Cyber-based threats are rapidly evolving and may put air traffic control systems at risk.
Speaking to the U.K.’s Daily Express newspaper last month, Deputy Director at The Asia Program Michael Kugelman, warned that China would be able to carry out a cyber attack that essentially destroys air traffic control systems at airports around the U.S.
“All of a sudden you have got all these planes in the air and you have got air traffic control having no way of communicating with them, obviously increasing the risk of crashes.”
China is of course not the only cyber actor that the U.S. needs to be concerned about, making cyber defense of its air traffic network a top priority.
The Federal Aviation Administration (FAA) Extension, Safety, and Security Act of 2016 directs FAA to develop a comprehensive, strategic framework to reduce cybersecurity risks to civil aviation. Part of FAA’s efforts to implement this framework involves coordination and collaboration on aviation cybersecurity with the Departments of Homeland Security (DHS) and Defense (DOD) through the Aviation Cyber Initiative (ACI). The Office of Inspector General (OIG) at the Department of Transport (DOT) has reviewed ACI’s progress.
OIG reports that for the three years since its establishment, FAA and its ACI partners have been providing regular updates to federal agencies on their work, and are collaborating with federal and aviation industry cybersecurity stakeholders.
In March 2019, for example, ACI began meeting with federal agencies and industry to discuss cybersecurity issues, events, and activities, and share information. Referred to as “community of interest” meetings, participants include representatives from agencies such as the National Aeronautics and Space Administration and the Department of Commerce, and industry trade associations such as Airlines for America and the Air Line Pilots Association. These meetings occur every other month.
In May 2019, the Secretaries of DHS, DOD, and DOT finalized the approval of a charter that outlines ACI’s objectives. As DOT’s representative, FAA is an ACI co-chair with DHS and DOD. The co-chairs report to an Executive Committee of senior Agency executives. At the first ACI Executive Committee meeting in May 2019, 10 priorities were set for 2019 and 2020. OIG’s review found that ACI has implemented three of these priorities and they are on-going. ACI has also initiated work on the remaining seven. One—a collaboration sponsored by DOD and endorsed by ACI partner agencies to mitigate cybersecurity risks to the operational security of military aircraft using FAA’s satellite-based surveillance system —is scheduled for completion in the fourth quarter of 2020. Another priority—a summit for Government and industry aviation stakeholders—is also scheduled to occur in the fourth quarter of 2020.
However, OIG reports that ACI has not developed mechanisms to monitor and evaluate results for meeting milestones and timetables for its priorities. The watchdog says ACI lacks an integrated budget and dedicated resources, and, as a result, FAA and its ACI partners face challenges in achieving its priorities. OIG adds that these challenges could inhibit FAA’s ability to develop a comprehensive and strategic framework for cybersecurity.
OIG therefore recommends that FAA identifies the resources needed to meet the current schedule for achieving ACI’s remaining priorities, and how they should be allocated. Subsequently, FAA should revise the current schedule as necessary to reflect the resources that are available. FAA plans to implement the recommendation by December 31, 2020.