Cybersecurity

Airlines under siege from hackers

The airline industry is under siege from cyberattackers, and lawmakers are struggling to help.

In recent months, hackers have infiltrated the U.S. air traffic control system, forced airlines to ground planes and potentially stolen detailed travel records on millions of people.

Yet the industry lacks strict requirements to report these incidents or even adhere to specific cybersecurity standards.

“There should be a requirement for immediate reporting to the federal government,” Sen. Susan Collins (R-Maine), who chairs the Appropriations subcommittee that oversees the Federal Aviation Administration (FAA), told The Hill.  

“We need to address that,” agreed Sen. Bill Nelson (Fla.), the top Democrat on the Senate Commerce Committee.

With recent revelations that the same suspected Chinese hackers who pilfered millions of people’s information from the government might also have stolen travel records from United Airlines and American Airlines, lawmakers insist the need for legislation is urgent.

“We need a two-way exchange of information so that when a threat is identified by the private sector, it’s shared with the government, and vice versa,” Collins added. “That’s the only way that we have any hope of stopping further breaches.”

But with a crowded legislative calendar in September, many wonder whether Congress will be able to approve the FAA’s budget, let alone pass a cybersecurity bill.

The growing cyber threat to the aviation industry is getting hard to ignore, though.

“I don’t think these kinds of attacks … are a huge surprise to security information insiders,” said Tim Erlin, director of risk strategy at Tripwire, which monitors networks for malicious activity. “We see these kinds of weakness and have seen them for years.”

The FAA recently acknowledged that serious security concerns plague the industry.

The agency agreed with a government watchdog report in March that found “significant security control weaknesses” in the FAA’s systems. The report said flaws could allow cyber saboteurs to disrupt or reroute the nearly 3,000 U.S. flights in the air at any given moment.

The Government Accountability Office released the findings a month after the FAA itself admitted hackers had spread malicious software throughout its networks.

The audit found the FAA has no overarching structure to defend its networks. The conclusion was particularly concerning as the FAA is transitioning to its NextGen air traffic control system, which will help guide flights more efficiently but also make it easier for hackers to rapidly infiltrate the entire network.

The industry is also grappling with the proliferation of digital spies looking to plunder travel records.

“I bet you two months ago, no airline really thought that they may be a target for a foreign intelligence service,” said Jeff Schmidt, a pilot and CEO of JAS Global Advisors, a security consultancy for government and critical infrastructure firms. “That’s a whole different kind of adversary. And one that they were not preparing for.”

In the last month, both United Airlines and American Airlines — the world’s first and fourth highest-grossing airlines — admitted they were investigating suspected breaches. According to reports, both airlines were hit by the same Chinese hacking group that cracked two databases at the Office of Personnel Management (OPM).

Intelligence and national security experts believe Beijing intelligence officials are hoping to cross-reference the purloined travel logs with the OPM security clearance data they stole on 21.5 million Americans.

Both airlines are major government contractors, striking deals to carry military personnel and federal employees.

The attacks could lead to foreign governments “knowing which people travel together, where they tend to go, what their habits are, what foreign cities they frequent,” Schmidt said.

The result, officials fear, is the outing of undercover U.S. agents around the globe.

“It’s all a part of this, you can call it ‘grooming,’ ” Schmidt said. “It’s a long process to try and develop relationships in a very old-fashioned, human intelligence way.”

Those national security implications caught the attention of lawmakers, who found out about the theft through the media, not from the company itself.

That’s why, Nelson said, the airline industry needs mandatory, immediate reporting requirements.

“All the more reason for a cybersecurity bill,” he said. But for years, Congress has been unsuccessful on that front.

Sen. Barbara Mikulski (Md.), the Senate Appropriations Committee’s top Democrat, tried three years ago to move a cyber bill that would have included rigid requirements for reporting breaches in critical infrastructure sectors, such as aviation.

“We were blocked,” she told The Hill recently. “So it’s time for not looking at an individual bill, but one that’s overall for critical infrastructure.”

Congress is struggling to pass the Cybersecurity Information Sharing Act (CISA), punting on the measure yet again this past week. The bill would facilitate the exchange of data on hackers between companies and the government.

But the Senate Intelligence Committee voted down a CISA amendment from Collins that would have required critical infrastructure industries such as aviation to hand over cyber threat data over to the government.

“In the vast majority of cases, I believe that information sharing should be voluntary,” Collins told The Hill. “But when it comes to critical sectors of our economy, I believe it should be mandatory.”

“I hope that the continuing concerns that people are having as they witness more and more serious breaches makes them more sensitive to the fact that the critical infrastructure of this country — whether it’s our electric grid, our water systems, or our air traffic control system — are at serious risk,” she added.

Lawmakers say they want to encourage better public-private communication with the FAA authorization bill, which funds the agency. Congress is coming down to the wire on the spending measure, delaying its consideration until September, the last month of the fiscal year.

“I’ve spent a great amount of time and energy identifying cyber vulnerabilities in our aviation sector, pushing the FAA to better communicate with Congress about threats and their efforts to prevent successful attacks,” said Rep. Frank LoBiondo (R-N.J.), chairman of the House Transportation subcommittee on aviation, in an email. “Cyber issues are one of the key sections of the upcoming FAA authorization bill that I’ve worked closely on.”

But security specialists are split on whether breach reporting and information sharing would actually help thwart the cyberattacks that have beset the airline industry.

“What’s troubling,” Schmidt said, “is that you can’t say ‘this is the kind of adversary you should be preparing for.’”

But Tripwire’s Erlin and others contend such legislation “absolutely has value.”

“If OPM and other organizations could effectively share intelligence about what’s going on, they may be able to use that information to help protect themselves from the same type of attack being successful,” Erlin said.

But he cautioned the value is limited.

As foreign intelligence services become the primary hackers, the attacks become more unpredictable

“It is troubling, because I’m not sure what the right response is to this,” Schmidt said.