America’s security and intelligence agencies are teaming up with airline manufacturers to defend against a catastrophic cyberattack that could cripple the air traffic control system, interfere with the computer systems used by modern aircraft, and potentially even bring down a plane.
As part of a new programme, which will be run from a federal facility outside Washington, US government personnel will work alongside private-sector aviation employees to share information about computer security threats, government and corporate officials said. Their goal is to spot malicious hacker activity on computer networks and to improve the security of airline manufacturing, during which complex software programmes that could create entry points for hackers are installed on passenger aircraft.
For years, cybersecurity experts and government officials have warned that the computer networks underpinning the US air traffic control system could be penetrated by malicious hackers. President Barack Obama emphasised the threat in his first major address on national cybersecurity in 2009. The current air traffic control system remains vulnerable, but more modern aircraft also carry complex navigation and mechanical software, and in the future they will be connected to the air traffic system via new computer networks, making each individual airplane a potentially vulnerable target.
The new government and industry information-sharing programme is meant to defend “the entire system. It’s the airports, the [air traffic management] system, the supply chain, the airline manufacturers. There are a lot of attack surfaces there,” said Fred Schwien, the director of Homeland Security at Boeing, which is participating in the programme.
To bring all sides together, a new information-sharing and analysis centre will be built at a Transportation Security Administration facility near Ft. Meade, Md., the headquarters of the National Security Agency and US Cyber Command, which oversees military computer security. According to a presidential directive, Cyber Command also would be involved in responding to a cyberattack on any critical infrastructure in the United States, including the air traffic control system.
US officials said the TSA is leading the programme in a partnership with the Office of the Director of National Intelligence, which oversees all American intelligence agencies, and the National Counterterrorism Center, which is currently the hub for information about potential threats to the aviation system from terrorists and hijackers.
The TSA will launch a pilot programme “that will focus on aviation-related security and intelligence sharing to include the private and public sectors,” said a TSA spokesperson, who added it would be “premature to comment on the particulars” before the programme begins. Officials didn’t say when that would happen.
A spokesperson for the Director of National Intelligence confirmed the existence of the new programme but said, “We cannot comment at this time on the details of this effort as the final composition and responsibilities are still being worked out.”
The government has been sharing information about threats to aviation from passengers and explosives hidden in luggage and cargo since shortly after the Sept 11 terrorist attacks. And it’s been sharing some cyber-related threat information on a limited basis. But the new centre “is going to make the information-sharing much tighter,” said Schwien, the Boeing executive. “This will be a place where people will know each other and trust each other.”
Schwien said that as a model, the aviation industry and government officials are looking to an existing system that connects the government with computer security personnel from banks and financial services companies. The so-called Financial Services Information Sharing and Analysis Center is a well-regarded cyberthreat programme designed to counter financial fraud and defend against attacks on bank networks. Both sides are supposed to share intelligence about known hacker techniques, network breaches, and malicious software that’s being used against government or corporate networks. The group has been credited with helping banks to better monitor emails that contain computer viruses.
Cyber threats to aviation are among the oldest and most feared, since they could cause massive damage and loss of life. One of the first major cyber attacks to attract officials’ attention in Washington occurred in 1998, when a teenager broke into a Bell Atlantic telephone network and disabled the communications system at a regional airport in Worcester, Mass. The hacker cut off communications to the control tower and turned off a transmitter that allowed incoming aircraft to turn on runway lights. The teenager, who later reached a plea agreement with the Justice Department, exploited a flaw in the phone system that let him also disable communications with the fire department, airport security, and the weather service for six hours.
The modern air traffic control system may fare no better than that airport in Massachusetts. Over the next decade, the federal government plans to roll out its so-called NextGen system, which promises to reduce congestion in the skies and, hopefully, make air travel more efficient and less expensive. But NextGen will rely on global positioning satellites, which are vulnerable to computer hackers. Two years ago, researchers at the University of Texas at Austin demonstrated that they could commandeer the controls of a remote-piloted drone by tricking it with fake GPS coordinates.
The experiment was organised by the Department of Homeland Security, which oversees the TSA and hence is in charge of the new cyber security programme for the aviation industry. The vulnerability the Texas researchers found in the GPS system was “just the tip of the iceberg of a much bigger security issue we have in this country,” Logan Scott, a GPS industry consultant, told Wired magazine at the time.
Paul Rosenzweig, a cyber security expert and former Homeland Security official, wrote last year that the hackable GPS system poses a risk for commercial aviation. He said that to prevent a catastrophe, air traffic controllers would have to use GPS that can recognize when they’re being fooled or that cross-check their position against internal navigation systems that aren’t connected to computer networks.
Devising those kinds of defensive solutions, and putting them into practice, is what the new aviation security centre aims to do. –Foreign Policy