Last week Rep. Knight (R,CA) introduced HR 4489,
the FAA Leadership in Groundbreaking High-Tech Research and Development (FLIGHT
R&D) Act. The bill is a separate authorization bill for a variety of
research and development programs to be carried out by the Federal Aviation
Administration and the National Aeronautics and Space Administration. It
includes a number of aviation-related cybersecurity programs.
Funding is included for programs through 2019 under 49
USC 48102, including {§3}:
• Safety Research and Development programs;
• Economic Competitiveness Research and Development programs;
• Environmental Sustainability Research and Development programs;
• Mission Support programs;
Cybersecurity Programs
Section 21 amends the UAV integration research road map
requirements under §332(a)(5)
of the FAA Modernization and Reform Act of 2012 (49
USC Note 40101). The new requirements include “an update on the advancement
of technologies needed to integrate unmanned aircraft systems into the national
airspace system, including decision making by adaptive systems such as sense-and-avoid,
availability of frequency spectrum, and cyber physical security [emphasis
added]” {§332(a)(5)(D)}.
Section 31 requires the FAA to establish a Cybersecurity
Testbed “for research, development, evaluation, and validation of air traffic
control modernization programs or technologies”. This testbed would be a “test
environment capable of creating, identifying, defending, and solving
cybersecurity-related problems” for both current national air space (NAS) and
Next Gen systems.
Section 32 requires the FAA to determine “the research
and development needs associated with cybersecurity vulnerabilities of cabin
communications, entertainment, and information technology systems on civil
passenger aircraft” {§23(a)}.
The evaluation will include {§23(b)}:
• Technical risks and vulnerabilities;
• Potential impacts on the national airspace and public safety; and
• Identification of deficiencies in cabin-based cybersecurity
Section 33 requires the FAA, in consultation with the
National Institute of Standards and Technology (NIST), to {§33(a)(1)}:
• Develop an internal FAA cybersecurity threat modeling program to detect cybersecurity vulnerabilities;
• Track how those vulnerabilities might be exploited; and
• Assess the magnitude of harm that could be caused by the exploitation of those vulnerabilities.
Section 36 requires the FAA to develop a cybersecurity
research and development program “to improve the cybersecurity of civil
aircraft and the national airspace system” {§36(a)}. In addition to developing the program, the
FAA will be required to implement a plan for that program “that
contains objectives, proposed tasks, milestones, and a 5-year budgetary profile”
{§36(a)(1)}.
Additionally, the Administrator will arrange with the National Academy of
Sciences for a study of the plan.
Moving Forward
Knight is a member of the Science, Space and Technology
Committee to which this bill was assigned for consideration. The bill has already
been considered in Committee where the bill passed by a voice vote. This is
normally a sign of bipartisan support, but most of the Democrats on the
Committee had previously walked out in protest
of some of the activities that had gone on prior to the hearing. Thus the bill
does not appear to have bipartisan support in Committee.
The bill will come to the House floor for a vote. The lack
of even partial bipartisan support means that it will have to be considered
under a rule where at least some amendments are considered. I expect that the
bill will pass the Republican-controlled House, but unless there is some fence
mending done between now and the time the bill comes to a floor vote, I do not
expect that this version of the bill will be considered by the Senate.
Commentary
None of the amendments considered by the Committee in last
week’s hearing were of specific interest to readers of this blog. There were a
number of Democratic amendments to this bill that were not considered, even
though the proposing members remained in the meeting, as retaliation by the
Chair for the protest. I expect that we will see these among the amendments
presented to the Rules Committee when they take up the bill for consideration.
It continues to look like the passage of the information
sharing bill last year in the spending bill has marked a watershed in how
Congress will be considering cybersecurity language. We have seen more and more
bills that have included significant cybersecurity language specifically
allowing/requiring the various Executive agencies to consider cybersecurity as
part of their general duties. This bill has some of the more extensive
cybersecurity requirements to date, but I expect that this is part of a
continuing trend.
This is an R&D authorization bill so it would be highly
unusual for any cybersecurity regulatory requirements to be specifically
established in the bill. But, having said that, good R&D into the problem
will certainly be (and should be) required before the government attempts to
establish any regulatory programs. The R&D programs outlined in this bill
will certainly be the basis upon which any successful regulatory program will
be based.
The political shenanigans that continue to plague the
Science, Space and Technology Committee under Chairman Smith have a detrimental
impact on the R&D community, which certainly does not do the cybersecurity
portion of that community any good. Hopefully we will see a bipartisan bill on
this topic come out of the Senate.