The consistent glitches and downed systems that have become so characteristic of top airlines (United, Delta, British Airways, to name a few) have not only called into question their ability to manage complex IT systems, but also their ability to protect them. Cyber vulnerabilities, and the need to secure them, touch everything in today’s modern, interconnected, “internet-of-things” world. Cybersecurity is a dynamic, constantly evolving arena that requires organizations—both private and public—to protect themselves from threats as varied as governments, cybercriminals, hacktivists and hobbyists.
As the debate around privatizing the air traffic control mechanism of the FAA continues in Congress, it’s important to consider the potential cybersecurity concerns such a move could also pose. In my former role as director of the Homeland Security Advanced Research Projects Agency under the U.S. Department of Homeland Security, I worked to deploy complex technologies and mitigate their cyber vulnerabilities. As a former senior executive in charge of the design and installation of all security systems at the Pentagon, I understand the enterprise-wide approach we must take to securing our nation’s technological infrastructure.
Removing air traffic control from federal control and oversight puts our aviation infrastructure at greater risk of cyberattack. While I recognize our government and its many agencies have their inefficiencies, there is no entity in the world that rivals the U.S. federal government’s cyber research, development, deployment, and manpower capabilities.
A strong cyber posture demands continuity of defense. Commercial airline control of ATC may jeopardize this continuity. First, the only thing consistent about the commercial airlines seems to be their track record of information technology (IT) failures, which illustrate a consistent inability to manage and maintain complex IT infrastructures, or at best, a lack of investment in backup systems that ensure interruption-less service. Commercial airlines have a track record of noncontiguous IT services, and in the world of cybersecurity, interruptions lead to vulnerabilities.
Second, if our aviation network is to remain resilient to cyberattack, its core components – ATC included – should stay under the same organizational umbrella. Currently, ATC, with the advances and investment associated with the NextGen program, is under the protection of the federal government, the largest security “organization” in the world able to protect and respond with the full might of our cyber and intelligence agencies. A disjointed FAA would inhibit an efficient response to cyberattack or intrusions. When the processes are standardized and the players uniform, crisis response is more coordinated and timely.
The United States has the busiest aviation system in the world. In a time when email servers, financial institutions and energy grids are threatened and penetrated by hackers daily, there is no room for our aviation system to be made more vulnerable to cyberattack in the commercial airlines’ search for profit. With history as evidence, readers can be sure that so long as the FAA maintains ownership of its current systems, it will never risk the security – cyber or otherwise – of our airspace to generate capital.
Paul Benda is a Principal and the Chief Technology Officer of Global Security Innovative Strategies. Benda served as the director of the Homeland Security Advanced Research Projects Agency.