AUVSI Xponential is taking place in Denver this week.  This morning, the keynote sessions kicked off, including a conversation on cybersecurity issues with AUVSI’s Chief Advocacy Officer Michael Robbins and Tobias Whitney, VP of Strategy and Policy at Fortress Information Security.

Cybersecurity for Drones is a critical topic in the drone industry today.  A series of government policies banning the use of Chinese drone technology for government use has resulted in the GSA approved list being limited to the Defense Innovation Unit’s Blue sUAS platforms.  States, including Florida and Arkansas, have followed suit in banning drone platforms from “listed entities,” including China, in an effort to ensure that drones purchased with state funding meet cybersecurity needs.

While well-intentioned, these government and state policies have not always helped US drone manufacturing or the public safety agencies or government workers in the field.  Florida’s policy gave public safety agencies no time to replace and retrain on their fleet.  The DIU’s Blue sUAS list is limited in scope, and it can be difficult for platforms that don’t fit into a Department of Defense need to get through the system and get on the GSA approved list.  Many US-based, NDAA-compliant drone manufacturers have been left without a clear path to providing government solutions.  Government buyers who need platforms outside of the short-range reconnaissance type included in the first Blue sUAS list have struggled with navigating an exemption process to purchase solutions not listed on the GSA website.

In addition, there are significant unanswered questions surrounding these efforts to ensure that drone data is secure.  What cybersecurity standards should drone manufacturers meet?  Should cybersecurity be focused on technology, or country of origin?  How can government agencies outside of the Department of Defense, state agencies, and public safety departments evaluate platforms for cybersecurity?

The Significance of Cybersecurity in the Current Geopolitical Landscape

Before Michael Robbins and Tobias Whitney took the stage, cybersecurity expert Alex Stamos, Stanford professor and former Chief of Security at Facebook, took the stage to discuss how cybersecurity is a critical piece of the geopolitical landscape.  Stamos points out that while the war in Ukraine is in some respects a historical throwback, this current war is being carried out in a totally new way due to the technology available.  Autonomous systems have been a key part of both the warfighting and the information gathering that has been significant to the war.  “[Ukraine]…without having a massive defense industrial base, now has agents able to pull off… spectacular attacks,” says Stamos. “The asymmetry between the worlds of [military power] can be balanced with smart use of technology.”

“The entire world is watching… and every company in this room is now a defense contractor,” says Stamos.  The result of these new and spectacular uses of technology, Stamos points out, is new and significant efforts to fight through cybersecurity, including Russian attempts to knock out Viasat in order to disrupt the operation of autonomous vehicles.

Stamos also states that the growth of the People’s Republic of China has impacted the landscape in cybersecurity and offensive attacks, particularly in the area of industrial espionage.  “Whatever your business is, you have a competitor in China,” says Stamos, who believes that the PRC allows hacking as a legitimate tool of competition.  “There are people whose job it is, all day long, to work on hacking into U.S. companies,” says Stamos.  In addition to corporate intellectual property theft, Stamos says that the People’s Liberation Army (PLA) has placed significant resources towards hacking and cyber attacks.

Given that backdrop, Stamos feels that US-based companies must be concerned about cyber attacks and cybersecurity.  In his view, recent efforts to protect government and public agencies from possible Chinese cyber attacks and intellectual theft are critical.

“Cybersecurity is like the weather,” says Stamos.  “You know that climate change exists, but you don’t know when a fire or a flood is going to happen.”

“…The level of risk in certain industries is ramping up and up and up.  That doesn’t mean you are going to get hit tomorrow, but it’s something that you have to keep in mind.”

Cybersecurity in the Drone Industry

AUVSI has recently developed an initiative to try and fill the gaps left by the Blue sUAS program, with a program they’ve called Green UAS, or AUVSI’s Trusted Cyber. Today, Michael Robbins and Tobias Whitney discussed how the Trusted Cyber program works – and what it offers the industry.

“It’s important for us as an industry to try to stay ahead of the threat, and ahead of impending government regulations,” says Robbins.  While safety has always been the focus of the drone industry, Robbins says that it is time for the concept of security to be elevated.  “That threat is urgent, and is very real.”

Whitney has been instrumental in developing the specific protocols that go into the program.  “There is a blueprint for what we’re trying to do here,” says Whitney.  “We’ve looked all across industries for the best practices… we want people to know when they purchase a drone, they are meeting security standards and best practices across many different industries.”

Whitney describes the four pillars that go into the Green UAS certification program as it develops:

1. Command and Control, with appropriate encryption and security protocols;
2. Supply Chain Visibility, or where components are manufactured;
3. Product Security, or how easy would the vehicle be to take over?
4. Cyber Hygiene, or the foundational expectations of how companies manage security generally.

Customers can be certified appropriately on the aspects that are most significant to their businesses.

“We don’t assume that we know what’s best,” Robbins says.  “We’re taking input from all over the industry.”

While the Green UAS list is designed to help companies that were locked out of the Blue sUAS program, but AUVSI has worked closely with the DIU in order to create a pathway for manufacturers to move from the Green UAS list to the Blue sUAS list.

Robbins points out that they have gotten some push back from the industry, as some feel that the program is not necessary in advance of specific government regulations.  That’s not necessarily the case, he says: “When you talk to your customers, you find this is what they are looking for.”