November 22, 2022 | Policy Brief

No Room for Half-Measures in Aviation Cybersecurity

November 22, 2022 | Policy Brief

No Room for Half-Measures in Aviation Cybersecurity

A Boeing-owned subsidiary, Jeppesen, confirmed in early November that a cyber incident had impacted flight planning and communication software, causing flight delays for airlines using their services. In the wake of Russian hackers’ headline-grabbing spamming of U.S. airports’ websites last month, the Jeppesen incident underscores the need for the Transportation Security Agency (TSA) to implement meaningful cybersecurity standards for the aviation industry.

Jeppesen’s cyber incident affected a number of widely utilized services, including the Notice to Air Missions (NOTAMs), which alerts pilots and airlines about potential hazards on their planned routes. While Jeppesen officials said the incident did not affect aircraft safety, NOTAMs contain information considered “essential” to flight operations, according to the Federal Aviation Administration.

The aviation sector has faced increasing threats and cyberattacks since at least 2017. Last year, the European Organisation for the Safety of Air Navigation (Eurocontrol) found that globally, the aviation sector suffers a ransomware attack every week. In addition to the financial costs they impose and the business interruption they cause, cyberattacks on the aviation sector could endanger flight safety when they disrupt or compromise essential safety systems.

Against this backdrop, the Biden administration has taken steps to address aviation cybersecurity. In September, the White House provided classified threat briefings to transportation industry executives, including representatives from 104 aviation entities. The administration urged these entities to adopt a more robust cybersecurity posture.

Last year, President Biden also signed a national security memorandum to improve the cybersecurity of the nation’s critical infrastructure. The memorandum tasked the Cybersecurity and Infrastructure Security Agency (CISA) with creating Cybersecurity Performance Goals (CPGs) to serve as voluntary baseline measures that all critical infrastructure — including entities in the aviation sector — should implement.

Not all of the administration’s efforts have been successful. TSA faced industry pushback when it released a rule in November 2021 requiring companies to report cybersecurity incidents to CISA within 24 hours. The International Air Transport Association — a global trade association of airlines — also criticized TSA for failing to consult industry prior to issuing the directive and align its definitions with international guidance from bodies like the International Civil Aviation Organization, of which the United States is a member.

Despite this negative feedback, TSA should continue to bolster efforts to secure the aviation industry from malicious cyberattacks. TSA must do a better job soliciting and incorporating industry feedback, but it also must continue to press forward developing and implementing meaningful cybersecurity standards in its new directives. Half-measures are not enough when the consequences of an attack may be catastrophic. Additionally, CISA can support TSA by soliciting and incorporating industry feedback on its CPGs. Combining these efforts could provide a flexible model for the aviation industry and other critical infrastructure operators to implement tailored security measures to address a range of cyber incidents.

RADM (Ret.) Mark Montgomery is a senior director at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where he is also a senior fellow. He directs CSC 2.0, which works to implement the recommendations of the congressionally mandated Cyberspace Solarium Commission, where he previously served as executive director. Jiwon Ma is a program analyst at CCTI, where she contributes to the CSC 2.0 project. For more analysis from the authors and CCTI, please subscribe HERE. Follow them on Twitter @MarkCMontgomery and @jiwonma_92. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.

Issues:

Cyber