information out about how security researchers can work with these agencies. So our advice is twofold. One, for researchers to work to gain understanding about the unique context and pressures that the aviation industry is under, to be respectful, manage the media to avoid sensationalism and work to build trust. But our advice also to the FAA is to encourage the aviation community to build bridges with the security community and to actually facilitate that engagement. Make clear that you are making an effort to bring in experts from the cybersecurity community, not just the aviation industry, for input on their guidance and their activities.

Harley, thank you so much for that. You make a great point just about building trust, and at the Aerospace Village, that is our core mission, to build the bridges of trust between the security researcher community and the aerospace industry itself to kind of formulate those relationships so that we can have these conversations. And so I'd like to kind of spend some time talking with you all about what we can do to forge those relationships in order to build that trust.
Nicky, I know in a prior conversation we had talked about how in the UK industry has acted as a conduit between the good faith hacking community and the regulators. And I wonder if you think this approach is sustainable or do you hope that that relationship evolves to where that community feels like they can go straight to the regulator? Because right now it seems like if you have that conduit, it's working. But I wonder if you hope that it evolves so that they go directly to you.

Yeah, that's a really good point, Kaylin. And I think Harley's raised some really good points as well. And at the moment, we have had reports come to us largely through researchers or cyber specialists that have been asked by our industry to perform specific testing. And that's great because that shows that we're building that relationship with our industry, that they trust us and wanna report to us about issues like that. But going forward, I'd absolutely love to have the research community feel like they can get in touch with us. And I think importantly, and Harley, you mentioned customer confidence and passenger confidence, which I think is so important. And I think the media and sensationalism element doesn't help. And I have to admit that as a safety regulator, we do get nervous when it's safety critical systems, we do get nervous. So I think it's about how the reporting is done and how that engagement works. But for me, my absolute perfect scenario would be to have early engagement with researchers. Like when you're planning on what research you wanna be doing, having a good conversation then, because sometimes there are aviation contextual elements that might be helpful for the researcher to know about because it might impact how they decide they want to do that research even. There's an air navigation service provider guy that I talk to and he always goes, well, I'm thinking that's not an issue because I can just look out the window.
So sometimes there are non-technical but aviation contextual elements that could be helpful in that research. Which, so I think, you know, the earlier the better, and it'd be great to be part of that discussion about focusing on areas that need more research because either industry aren't able to do it themselves or we aren't able to do that. And we need that research community to help with that. But to have those good conversations early on between the operators and the manufacturers and ourselves and the researchers so that that can be kind of well-planned. I was just thinking, so the Oxford University published a really great research paper on pilot reactions to hacked avionics and had a great conversation with the researchers afterwards and they were talking about ideas for the next research paper. And, you know, it's something we'd love to get involved in and help support and see how we can, at the end of it, end up with a safer aviation environment. So I think that would be great.

Nicky, I'm so glad you brought up that talk as it is going to be featured, or that research is going to be featured, in the Aerospace Village. So if you are interested, there will be a discussion and a presentation on that. So thank you for the plug. Salo, I do know that, and Pete Cooper tipped me off to this, that ICAO has released a cybersecurity strategy and in there there's a line about security researchers and how you'll work together, and just kind of curious to your thoughts about how that will work and kind of what's being done to bring that to life.

Thanks, Kaylin. And just before addressing that point that is, it's a good provocative question actually and I'm a researcher myself. So I like that point because I'm playing on both sides, but just to add one point that Harley mentioned before, I think sometimes we don't have much information nowadays about aviation and the cyber aspects related to aviation because lots of the concepts and decisions are still to be made.
There are lots of ongoing developments right now, lots of, let's call, like we call in ICAO, some uncertainties, and sometimes it's better not to spread some information that's not mature to the community because it may create lots of confusion. So we try to spread the information. I'm not trying to defend FAA. I'm just saying that sometimes we do not spread the information just to avoid the creation of a situation that may actually not be helpful to our system. But coming back to what you said, and I mentioned to you that it's a very provocative question and I can honestly, I hope I can be short in my answer, although I really think that this would be the specific discussion. I'm gonna talk about research and trust. It's a specific discussion that needs to start. It needs to have. And I would start just making a small statement or what you call an observation on how, and I think Nicky mentioned that point or you mentioned too, and how trust affects that relationship between different stakeholders, because this is really important to be aware. And we see trust like a form of faith in the outcome of another's actions. So we have to think about that. Trust exists in a context of kind of imperfect knowledge, but not mature or imperfect knowledge, and also thinking about a possible future contingency. And I said, it is a form of belief despite uncertainties. That's how we see trust. And also in, since the beginning of the central but in all modern society, trust has been conceived as a mechanism that will help us to reduce the bureaucracy, the complexity and enhance obviously communications between or among different stakeholders. And also we can use the trust to reduce the need of a very strict regulation like a contract, for example. So in the international aviation, there is a very sensitive ecosystem. You know, aviation, it goes to the headlines. You know, aviation, the media does not forgive us. The small incident goes to the first page, goes to any media headline.
So we have to be conscious that the ecosystem is really sensitive to that. And we see in aviation from an international perspective, the human element of it is the core, is in the core, at the core of cybersecurity. It is critically important for the international aviation community that obviously the civil aviation sector increases the number of personnel that is qualified and knowledgeable in both, and Harley correctly mentioned, that's not only aviation, but also aviation and cybersecurity. And this is a new area that is coming out. For example, I have to be honest, I'm 36 years in aviation, so I know a lot about aviation. I know a lot about aviation. But the last five years, that's when I start learning about cybersecurity actually. So I can't consider myself a cybersecurity expert. No, I cannot. I can consider myself an aviation expert for sure, but not a cyber. And we have to have these qualified people in aviation and cybersecurity. And this obviously you have different processes to achieve that, through recruitment, through education, training. But one significant way to advance is to research. Research is very important. And that's why I decided to go back to the research community and I'm doing research to this day. And as such, as part of the ICAO strategy, as part of the international strategy, we, the International Civil Aviation Organization, we encourage all these states to set up the appropriate mechanisms for cooperation with what we call the good faith, the good faith research, which is basically the research activity that's carried out in an environment that is appropriate and is designed to avoid affecting what we, for us as a part of all that is safety, the security and like we are seeing now, the continuity of operations. So I can encourage states to do that approach. But obviously, again, we go back to the aspects of trust. They are different in different societies. There are different ways of cooperation.
So we have to encourage and help the states to do that because at least from this area that we see nowadays, cybersecurity research is the one who will allow us to advance faster and achieve the results that we want to keep safety and continuity of operations as we have been doing for the last a hundred years.

Thanks, I think that's a great answer. And also gives me a lot to think about too, just in terms of how, the point about everybody thinks about trust differently in different communities. And so, when we say that, oh, it's important to build trust, what does that actually mean to the different stakeholders and the different groups? Harley, I'd be interested to get your thoughts on this as we talk about what needs to happen and where we need to go from your perspective. What are some things that the aviation industry can do to kind of build that bridge and that trust?

So first of all, I think the aviation industry, there's a number of things, focusing just on the relationship with security researchers. I mentioned a few things before, but it would really be helpful to have guidance for researchers on vulnerability disclosure. And this can come in the form, perhaps ideally, in the form of model guidance from the FAA, essentially something that tells people what the FAA wants them to do in a situation where they have a vulnerability to disclose. Where, what is the mechanism for the FAA to know about a vulnerability since it is just the FAA that can decide whether a vulnerability is safety critical? And unfortunately, there's the alphabet soup of agencies in the United States kind of makes understanding what the agency roles are a bit difficult, right? So FAA is safety critical features in aviation, but CISA and DHS is the lead cybersecurity agency. So where do researchers go if they're trying to disclose? Is it both?
This is not something that researchers who are focused on technical subjects and not necessarily on managing government bureaucracy should have to try to figure out on their own. There should be clear public guidance about that. And FAA in particular can play a great role in leading the charge on distributing that type of guidance and encouraging industry stakeholders to do it as well. A note of caution though for the industry as well as for the FAA is that there may be an impulse to say, well, aviation is special because there's safety components. Well, true, but that also exists for vehicles. It exists for medical devices. This has been done before. It's not going to be viewed by researchers as being so special that they would willingly submit to a process that's completely locked down, right? So if you are looking at having a vulnerability disclosure process and having it completely under NDA and restricting the ability of researchers to do anything with their research or to disclose in the event of a disagreement and so forth, that could very well backfire. I think the research is going to happen regardless. Many of these components can be purchased on the secondhand market. Certainly when it comes to unmanned aircraft, those are increasingly easy to purchase. And so the research is going to happen. The key is going to be building an engagement that both sides can live with, not one that locks down researchers and then violates the trust that you're supposed to be trying to build in the first place.

So I think you bring up a really good point about the secondhand market and the research is going to happen with or without the industry. And I wonder if, from my perspective, I feel like that should change and there should be this, we don't want you going to get older equipment or secondhand equipment that's already been used. We want you to get the stuff before it's being used to identify what challenges or problems, vulnerabilities, lie within.
And I wonder, from both your perspective, where do you think that barrier comes from? And then from Nicky or Salo's perspective, why isn't industry or regulators approving? Oh yeah, we want you to take a look at these components before they get put into use. And I wonder if that's back to Salo's earlier point of digital transformation. It happened ahead of security. It appears in a lot of cases across many industries, but now we're trying to play that catch up. But is it a fear that, oh, we've been using this stuff and we don't want to know what's vulnerable? And so I'd love to get all three of your perspectives on what you think needs to happen to kind of stop that. Oh, well, we have to go somewhere else besides the source to get the information to do the research.

So, Kaylin, just one thing I think that it's maybe important to note here. So, ICAO have published a cybersecurity strategy which was published fairly recently. Salo probably knows this better than I do. But one of the things that's clearly called out in there is that states should be enabling mechanisms so that good faith researchers can collaborate. So, ICAO have recognized the importance of that. Hopefully more states will be recognizing the importance of that. I mean, Harley, I get your point, sometimes it is confusing and it's not always clear who you're supposed to report what to. But I think hopefully that's something that is a quick win, that many states can implement fairly easily to start kind of building at least the mechanisms for reporting in. So, just my two cents on that one. Hopefully that's something we can move forward.

So, I don't want to diminish the fine work of ICAO and others in producing those types of guidance. I mean, I guess part of the point is that states should implement that guidance.

Yeah, totally agree, totally agree.

Yeah, and now that, Harley, you have a good point and it's, I don't wanna say, from a global perspective we cannot enforce.
We have to encourage the states to take actions and help them to take the necessary actions. That's what the International Civil Aviation does. But I may have a different perspective from you when we talk about cooperation and collaboration at a global level. As I'm saying, I'm a researcher myself and I see, mainly in Europe, a lot of cooperation and collaboration going on. A lot of coordination. I participate every year in some, what we call innovation days in Europe, where we put all the research community together and we discuss several subjects. And last year I was there to talk about exactly this subject. And I see the community very engaged on that. I can't specify to you now, to the community, how this happens all over the world, state by state, because again, there are some regional differences. There are some national differences. There are some different ways to produce regulation and to deal with the research community. But from a global perspective, I can tell you that the cooperation is ongoing. Obviously sometimes there are some, although you may not agree with the, that aviation is a special industry, but I keep saying the same thing, that thousands of people die on car accidents every day and nobody knows and nobody cares. If you have one aircraft who crashes for a small thing that could be and kill 50 people, it will be on the first page of any newspaper. It will be on the headlines of any television channel. So that's what we call aviation as a special industry, because we are doing something that goes against the nature, right? We are not made to fly, okay? We are not made to fly and we fly and we fly. We are doing something against the nature. So this calls attention of the community because we're doing something that is special. We are flying and we are not made to fly. So that calls attention. So sometimes in the aviation industry, we try to be very conservative in our approach just to avoid people. I will use Kaylin as an example.
I don't want Kailin going on a holiday. I don't want you guys going to the airport thinking, oh my gosh, am I going to arrive to my destination today or not? We don't want you to think about that. I want you to go to the airport like you go today. You go there and say the maximum your worry is, my flight is gonna be 30 minutes late, 10 minutes late, one hour late, but you never think about the safety of flight. You never think about that because you know that our industry has high level of safety and it's very conservative. I have to be honest to you and we are improving this but we are very conservative because of the attention that the industry attracts from the media when something goes wrong. But I think I see the research community coming very, very closer to the aviation stakeholders and producing very good material and I always give the example of Europe, although I'm not European, but I always give the example of Europe because I can see the cooperation going there and I'm quite happy with the scenario that I see there in terms of cooperation, industry and research community. Just to clarify, so the comment about aviation not being special, that was more from the researcher's perspective on whether they're going to perform the research or not. I absolutely agree that the way the media handles safety issues with aviation is different from things like cars, like vehicles. And that is something that I think is important for researchers in particular to consider as they're conducting their research and I think it requires special outreach from both the researcher as well as whoever's facilitating the disclosure, whether it's FAA or CISA to help manage the media to avoid unnecessary sensationalism. And on the collaboration point, I don't wanna sound all doom and gloom.
Remember, I opened with saying that I do think it is changing, it is changing and it's changing in a lot of different industries, aviation included. The fact that we have an Aerospace Village at DEF CON is proof positive of that. It's just, there is a sense that it is lagging behind in some other industries, I do think. Medical devices being a really good example. But it is happening, the collaboration is increasing and I do think that that's very positive. And Harley, I know that within, I believe the last year, your organization has worked with the aviation industry and the aerospace industry on a disclosure. And so I'd be interested just to get your perspective on that process and if it was what you expected or if it was better than you expected or just kind of talk us through that process because I do think it gives a good picture of where things stand now and hopefully where they'll go. Okay, well, so it's a happy story. It's a positive ending. And ultimately, vulnerability disclosure ought to be a positive thing. It ought to be a, hey, we, an independent genius found a security flaw and worked with the industry and worked with regulators and now it's fixed and everybody's safer. That's the ideal scenario. And ultimately, that's how it went for us. One of our brilliant researchers, Patrick Kiley, who is also a pilot, discovered a flaw in CAN bus. So of course that's the network standard that enables control over vehicle functions. And he demonstrated that it was possible to send false messages through CAN bus that could, among other things, display incorrect information to the pilots such as compass and altitude and engine data. And that can have a serious impact. So Rapid7 worked for about a year to coordinate the vulnerability disclosure with government agencies as well as the industry. There wasn't, you know, like a single manufacturer as CAN bus is used so widely.
And it involved a lot of collaboration with the FAA, with CISA and the aviation ISAC, and as I mentioned with the media. And honestly, our experience was a bit mixed. Initially, the ISAC and the FAA were inclined to dismiss the CAN bus flaw because to exploit it required some level of physical access to the craft's wiring. But that could be done, for example, by compromising an existing device on the craft. But the ISAC and the FAA had argued that their physical security controls around aircraft prevented this from ever happening. And from our perspective, you know, this was us learning about this and learning more about the unique other controls that are around aircraft, but also deciding that they were right that physical controls reduced the risk, but that physical controls alone were not a complete substitute for a secure network design and that relying just on physical security was unwise. And unfortunately, to be real frank, at least in the early days, it felt like the priority was avoiding bad press with the industry. On the other hand, we found CISA within DHS to be excellent facilitators of the coordinated disclosure process. And they actually went out of their way to independently verify Rapid7's findings and to put out their own advisory on the CAN bus flaw. And this lends additional credibility to the seriousness of our research, which was ultimately helpful in getting buy-in from the industry, from the ISAC, from FAA. And importantly, Rapid7, we are also very responsible as researchers. We worked privately with these entities and worked under embargo with the media long before going public in order to put the findings into context and to note that the risk was reduced because of physical security controls to avoid sensationalism and so that we could go out publicly when there was a greater understanding of what exactly the issue was and what mitigations were possible. And we recommend that researchers take a similarly cautious approach.
And so in the end, in the end, after about a year of verification and coordination, the flaw was disclosed publicly in the white paper. There was not a ton of hype in the media, although it was acknowledged in the media. And we think it was ultimately a win for collaboration, coordinated disclosure and the value of security research in avionics systems. Thanks, Harley, for walking us through that. And in your experience, I am glad that we were able to end it on a happy note of success coming from a media communications person. So I do know how hard it is in the cybersecurity space, especially, it's hard to get the stakeholders at an organization to get on board with talking to the media and doing things like that. And then that only helps to build trust. I mean, there's a great core of cybersecurity journalists out there who truly wanna get the story right and they wanna get the facts out there and they're not about sensationalism. And so I do think that having that community is going to help this process in a lot more ways than one. I'm glad that you brought it up because I do think there are trusted media advocates out there that wanna get it right because they wanna see this happen more. They wanna see the communities working together, research being disclosed and then acted on. And so I'm really happy to hear about your process and the success that you guys had at Rapid7. We're running up a little bit on our allotted time. So I just wanna make sure that each of you have a few minutes to say any final parting thoughts. And again, just thank you so much for taking the time. It's been just a pleasure speaking with you. Well, Mila, Lakes first. Thanks, Sara. I was just gonna say, Harley, that's such a great example of Rapid7's research and your own research and such a positive outcome. And I think, hopefully in future, it won't take a year.
Hopefully in future, people on both sides will be more aware of the context and the environment and the requirements, the situation. So that those disclosures can happen faster and you can have an overall positive experience, not just like partially positive. But no, that sounds like really, really great work. And I just wanna say thank you to the Aerospace Village for having this panel today. I think it's really positive. And I'd also like to thank the good faith researchers out there. I think that their work is really, really important. We do need it. The aviation industry needs it. And the only ask that I have is that they don't give up on building those bridges and they do reach out and they do try to get in touch. Because I know we as a regulator, really do wanna have those conversations. So thank you. Just like to thank you for the opportunity to be here with you guys, with you guys. I really appreciate that. And we encourage the research community to come closer and closer to the regulators, to the, if you want, manufacturers and the aircraft manufacturers because they all need the work the research community does. For example, in ICAO, we also need the only difference that papers presented to ICAO most of the time, they are not scientific papers. They are more technical papers. So you have to adequate the language because the community is a very broad community that sometimes they will not get if you go on the scientific language. So I really encourage anybody to come to us and present whatever research you're doing. We are always open to receive information from different sources and we really appreciate that. And we need that. As I said, I'm a researcher by myself and I really appreciate when I have to cooperate with my peers in the academia and translate what they are saying into international civil aviation language and put to the community to be discussed. I really appreciate it. And thank you for the opportunity again. And they kind of said it all.
So at the risk of repeating, but thank you very much for having us on the panel. Thanks for hosting the Aerospace Village at all and DEF CON, thanks for working so hard to build bridges between these different communities. Also thank you to the security researchers for the work that they're doing, the aviation industry for slowly changing, right? For changing and accepting this community. I know that it's painful and they're not always the easiest community to deal with. But and I guess one last thing I suppose, it's kind of poignant that we're doing this remotely. And that everybody is under a lot of stress and probably missing this annual gathering of such a unique and colorful community. So just much love to that community and stay safe. Thank you all so much. And yes, I hope to Harley's point that next year or the year after we can do this panel again and we can be in person and I can meet all of you. But thanks again from the Aerospace Village. We so appreciate your time and your insights and just have a great rest of your day. Thanks.