S 2658 – FAA and Cybersecurity

Earlier this week the Senate Energy, Commerce and Transportation Committee marked up S 2658, the Federal Aviation Administration Reauthorization Act of 2016. While the bill includes a number of sections on unmanned aviation systems (which I will cover in a later post), there was one section of the bill that concerns cybersecurity and there was an amendment offered in the markup that would have significantly increased the cybersecurity requirements of the bill.

NOTE: The GPO has finally printed a copy of the original bill, but that has already been superseded by substitute language that formed the basis for the Committee markup. All references to the bill in this post refer to that substitute language.

Section 4109

Section 4109 was included in the original version of the bill and made it whole into the substitute language. It is found in Title IV, Subtitle A; Next Generation Air Transportation System (pg 267). It would require the FAA Administrator to {§4109(a)}:

• Identify and implement ways to better incorporate cybersecurity measures as a systems characteristic at all levels and phases of the architecture and design of air traffic control programs, including NextGen programs;

• Develop a threat model that will identify vulnerabilities to better focus resources to mitigate cybersecurity risks;

• Develop an appropriate plan to mitigate cybersecurity risk, to respond to an attack, intrusion, or otherwise unauthorized access and to adapt to evolving cybersecurity threats; and

• Foster a cybersecurity culture throughout the Administration, including air traffic control programs and relevant contractors.

In short, the section recognizes that cybersecurity issues exist and leaves it to the professionals at the FAA to deal with the specifics while providing them the general authority to do so. And, of course, it included a requirement for the obligatory report to Congress after one year.

Markey Amendment

Sen. Markey (D,MA) introduced an amendment that would have virtually re-writen §4109. It started off with a new paragraph (a) that provided definitions of key terms. Those terms included:

• Covered air carrier;

• Covered manufacturer;

• Cyberattack;

• Critical software systems; and

• Entry point.

The paragraph (a) requirements (see above) from the bill would have been made paragraph (b) and the following paragraphs with detailed regulatory requirements would have been added:

• Disclosure of cyberattacks by the aviation industry;

• Incorporation of cybersecurity into requirements for air carrier operating certificates and manufacturer production certificates;

• Annual report to Congress on cyberattacks on aircraft systems as well as maintenance and ground support systems; and

• Managing cybersecurity risks of consumer communications equipment;

In general, Markey’s amendment would have provided the FAA with specific authority to craft the most comprehensive cybersecurity oversight regulations in the Federal government (outside of military contractors, anyway).

The Markey amendment was voted down by a vote of 8-12. The Committee does not provide details of the votes on their web page, but with a 13-11 Republican majority on the Committee, this means that at least 3 Democrats voted against the Markey amendment. In contrast, the overall bill (and the vast majority of the 60 submitted amendments) passed on a voice vote.

Moving Forward

As I remarked in an earlier post this bill will move to the Senate floor fairly quickly. The Senate just started their two week Easter recess, but I suspect that the Committee staff will be hard at work writing the report on this bill. I would not be surprised to see that report filed in one of the three pro forma sessions that the Senate has scheduled over the next two weeks, but at the very latest it should be published in the first full week of April when the Senate returns to Washington.

Commentary

While there is fairly widespread opposition in the cybersecurity community to additional regulation of cybersecurity, I firmly believe that public safety and security require more than voluntary application of cybersecurity principles in certain aspects of our society; especially since there has been such an obvious dearth of that voluntary application. Aviation safety and security, are in my estimation, one of the obvious areas where public good requires legislative and regulatory attention to cybersecurity.

The broadly shaped goals of the adopted version of §4109 can hardly be opposed because of specificity of equipment or protocols. The requirements are written with an absolute paucity of specificity. It does, however, rely upon a significant amount of cybersecurity acumen (if not necessarily technical knowledge) on the part of the FAA administration to establish the minimum level of regulatory oversight that the FAA needs to maintain over carriers and manufacturers to protect the public from cybersecurity vulnerabilities and their deliberate or accidental exploitation.

The provisions of the Markey amendment were a lot more specific in their cybersecurity requirements, but still avoided the problems of specifying techniques or equipment. For example, in the proposed paragraph for air carrier certificate requirements, there was the following mandate {§4109(d)(2)(a)}:

“Require all entry points to the electronic systems of each aircraft operating in the United States airspace[,] and [the] maintenance or ground support systems for such aircraft[,] to be equipped with reasonable measures to protect against cyberattacks, including the use of isolation measures to separate critical software systems from noncritical software systems;”

Unfortunately, the opposition (both inside Congress and out) to any serious specificity in cybersecurity requirements is obvious and in the short term (at least) is clearly in the entrenched majority with substantially bipartisan support. But again, I want to remind people in the cybersecurity community, political support is fickle at best. All it requires is one cyber incident that obviously and publicly puts people in harm’s way or kills people and the politicians in Washington will craft the most demanding and potentially contradictory cybersecurity rules that one could imagine.

The one area of the Markey proposal that I would like to see again considered in any floor action on S 2658 would be a requirement for the reporting of cyberattacks by the aviation industry. I think that the Markey definition of cyberattack needs some work, but the basics are there. The definition in his amendment was: “the unauthorized access to aircraft electronic control or communications systems or maintenance or ground support systems for aircraft, either wirelessly or through a wired connection.” {§4109(a)(3)}.

Markey then went on in paragraph (c) to demand the DOT establish regulations for air carriers and manufacturers to report successful or attempted “cyberattack on any system on board an aircraft, whether or not the system is critical to the safe and secure operation of the aircraft”. Since this would include hacking the onboard entertainment system to get a free move or intercepting someone’s unencrypted wi-fi email, this language is overbroad. If it were limited to ‘electronic control or aircraft communications systems’ and specifically excluded passenger side communications or the entertainment system, it would be a more acceptable requirement.