As Senate Debates FAA Reauthorization Bill, Markey Introduces New Legislation Calling for Cybersecurity Standards for Aircraft
Cyber AIR Act follows findings from Senator’s investigation that show airlines may experience frequent attempted infiltrations, but there is no requirement to report successful attempts
Washington (April 7, 2016) – Last December, Senator Edward J. Markey (D-Mass.) requested information from airlines and aircraft manufacturers on cybersecurity protections for their aircraft and computer systems. The responses he received reveal that while there have been no confirmations of successful intrusions into aircraft systems, hacking attempts are common and cybersecurity testing is conducted inconsistently and with little uniform oversight. In response to this lack of knowledge and standards about the current and potential risk of cyberattacks to commercial aircraft, today Senator Markey introduced the Cybersecurity Standards for Aircraft to Improve Resilience Act of 2016 to require the disclosure of information relating to cyberattacks on aircraft systems and establish standards to identify and address cybersecurity vulnerabilities to the United States commercial aviation system. The bill also seeks a report to study cybersecurity vulnerability of consumer wi-fi on planes. Currently, airlines are under no obligation to report attempted or successful cyberattacks on their systems to the appropriate government authorities. Without this information, other airlines, manufacturers, and regulators cannot effectively address mounting risks associated with cybersecurity vulnerabilities. Senator Markey has filed his legislation as amendments to the Federal Aviation Administration Reauthorization Act of 2016 currently being debated in the U.S. Senate.
“As technology rapidly advances to keep passengers and planes connected, we must ensure that the airline industry is vigilant in protecting its aircraft and systems from cybersecurity breaches and attacks,” said Senator Markey, a member of the Commerce, Science and Transportation Committee.“The Cyber AIR Act directs the FAA to establish comprehensive cybersecurity standards and will mandate that all airlines disclose cyberattacks to the federal government. We know that terrorists and others that mean to do us harm will try to exploit any loophole or technological advance in our transportation systems, so we must continually bolster the standards and practices of the airline industry to ensure the safety and security of passengers on board commercial aircraft.”
A copy of the Cyber AIR Act can be found HERE.
In December 2015, Senator Markey sent letters to 12 different airlines and two aircraft manufacturers to inquire about company protections and protocols against the threat of cyberattacks in relation to the integration of new technologies onboard modern aircraft. Seven airlines responded to Senator Markey’s letter, and five did not. The five airlines (Alaska Air, American Airlines, Hawaiian Air, JetBlue, and United) that did not respond were represented in a collective letter from their trade organization, Airlines for America (A4A).
Findings from Senator Markey’s investigation of aircraft cybersecurity defenses include:
- Airlines may experience frequent attempted infiltrations, but none have reported any successful attempts
- Aircraft manufacturers have not acknowledged any susceptibility to their avionics systems being hacked
- Cybersecurity testing by airlines is conducted unevenly and by different parties
- Uncertainty exists for whether background checks are standard for software installers
- There is collaboration, though inconsistent, with government agencies
- Information sharing across the industry may be uneven
- The impact of NextGen technology on cybersecurity is uncertain
- The FAA certification process involves some cybersecurity requirements
- On-flight Wi-Fi has not been universally adopted
- Airlines do not recognize the risk of hacking of in-flight entertainment systems as compromising critical avionics systems
A copy of the responses to Senator Markey from the airlines and aircraft manufacturers can be found HERE.
“We promised to Never Forget our heroes or the lessons of September 11, 2001. This drives our action as first responders to maintain the safety and security of aviation,” said Sara Nelson, president of the Association of Flight Attendants-CWA. “Senator Markey has a consistent record of standing with us to keep our promise. We commend him for introducing this legislation to assess potential threats and vulnerabilities of expanded communications onboard commercial aircrafts. This is a small investment to protect millions of lives traveling in our skies every day. All of us are responsible for the duty of care for all passengers and crewmembers.”
The following groups support the Cyber AIR Act: Association of Flight Attendants-CWA (AFA-CWA), Global Business Travel Association (GBTA), Federal Law Enforcement Officers Association (FLEOA), and International Association of Machinists and Aerospace Workers (IAM).