The Federal Aviation Administration could find itself with more oversight of the cybersecurity threats facing industry if a senator’s information-sharing bill makes it through committee.
The Cyber AIR Act, introduced by Sen. Ed Markey (D-Mass.), a member of the Commerce, Science and Transportation Committee, would require airlines to report any attempted cyber intrusion to the FAA.
“As technology rapidly advances to keep passengers and planes connected, we must ensure that the airline industry is vigilant in protecting its aircraft and systems from cybersecurity breaches and attacks,” Markey said in April. “The Cyber AIR Act directs the FAA to establish comprehensive cybersecurity standards and will mandate that all airlines disclose cyberattacks to the federal government.”
The bill reflects the goal of Suzanne Spaulding, the under secretary of DHS’ National Protection and Programs Directorate, of encouraging public-private information sharing with industry on emerging cyber threats.
French Caldwell, the chief evangelist at MetricStream, told Federal News Radio that legislation has been long overdue to address the rapid advancement in technology that has taken over aviation.
“We definitely have to get more formal on how we approach cybersecurity,” Caldwell said. “It is a public-private problem, it’s something that does have to be solved with cooperation between the public sector and the private sector, and Congress has been reluctant to drive that cooperation.”
In 2002, Caldwell worked on a war game exercise with the Naval War College and the White House to test the feasibility of a strategic cyber attack on U.S. critical infrastructure.
“At that time, I learned that there were significant vulnerabilities associated with the data centers that control air traffic,” Caldwell said. It’s only now, he said, that voices in government have come around to implementing “some of the necessary responses to what we learned over a decade ago.”
In an April 2015 report, the Government Accountability Office found that the FAA’s air-traffic control systems had “significant” cyber weaknesses, and called on the agency to adopt an agencywide cybersecurity threat model. The FAA has yet to put the GAO’s recommendation into effect.
Caldwell said the rise of information sharing and analysis centers (ISACs) has helped bridge the cyber information divide between industry and government, but said the government needs more of an enforcement role.
“There is definitely a need for cooperation between those officials in government who are responsible for protecting the security and the safety of the public and the private industries who manage the critical infrastructure upon which the public depends,” he said. “The question remains, though, as to where is the line between government involvement in ensuring that safety and security, and the private sector’s overall responsibility and accountability for the safety and security of their systems.”
The Cyber AIR Act directs the FAA to ensure that airlines have the very type of programs that the GAO reported the FAA itself does not yet have.
“I think something like a national cybersecurity oversight board could work, but the governance of it,” he said. “There could be some argument that if this were privatized, then we could respond and update and keep upgraded and modernized at a more rapid pace. But it would still have tremendous government oversight, and tremendous government involvement.”
The Cyber AIR Act, if passed, would advance many of the same goals as the much-talked-about Cybersecurity Information Sharing Act, which President Barack Obama signed into law in December as part of the omnibus spending bill.
“CISA was fairly innocuous [in] just encouraging the sharing of information between government and private industry,” Caldwell said. “The crux of the issue quite often is who is going to determine what the standards are. If the standards are driven and enforced from the government side, then you could end up with standards that become more difficult to change as technology evolves, and even as the security threats change.”
Industry standards, Caldwell said, can be more rapidly evolved to keep up with changes in technology.