Catherine: The mission of Mobile Satellite Users Association (MSUA) is to exchange news and information relevant to the satellite mobility community – operators, service providers, manufacturers, application providers and users. As part of our weekly data collections, we’ve added an adjacent market series where we gather information that may be relevant to the mobility community. Our present focus is cyber security. From your general perspective, how important do you believe cyber security is to the satellite community and specifically to the satellite mobility community?
Robert: First, let me just say something about the fact that you have users. It's interesting that the association has both the provider community, the operators and the users because much of cyber security involves the interplay and the intersection between the provider-operator community and the user community, especially in light of the way Cyber is being framed around what's called risk management today. Users have an interest in understanding the security measures that are under the control and domain of the operator. The operators have an interest in understanding the interests and capabilities of the user community as they interconnect with the systems.
The other component that you mentioned is the equipment providers who support the various components of the satellite infrastructure. You, in a sense, have all of the right participants in the ecosystem as it relates to the satellite world. That's a pretty big deal to be able to speak to that community in total.
Catherine: Typically a satellite mobility solution is a system of systems. There’s a whole ecosystem involved in each solution, including the user.
Robert: It’s all about interdependencies and shared responsibilities. You’re only as strong as your weakest link. Users need to know how to protect themselves while operators and other vendors in the value chain need to know what each other are doing with their cyber protections. Paying attention to cyber security is paying attention to your core business. You could be doing everything right as a user. You could be doing everything right as a provider. You could be doing everything right as a vendor, but if you're not coordinating that with the people you interface with, then you put yourself at great risks. This is why this kind of conversation and education and awareness has to take place on a kind of ongoing basis.
Catherine: MSUA’s goal is to take a 360-degree view of cyber security. What role do you play in this field?
Robert: I’m involved with cyber security from the policy perspective, from regulators to DHS and the Commerce Department through NIST (National Institute of Standards and Technology) and NTIA (National Telecommunications & Information Association). I believe policy initiatives in cyber are driving market activities and technology innovations.
Catherine: You’re also a group leader of CSRIC (Communications, Security, Reliability and Interoperability Council). What's the best way for MSUA to take part in an initiative such as this one to be part of the ongoing industry / government conversation about cyber security?
Robert: As an association located in Washington D.C., your community could be represented on CSRIC in the COMSEC or coordinating council. Both of those venues enable you to be tapped into the flow, so to speak, of government industry partnership. We have a weekly call with 30 or more members of the committee. It’s an information sharing hub for what's happening at the FCC, White House, DHS, NIST and NTIA. That's one way of understanding government /industry engagement. There's a whole expansion of government industry partnership activities that are on the way, partly because the government recognizes how the cyber security threat is expanding. They recognize their dependency in the private sector since 85% of all of the critical infrastructure is owned by the private sector. There’s also something called the ISACs (Information Sharing and Analysis Centers). ISAC is affiliated with the DHS National Coordination Center, NCC. We have kind of an embedded relationship with the government in this operational environment. If you go the COMSEC, the Coordinating Council website, you'll see all of the different coordination venues. I think there’s an opportunity for members of the satellite industry to take a more active role. It doesn't cost anything. You decide how much you want to be involved.
Catherine: I understand that the final report of CSRIC’s Cybersecurty Risk Management and Best Practices Working Group 4 was issued in March 2015. Is this something that members of the satellite mobility services should read and incorporate into their businesses and user practices?
Robert: The framework, as recommended in the report, is designed around principles that allow for flexibility. If you look at the functions and the categories and subcategories, you will see an approach that is based on a process focused on prevention, detection of the threats, responding to a threat, recovering from a threat, and identifying critical infrastructure. When you focus on process, you're basically recognizing things are going to change. Most big companies understand this and have an internal cyber security team working this issue. At the same time, it’s important to have a common operating environment, a place to talk about cyber issues with other companies in your industry I don't know if and where that's happening in the satellite industry but if it's not happening, that's probably not a good thing or it's a great opportunity for MSUA.
Catherine: Last, we’ve focused on cyber security developments related to the U.S. Government and markets, what about international governments and markets? Is there Industry/Government cyber security collaboration taking place with other governments and industry?
Robert: There are international CERTs which are the Computer Emergency Readiness Teams, CERT, and we have a US CERT and there's a Japan CERT. Sometimes they call it CERTs overseas, but there is a group called FIRST that represents globally all of these various government funded and supported CERTS which collect information on threats and try to get it out to their various communities. That's at the operational level. There is a real effort on the part of NIST to work towards promoting the framework as the model for international dealings in cyber security, because it's not prescriptive. It's flexible and you can prioritize your efforts and it can be tailored towards individual countries and companies. In other words, each country gets to interpret it in its own way. It's getting increasingly recognized as a major cyber security construct for government / industry coordination but the challenges associated with international cyber security rules and expectations and especially cross data, cross transnational data flows, is huge.