November 7, 2023 | Policy Brief

Boeing’s Cyber Incident Highlights Need for Greater Information Sharing 

November 7, 2023 | Policy Brief

Boeing’s Cyber Incident Highlights Need for Greater Information Sharing 

Boeing confirmed last Wednesday it was experiencing a cyber incident affecting parts of its global services business but not the flight safety of Boeing aircraft. This incident highlights the need for greater information sharing between the government and aviation companies, so the latter have a greater awareness of threats, helping to increase their resilience amid growing cyber risks. 

Boeing’s statement follows a claim last Friday by the ransomware group LockBit that it had exfiltrated a “tremendous amount” of Boeing’s data. LockBit was the most widely deployed ransomware group last year, according to the U.S. Cybersecurity and Infrastructure Security Agency, and the LockBit group’s affiliates continue to be “prolific.” In July, the group launched a ransomware attack on Japan’s largest port in Nagoya, causing a two-day halt in all port shipments. Last week, LockBit threatened to publish sensitive information it previously exfiltrated from Boeing networks and yesterday began leaking information including training materials and a list of the company’s technical suppliers. Boeing has declined to comment on whether LockBit was behind the cyber incident confirmed on Wednesday.  

Like other critical infrastructure sectors, the aviation industry is facing an increasing number of ransomware attacks. The European Organisation for the Safety of Air Navigation found that globally, the industry suffers a ransomware attack every week. The industry’s use of digitally connected technology has broadened the attack surface, leaving various components, from navigation tools to reservation systems, vulnerable to breaches and disruptions.  

As one of the sector risk management agencies responsible for helping the industry mitigate threats, the Transportation Security Administration (TSA) has responded to growing cyber threats by issuing cybersecurity requirements for the aviation industry. Industry reactions were mixed, however, with industry associations have raising concerns about contradictory or duplicative regulations.  

In response to a U.S. government request for information on regulatory harmonization, trade association and lobbying group Airlines for America noted that its members are subject to 11 mandatory and voluntary cyber incident disclosure requirements and seven cybersecurity inspections and assessment regimes. The Aerospace Industries Association, which represents manufacturers and suppliers, warned that early iterations of TSA’s requirement contradicted airworthiness requirements, as directed by the Federal Aviation Administration, which is also a sector risk management agency for commercial aviation.   

Despite these flaws, the TSA’s cybersecurity requirements are a positive step given that existing regulations are not ensuring the aviation subsector is resilient against cyberattacks. The industry’s support for harmonization of regulatory requirements, however, provides an opening to improve private sector involvement in developing aviation-specific cybersecurity standards.  

TSA should ensure the federal government provides the information private companies need to address evolving cybersecurity threats. The Biden administration set a useful precedent by providing classified threat briefings to aviation entities last September. Establishing a standard practice of sharing threat information with the private sector is crucial to collaborative efforts to combat emerging cybersecurity threats. 

Jiwon Ma is a program analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Suyash Pasi is an intern. For more analysis from the authors and CCTI, please subscribe HERE. Follow the Jiwon on X @jiwonma_92. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.