Last week Sen. Markey (D,MA) introduced S 2764,
the Cybersecurity Standards for Aircraft to Improve Resilience (Cyber Air) Act
of 2016. The bill replicates the
three amendments that Markey proposed to HR 636, the FAA authorization bill
currently under consideration in the Senate.
Definitions
With the combination of the three amendments §2 provides a common set
of definitions. Terms included in this section are:
• Covered air carrier;
• Covered manufacturer;
• Cyberattack;
• Critical software systems; and
• Entry point.
The two critical terms are ‘cyberattack’ and ‘critical
software systems’. Cyberattack is defined as “the unauthorized access to
aircraft electronic control or communications systems or maintenance or ground
support systems for aircraft, either wirelessly or through a wired connection”
{§2(3)}. The term ‘critical
software systems’ is defined as “software systems that can affect control over
the operation of an aircraft” {§2(4)}.
Incident Reporting
Section 3 of the bill is essentially SA 3468, the first of
three cybersecurity amendments that Markey proposed to HR 636. It would require
the Administrator to prescribe regulations requiring air carriers and manufacturers
to disclose cyberattacks to the FAA. The attacks would have to be reported
whether or not they were successful, and regardless of the criticality of the targeted
system: “whether or not the system is critical to the safe and secure operation of the
aircraft, or any maintenance or ground support system for aircraft, operated by
the air carrier or produced by the manufacturer, as the case may be” {§3(a)}.
FAA would use the information disclosed by air carriers and
manufacturers to inform future regulatory actions. The FAA would also be
required to “notify air carriers, aircraft manufacturers, and other Federal
agencies of cybersecurity vulnerabilities in systems on board an aircraft or
maintenance or ground support systems for aircraft” {§3(b)}.
Cybersecurity and Operating/Manufacturing Certificates
Section 4 is essentially SA 3469. It would require the
Secretary of Transportation to prescribe regulations incorporating
cybersecurity standards into the requirements to obtain or maintain an air carrier operating
certificate or a production certificate under 49
USC Chapter 447. Those regulations would include requirements to {§4(b)(2)}:
• Require all entry points to the
electronic systems of each aircraft operating in United States airspace and
maintenance or ground support systems for such aircraft to be equipped with
reasonable measures to protect against cyberattacks, including the use of
isolation measures to separate critical software systems from noncritical
software systems;
• Require the periodic evaluation
of the measures described in subparagraph (A) for security vulnerabilities using
best security practices, including the appropriate application of techniques
such as penetration testing; and
• Require the entry point measures
to be periodically updated based on the results of the evaluations conducted
above.
Consumer Communications Equipment
Section 6 addresses the role of the DOT-FCC’s Commercial
Aviation Communications Safety and Security Leadership Group, as did amendment
SA 3470. The bill would make the Leadership Group responsible for evaluating the cybersecurity
vulnerabilities of broadband wireless communications equipment designed for
consumer use on board aircraft operated by covered air carriers. It would be
required to {§6(b)}:
• Ensure the development of
effective methods for preventing foreseeable cyberattacks that exploit
broadband wireless communications equipment designed for consumer use on board
such aircraft; and
• Require the implementation by
covered air carriers, covered manufacturers, and communications service
providers of all technical and operational security measures that are deemed
necessary and sufficient by the Leadership Group to prevent cyberattacks
described above.
Reports to Congress
Section 5 of the bill can be found in the language of the
first Markey amendment to HR 636. It requires an annual report to Congress on
the attacks reported under provisions of §3.
Section 6(b) would require annual reports by the Leadership
Group to Congress. Those reports would include {§6(b)(1)}:
• The technical and operational
security measures developed to prevent foreseeable cyberattacks that exploit
broadband wireless communications equipment designed for consumer use on board
aircraft operated by covered air carriers; and
• The steps taken by covered air
carriers, covered manufacturers, and communications service providers to
implement the measures described above.
Moving Forward
Markey is a rather junior Democrat on the Senate Commerce,
Science and Transportation Committee. Normally this might provide him
sufficient influence to have the Committee consider this bill. But slightly
different versions of the HR 636 amendments that formed the basis for this bill
were already considered and rejected by moderately bipartisan votes in the
Committee during markup of S 2658. The Committee is extremely unlikely to take
up this bill with that history.
Commentary
It looks like Markey is trying to make a name for himself as
the cybersecurity Senator. He is well out in front of his colleagues in suggesting
detailed legislative solutions to cybersecurity problems that most of his
compatriots have not yet recognized as being serious problems. At this point
that kind of leaves him as a voice crying in the wilderness. How long he will
be willing to continue to do this in the face of general opposition in the
Senate is an interesting political question.
Of course it would take only a single high-visibility cyber
incident to change Markey from a political oddball into a prophet. If such an
incident (probably with loss of life) occurs during the remainder of this
session of Congress, we can expect that this bill would probably form the
initial basis for the knee-jerk reaction of the Senate.
With that in mind, let’s look at some of the problems that
arise in legislation when politicians try to get too detailed in their
technical mandates. The use of the term ‘critical software systems’ unnecessarily
limits the application of this bill. It should instead read ‘critical control
systems’ or maybe ‘critical electronic systems’ if one wanted to include electronic
communications systems in the cybersecurity coverage. The way the bill is
currently written, for example, completely ignores firmware issues.
In section 6 of the bill we see a similar problem with the
use of the term ‘broadband wireless communications’ to describe potential
cybersecurity problems caused by customer communications equipment. While Wi-Fi
connections are a potential route of entry into critical aircraft systems, they
are not the only consumer communications mode that may cause problems. Cyber
radio and even potentially cell phone traffic could prove to be problematic in
future configurations. To allow the broadest application of the intent of this
section, it probably would have been better written as ‘consumer
communications equipment’.
One of the complaints I have heard repeatedly from
cybersecurity specialists when we start talking about legislation in this realm
is that such legislation is likely to be out-of-date or inadequately focused
before the legislation is passed. Legislation like this bill is certainly what
they are talking about. Legislation needs to be broadly written to allow the
regulators with at least some technical background to address the changing
technological environment in which the regulated industry operates.
Not only are legislators likely to get the technical details
wrong, but legislators take even longer to adapt to change than do regulators.
When you add the legislative delay on top of the regulatory delay you end up
with obsolete regulations attempting to control completely unforeseen circumstances.