Nimitz Tech Hearing 9-18-24 - Senate Commerce
⚡NIMITZ TECH NEWS FLASH⚡
“Aviation Cybersecurity”
Senate Committee on Commerce, Science, and Transportation
September 18, 2024 (recording linked here)
HEARING INFORMATION
Witnesses and Written Testimony (linked):
Marty Reynolds: Managing Director for Cybersecurity, Airlines for America.
Lance Lyttle: Aviation Managing Director, Seattle-Tacoma International Airport
John Breyault: Vice President of Public Policy, Telecommunications, and Fraud, National Consumers League

HEARING HIGHLIGHTS
Cybersecurity Resilience and Infrastructure Hardening:
Several members and witnesses emphasized the need to continuously harden cybersecurity defenses, particularly for critical infrastructure like airports, air traffic control systems, and maritime ports. This includes improving identity management, network segmentation, and collaboration with agencies like TSA and CISA.
Information Sharing and Regulatory Harmonization:
A recurring theme was the need for better information sharing between airports, airlines, federal agencies, and private sector stakeholders. There was also discussion around the burdensome nature of reporting to multiple agencies with different requirements. Harmonizing cybersecurity regulations across agencies could reduce inefficiencies and improve overall security response.
Impact of Cyber Incidents on Consumers and Compensation:
The hearing emphasized that policymakers need to consider consumer protection, especially in light of the financial and personal hardships caused by cyberattacks on airlines. Senator Markey’s emphasis on automatic refunds and compensation for disruptions, along with Mr. Breyault’s recommendations for compensating consumers for lost miles and delayed flights, points to an area where regulatory intervention could better protect the public.
IN THEIR WORDS
"One of the key messages from today is the need for communication. I want to clarify now what is that immediate step on impacting that communication best practices. We know that there is an ARC process at the FAA on cybersecurity, much bigger picture. That's going to take a while. But what now are we doing?"
"First, even though we have robust cybersecurity systems in place, cybercriminals are always evolving their tactics, and so we are continuing to work to further harden our cyber defenses, including strengthening our identity management and authentication protocols, as well as enhancing our monitoring."
"When cybersecurity incidents occur in the airline industry, passengers are often the ones who suffer the most. Flights are delayed or canceled, personal information is compromised, and families can find themselves stranded for days."
OPENING STATEMENTS FROM THE COMMITTEE
Chairwoman Cantwell opened the hearing by emphasizing the increasing cybersecurity threats facing the aviation industry, noting a 74% rise in cyber attacks since 2020. She highlighted the industry's significant contribution to the U.S. economy—over 5% of GDP, amounting to $1.9 trillion and supporting 11 million jobs—and stressed the urgency of addressing these threats. The Chairwoman cited the recent ransomware attack on Seattle-Tacoma International Airport by the Rhysida group, which disrupted systems like ticketing, display boards, and baggage claims, causing confusion and delays for passengers and staff. She drew parallels to past vulnerabilities in the power grid, advocating for strong national standards for resiliency, whether through voluntary measures or stricter regulations, to protect consumers and the industry.
She also mentioned other cyber incidents at airports in San Francisco and San Antonio, as well as a 2015 hack into an airline's flight control system via inflight entertainment. She underscored the importance of federal action, referencing the FAA reauthorization bill that includes measures to strengthen cybersecurity and designate a cybersecurity lead at the FAA. Expressing gratitude to the witnesses, including SeaTac's Aviation Management Director Lance Lyttle and cybersecurity expert Marty Reynolds, she looked forward to their insights on emerging threats and solutions. The Chairwoman emphasized that airlines must adhere to passenger commitments even during disruptions and introduced Mr. Breyault from the National Consumer League to discuss passenger resources and rights regarding flight disruptions and refunds.
Ranking Member Cruz began by highlighting the massive scale of cybercrime, stating that if measured as a nation, it would constitute the third-largest economy globally, costing about $10 trillion annually—up from $3 trillion a decade ago. He pointed out that the transportation sector is frequently targeted by cybercriminals, referencing the 2021 ransomware attack on the Colonial Pipeline and various hacks affecting airlines, pilots' unions, and airports worldwide. Noting that travelers were largely spared widespread disruptions during the recent Port of Seattle hack, he expressed interest in hearing from SeaTac Managing Director Lance Lyttle about the airport's response and lessons learned. The Ranking Member acknowledged the significant investments airlines and airports make in cybersecurity but cautioned against over-reliance on increased regulations and reporting requirements, expressing concern over potentially duplicative compliance burdens.
He criticized the federal government's poor track record in protecting data from cyberattacks and noted that current laws allow the government more time to report incidents than private entities. The Ranking Member cited issues with TSA's cybersecurity directives for pipelines, which were implemented without industry input and led to confusion due to impractical requirements. He suggested that a regular rulemaking process with notice and comment could have avoided these problems. The Ranking Member expressed a desire for greater scrutiny of TSA's operations, mentioning his ongoing investigation into the use of commercial airports to house illegal aliens and the lack of cooperation from DHS and FAA in providing requested information. He also discussed concerns about TSA's use of facial recognition technologies at checkpoints and supported holding a hearing on the topic. Concluding, the Ranking Member emphasized the need for TSA and DHS to collaborate more effectively, especially in rulemaking, and looked forward to the witnesses' insights on enhancing aviation sector security.
WITNESS STATEMENTS
Mr. Lance Lyttle testified about a recent cyber attack that began on August 24. He explained that while the attack initially impaired some operations and inconvenienced passengers, safety was never compromised, and significant progress has been made in restoring services. Mr. Lyttle highlighted lessons learned, such as the need to continually evolve cybersecurity defenses, the importance of effective communication and partnerships during incidents, and the value of developing operational workarounds. He urged Congress and federal agencies to help improve information sharing of industry-wide best practices and to prioritize timely, actionable cyber threat information.
Mr. John Breyault addressed the serious impact of cybersecurity incidents on airline passengers. He noted that such events often lead to flight delays or cancellations, compromised personal information, and financial burdens on families. Breyault highlighted the increasing vulnerability of airline rewards programs, citing a 166% rise in bot attacks on airline accounts and the lack of consumer protections for stolen airline miles. He urged Congress to pass comprehensive national data security standards, protect airline rewards from fraud, require airlines to clearly communicate passenger rights during cyber incidents, and codify the Department of Transportation's authority to mandate delay compensation rules.
Brigadier General Marty Reynolds testified on the critical challenges of aviation cybersecurity. He emphasized that airlines recognize cybersecurity as one of the greatest threats to critical infrastructure and have invested significantly—$36.5 billion from 2018 to 2023—in IT and cybersecurity. Brig. Gen. Reynolds expressed concern over the increasing complexity of regulatory requirements, which can divert resources from actual cybersecurity efforts, and recommended that the federal government harmonize its cybersecurity mandates. He also stressed the importance of improved information sharing among aviation regulators, the intelligence community, and private stakeholders to enhance the sector's safety, security, and resiliency.
SUMMARY OF Q and A
Chairwoman Cantwell confirmed with Mr. Lyttle that Seattle-Tacoma International Airport was designed for 30 million passengers but currently serves 52 million, with ongoing construction adding strain. She asked if Seattle was specifically targeted in the recent cyberattack, to which Mr. Lyttle responded that there was no specific information yet. The Chair inquired about cybersecurity hygiene, with Lyttle explaining that phishing, ransomware, and denial-of-service attacks are concerns they regularly mitigate through exercises and audits. When asked if the investigation findings would be made available, Mr. Lyttle confirmed that an independent after-action report would be shared.
Chairwoman Cantwell emphasized the need for better information sharing among government agencies in response to cyberattacks. She mentioned the FAA’s Aviation Rulemaking Committee (ARC) and asked if Airlines for America (A4A) would participate. Brig. Gen. Reynolds confirmed A4A’s eagerness to collaborate and noted that industry-government partnerships produce the best cybersecurity recommendations. He emphasized that the ARC would help establish stronger cybersecurity requirements for airports. The Chair remarked on the timeliness of the process and Brig. Gen. Reynolds thanked her for including the ARC in the reauthorization.
Chairwoman Cantwell asked Mr. Breyault what is most important in protecting consumers from the impacts of cyberattacks. Mr. Breyault explained that vulnerabilities affect consumers throughout their travel experience, from frequent flyer programs to TSA data. He noted that while cybersecurity investments are crucial, they won’t prevent all attacks, and recovery measures for consumers are needed. He stressed the importance of helping consumers recover from the inevitable impacts of cyber incidents.
Ranking Member Cruz asked Brigadier General Reynolds how the FAA Reauthorization Act has helped protect aviation from cyber threats. Brig. Gen. Reynolds highlighted the Aviation Cybersecurity Rulemaking Committee and the FAA’s sole jurisdiction over avionics cybersecurity rulemaking as key developments. The Ranking Member pointed out the discrepancy between the 72-hour reporting requirement for critical infrastructure and the seven-day timeline for federal agencies. Brig. Gen. Reynolds confirmed that airlines face ten different regulatory requirements for incident reporting, calling for a single reporting framework to streamline the process. He noted ongoing efforts by CISA to address this through the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
The Ranking Member inquired about the TSA’s recent cybersecurity directives and asked whether entities had been allowed to provide input. Brig. Gen. Reynolds explained that initial comments were provided, but the TSA issued emergency amendments without further comment due to urgency. He emphasized the close working relationship between airlines and the TSA to ensure compliance.
Sen. Hickenlooper discussed ransomware attacks aimed at stealing and extorting sensitive data and asked Mr. Breyault about proactive steps businesses can take to protect personal data. Mr. Breyault suggested that businesses inventory the data they collect, minimize unnecessary information, securely dispose of unneeded data, and have a recovery plan in place. He noted that agencies like the Federal Trade Commission offer guidance to help businesses safeguard customer and employee information.
Sen. Hickenlooper then focused on recovery from cyber attacks, asking Brigadier General Reynolds about steps companies take to prepare. Brig. Gen. Reynolds emphasized that customer safety, security, and privacy are priorities. He explained that companies implement risk-based programs, conduct tabletop exercises, and engage in training, both internally and in collaboration with federal agencies. He highlighted the global exercises conducted by the Aviation Information Sharing Analysis Center and the FAA’s Aviation Cyber Initiative, which help identify gaps and strengthen resilience.
Sen. Hickenlooper asked Mr. Lyttle about lessons learned from the SeaTac cyber attack and how they could benefit other airports. Mr. Lyttle stressed the importance of tabletop exercises, continuity of operations plans (COOP), and regular practice of emergency procedures. He also recommended partnering with federal agencies like CISA and TSA and conducting ethical hacking exercises to test systems. Sen. Hickenlooper suggested reviewing data retention policies to minimize potential targets, and Mr. Lyttle agreed, emphasizing that sensitive data should only be stored if necessary and always encrypted.
Sen. Blackburn expressed concerns about security vulnerabilities in the Known Crew Member program, citing incidents where flight attendants allegedly smuggled drug money and hackers created fake employee profiles to bypass security. She asked Brigadier General Reynolds what steps were being taken to secure the program. Brig. Gen. Reynolds, while not directly responsible for the Known Crew Member program, explained that it involves collaboration between TSA, Airlines for America (A4A), and the Air Line Pilots Association (ALPA) and promised to provide more details after consulting with the relevant experts.
Sen. Blackburn emphasized the need to address these vulnerabilities, especially given the nation's drug trafficking challenges, and requested further information. She then asked Brig. Gen. Reynolds to elaborate on his earlier remarks about streamlining reporting requirements and improving information sharing, noting the growing number of internet-connected devices.
Brig. Gen. Reynolds outlined two key aspects of information sharing: first, the need to share real-time cybersecurity threat data, such as tactics and incidents, to protect networks; and second, using shared information to update regulatory and policy requirements. He commended the SeaTac team for sharing critical information during their recent cyber attack, which helped other industry members secure their systems.
Sen. Klobuchar discussed the recent CrowdStrike outage, asking Mr. Breyault how investing in secure interoperable networks could protect consumers in the aviation sector. Mr. Breyault emphasized that investing in cybersecurity resiliency would strengthen aviation networks and provide essential training for staff, who are often the weakest link due to human error. He also expressed concern that AI could make it easier for cybercriminals to launch attacks, increasing the overall threat. Mr. Breyault stressed that investment in cybersecurity is critical, given the rising risks.
Sen. Klobuchar then asked Brigadier General Reynolds about the tools and skills needed in the cybersecurity workforce. Brig. Gen. Reynolds acknowledged the shortage of IT professionals, particularly those with aviation experience. He explained that companies often need to provide internal training to bridge the gap between cybersecurity expertise and aviation knowledge.
Sen. Klobuchar followed up with Mr. Lyttle, citing his testimony about federal support for workforce development at Seattle airport and highlighting the significant number of unfilled cybersecurity jobs in the U.S. Mr. Lyttle suggested that increasing pay could help attract talent but stressed the importance of engaging students in aviation careers early, encouraging them to see aviation as a viable career path before choosing other industries.
Sen. Budd raised concerns about GPS spoofing, which is increasingly affecting commercial and general aviation aircraft, particularly in regions like the Middle East. He cited pilots receiving false terrain warnings at high altitudes and noted that the FAA Reauthorization Act of 2024 includes provisions to secure aircraft electronics. Budd asked Brigadier General Reynolds if additional actions from Congress or the executive branch are needed.
Brigadier General Reynolds explained ongoing efforts with the federal government, noting that the FAA is identifying interference patterns in areas like Ukraine and the Middle East, helping pilots prepare for these risks. He also mentioned collaboration with the Aviation Cyber Initiative (ACI) to develop protocols for pilots to report GPS spoofing incidents, allowing the FAA and other agencies to respond and notify others. Reynolds highlighted a recent ACI tabletop exercise focused on GPS spoofing, aimed at identifying system gaps, and suggested that further engagement with the FAA could help assess additional resource needs to address the issue fully.
Sen. Duckworth emphasized the severity of the recent SeaTac cyber attack, linking it to broader national security concerns due to the involvement of the Russian-based Rhysida ransomware group. She noted the rise in aviation cyberattacks, up 24% in early 2023, and asked Mr. Lyttle what more the federal government could do to help airports improve cybersecurity. Mr. Lyttle suggested that while airports submit Security Improvement Plans (SIPs) to TSA and CISA, these agencies could improve by consolidating the information, developing best practices, and sharing timely recommendations with airports to enhance cybersecurity defenses.
Sen. Duckworth then asked Brigadier General Reynolds how the federal government could help airlines defend against foreign cyber threats, particularly in partnerships with foreign carriers. Brig. Gen. Reynolds stressed the need for harmonized reporting requirements and improved information sharing between federal agencies and industry stakeholders to stay ahead of threats. He assured Sen. Duckworth that threat-based analyses are conducted when systems are connected or data is shared, minimizing risks as much as possible.
Sen. Duckworth expressed concerns about redundancy in aviation systems, citing the Boeing 737 MAX crashes and a recent software update that caused disruptions. She asked how airports, airlines, and the federal government could collaborate to improve redundancy and resilience in aviation cybersecurity. Mr. Lyttle emphasized the importance of increased information sharing between airports, TSA, CISA, and the aviation industry. He suggested that TSA and CISA consolidate cybersecurity plans submitted by airports and share timely recommendations to continuously improve defenses across the aviation sector.
Sen. Schmitt highlighted the aviation sector's increasing reliance on modern networks and the growing threat of cyberattacks on airports and airlines. He criticized the administration's focus on inclusivity initiatives, referencing the FAA's renaming of the NOTAM system under Secretary Buttigieg, and pointed to incidents like the 2023 nationwide ground stop caused by a NOTAM input error and the recent CrowdStrike software failure. Sen. Schmitt argued that the administration's priorities are misplaced, focusing more on social issues than aviation safety, and called for stronger leadership to ensure aviation system reliability.
Sen. Schmitt then asked Mr. Breyault about the vulnerability of biometric data to cyberattacks, particularly as TSA adopts more biometric technologies. Mr. Breyault acknowledged that no cybersecurity solution is perfect, and consumers should assess the risks of sharing sensitive biometric data. Personally, he avoids services like CLEAR due to concerns about data protection. He emphasized that biometrics are unique and cannot be changed if compromised, making their protection critical. While biometrics can enhance security by preventing identity spoofing, Mr. Breyault stressed the importance of stringent safeguards by government agencies and companies handling such data.
Sen. Welch asked Mr. Lyttle about SeaTac's response to the recent cyber attack, noting that the airport had backup systems. Mr. Lyttle confirmed that the backups were not compromised, which helped mitigate the attack. He explained that systems were shut down to prevent further breaches, and operations, including manual baggage handling, were carried out. Systems for some airlines, such as Alaska and Delta, were restored within two days, while others took longer.
Sen. Welch also inquired about protecting personal information compromised during the attack. Mr. Lyttle assured that affected employees would be notified and provided with credit monitoring and support services. He added that SeaTac is conducting a third-party after-action report, which will be shared to help improve industry-wide cyber defenses.
Sen. Welch then asked Brigadier General Reynolds if passengers affected by the CrowdStrike outage had been reimbursed. Brig. Gen. Reynolds explained that his expertise is in cybersecurity, not passenger accommodations, but promised to gather the relevant information and provide an accurate response.
Lastly, Sen. Welch asked Mr. Breyault about the security of in-flight Wi-Fi. Mr. Breyault advised caution when using public networks, including in-flight Wi-Fi, recommending that sensitive activities like online banking be avoided. He emphasized treating in-flight Wi-Fi as any public network and promised to look into specific airline security protocols for further details.
Sen. Rosen emphasized the importance of cybersecurity for Nevada’s travel and tourism industry, noting the vulnerability of critical infrastructure like airports to cyber threats. She asked Mr. Lyttle about network segmentation at Seattle-Tacoma International Airport and whether critical systems were sufficiently separated from public networks to prevent ransomware access.
Mr. Lyttle explained that segmentation was already in place, which protected certain systems like access control and conveyors. The impacted network was itself segmented, and the airport’s practices allowed for faster recovery. Following the attack, they plan to further improve segmentation.
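As an added illustration of what “sufficiently separated from public networks” means in practice (this is example code written for this summary, not SeaTac’s design, any witness’s material, or a description of the actual attack): the check below models a network as zones joined by explicitly allowed flows and asks whether a foothold in one zone can reach a critical zone transitively, not just by a direct rule. All zone names, flows, and port numbers are constructed for the example. The first policy has no direct rule from the corporate IT zone to the baggage conveyors or door controllers, yet both are reachable through intermediate zones; the hardened policy reverses those flows so that operational zones push telemetry out and accept nothing in.

```python
"""Transitive zone-reachability check for a segmentation policy.

Constructed example: the zones, flows and ports are hypothetical and do not
describe any real airport network. Only listed flows are permitted; the model
assumes default-deny between zones.
"""
from collections import deque

# Policy A: looks segmented rule-by-rule, but corporate IT (where ransomware
# typically lands) has inbound paths into the operational zones.
POLICY_A = [
    ("public_wifi", "internet", "any"),
    ("corporate_it", "internet", "https"),
    ("corporate_it", "fids", "https"),                # flight information displays
    ("corporate_it", "baggage_control", "https"),     # management UI of baggage system
    ("baggage_control", "conveyors", "modbus"),
    ("corporate_it", "badge_servers", "ldap"),
    ("badge_servers", "access_control", "tcp/4070"),  # hypothetical controller port
]

# Policy B: same zones, but the operational side only exports data outward
# (historian/syslog), so nothing on the corporate side can initiate a session in.
POLICY_B = [
    ("public_wifi", "internet", "any"),
    ("corporate_it", "internet", "https"),
    ("corporate_it", "fids", "https"),
    ("baggage_control", "corporate_it", "https"),     # historian export, OT -> IT
    ("baggage_control", "conveyors", "modbus"),
    ("badge_servers", "corporate_it", "syslog"),      # audit export, OT -> IT
    ("badge_servers", "access_control", "tcp/4070"),
]

CRITICAL_ZONES = {"conveyors", "access_control"}


def build_graph(flows):
    """Directed adjacency map: src -> set of zones src may initiate sessions to."""
    graph = {}
    for src, dst, _service in flows:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def reachable_from(graph, start):
    """All zones a foothold in `start` can reach by chaining allowed flows (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in graph.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def exposed_critical_zones(flows, compromised, critical=CRITICAL_ZONES):
    """Sorted list of critical zones an attacker in `compromised` could reach."""
    graph = build_graph(flows)
    return sorted(reachable_from(graph, compromised) & set(critical))


def inbound_sources(flows, zone):
    """Zones allowed to initiate sessions into `zone`; useful as a policy audit."""
    return sorted({src for src, dst, _ in flows if dst == zone})


if __name__ == "__main__":
    for name, policy in (("A", POLICY_A), ("B", POLICY_B)):
        for foothold in ("public_wifi", "corporate_it"):
            print(f"policy {name}: foothold in {foothold} reaches",
                  exposed_critical_zones(policy, foothold))
```

Running the check against policy A reports that a foothold in corporate IT reaches both conveyors and access control, even though no single rule says so; against policy B it reports nothing from either public Wi-Fi or corporate IT. The check is only as good as the flow list it is fed, and it says nothing about a compromise that lands directly inside an operational zone (a foothold in baggage_control still reaches the conveyors under both policies), which is why segmentation is paired with the monitoring and workarounds the witnesses described.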
Sen. Rosen inquired about the vulnerability of airline and airport systems during a cyber attack, particularly in relation to baggage handling. Brigadier General Reynolds explained that their cybersecurity programs are risk-based and follow NIST standards, stressing the importance of identifying critical systems and applying controls to mitigate risks when systems are connected.
Sen. Rosen also expressed concern about third-party vendor vulnerabilities, particularly in the Known Crew Member program. Brig. Gen. Reynolds acknowledged the importance of vendor cybersecurity but noted that the program is outside his expertise and offered to provide more information from the relevant leads.
Sen. Capito highlighted the importance of cybersecurity insurance in aviation and discussed a bill she introduced with Sen. Hickenlooper, the Insure Cybersecurity Act, aimed at improving understanding and information sharing. She asked Brig. Gen. Reynolds if the bill would be beneficial and what challenges airlines face in securing insurance. Brig. Gen. Reynolds acknowledged the complexities of cyber insurance, noting that it is evolving and expressed support for a working group to provide clarity.
Sen. Capito referenced Reynolds’ earlier testimony about the burden airlines face in reporting to 10 different agencies with varying timelines. She asked if this posed a security risk. Brig. Gen. Reynolds said that while it doesn’t enhance security, it is burdensome and inefficient during critical response times.
Sen. Capito asked Mr. Lyttle about SeaTac’s decision not to pay a ransom in a recent cyberattack and how smaller airports could learn from larger ones. Mr. Lyttle emphasized that their decision was based on values and highlighted the importance of sharing lessons learned. He stressed that while larger airports have more resources, smaller ones can benefit from shared information, helping improve cybersecurity across the industry.
Sen. Capito also mentioned CISA’s role in sharing best practices and suggested that Mr. Lyttle’s insights could be useful for Marshall University’s cybersecurity institute, which focuses on critical infrastructure. She underscored the need for a workforce ready to meet future cybersecurity challenges in aviation.
Sen. Peters emphasized the importance of cybersecurity for critical infrastructure, including aviation and maritime ports, highlighting Michigan's reliance on its cargo ports. He introduced the Protecting Investments in Our Ports Act to ensure ports receive digital infrastructure grants and have proper cybersecurity measures. He asked Mr. Lyttle about the complexity of managing a cyber attack that affected both aviation and maritime operations at the Port of Seattle. Mr. Lyttle explained that the challenge stemmed from managing a wide network covering both aviation and maritime operations across multiple facilities. The Port's IT and security departments oversee both sectors, which helped during the response. He noted that while some maritime services were impacted, critical cargo operations were protected due to network segmentation.
Sen. Peters announced the introduction of the Streamlining Federal Cybersecurity Regulations Act, aimed at easing compliance across regulatory agencies to allow teams to focus more on security. He thanked Mr. Reynolds for supporting the bill, emphasizing the importance of reducing regulatory burdens.
Sen. Peters asked Mr. Breyault for recommendations on preventing fraud after major cyberattacks, like phishing attacks following the CrowdStrike incident. Mr. Breyault emphasized that consumers often bear the consequences of cyber incidents, such as missed flights or lost airline miles. He called for Congress and the Department of Transportation to implement policies that help consumers recover, suggesting that DOT's delay compensation authority be codified and that stolen airline miles be protected similarly to stolen funds from credit or debit cards.
Sen. Markey discussed the July 19th CrowdStrike IT outage, which disrupted multiple sectors and exposed vulnerabilities in interconnected IT systems. He asked Mr. Breyault if airline consumer protection policies should be part of a broader cybersecurity strategy. Mr. Breyault agreed. Sen. Markey stressed that even brief disruptions have serious consequences for travelers, citing his provision in the FAA Reauthorization Act, which mandates automatic refunds for flight delays or cancellations when travelers don’t opt for rebooking or vouchers. He was frustrated that some airlines claimed this provision hadn’t taken effect and asked Mr. Reynolds if airlines would provide automatic refunds during cyber-related disruptions. Brig. Gen. Reynolds affirmed that airlines comply with the law and would follow refund requirements.
Sen. Markey asked Mr. Breyault if airlines reimburse passengers for missed events, like concerts or work shifts, when flight cancellations cause them to miss these events. Mr. Breyault confirmed they do not. Sen. Markey noted that these losses have real impacts on travelers and highlighted that European regulations require cash compensation for significant delays. He supported the Biden-Harris administration’s proposed rule to require airlines to compensate passengers for delays and cancellations caused by the airline and asked Breyault if cash compensation is vital for consumer protection. Mr. Breyault agreed.
Sen. Markey emphasized his "three Cs" of consumer protection: communication, correction, and compensation. He insisted that airlines must clearly communicate passengers' rights, correct their mistakes with automatic refunds, and compensate passengers for airline-caused disruptions. He criticized airlines for not investing enough in cybersecurity, concluding that the cost of system failures should not be passed on to consumers.
Chairwoman Cantwell acknowledged Senator Markey's efforts in the FAA bill to protect consumers and stressed the need for better communication and cybersecurity practices, referencing the SeaTac cyberattack. She asked Mr. Lyttle if the FBI was leading the investigation. Mr. Lyttle confirmed. The Chair then asked the panel how to improve communication of cybersecurity best practices while waiting for the FAA’s Aviation Rulemaking Committee (ARC) to complete its work. She highlighted the success of the National Transportation Safety Board’s annual report in addressing near misses and suggested a similar approach for cybersecurity. Mr. Breyault emphasized the importance of clear communication from airlines to consumers during cybersecurity incidents, pointing to confusion during the CrowdStrike incident when passengers received mixed messages about delays and cancellations.
Chairwoman Cantwell asked Mr. Reynolds how to streamline communication of best practices across airports and airlines. Brig. Gen. Reynolds highlighted the role of industry standards, tabletop exercises, and the Aviation Information Sharing and Analysis Center in improving information sharing. He noted progress with agencies like TSA and FAA but said the process was still developing.
Chairwoman Cantwell suggested formalizing a communication process, similar to the utility sector’s voluntary cooperation, and urged both the FAA and the industry to act quickly on improving cybersecurity hygiene and communication, even before FAA rulemaking is complete. Finally, the Chair proposed leveraging the National Guard and Reserves, especially those with IT experience, to address workforce shortages and enhance cybersecurity. Brig. Gen. Reynolds agreed, praising their capabilities. Cantwell concluded by emphasizing the importance of consumer protection, better communication, and hardening critical infrastructure.