Last week Rep. Knight (R,CA) introduced HR 3198,
the FAA Leadership in Groundbreaking High-Tech Research and Development (FLIGHT
R&D) Act. The bill sets forth the research and development agenda for
the Federal Aviation Administration. It includes provisions for cybersecurity
research, including:
§31. Cyber Testbed.
§32. Cabin communications, entertainment, and information technology systems cybersecurity vulnerabilities.
§33. Cybersecurity threat modeling.
§34. National Institute of Standards and Technology cybersecurity standards.
§35. Cybersecurity research coordination.
§36. Cybersecurity research and development program.
Most of these provisions address cybersecurity for the FAA
flight control system and general FAA IT systems. Two sections (§32 and §36) deal more directly
with aircraft cybersecurity.
Cabin Cybersecurity
Section 32 requires the FAA to “evaluate and determine the
research and development needs associated with cybersecurity vulnerabilities of
cabin communications, entertainment, and information technology systems on
civil passenger aircraft” {§32(a)}.
The evaluation will address:
• Technical risks and vulnerabilities;
• Potential impacts on the national airspace and public safety; and
• Identification of deficiencies in cabin-based cybersecurity.
Within 9 months of passage of this bill the FAA would be
required to report back to Congress on the results of the evaluation and “provide
recommendations to improve research and development on cabin-based
cybersecurity vulnerabilities” {§32(b)(2)}.
Future Cybersecurity Program
Section 36 directs the FAA to “establish a research and
development program to improve the cybersecurity of civil aircraft and the
national airspace system” {§36(a)}.
There is no specific guidance as to what that plan should include beyond
mandating that a study of the topic be conducted by the National Academies. A
report to Congress is required in 18 months.
Moving Forward
Knight and his two co-sponsors {Rep. Smith (R,TX) and Rep.
Babin (R,TX)} are members of the House Science, Space, and Technology
Committee, one of the two committees to which this bill was assigned for
consideration. Babin is also a member of the House Transportation and
Infrastructure Committee, the other committee. This means that both committees
could actually consider this bill. With Chairman Smith as a cosponsor, it will
almost certainly be considered in the Science, Space and Technology Committee.
There are no monies authorized to be spent by this bill and
there are no provisions (mainly due to the lack of specificity in the
requirements) that would draw the specific ire of anyone, so there should be no
organized opposition to the bill. I suspect that it will be recommended for
adoption by the Science, Space, and Technology Committee and if it makes it to
the floor of the House for consideration (probably under the suspension of the
rules procedures) it will pass with substantial bipartisan support.
Commentary
It is strange that the cybersecurity of avionics control
systems is never mentioned in this bill. The provisions of §32 and §36 are clearly intended
to address the issue, but they never directly say that. I suspect that this is
done so as not to raise the specific objection from aircraft vendors (and their
avionics system suppliers) that no one has ever demonstrated a vulnerability of
those control systems. The weasel wording allows those concerned to ignore the
specific provisions and thus not oppose the entire bill. This is politics.