Monday, July 17, 2017

S 1405 Introduced – FY 2018 FAA Authorization

Last month Sen. Thune (R,SD) introduced S 1405, the Federal Aviation Administration Reauthorization Act of 2017. This year’s bill includes one cybersecurity provision and a large number of provisions concerning unmanned aircraft systems (UAS). The UAS related items that may be of specific interest to readers of this blog include:

§2105. Analysis of current remedies under Federal, State, and local jurisdictions.
§2123. Small unmanned aircraft safety standards.
§2126. Additional rulemaking authority.
§2128. Special rules for model aircraft.
§2129. Authority.
§2133. Airport safety and airspace hazard mitigation and enforcement.
§2151. Federal and local authorities.
§2163. Unsafe operation of unmanned aircraft.


Section 4109 of the bill would require the FAA revise existing aircraft certification regulations to include {§4109(a)}:

• To address cybersecurity for avionics systems, including software components; and
• To require that aircraft avionics systems used for flight guidance or aircraft control be secured against unauthorized access via passenger inflight entertainment systems through such means as the Administrator determines appropriate to protect the avionics systems from unauthorized external and internal access.

The new regulations would be based upon work of the Aircraft Systems Information Security Protection Working Group as directed by Congress last year in §2111 of PL 114-190 (130 Stat 626).

Model Aircraft

Section 2128 of the bill adds a new §44808 (Special rules for model aircraft) to 49 USC. That section modifies and then codifies the model aircraft rules established in §336 of the FAA Modernization and Reform Act of 2012 (PL 1125-95, 126 Stat 77).

The ‘operational parameters’ in paragraph (a) have been expanded by including the following requirements for the model aircraft exemption {new §44808(a)}:

• Not flown beyond the visual line of sight of persons co-located with the operator or in direct communication with the operator;
• The aircraft is flown from the surface to not more than 400 feet in altitude, except under special conditions and programs established by a community-based organization; and
• The operator has passed an aeronautical knowledge and safety test administered by the Federal Aviation Administration online for the operation of unmanned aircraft systems subject to the requirements of section 44809 or developed and administered by the community-based organization and maintains proof of test passage to be made available to the Administrator or law enforcement upon request.

The FAA is further provided the authority to modify the operational parameters defined in the bill ‘as appropriate’. Paragraph (b)(2) provides an expansive list of considerations that the FAA might use to change those parameters.

Paragraph (d) of the new section provides the FAA with permissive authority to “promulgate rules relating to the registration and marking of model aircraft”. Furthermore, §2129 of the bill specifically re-instates the registration and marking requirements for small unmanned aircraft published by the FAA in December, 2015 and were recently vacated by the United States Court of Appeals for the District of Columbia Circuit in Taylor v. Huerta (No. 15–1495).

Regulation of UAS Operations

Section 2105 requires the Government Accountability Office (GAO) “a review of the privacy issues and concerns associated with the operation of unmanned aircraft systems in the national airspace system”. Additionally, it tasks the GAO with identifying “specific issues and concerns that may limit the availability of existing civil or criminal legal remedies regarding inappropriate operation of unmanned aircraft systems in the national airspace system” {§2105(2)}.

Section 2123 addresses setting safety standards for UAS. It would add a new §44803 to 49 USC (Small unmanned aircraft safety standards). It would require the FAA to establish a rulemaking advisory committee to develop recommendations for regulations to establish {§44803(a)(1)}:

• Risk-based, consensus safety standards related to the safe integration of small unmanned aircraft systems into the national airspace system (referred to in this section as ‘consensus safety standards’) that can evolve or be updated as appropriate; and
• A Federal Aviation Administration process for permitting, authorizing, or approving small unmanned aircraft systems and their operations based on the safety standards to be accepted by the Administrator under this section.

The FAA would then be responsible for implementing those recommendations by establishing a process for {new §44803(d)}

• The acceptance by the Federal Aviation Administration of consensus safety standards recommended;
• Permitting, authorizing, or the approving small unmanned aircraft systems makes and models based upon the consensus safety standards; and
• The certification of a manufacturer of small unmanned aircraft systems that has demonstrated compliance with consensus safety standards.

These safety standards would also specifically apply to model aircraft {new §44803(f)}.

Mitigating Unsafe UAS Operations

Section 2133 would add a new §44810 to 49 USC. That new section would require the FAA to “develop a plan for the certification, permitting, authorizing, or allowing of the deployment of technologies or systems for the detection and mitigation of unmanned aircraft systems” {new §44810(b)(1)}. The implemented plan would “allow appropriate officials of Federal, State, or local agencies requesting to utilize such technologies or systems to take steps to detect and mitigate potential airspace safety threats posed by unmanned aircraft system operations §44810(b)(2)}.

The section goes on to clearly state that the following federal statutes would not apply the operation of these ‘technologies or systems’ {new §44810(h)}:

18 USC 32 – Destruction of aircraft or aircraft facilities;
18 USC 1030 (the bill actually says ‘1031’, an obvious error) – Fraud and related activity in connection with computers;
18 USC Chapter 119 – Wire and electronic communications interception and interception of oral communications; and
18 USC Chapter 206 – Pen registers and trap and trace devices

Section 2163 would make it a federal crime to unsafely operate an ‘unmanned aircraft’. It would add a new section 39B to 18 USC. It would make it a federal offense to operate an unmanned aircraft in a manner that “knowingly or recklessly interferes with, or disrupts the operation of, an aircraft carrying 1 or more occupants operating in the special aircraft jurisdiction of the United States, in a manner that poses an imminent safety hazard to such occupants” {new §39B(a)}.

Committee Mark-Up

On June 29th the Senate Commerce, Science, and Transportation Committee held a mark-up hearing that included the mark-up of S 1405. In that hearing 57 amendments, including substitute language from Chairman Thune, were offered and presumably adopted (though there is no indication on the Committee web site of the status of actions taken). The substitute language made no changes of significance to the provisions previously discussed. There was one amendment from Sen. Johnson (R,WI) that may be of specific interest here.

Johnson’s amendment would add a new §44816 to 49 USC, Unmanned aircraft systems in restricted buildings or grounds. This amendment mirrors current restrictions found in 18 USC 1752 against unauthorized entry of the White House or other grounds where the President (or other persons protected by the Secret Service) is present. It would apply similar legal penalties for flying UAS in such areas.

The amendment further expands upon the §1752 coverage by adding the phrase “impede or disrupt the orderly conduct of Government business or official functions” {new §44816(a)} with respect to UAS operations.

Violation of the new section would be punishable under 18 USC by fines and/or up to one year in prison, unless the offense included mounting a weapon on the UAS or caused serious bodily harm. Then the maximum sentence would be fines and/or up to ten years in prison.

Moving Forward

The FAA reauthorization is one of the ‘must complete’ actions for Congress each year, though that does not specifically apply to this particular bill. A House version of this bill has yet to be offered, but will ultimately happen. Each branch of Congress will pass their own version of an FAA reauthorization bill and a conference committee will iron out the differences. There is always the possibility of short-term continuing-authorization bills being passed.


I am very happy to see that this bill provides not only authority, but specific requirements for the FAA to regulate the cybersecurity of aircraft control systems. I am disappointed, however, in the failure to require specific rules regarding the reporting of cybersecurity attacks (with an appropriate definition of what constitutes an attack) or the discovery of security vulnerabilities in avionics software or devices. Additionally, I would have liked to have seen a specific requirement for regulated air carriers and aircraft (and avionic system) manufacturers to be members of some sort of recognized cybersecurity information sharing organization.

The bill finally addresses one of the major issues related to enforcing UAS operation regulations, the fact that any attempts to immediately stop a UAS from illegal operation (not completely defined by this bill) would almost certainly involve violation of a number of federal criminal statutes.

I am not sure, however, that offering a blanket exemption to those laws is quite the right way to proceed. I would have preferred the bill to require the FAA to establish specific ground rules where such exemptions applied. The way that §2133 is written does not just limit the use of the developed ‘technologies and systems’ to the areas around airports. They would generally apply to any counter-UAS operations conducted by “Federal departments and agencies to detect and mitigate potential threats posed by errant or hostile unmanned aircraft system operations” {new §44810(a)} or more generally by “appropriate officials of Federal, State, or local agencies requesting to utilize such technologies” {new §44810(b)(2)}.

The Johnson amendment is an overly broad extension of current presidential security rules. While arguments could certainly be made to support allowing the Secret Service to control the use of UAS around the White House and presidential functions, the inclusion of the ‘orderly conduct of Government business’ language could have a chilling effect on freedom of speech and be a broad tool to counter civil disobedience usage of UAS.

Finally, there is curiously lacking any mention of potentially applying flight restrictions to UAS operations above or around critical infrastructure or other restricted areas. Actually, what I would prefer to see would be to specifically disallow the operation of UAS over or around facilities where the federal government currently regulates security (for example: CFATS, MTSA and CIP regulated facilities) with the specific permission of the facility owners/operators. This would avoid the vague definition of ‘critical infrastructure’.

No comments:

/* Use this with templates/template-twocol.html */