Last month Sen. Markey (D,MA) introduced S 2181,
the Cybersecurity Standards for Aircraft to Improve Resilience (Cyber AIR) Act
of 2019. This bill is very similar to S
2764 that Markey introduced in the second half of the 114th
Congress.
Differences
The major difference between the two bills is that the
congressional reporting requirements found in §5 of the earlier bill have been removed from the
current version. Those would have required annual reports to Congress on the
attacks reported to the FAA by air carriers and manufacturers under provisions
of §3.
Two other changes are found in §5 of the current bill. The formatting is changed
from §6 of S 2764,
and the last subparagraph {§6(c)(2)}
from the earlier bill has been deleted in S 2181. That subparagraph would have required
that the report to Congress from the FAA-FCC Leadership Group be “submitted in unclassified form, but may include a classified
annex”.
Moving Forward
Markey is still a member of the Senate Commerce, Science,
and Transportation Committee and he has added a cosponsor {Sen. Blumenthal (D,CT)}
who is a senior Democrat on that Committee. This increases the likelihood that
this bill would see consideration in Committee compared to the 114th Congress.
I suspect that the bill, if considered, would receive substantial opposition
from Republicans, thus killing any chances that the bill would move to the
floor of the Senate.
Commentary
There is no reference in this bill to cooperation with the
DHS Cybersecurity and Infrastructure Security Agency. CISA was not in existence
when the earlier version of the bill was introduced, but I would have expected
this version to be updated to substitute CISA for generic references to cooperation
or coordination with ‘the Secretary of Homeland Security’. CISA is, of course,
supposed to be the Federal government’s expert on all things cybersecurity.
Over the years I have been a strong proponent of actively
involving ICS-CERT and now CISA in anything involving Federal oversight of
control system security in all of its guises. Mainly, I have asserted that the
limited availability of control system security expertise in government (and to
a somewhat lesser extent in the private sector) meant that the
localization of that talent in a single agency would probably make a great deal
of sense. I am starting to rethink that proponency (hmmm, that may be a new
word according to spell check).
First, it appears that DHS in general, and CISA in particular,
has ‘deemphasized’ the importance of control system security expertise with the
effective elimination of ICS-CERT. This has always been the problem of putting
all of your ‘eggspertice’ in one administrative basket; bureaucratic
adjustments in the size of that basket have unintended consequences outside of
the agency’s mandate.
More importantly, not requiring safety regulatory agencies
(like the FAA in this case) to have cybersecurity expertise in general, and
control system expertise in particular, fails to recognize the impact of
cybersecurity on safety. Safety regulators are going to increasingly become control-system
cybersecurity regulators as more and more safety systems rely on interconnected
control-system components. Safety regulatory agencies are going to have to be
forced by Congress to formalize and grow their cybersecurity capabilities.
With that in mind, I would like to suggest an addition to §3 of the bill:
(c) The Secretary will establish
within the FAA an Aviation Cybersecurity Office (ACO) to receive the cyberattack
reports described in (a) and develop recommendations for, and implement,
regulatory actions described in (b). The Director of the ACO will be familiar
with avionics control systems and cybersecurity of such systems. Additionally,
the ACO will:
(1) Receive cybersecurity incident
reports from covered air carriers and covered manufacturers;
(2) Prepare anonymized reports
on such incidents that would identify security vulnerabilities (as defined in 6
USC 1501) that could affect other carriers and manufacturers and coordinate the
disclosures of those security vulnerabilities;
(3) Establish procedures and
processes by which security researchers can report security vulnerabilities for
further coordinated disclosure; and
(4) Coordinate with the National
Cybersecurity and Communications Integration Center on sharing security vulnerability
information.