Podcasts

#7: Cyber Resiliency — Preparing for the New Frontier with IATA’s Matthew Vaughan

About This Episode

🔒 You can’t expect to be lucky every time. Understanding what the next phase looks like and being preventive is key for security, compliance, and risk management.

 

Welcome to this episode of the JumpSeat with host Chris Glass and guest Matthew Vaughan, Director of Aviation Security & Cyber for IATA. In this episode, Matt shares his background in security and cyber, as well as his previous experience as Head of Security for Etihad. Matt comments on the nature of cyber resiliency and how it is different from physical security, and that the industry needs to develop cyber resiliency before wrongdoers realize the vulnerability. As digital evolution continues, Matt also expresses the need for cyber literacy education for younger generations, which is just as important as Math, Science, and Literacy.

Don’t want to miss out on the next episode? Follow us on your favorite podcast platform or subscribe to JumpSeat! As this series of the JumpSeat podcast continues, we are always looking to share the most recent and impactful topics to share with our listeners.

 

Link to IATA’s new open-source data collection tool, IATA – AVSEC Insight.

 

 


Podcast Transcript

Chris: 

Hello everybody, It’s Chris again with the JumpSeat Podcast, and I am with Matt Vaughan, Director of Aviation Security & Cyber for IATA. Welcome to the pod, Matt.

Matt: 

Thanks, Chris. Thanks for having me.

Chris: 

Now you’re calling us in from Montreal, via Geneva.

Matt: 

That’s correct.

Chris: 

So, how is Montreal today going for you?

Matt: 

Really good. It’s not too cold. The ground is dry, so that always helps. And, the construction is never ending.

Chris: 

Yep. That’s the Montreal I know and love, and pretty much all of Canada at the moment, they work on all the roads and all that. So, you have a very interesting background, coming from Australia, can you talk about how you got into security? What was your start?

Matt: 

Yeah, absolutely. I left the island about 15 years ago, actually, probably longer than that now. Cut my teeth on security and in law enforcement and was lucky to see the world before 9/11 in terms of national security, law enforcement, what the priorities were at that point. Australia is just an island nation, so they weren’t necessarily the security challenges of the Middle East and North America and stuff like that. But Australia is also part of the Five Eyes intelligence community type coordination, so I got to see a bit of that before 9/11. And then, kind of the line in the sand, which we all know, 20 years last year, which is just incredible when you think, right? “Where’s that time gone?” and then, post-9/11. And that’s a different career for a lot of people in security that started with traditional law enforcement or military or sort of government service type roles. And very quickly, through no fault of my own, the nature of the work sort of went down that counterterrorism path. And, given that I was a 6-foot white guy that couldn’t speak anything else other than English, counterterrorism and being able to sort of culturally cross through a number of different communities around the world – which, again, lucky and fortunate enough that Australia is quite diverse and has a very good cultural mix of now Australians, following WWII and the way that most of these colonial countries have evolved. I soon realized that my perspectives of the world just weren’t cutting it. How could I legitimately be talking about security issues in a foreign part of the world that I’ve never even been to, or tasted the flavor of.

Chris: 

So, you’re telling me your days as a spy ended then.

Matt: 

Given that this will be public, and someone might be watching – certainly not. But, the long and the short of it is that I needed to kind of get some hands on in other parts of the world and Australian foreign service was not going to give that to me, at that point in time, given just – I go back to that point, I was just a 6-foot white guy that could run a hundred meters and do all the things that ten thousand other guys could do. And so, therefore I just needed to create a different perspective, a different edge. So, I took a sabbatical and took off, landed in the Middle East. At that time, [there were a] whole range of security type challenges and opportunities, both corporate and government – dare I say, mercenary opportunities, depending on what your flavor was. And I ended up doing a training course with an airline, a little airline at that time. I had no idea who they were, what they were doing, and at the end of the training course, I was offered a job. And totally blindsided by the travel benefits, and just kind of went straight to that and, yeah, no worries, whatever the job is, it is what it is – as long as it’s not flying an aircraft, okay, good, I’ll sign up. And after a year of being completely broke, because you don’t realize you might be able to fly there at zero cost, but…

Chris: 

You’ve got to pay for it when you get there, the hotels – everything. No, I’ve lived that, too.

Matt: 

Yeah. So, I you know kind of wiped myself out for the first year. And then in 2012, I signed off my clearance back home and never looked back. And here I am today.

Chris: 

Excellent. So, I want to talk about that role that you took, that was with Etihad, right?

Matt: 

That’s correct. Yep.

Chris: 

And that was Head of Security.

Matt: 

Yep.

Chris: 

Now, every single person that I’ve ever talked to that’s had a similar role like that – so my background, I worked for West Jet, I got to know our head of security there quite well – there are some crazy stories that come with that role. So, what’s your favorite experience that you can share with us that highlights how unique that role could be?

Matt: 

Yeah, that’s a really good question. Yeah, it’s a 24/7 type culture and community. There isn’t Sundays, there aren’t holidays and stuff like that. And also just given the period of time, coming out of that sort of 9/11 phase and the emergence of various terrorist groups and things like that, the role of some of those Gulf countries still remains today incredibly moderate forward-thinking type countries. And so, just their own sort of foreign policy agenda was a risk to certain people. And so, the airlines were an extension of not just the brand, but the national agenda. And foreign policy agenda. So, security-wise, I couldn’t have asked for a better hands-on, really get yourself sort of torn up – to a degree that you don’t get kidnapped or shot at or anything like that.

Chris: 

You get the experience.

Matt: 

You absolutely get the experience. But to think of a story… So Ramadan, 2012, one month before the US Ambassador in Benghazi tragically died in an attack, which ironically occurred on September 11th. But, I was on a freighter aircraft operation into Benghazi airport, we were delivering some fast moving consumables like phones and headphones and just some basic technology that we kind of take for granted today. And there’s no instruments at the airport, so it’s visual and you actually fly the aircraft and land. And fortunately, I had some wonderful, experienced pilots, and I thought that was the day that we were done, because as soon as we landed and stopped the aircraft, there were literally about 50, 60 armed guys just running for us, running towards the aircraft. And they weren’t interested in us or the aircraft, they wanted what was in the aircraft, and, to my surprise, the catering that was on board – they wanted all the nice sandwiches and orange juices and things like that.

Chris: 

Wow. <laugh>

Matt: 

Yeah. So, that’s one of a number of different stories, but I thought my day was done and yeah, wasn’t the case.

Chris: 

So, when I asked that question, I was expecting, an unruly guest or an unruly passenger, that kind of thing, so you just took it to another level, so I appreciate that. That’s excellent.

Matt: 

I could do one of them, if you like. I mean, there’s plenty of them.

Chris: 

No, that’s fantastic! So, with that, a lot of people think that being the head of security for an airline is that physical security side of it, dealing with the front facing side of it. Obviously, there’s a whole other world there. So, in that role, did you experience some of the security challenges with technology and, with the world being so online now, what was that like?

Matt: 

Yeah, that’s a great point. So, unlike the current role where it is just deeply looking at strategy and policy ahead of an airline is a combination of frontline tactical type operations, but also a bit of strategy and being able to plan what, what the next phase looks like. So, I keep saying the word lucky a lot, and it really is the case, right? It’s not through my doing, it just happened to be Johnny on the spot, but I worked for an organization that had a very good pipeline of aircraft procurement – next generation aircraft procurement. And so, the adage being what we just called E-enabled aircraft. So, it went from the traditional sort of hydraulics, electrical-based flight control systems to what we call digital, E-enabled, IP-based flying technologies that we just take for granted now.

Chris: 

Basically, computers with the ability to transport people.

Matt: 

Correct, yeah. And so, when you look at something like the flight management system and the use of iPads as a replacement from the old weight and balance, manual calculation kind of thing, the integration of our day to day technology, just as people into the flight deck, that was really, really different and totally cool. And I saw the Satcom days, and when you asked me about a story – I was flying in business class once and I got called to the cockpit to answer a call that the cockpit had had received in regard to another security issue on another flight, right? And so, I remember everyone in business class kind of looking at me going, “Who is this guy?”.

Chris: 

Yeah. Getting up, going to see the [cockpit].

Matt: 

Getting up and going to the cockpit, right? And just even cockpit access control is a highly sensitive, regulated, type of policy. So, I saw the days of Satcom to where we are now, where some of the in-flight entertainment, the connection is better than my terrestrial home entertainment system, just incredible broadband connectivity and the bandwidth is amazing. So, and if we get into some of the cyber and vulnerability-type discussion – that may be another podcast, but we can touch upon some of those aspects then.

Chris: 

For sure! And that kind of leads to your current role now. So, Director of Aviation Security & Cyber for IATA. And IATA, of course, is the standard that most airlines look to when they’re coming up with those guidelines and those kind of norms that airlines across the world abide by. How’s that been and how’s that like, if you could tell us about your current role now?

Matt: 

Yeah, so, as the title kind of infers, it’s just sort of universal international coordination on setting baseline standards, compliance, risk management, in the way that you do physical and digital security. And it’s closely linked with safety and flight operations and things like that. And I had such a great time in the Middle East that I knew it would be a waste, and I know this sounds really contrived, but just go with me – and it is true, so I stand by my every word – but I wanted to take those experiences and try and put that into a broad set of guidance or standards or best practices that the rest of the industry could leverage. Whether that be an obligation or voluntary, that was up to them, that’s totally what it was about. And so, little did I know though that, to create change in civil aviation, it is almost generational. It is such an old school, status quo, sort of underbelly kind of culture there that it’s harder to get out than in kind of analogy. So, I’ve been here over five and a half years now, and only now do I actually, if you were to ask me what have you achieved, what have you done, I could probably list two or three things that you will feel different in the industry about today. And that’s been five and a half years. So, a different set of responsibilities, that’s for sure.

Chris: 

Well, that’s kind of great of you to tee up my next question that actually works out really well – what are those accomplishments?

Matt: 

So, thank you for asking, that’s great! We have made some pretty cool adjustments at the Chicago convention, the international [agreement]. We’ve made some adjustments to policy standards that were imbalanced between industry and governments. We took advantage of everyone being home in 2020. And so government’s priorities were elsewhere, and so we were able to remove some of administrative, again, using the phrase “pre-9/11” security practices that just had no value what whatsoever. In fact, the time and effort and cost that was being spent on that is now reflowed into other areas. So, that in terms of IATA’s overall mission, that was at least 10 to 11, 12 years in the making. And then I was able to come in and just kind of motivate that a little quicker. And the second one is, we just released an open source, data collection tool with which open source intelligence is not brand new, neither is machine learning, but put those two together and then create an aviation ontology, so the apples to apples – we’re both an aviation, so we can talk in acronyms all day long, but do that in a way that airlines and the wider industry can leverage open source, a bit of machine learning and almost – I don’t want to create this catchphrase, but do the Google for aviation security. And so we just released this online tool. I did a proof of concept in 2020, I nearly lost my hair trying to get the budget and the funding for it, but we managed to get it through. And it’s on a cost recovery type basis. And so, anyone can subscribe and within 60 seconds they’re online, they’ve got oodles and oodles of OSI reporting that they can leverage and embed into their risk assessment type processes. So, yeah, that two, I can go to a third, if the rhetoric of three works better for you, I can do that.

Chris: 

I like the way you phrased that. Where would somebody find that open source document?

Matt: 

So, IATA.org is really the best way, IATA.org. And then when you look down in the programs, you’ll see Aviation Security and it takes you straight into that. Or when you go about promoting this, I’ll give you the URL and you can have it there.

Chris: 

Perfect! For those that are listening, we will definitely link that in the show notes so you’re able to find that information as you see fit.

Matt: 

Yeah.

Chris: 

So, my next question is about, where do you see the biggest challenges coming at airlines as we enter the next stage of this world? I know there’s a lot more talk about cyber warfare when it comes to countries, and it doesn’t necessarily go from nation to nation. It’s industry-based now, and that’s a huge challenge for companies that aren’t prepared. So, where do you see the threats and the vulnerabilities coming from the airline sector, and what should our listeners be aware of on what they need to be thinking about now?

Matt: 

So, digital evolution, absolutely. The old adage, “for all for three good things, there’s always one drawback” kind of thing. So, the difference now in the digital space is, what you did today as a control or an identifier, may not be relevant tomorrow. So, in the counterterrorism space of 20 years ago, you could apply some pressure here and it might pop up over here, but you at least had some time. And the old adage, or the cliché that they would talk about was this time to bang, which is days, hours, and years, and the way that you radicalize and, do 1, 2, 3, kind of thing. Well, in the digital space, there’s no time to bang, it’s there. It’s on. There’s no jurisdiction. So, that’s a big one for aviation. Understanding the Chicago Convention is completely constructed around understanding that there are 193 states that signed that convention, and therefore you essentially have 193 versions of how to do things. In digital, that’s got nothing to do with it. So, I think, again, just using the threes, the final piece is, don’t worry about the workforce today, we’re done in being able to get ready for the sort of opportunities and the vulnerabilities that are ahead – how do we get the kids ready? How do you make digital literacy or cyber literacy in the same way that we did math, science, and English, for example, right? How do you embed that into their curriculum and their education so that you’ve just got a fighting chance further down the track. And so, I guess my last point on that is I’m also very clear to say to people that aviation right now is a sector that is not directly under attack. There’s digital interference, ransomwares, thing of the day right now, But that could change pretty quick. Because if some of these criminals and state actors and whoever, if some of that group start to learn just how seemingly vulnerable the aviation sector is, then we’re really up against it. But today, it’s not quite there. They are getting quick wins, really good economic outcomes in a whole range of sectors that just happen to involve aviation operators, entities of aviation. And it’s really in the IT space, it hasn’t crossed over into operational technology, aircraft, air navigation systems, maintenance, all the different pieces that come with operating airlines.

Chris: 

It reminds me a little bit of pandemic planning. When you worry about a coming virus or coming disease, it’s tough to spend money and energy and time plan for it. And then when it’s there…

Matt: 

It’s too late.

Chris: 

[Then] you seem overwhelmed, right? So, would that be your recommendation? To spend that time now, preparing for some of the scenarios that don’t seem on tomorrow’s doorstep, if that makes sense?

Matt: 

You’re absolutely right. It’s selling a negative. Prepare for a short loss today, or a cost, which could be a hundred times if you don’t do it tomorrow, kind of thing. What I would say is the executive or leadership that would ultimately fund resource this appropriately, at least in aviation, we are bundling risk together. And we’re going to leaders and saying, look, I need to incentivize this, I need you to fund this, I need to resource this… Risk is risk. Well, okay, in the physical world, you could probably get away with that. Safety risk in the cabin versus the hold of an aircraft. All right, I get that. But in digital risk, to me, that’s off the table. It has to be, we’re coming to a board or a chief executive or whatever it is, and we’re saying, look, we’ve got a set of digital risks here I’ve helped prioritize. I need funding resource support for these kind of – if I can lock them up, I can then start to reduce the contagion on other other parts. And so, to put that in practical sense, cloud computing, understanding privacy conditions, and again, back to the jurisdiction piece on basic cloud computing. And then to put that in the operational realm, one of my favorite ones, the maintenance laptop that connects to a 787, for example. So, the aircraft flies around with the laptop in the cockpit that it knowingly can be taken out. And that’s a flight safety critical piece of technology. So, and because I know a little bit about it, at least when it’s delivered and certified it’s cybersafe, actually, sorry, I’ve used a phrase I shouldn’t have – it’s Cyber Resilient.

Chris: 

Resilient. There you go! So, now I know what’s gonna be keeping me up at night based on that last comment, why don’t I bring it to a little bit of a hopeful part of it – have you seen the industry respond in kind, and do you think that people are taking threats seriously and taking steps now? Have you seen that response yet?

Matt: 

Yeah. The national carriers absolutely. They’ve, in some ways, probably got no choice. But to be completely transparent, we still have a long road to go. We still have work to do to create a firewall or proverbial firewall where we’re all on the same page, and then your defense starts from there. And we’re just not there, and actually we may never get there. So, in terms of our mission, it really is about safety of flight, and focusing on that aircraft right piece, which therefore brings in the supply chain before certification, before systems and firmware and hardware are certified, and then you achieve that airworthiness, and then how do you maintain that airworthiness going forward? So, what we have seen though, is that most airlines that are operate – actually, if not all that are operating E-enabled aircraft, do have a pretty good cyber plan for it.

Chris: 

It kind of comes with the territory that type of aircraft.

Matt: 

Absolutely. But, if your website goes down or it’s been taken from you, but you’ve got a cyber resilient aircraft, in terms of customer sentiment, it doesn’t take long to kind of connect that and go, oh, should I be flying on that one? Or in one recent case, pilot training records on the dark web, should I be [ worried]? So, there’s still a bit of learning to go on how that perceptions correlate and what that means in terms of customer sentiment, shareholder, confidence, and all the different bits.

Chris: 

Right. Wow, you’ve given me a lot to think about, and I’m now looking at every password I’ve ever had, making sure it’s long enough now. So, that’s great. One question I wanted to ask before we leave – we’re kind of up for time here, but I’ve asked this of every podcast guest that I’ve had, and I’m interested in your answer because you are collecting air miles quite quickly here.

Matt: 

That’s a good point.

Chris: 

So, living in Australia, living in the Middle East, living in Geneva, living in Montreal, where’s your favorite place to go? You said that you burnt up all your money in that first year of working for aviation, so where should our listeners go next?

Matt: 

You mean in terms of a holiday? Or a…

Chris: 

I’m leaving that up to you.

Matt: 

Okay. Wow, that’s a really good question. So, as an Australian, I should probably never, ever say this, but, I’ll do it because it’s going to be on record, and I know my New Zealand friends will love it, but New Zealand is absolutely a place. Auckland, Christchurch, just get to New Zealand, it’s a magical, magical country. And then the other one, I think if anyone can ever get the chance to go, is northern Iraq, right up there.

Chris: 

Really?

Matt: 

Yea, Kurdistan. It’s not the cradle of man, we all know that’s, that’s Babylon in Baghdad, but the Kurdistan region between sort of Turkey, Iran, and some of those other northern states are just amazing, like the incredible, incredible landscape and people and hospitality and all that sort of stuff that goes with it. So, I believe, in my lifetime, that could become a destination in the same way we treat the Greek islands, and Cyprus, and Malta, and some of these fantastic [locations].

Chris: 

Morocco.

Matt: 

Yeah, Morocco. I absolutely believe at some point that’ll become some of those choice locations.

Chris: 

Excellent. That is a fantastic answer to that question and probably the most off the beaten path answer I’ve gotten. It’s not Hawaii or places like that.

Matt: 

Cancun.

Chris: 

Yeah, exactly.

Matt: 

Carbo St. Lucas.

Chris: 

Matt, thank you so much for spending some time with us, and I look forward to continuing conversations with you in the future and having you back on the pod at a later date.

Matt: 

Sounds great, Chris. Absolutely. We’ve got a couple of topics that we can segue into it.

Chris: 

Perfect. Thank you so much for your time today.

Outro: 

Thanks for listening to the JumpSeat. Catch the next episode on your favorite streaming platform, and follow us on LinkedIn at FLYHT.

Recent Podcasts

Oct 11, 2022

#7: Cyber Resiliency — Preparing for the New Frontier with IATA’s Matthew Vaughan

Listen Now
Jul 27, 2022

#6: Don’t Be Paralyzed By Too Much Data — Industry Veteran Don Wilson On Just-In-Time Aircraft Parts and Operations

Listen Now
Jul 12, 2022

#5: Get In and Get Out & Project Zero — Strategic Operations With Waltzing Matilda Aviation’s Smart New Airline

Listen Now