Discover the critical connection between technology and aviation safety
Guest: Steve Luczynski, Director, Aerospace Village [@SecureAerospace]
On Twitter | https://twitter.com/cyberpilot22
On LinkedIn | https://www.linkedin.com/in/steveluczynski/
On YouTube | https://www.youtube.com/c/AerospaceVillage
Host: Josh Mason
On ITSPmagazine 👉 https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/joshua-mason
______________________
Episode Introduction
Discover the critical connection between technology and aviation safety. Explore the tech-aviation safety nexus with host Josh Mason & former pilot Steve Luczynski. Insights into Aerospace Village & cybersecurity's role in aviation. Uncover hidden complexities securing our skies.
______________________
For more podcast stories from Loops and Lifecycles Podcast with Josh Mason, visit: https://www.itspmagazine.com/loops-and-lifecycles-podcast
Watch the webcast version on-demand on YouTube: (coming soon)
Josh Mason: [00:00:00] Welcome to Loops and Lifecycles. This is Josh Mason, your host. Today, I've got with me Steve Luczynski from the Aerospace Village. Steve and I share a similar background. We both went from the cockpit to the cyber realm. Steve, if you could introduce yourself a little bit.
I know you've got an F-22 back there. I know you've flown F-35 as well.
Steve Luczynski: Not F-35, F-15 before F-22, but I appreciate it. No, this is awesome. Thanks, Josh. Yeah, this is very cool. Another Air Force former pilot. We can talk about the good old days when things were easy just flying around, but I really appreciate getting to be on here.
And I where are you in your podcast series? What number guest am I? Am I think I'm Yes. Number four. Nice. All right. That's awesome. So I got a, you
Josh Mason: inspired me a little bit to do this.
Steve Luczynski: Holy cow. The fact [00:01:00] that you're on here, cause this is all part of ITSP and Sean and Marco, right? Yep. Yep. Man,
Josh Mason: that's awesome.
And I found you listening to them interview you for RSA.
Steve Luczynski: Those guys tolerate me. I do appreciate all of their work and the fact that they give you a platform. Again, thank you for letting me be on here. So for the crowd that's listening and thank you all for joining in you may have heard me if you've listened to some of the other podcasts, but happy to be in here as a part of the aerospace village.
So my background, as Josh said, former Air Force, it's been a little while. I retired in 2017. But my, most of my career was as a fighter pilot. I had a great time. So I started flying F-15s. I moved into F-22s. I had school and just very few non-flying jobs in between. I was very fortunate but one of them was getting into cyber security, building on just being a nerd and [00:02:00] enjoying it but really digging into what the military was doing, what industry was doing, and government side of things way back in 2007.
So when they were thinking about Cyber Command and things are really starting to pick up. That's where my interest really gets piqued in all of this. And then at the end of my Air Force career, I worked at the Pentagon for three years in cyber policy on the civilian side. And that was, I don't like to brag ever about having been to the Pentagon, but I did, I learned a lot and I really enjoyed the folks I work with.
That's what got me into aviation cybersecurity. I went in the private sector for three years as a chief information security officer, building a security program that was great and really seeing that side of things. And that previous time is what made me say, I want to stay in cyberspace. I worked at CISA agency for one year during COVID leading a task force.
And my current job is [00:03:00] at Accenture Federal, working on critical infrastructure cybersecurity, but all of that aside, the best part is that time at the Pentagon. Again, I don't like to brag about it, but those connections and now being a part of Aerospace Village, that's been a hobby on the side, volunteering for that.
The folks that I work with in the village and bringing in volunteers like yourself, man, that is that's been the So how did
Josh Mason: the village get started? I tried to propose a new village to get new people in and I still got that nonprofit that's doing other stuff. But how did aerospace village actually become
Steve Luczynski: like, what led?
Some smart people is the very short answer. The, if if you think back to 2014, 2015 there were [00:04:00] nobody talked about when I flew and I'm imagining when you flew and granted two different decades, I'm sure nobody, we didn't talk about cybersecurity in the cockpit and things like that.
It just, we didn't worry about that stuff. We didn't know about it or somebody else was worried about it. Bottom line is there were some media reports coming out, some things that security researchers were doing and saying, and the way media was writing about them, both in aviation and space. But people didn't really talk about it.
And sometimes what got written and how it was presented was not as presented as it could, for whatever reason. And so from those a number of different incidents and reports, you had some smart folks like at the Atlantic Council recognizing guys like Beau Woods in the Cyber Statecraft Initiative, recognizing that there's something going on in this sector that needs to be talked [00:05:00] about what's really happening there.
He got connected with Pete Cooper, who is, I'm happy to talk about him as a counterpart in the sense of we share and he was in the UK air, the Royal Air Force flying background, got into cyber security and then retired. And he and I met because of both. And he was part of, he was the author of report through those work at the Atlantic Council that was published talking about him.
cyber security and aviation sector. And that was the first time it was really talked about publicly with Thales as the sponsor of that report. And the things I was seeing at the time behind the scenes in the U.S. government and the U.S. military and research and things that were going on. So it was good to see that out in public talking about it in a very smart, very credible way.
What Pete and Beau and the others on the team that [00:06:00] contributed, I had, I get to say I had a small contribution, but what they drove and then when they rolled out that report in November of 2017, and the other smart people that came in talking about and supporting that, so those efforts, and then that, all of those things leading up to that, and then ultimately when you've got, again, smart people like Beau, Alex Romero and many others.
Again, I know I'm leaving out a lot of names here, but when they know there's DEF CON and they know there's these villages and these specializations and where people want to go focus. And they know there are people who want to talk about these things. A good idea comes up. Next thing you know, 2019, we have the Aviation Village.
Jen Ellis was another contributor. Katie Noble early on and working when she was at the entity, I forget the name now, NPPD, before it became CISA. Randy Talley was, and [00:07:00] just when those groups started coming together and talking about these things and what could be done and what should be done and how and we have an Aviation Village in 2019 at DEF CON and that was, and then it's just taken off since then, literally taken off.
Yeah, so
Josh Mason: classic Air Force mission. You got a, the strategy to task, you've got a goal you had set out and you folks set up and put Aviation Village out there and it grew into the Aerospace Village, but I look at it like a one flight to the next. How did you grow? How did you, did you have a process there?
Or did you just lean on
Steve Luczynski: a lot of people It's not like maybe it was and I didn't know the first year because I was more [00:08:00] on the periphery of what I contributed and helping out. But I know somebody like Bo, smart, talented, involved in a number of villages, creating those villages and how you do it and why you do it and the right path to navigate.
So there was experience there. I don't know if that process was necessarily laid out, but you got somebody like that with the folks with the ideas and you put them together. And this is what committed. So the beauty was taking experiences from other villages, leaning on them to get their expertise to do this.
Don't do that. How they went about doing it concerns, right? Not. Everybody thinks it's a great idea to start talking about cyber security in certain areas where safety is a critical issue, right? Lives are at stake. And. And we want to make sure we do this in the way that it's productive and useful to advancing these efforts, not causing mayhem [00:09:00] and FUD and things that are going to pop up in the media when they're said the wrong way, because that is not what was intended.
So having to navigate all of that, it was I'd say, and I think Pete would tell you a lot more ad lib than any set planning. But again, you have the smart folks coming together. Bringing these things in the right way, connecting with folks, talking, communicating. And that's what we're all about.
And that was the beauty of how we pulled all that together. Nice.
Josh Mason: You're at the helm on this one. How how did you build on what do we want? 31 aerospace village to look like with some of those in the past. Was there a specific we want this, we don't
Steve Luczynski: want that. Yeah, that's a great question.
So I'm at the helm, but I have one separate set of efforts and the incredible crew that does the other part. We started off as a [00:10:00] village. We've grown into a nonprofit. That does the village at DEF CON and other events. So that's the growth we've seen. And this is our fifth year, so it's great to go.
Holy cow, we are at our fifth year. This is awesome. We've done this five times, granted. One and a half of those was virtual. But in person, being able to build on this instead. And specifically to So the first part is I run the nonprofit side of what we do as the chairman for the board of directors, the smart people overseeing generally what's the direction, how are we doing things.
How do we partner? What do we want to pursue next and helping bring those connections in the smart folks that are our speakers or the folks, the companies, the people the government agencies that are bringing things for our audience hands on, [00:11:00] whether it's a simple, easy capture the flag or more complex capture the flag to other demonstrations and trying to grow across all of those areas.
But the team who actually does DEF CON and RSA, AIAA, American Institute of Aeronautics, there's so many events out there. We do those things as well as behind the scenes efforts supporting STEM education. That team, the board of directors is volunteers. That team is volunteers. So I'm going to, I'm going to pause and brag on them for a moment and I'll come back to answering your question.
But man, they are. We've got folks from around the world. Japan, a lot of folks in the UK we're picking up more folks that come from the EU as well as all over the United States and they're volunteers. They do this as at, after their day job in between their day job and contribute their time to.
[00:12:00] Organize the events to put out that call for papers and sort through all the things coming in and line them up and get the slides and get people to the right place on time. And Berlin, if you get a chance to talk to her, I'm sure you will when you're out at DEF CON, she runs all of that. And it's just amazing.
The folks we have, we, we collect Matts. We've got two Matts who are the director the executive director and assistant and another Matt who's a contributor and those guys Jim Gurney, who works at Gurney, who works on things Jim Ross, just this collection of folks who have been around from the first time that we were a village is the Aviation Village and what they have done to continue growing.
Back to what you specifically asked. Our approach is our mission early on that we developed is build, inspire, promote. That's the easy task and what that means is [00:13:00] building relationships to sustain trust between the government, between industry, and security researchers, the hacker community. We want to, if it isn't there, we want to establish it.
It is there. In general, it really is there. We want to grow that. We want to make sure folks know who to talk to before there's a crisis, right? That's where you can always better. Something goes down wherever we can help on that. The inspire part is inspiring the next generation of cyber security leaders, right?
It's not always going to be folks like me, the policy level. for the technical level. It's who's next. And we have in our village, those volunteers I talked about. We have everybody from, like I said, somebody like me, older, more experienced less technical, more government, more policy, military strategy type understanding and thinking and connections and perspective on things.[00:14:00]
And we have brand new versions of that. We have brand new technical people, and we have incredibly experienced technical people. We have former military. We have former pilots. We have current pilots. We have gonna be pilots. So we have that range of the cyber side, the flying side, the space side, all of that.
And the point is inspiring those who want to get into cyber security. Especially if we can say cyber security is pretty cool, but look at it on airplanes. And satellites and the airports and ground control, infrastructure, all of that. There's just a world of things out there. So inspiring people.
Final one is promote and that's promote an understanding of what's going on. The reality that there are tons of people behind the scenes, you never hear about. Like you would assume is probably happening in government, but definitely in the private sector, in academia what's going on in these companies where [00:15:00] folks are working together, the research, they were doing things to make things better by making them more secure, which makes them safer.
So that's what drives the things we bring in the village and the people that we bring in that we. We ask and who come in that we allow to give them times. We want to hear what they're going to talk about for our audience. Nice. Nice.
Josh Mason: I can't help, but think of like Hap Arnold and Billy Mitchell taking what's existing and trying to build out a whole full framework from that.
Yeah. But I think it's really awesome. One of my first roles, once I was an active copilot in C-130, then you have to get a real job was as a safety officer. And I feel like Air Force safety and what we do in cyber are so closely related, taking an incident, [00:16:00] realizing, okay, how do we recover?
And then how do we. Prevent. And then how do we take those lessons learned and prevent it again in the future? Do you see this kind of melding into that same sort of organization like working where safety and cyber are working hand in hand?
Steve Luczynski: Yeah. So most definitely, yes. And the reason why I say that so emphatically is one of the things a few years ago, I heard this quite a bit.
When you have these discussions on the aviation side and then have discovered it similar, I would say, on the space side, and again, as an outsider watching this and talking to the experts who are in the middle of it you cyber people, and again, also as a CISO in the private sector, right? How do you get the business to do the cyber things that are slowing them [00:17:00] down?
But if you don't have the cyber security, they are not operating, right? Put that in an aviation setting. How do you get the engineers to want to do those things that slow them down or the pilots, the crew, the ground, you name it. And so it was always talked about as well. That's your security stuff.
That's what's going to keep the email secured. It's no, that's going to keep your airplane secure, your ground system secure, your air traffic control. Like it's way beyond. So a lot of this is that IT, OT type of mindset. Information technology, email, go. Operational technology, the airplanes, the air traffic control, the communications, make that work, because if the email stops, nobody's gonna get hurt.
Nobody's gonna die. The other things there's potential. So let's keep that going. And so when you find the smart folks who understand, I know the nerds over [00:18:00] there, they want me to do this security stuff because it's actually gonna help me as an engineer and operator, whatever it is, make things safe. So instead of having that safety versus security mindset, it's security to make things safe.
That is, we've seen that evolve and we see the same thing on the space side. So you start getting more appreciation for that, where folks are like, yeah, I guess if I build that in early and I talked to the nerds, I don't normally want to talk to you there. Oh, they know what they're doing and vice versa.
The security folks have to understand What you're asking them to do does not make sense from a mission perspective from an operational perspective, so you better find a way either explain it correctly, which is, I'd say across the board issue in cyber security, talking to the board, talking to business people, in this case, talking to operators or develop the solutions that meet what they need [00:19:00] because we are talking about more than just the email keeps going in some of these areas.
Yeah. Makes a lot
Josh Mason: of sense. Where do you see the next phase going? I know SEC rules just came out. The director national or national director of cybersecurity, whoever is in charge of the White House is looking at putting responsibility on, of course. Yeah. Some of the folks to have secure software.
I think of it like we keep crashing F-16s. Maybe we shouldn't be looking at how we're designing F-16s.
Steve Luczynski: Always like to bash on the F-16. So I appreciate that. Yeah. Yeah.
Josh Mason: It's easy going for the easy
Steve Luczynski: kill. Do you think that's going to help that moving in that sort of direction? is positive for us.
Josh Mason: How do you see things going? [00:20:00] You've also been up there at the top level.
Steve Luczynski: So what's good about it is I don't know the SEC stuff super well. What I have been seeing, I've seen both sides of happy and unhappy. The cyber security marking system that also was recently announced. The other things from the supply chain security, all the executive orders coming out, right?
You've got what you were talking about, the Office of the National Cyber Director, right? Under Inglis, they published the National Cybersecurity Strategy. The next iteration is the implementation plan that came out a couple months ago. Just yesterday, you had the National Strategy for the Work Cybersecurity Workforce.
And the village, we've had we've been involved in helping be a part of that and see certain things and So certain things I know more about, but [00:21:00] ultimately I list that giant range of just stuff. It shows the difference, the attitude, the change in what government's doing to catch up and get ahead of certain things.
The fact that groups are coming in and able to contribute and be a part of the review, the fact that Not just that ONCD level, but other parts of government that we're seeing just what I know from aviation and space sector where when we've had the chief information security officer of FAA talk in the village.
Next week at DEF CON, I'm going to do a fireside chat with the administrator of TSA and the fact that they're willing to come in to an event like DEF CON to a place like Aerospace Village, have those conversations with that to me is what's the most telling of it's not only the, we're going to put out a bunch of guidance and [00:22:00] paperwork and things like that's necessary, but we're going to go out there where these experts are and we're going to talk to them at these events and conferences.
Because have no doubt they need the recruiting. Everybody has a workforce shortage to work through. But that's also where the expertise is. And that's where they meet these folks. So to me, all of those things show that positive shift, that change, the willingness to engage, the willingness to be a part of this event and talk to the hacker community.
Josh Mason: Nice, nice. That is really awesome. I think it's great that agencies are sending folks to participate. I know Jen Easterly was at DEF CON in the past and imagine she's going to be in Las Vegas next week
Steve Luczynski: around and about. From what I've heard, yep, exactly.
Josh Mason: Do you see us iterating well enough in cyber? [00:23:00] I know I used to critique once when you're a pilot, you just get in the style of critiquing, right? We all critique one another. I got used to being like, okay, that was a good debrief style or that was not a great debrief style or that IP was, I don't want to fly with them.
Or I feel like I don't really get much when I fly with them. When we get then into the cyber realm, there's all sorts of folks. There's more folks and there's tons and tons of incidents. Do you feel like there's a best way or. a proper way to take lessons learned from incidents or engagements. Really leaning in on you as a, whoa, a weapons officer to
Steve Luczynski: It sounds very familiar.
Yeah. That's a, that's an interesting question. I know this is something that we've [00:24:00] talked about before and I've talked about with others. On the one, I don't think so. And I think I would scoff heavily anybody who's Oh yeah, there is a best way. Here's what works because what we're talking about.
So from my experience on the military side, the way that When we fly, you prepare, you fly the mission, and then you come back in and you debrief we spend all that time and money going out flying, we spend the time on the people, the gas, all of that. You better get every bit of training and learning out of what you just did.
In my example, in the fighter community, we are very where I came from very retentive about certain things for lack of a better way to say it that if I flew for a half an hour, I might come back and talk for two hours to pick out every little bit of what went [00:25:00] right and wrong for me to learn and for my student to learn.
And then when it gets to be 48 plus airplanes going out doing training, there's only that much more to talk about that much more time. But the point was because it was invaluable and making us better. And it's easy, right? That's the standard that was established. It's the military. It's very regimented in many respects, things like that.
And I think that's similar to your experience, whereas and, but then it varied across airplanes and how they did it and all that. So then now throw that in a cyber example. And I think there's way more airplanes in cyber that can do things different. And oh, by the way, every company is different.
There's no reason for them to be exactly the same company, industry, sector, vertical, whatever you want to call it. But I do think when, like I see at the [00:26:00] conferences and the talks people are doing that there's more and more sharing, whether it's just across the security researchers, whether it's bringing the companies in the government agencies, again, all of those groups coming together and being able to go.
And the government's a pain in the ass, but wow, that's useful or industry. You don't know what we do in government. Wait a minute. That's cutting edge. I want more of that in my stodgy bureaucracy of government because it's good stuff. So as we continue to do that, we see that crosstalk and the value of all of that.
So do we ever need to get to be as standardized as what I grew up on in the airplane world? Not necessarily, but there are some lessons there. And you get a few people to start glomming onto those and start applying them. This puts out a framework to try to get everybody thinking about things similarly, not necessarily identically.
[00:27:00] So then at least the language makes sense, and the approach makes sense, and different things can come together. And then they can customize where they need it. So that is the value I see there. Excellent.
Josh Mason: So then since we don't have weapons school and we don't have all these instructor pilots and we don't have this framework of brief, fly, debrief that we had back when we were in the cockpit do you think that then conferences like DEF CON, BSides become much more valuable as a way of sharing the information and taking in information that other people have learned from in the time since the last conference or what they've been
Steve Luczynski: working on.
Oh, absolutely. Absolutely. And it's, there's the, what I really like, and I see this regularly at BSides conferences and DEF [00:28:00] CON and Shmoo. You have those super amazing high level expertise because they're so deeply technical. Of what people have found and the fixes they have found for the problems.
And those are great. And there is a, there is just continually growing group of people who have those skills. And it is awesome to see. And I love to go sit in the talks and get about two or three minutes in. And I'm like, okay, I no longer understand what's being talked about. But I appreciate that the entire audience is like, this is amazing.
I'm like, yep that I'm sure of. But the things I, I can keep up with is. when you see the, I'll call them less, less sexy, right? There's the basics that a lot of times when somebody comes in and goes, look, I've done this forever. [00:29:00] Here's the basics that work for me all this time. That is amazing because some people would look at it and go that's boring.
It's not the fun, highly technical. Yeah, that's the blocking and tackling the basics that you do that every day consistently. A lot of your problems are solved when it comes to the security side. Simple statement, not necessarily easy to execute, right? And, when you have new people coming in, and that, that's why I love BSides so much, you have new folks coming in going, I don't know, this is how I think about applying that particular thing, but the way they see it, the way they learned it, or the way they bring in another element of previous experience and how they apply it.
And that makes the old fogeys look at it and go, Oh, I hadn't thought about it that way. And it gives them new ideas. So again, whether it's the highly technical or the basics, the beauty is this consistent sharing and the growth and the crappy part [00:30:00] of COVID that we all dealt with. Yep. We had that. We couldn't go in person, but we got all kinds of stuff recorded because everybody was recording their talks.
And I know from a village perspective. We have an entire YouTube channel from a year and a half of recording our talks because we had to now this year, we're planning on recording our talks because we want to want people to be able to see and we want people to be able to go back and learn and when I get emails saying, hey, how do I get into this?
Start on our YouTube channel. We have so many experts that have talked about space, about aviation from so many perspectives, like start there. And if you want to meet those people, we can make the connection. If you want to go find out more about what they do, you got their website. So you have so many resources now that Again, with the conferences and what's going on, I think that's the beauty of what's happening and what we're seeing continuing.
It's not as a change, it's been there, but it's continuing to [00:31:00] grow. And I know from our village perspective, the benefit is growing.
Josh Mason: That's awesome. So I know I'm going to see you next week. I'm hoping to see you at BSides, hear your talk, and then spend some time with you at the village. Where else can people find you, Steve, or how else can they find out about the
Steve Luczynski: aerospace village?
Yeah. A number of things because our village, we've got so many people and the things that we're able to branch out and do things DEF CON next week. So that entire week of Hacker Summer Camp, right? I know I'm doing a couple of talks at BSides Las Vegas. You got folks that are going to be at Diana Initiative and I'm sure Black Hat.
But then, of course, at DEF CON and all that we're doing with outside of that, I know what we're planning following that is we've got the Aviation ISAC having their annual summit. [00:32:00] That's going to be in Dublin. So not a tough place to get to go hang out, but all that they're bringing together specifically focused on aviation cyber security.
I'm going to be participating in a panel talk there about engaging security researchers and how that's evolved and improved over time. I mentioned before, AIAA, they're a close partner of ours as an association that looks at both aviation space, they have a heavy engineering, academic, student presence, and they're growing their cyber security.
And again, getting the engineers to talk to the cyber security people across government, industry, academia, and so our partnership with them is helping them bring that content in. I'm looking forward to doing a panel talk there with a representative from CISA and another company. I can't remember off the top of my head.
I apologize, but being able to talk about the work they're doing when you look at [00:33:00] things about the impact of space, critical infrastructure, where it fits in, where it supports our daily lives in ways you don't always think about. So that's just a couple of things that we already have on tap for this year.
Josh Mason: Man, I'll have to bring you back on so we can chat some more and get more in depth on what that's going to look like. And you should attend some of those things. Thank you again, Steve, for being here and thank you all for listening. If you enjoyed this, please rank us high and share us with your friends.
And we hope to, we all hope to see you at summer camp next week.
Steve Luczynski: Yeah, you bet. And I'll throw out aerospacevillage.org. Awesome. Thanks. Appreciate it, Josh.
Josh Mason: See y'all.