Earlier this week the Senate Energy, Commerce and
Transportation Committee
marked
up S 2658, the Federal Aviation Administration Reauthorization Act of 2016.
While the bill includes a number of sections on unmanned aviation systems
(which I will cover in a later post), there was one section of the bill that
concerns cybersecurity and there was an amendment offered in the markup that
would have significantly increased the cybersecurity requirements of the bill.
NOTE: The GPO has finally printed a
copy of
the original bill, but that has already been superseded by
substitute
language that formed the basis for the Committee markup. All references to
the bill in this post refer to that substitute language.
Section 4109
Section 4109 was included in the original version of the
bill and made it whole into the substitute language. It is found in Title IV,
Subtitle A; Next Generation Air Transportation System (pg 267). It would
require the FAA Administrator to {§4109(a)}:
• Identify and implement ways to
better incorporate cybersecurity measures as a systems characteristic at all
levels and phases of the architecture and design of air traffic control
programs, including NextGen programs;
• Develop a threat model that will
identify vulnerabilities to better focus resources to mitigate cybersecurity
risks;
• Develop an appropriate plan to
mitigate cybersecurity risk, to respond to an attack, intrusion, or otherwise
unauthorized access and to adapt to evolving cybersecurity threats; and
• Foster a cybersecurity culture throughout the
Administration, including air traffic control programs and relevant contractors.
In short, the section recognizes that cybersecurity issues
exist and leaves it to the professionals at the FAA to deal with the specifics
while providing them the general authority to do so. And, of course, it
included a requirement for the obligatory report to Congress after one year.
Markey Amendment
Sen. Markey (D,MA) introduced an amendment that would have virtually
re-writen §4109. It
started off with a new paragraph (a) that provided definitions of key terms.
Those terms included:
• Covered air carrier;
• Covered manufacturer;
• Cyberattack;
• Critical software systems; and
• Entry point.
The paragraph (a) requirements (see above) from the bill
would have been made paragraph (b) and the following paragraphs with detailed
regulatory requirements would have been added:
• Disclosure of cyberattacks by the
aviation industry;
• Incorporation of cybersecurity
into requirements for air carrier operating certificates and manufacturer production
certificates;
• Annual report to Congress on cyberattacks
on aircraft systems as well as maintenance and ground support systems; and
• Managing cybersecurity risks of
consumer communications equipment;
In general, Markey’s amendment would have provided the FAA
with specific authority to craft the most comprehensive cybersecurity oversight
regulations in the Federal government (outside of military contractors, anyway).
The Markey amendment was voted down by a vote of 8-12. The
Committee does not provide details of the votes on their web page, but with a
13-11 Republican majority on the Committee, this means that at least 3
Democrats voted against the Markey amendment. In contrast, the overall bill
(and the vast majority of the 60 submitted amendments) passed on a voice vote.
Moving Forward
As I remarked in an
earlier
post this bill will move to the Senate floor fairly quickly. The Senate
just started their two week Easter recess, but I suspect that the Committee
staff will be hard at work writing the report on this bill. I would not be
surprised to see that report filed in one of the three pro forma sessions that
the Senate has scheduled over the next two weeks, but at the very latest it
should be published in the first full week of April when the Senate returns to
Washington.
Commentary
While there is fairly widespread opposition in the
cybersecurity community to additional regulation of cybersecurity, I firmly
believe that public safety and security require more than voluntary application
of cybersecurity principles in certain aspects of our society; especially since
there has been such an obvious dearth of that voluntary application. Aviation
safety and security, are in my estimation, one of the obvious areas where
public good requires legislative and regulatory attention to cybersecurity.
The broadly shaped goals of the adopted version of §4109 can hardly be
opposed because of specificity of equipment or protocols. The requirements are
written with an absolute paucity of specificity. It does, however, rely upon a
significant amount of cybersecurity acumen (if not necessarily technical
knowledge) on the part of the FAA administration to establish the minimum level
of regulatory oversight that the FAA needs to maintain over carriers and
manufacturers to protect the public from cybersecurity vulnerabilities and
their deliberate or accidental exploitation.
The provisions of the Markey amendment were a lot more
specific in their cybersecurity requirements, but still avoided the problems of
specifying techniques or equipment. For example, in the proposed paragraph for
air carrier certificate requirements, there was the following mandate {§4109(d)(2)(a)}:
“Require all entry points to the
electronic systems of each aircraft operating in the United States airspace[,] and
[the] maintenance or ground support systems for such aircraft[,] to be equipped
with reasonable measures to protect against cyberattacks, including the use of
isolation measures to separate critical software systems from noncritical
software systems;”
Unfortunately, the opposition (both inside Congress and out)
to any serious specificity in cybersecurity requirements is obvious and in the
short term (at least) is clearly in the entrenched majority with substantially bipartisan
support. But again, I want to remind people in the cybersecurity community,
political support is fickle at best. All it requires is one cyber incident that
obviously and publicly puts people in harm’s way or kills people and the
politicians in Washington will craft the most demanding and potentially contradictory
cybersecurity rules that one could imagine.
The one area of the Markey proposal that I would like to see
again considered in any floor action on S 2658 would be a requirement for the
reporting of cyberattacks by the aviation industry. I think that the Markey definition
of cyberattack needs some work, but the basics are there. The definition in his
amendment was: “the unauthorized access to aircraft electronic control or
communications systems or maintenance or ground support systems for aircraft,
either wirelessly or through a wired connection.” {§4109(a)(3)}.
Markey then went on in paragraph (c) to demand the DOT establish
regulations for air carriers and manufacturers to report successful or
attempted “cyberattack on any system on board an aircraft, whether or not the
system is critical to the safe and secure operation of the aircraft”. Since
this would include hacking the onboard entertainment system to get a free move
or intercepting someone’s unencrypted wi-fi email, this language is overbroad.
If it were limited to ‘electronic control or aircraft communications systems’
and specifically excluded passenger side communications or the entertainment
system, it would be a more acceptable requirement.