To counter cyber risks to critical sectors such as aviation we need international collaboration

As technology grows more intrinsic to everyday life, from the citizen through to the operations of critical national infrastructure, the importance of cybersecurity is becoming increasingly recognized all around the world.

While industry sectors operate in different contexts, many of the most prominent online challenges are not unique to a single country. When it comes to tackling these global cyberthreats, working with international partners can have benefits for resilience.

By coordinating regulatory approaches so that common high standards of cybersecurity practice can be applied across industries and borders, national authorities can help secure international supply chains and create a safer digital world for citizens globally.

The coronavirus pandemic has posed new challenges around the world, including in cyberspace. While technology has enabled many organizations to continue operating remotely, it has also brought new challenges associated with securing devices and data. Cybercriminals are taking advantage of our common fears in scam messages, which are designed to trick users into sharing sensitive information or downloading malware.

Ransomware attacks have become increasingly common in recent years, with attackers now shifting their model of attack to include threatening the confidentiality of data as well as disrupting its availability. Victims need to consider the threat of their sensitive data being exposed to the world, and the risks of reputational damage. Ransomware is often a visible symptom of a more serious network intrusion, so it is vital that the right security protections are implemented to reduce the chance of a compromise in the first place.

Another challenge is posed by how interconnected cyber-physical systems are, from the smart appliances used in our homes to industrial control systems. Working out how safety requirements for this technology can be integrated with security needs is vital for assessing how cyberattacks might have physical, real-world outcomes.

When it comes to defending ourselves from common cyberthreats, taking an international, multistakeholder approach helps countries and sectors benefit from and build on each other’s successes. Cybersecurity is a team sport that is most effectively addressed together, and global collaboration and information-sharing are vital for our communal defence from criminal activity.

Good cybersecurity principles in one country or industry are often very applicable in another, and effective, joined-up regulation can play a vital role in improving global standards. Establishing a higher common baseline of cybersecurity practices across industries is vital for preventing threat actors with low sophistication. And rather than international organizations facing multiple regulatory approaches and standards, coordination can harmonize and improve performance standards across Critical National Infrastructure (CNI) sectors.

The Cyber Assessment Framework (CAF) developed by the UK’s National Cyber Security Centre (NCSC) – a part of GCHQ – is a positive example of what national authorities can do to spearhead flexible regulatory approaches to cybersecurity.

The framework does not offer a rigid checklist of cybersecurity controls, but instead offers a set of cybersecurity and resilience principles that are applicable to a range of organizations across multiple sectors. The CAF has been designed to align with a number of internationally recognized cybersecurity frameworks (such as the NIST Cybersecurity Framework), and to enable assessments to draw on evidence of compliance from a range of established cybersecurity standards.

The UK’s Civil Aviation Authority (CAA), engaging closely with the aviation sector, incorporated the use of the Cyber Assessment Framework for Aviation into its regulatory oversight regime for cybersecurity in 2019. Importantly for the CAA, the CAF for Aviation is outcome-based, scalable and can be applied to various technologies (IT and OT) and organizational implementations to support safe and secure outcomes. This removes duplication for the regulated entity and the regulator, and provides a consistent view of the cybersecurity risk across the sector.

By ensuring that organizations adopt sufficient measures to mitigate some of the most common threats they face, the CAF for Aviation will help them become harder targets for adversaries.

The UK input, alongside other global industry and aviation specialists, into the WEF Aviation Report has been essential to highlight key systemic cyber-risks in order to prioritize and define pathways to anticipate and mitigate the impact from future digital shocks.