Election security bill won't pass ahead of midterms, says key Republican
Cyberattacks are a constant fear 17 years after 9/11
Seventeen years after the 9/11 terror attacks, lawmakers are stepping up their warnings about how the next assault on the U.S. could be a cyberattack.
Airports and airlines increasingly rely on cyber networks to operate, yet there are no federal regulations specifically governing their use.
Lawmakers say they are drafting legislation that would impose new standards for cybersecurity as experts argue U.S. airlines are vulnerable to attacks.
"Cybersecurity risks, without question, represent the most preeminent and existent threat to the continuous safe, secure and efficient operations on U.S. airports and the global aviation system," Michael Stephens, the head of IT and general counsel for Tampa International Airport, said at a congressional hearing last week.
While the industry has its own cybersecurity standards, lawmakers argue they aren't enough and that the roles of federal agencies have to be more clearly spelled out when it comes to addressing cyber threats to aviation.
"We must urge security agencies to think creatively about potential new attack actors as terrorists continue to search for new vulnerabilities to target," Rep. Bonnie Watson Coleman (D-N.J.) said. "With that in mind, we must do more when it comes to the cybersecurity of transportation systems. We cannot allow them access to cockpits via cyber means."
The New Jersey Democrat is working on a bill that would require the Transportation Security Administration to adopt rules that would require both airlines and airports to adopt baseline cybersecurity standards.
A spokeswoman for Watson Coleman told The Hill that the bill is in its earliest stages of development.
In the Sept. 11, 2001, attacks, 19 terrorists hijacked planes and crashed two of them into the twin towers in New York City and another into the Pentagon. A fourth plane crashed near Shanksville, Pa.
The deadly attacks sparked a series of reforms to aviation safety, largely focused on physical safeguards meant to prevent people from weaponizing airplanes as was done on 9/11.
At a hearing last week, Rep. John Katko (R-N.Y.) expressed the fear that in the future, terrorists could use cyber means to turn U.S. aircraft into weapons without even being on board.
"The specter remains, a plane could technically be weaponized against us and be taken over by bad guys through cybersecurity threats," he said.
Experts say that while the scenario is a real possibility, they are more focused on systemic cyber attacks that could cripple flight systems and dramatically disrupt business and life in the United States.
Joel Otto, the vice president of strategy and business development for Rockwell Collins Information Management Systems's business unit who has spent three decades working in aviation, said those working in aviation are more concerned about making sure a plane takes off, flies and lands safely than about any specific example of an attack, like that mentioned by Katko.
"While you worry about the potential outcomes, what you more worry about is that any bad outcome is a bad outcome," he said, adding that cybersecurity is now considered as important as safety within the aviation industry.
Because the industry's standards have not been adopted into federal law, there could be discrepancies in how those standards are applied, experts say.
A survey cited by the federally-operated Airport Cooperative Research Program in its guide last year on best cybersecurity practices found that 32 out of the 41 responding airports had cybersecurity programs in place. However, only 49 percent of respondents felt that the measures offered adequate protection from cyberattacks.
And reports last year that the Department of Homeland Security (DHS) was able to breach a plane on a tarmac also amplified concerns about airlines' cybersecurity. Internal DHS documents, obtained by Motherboard earlier this year, also indicate that some agency officials believe it's only a "matter of time before a cyber security breach on an airline occurs."
The impact of those potential cyberattacks has been partially realized at at least one U.S. airport this year.
The Hartsfield-Jackson Atlanta International Airport shut down its WiFi networks in March as a precaution after Atlanta was targeted by a massive, days-long ransomware attack.
Christopher Porter, the chief threat intelligence specialist for the cybersecurity firm FireEye who testified at last week's hearing, said during an interview this week that a federal baseline on cybersecurity could more clearly lay out the roles of airlines, airports and federal officials in the case of an attack.
Organizations like the Aviation Information Sharing and Analysis Center (A-ISAC) offer a way for the federal government, airlines, airports and aircraft manufacturers to share information about potential cyber threats. But experts said more needs to be done to loop in all parties when it comes to cyber.
"There may be parts of the aviation sector that have underinvested in cybersecurity because they can't justify it as a business expense, but everyone will be required to do it," Porter said of a potential federal framework. "I think that would make it a lot easier for them to bring things up to par."