What a Tangled Web: Aviation Prosperity, Cybersecurity Risk

FAA Chief Counsel, Marc Nichols

Thank you, Professor Truxal, for the kind introduction, and thank you to Leiden University (and the Ministry of Infrastructure and Water Management) for the invitation and for hosting this conference. 

It’s a privilege to be in the Netherlands, a nation with which the United States not only has a long-standing relationship in aviation, but also, a history-making one. 

Just over thirty years ago, our Department of Transportation entered into an “open skies” agreement with the Netherlands, thereby opening our markets to each other for the first time with a European partner. Then, three years later, our two nations signed the world’s first bilateral aviation safety agreement (BASA). Both of those efforts led to comparable agreements throughout Europe, so it seems sporting to accord Amsterdam the status of catalyzer for American aviation.

What I can say without reservation is that the Netherlands is certainly in that role today. The thought leadership Leiden University fosters today will undoubtedly strengthen all of our respective efforts to protect our digital aviation infrastructure. 

This conference comes at a crucial time in that effort, speaking candidly. We are on the cusp of what will be aviation’s most cutting-edge epoch, driven principally by technological evolution at an unfathomable pace and its integration into nearly every aspect of our current air travel and goods delivery experience.

To acknowledge the cyber defense challenges attending that evolution is not alarmist. It’s reality. It is reading a website on your phone two months ago and learning that seven small German airports experienced Distributed Denial of Service, or “DDOS” attacks, which I suspect most of you know are attempts to crash websites by generating overwhelming traffic. It’s turning on your TV and seeing that less than a month ago, the pro-Russian hacker group, Killnet, executed DDOS attacks on Eurocontrol. It’s hearing on the radio that this is Killnet’s modus operandi because it did the same at fourteen U.S. airports last year. Did any of these efforts amount to more than nuisance, website disruptions? No. Because all of us contributing to this effort examine as many data points as possible.

We look at assessments from private and governmental actors and can reasonably anticipate the type and number of threats will continue to increase, as will the diversity of malicious actors. None of those prognostications is worrisome precisely because we readily admit what we confront. 

We know the only way to travel risk-free is to never move.  Instead, we game out every conceivable scenario to keep that risk as close to zero as possible because we know the humanitarian value in shrinking the world and facilitating cross-cultural exchange at events like this is too beneficial to forego. 

We know the immense economic benefits of aviation improve far too many lives to be any less steadfast. To appreciate the scale of which I speak, the world’s airlines carry over four billion passengers and nearly 61 million tons of freight per year, creating almost ninety million jobs and adding $3.5 trillion to global GDP. The Air Transport Action Group predicts that by 2038, it will be 143 million jobs and $6.3 trillion. 

Of course, it’s precisely the industry’s financial strength and the stabilizing impact it provides nations through economic growth that make aviation such a tempting target for cybercriminals of all stripes.

We have not only rogue actors and state-affiliated hacking groups, but also nation-states attempting to undermine global cybersecurity. According to the U.S. Cybersecurity and Infrastructure Security Agency, both the Chinese and Russian governments have engaged in malicious cyber activities to pursue their national interests and have targeted the aerospace sector. Aviation regulators and the aviation industry must be prepared to adapt to all cybersecurity threats, no matter the source.

The threats we have articulated speak to the existing aviation airspace, which will become increasingly complex. First, we will see an exponential growth in aircraft in the sky. In the U.S., for example, we already have approximately 860,000 registered remotely piloted aircraft systems, or RPAS, the majority of which are hobbyist-owned.  That number is expected to grow to over 2 million within the next five years, with commercial drones constituting the majority.

As with any aircraft, there are vulnerabilities. RPAS customarily rely upon communication links between the controller and the aircraft to fly safely and receive frequent software updates that may contain anything from computer data needed for flight to geo-fencing to keep drones out of restricted airspace. As Eurocontrol notes, some threat concerns include resulting loss of control, theft of the craft or payload, or use of a platform for jamming, spoofing, or eavesdropping.

In addition, we have exciting emerging entrants in Advanced Air Mobility, or AAM, who will challenge us with new cybersecurity risks.  Recently, I toured manufacturing facilities in California for several companies pioneering eVTOLs (electric vertical takeoff and landing vehicles), or what we also call powered lift, or air taxis.  At some point in the next ten years, provided the aircraft meet the FAA’s requirements for safe operations, we anticipate people leaving Los Angeles International Airport, and via ridesharing-style booking, being able to take an eVTOL into the city center for what these companies claim will be only $3-4 per mile.

These aircraft are designed to simplify flying, and one prototype boasts five seats…with no pilot in the plane. I ask people often about flying in pilotless aircraft. By a show of hands, who here would be willing to take the inaugural flight if you knew you had a supervisor on the ground ready to intercede?

There is incredible enthusiasm for this segment, as these crafts are more environmentally friendly and less noisy than many existing options, but as is true with any aircraft, the public must trust their cybersecurity implicitly, especially if and when AAM moves to an autonomous phase.

Several months back, as I contemplated our future cyber challenges, Sir Walter Scott’s most famous and multi-faceted line from his poem “Marmion” sprung to mind: “Oh, what a tangled web we weave when first we practice to deceive.”

The quote resonated most obviously because “the worldwide web” is host to the threats themselves, coming from a tangled web woven within our national and global networks, which have numerous potential cyberattack vectors. And at their core, all of these attacks are based in deception.

But I also thought about the image of a spider web as aptly describing our complementary and intersecting efforts in cyber protection. Each private company or contractor, each government entity, each NGO, adds strands, often overlaying another, and while it may be construed as tangled, even when there seems to be daylight, we catch almost everything that attempts to infiltrate through that web. It’s a symbolic rejoinder to critics of the progress we’re making to date.

As a public servant, one of my highest charges is ensuring we never lull ourselves into a false sense of cybersecurity. We must conduct an honest appraisal of our mutual perils, and this serves us better.

How, then, does the U.S. contribute to the strength of our web of defenses? 

On March 1, 2023, the White House published the Biden Administration’s National Cybersecurity Strategy to guide U.S. cybersecurity policy and infuse it with our shared values of freedom and democracy in order to create an affirmative vision for our interconnected present and future.

As White House National Cyber Director Kemba Walden noted recently, technology is “values neutral.” It can bring democracy-affirming advancements, transparency and privacy protection, or surveillance, cyberintrusions, and digital authoritarianism. It’s incumbent on all of us to craft a lattice that installs democracy-affirming features into our technology. With this purpose, the National Cybersecurity Strategy established the foundation for five pillars of cybersecurity: (1) Defend Critical Infrastructure, (2) Disrupt and Dismantle Threat Actors, (3) Shape Market Forces to Drive Security and Resilience, (4) Invest in a Resilient Future, and (5) Forge International Partnerships to Pursue Shared Goals.

Today, I will talk about pillars one, four, and five, which are most applicable to the FAA.

Defending Critical Infrastructure…

As many of you know, in the United States, the federal government provides air navigation services, through the FAA’s Air Traffic Organization (ATO). In accordance with the First Pillar, the FAA is investing in long-term efforts to implement a zero-trust architecture strategy and modernize informational and operational technology infrastructure by funding multiple zero-trust architecture projects, as well as other efforts to buttress the security of our networks to the greatest extent possible.

Furthermore, the FAA has expanded its cybersecurity partnerships through the Aviation Cyber Initiative (ACI). The ACI is a U.S. government task force comprised of the U.S. Department of Homeland Security, including the Transportation Security Administration (TSA), the U.S. Department of Defense, and the FAA. ACI focuses on identifying and addressing cybersecurity risk and ensuring cyber resilience of the nation’s aviation ecosystem.

Most recently, the TSA issued a number of cybersecurity-related changes to airport and aircraft operator security programs. These changes require the development of network segmentation policies and controls to ensure that operational technology systems can continue to operate safely in the event that an information technology system has been compromised, and vice versa; the creation of access control measures to secure and prevent unauthorized access to critical cyber systems; implementation of continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and timely security patches for cyber systems.

The FAA is supportive of TSA’s recent aviation-focused cybersecurity enhancements, which will help United States airport and aircraft operators improve their cybersecurity and resiliency.

Moreover, the FAA partners not only with TSA, but also, with the Cybersecurity Infrastructure Security Agency (or CISA), the Federal Bureau of Investigation, and the Intelligence Community to monitor, assess, and communicate on adversarial cyber capabilities and threat activities, supporting and informing cybersecurity and resilience efforts across the Aviation Ecosystem.

Furthermore, the FAA has a robust and adaptable cyber-risk model in place to support our extensive traffic mission and related systems. The FAA will continue to prioritize cybersecurity research and development activities to keep us ahead of evolving cyber threats and risks. 

The FAA has substantial regulatory authority to oversee the safety of civil aviation, from aircraft, to airspace, to aviators. 

The latest aircraft coming off the assembly lines constitute the most visible example of our expanding aviation cyber connections.  

During the FAA’s certification processes, manufacturers are required to address cyber risks when they apply for design approval or a change to a previously certified product. Electronic systems must be designed and installed to perform under any foreseeable operating condition, including cyberattacks.  The FAA’s regulatory authority for civil aircraft ensures cyber risks are managed through the application of design-specific “special conditions.”

The FAA applies the special conditions when the current airworthiness regulations do not contain adequate or appropriate safety standards for a new or novel design feature. These special conditions carry the weight of regulatory requirements and mandate that critical aircraft systems be protected from intentional unauthorized electronic interaction. 

Once an aircraft is in service, the FAA addresses cybersecurity safety by monitoring safety impacts using a data-driven methodology.

Invest in a Resilient Future

We do so at American airports by encouraging our stakeholders to invest in cybersecurity and including cyber-security-related conditions in certain FAA grants.

The FAA has required that airport grant recipients consider and address cybersecurity related to the expenditure of public funds. Prior to receiving construction funds, this cybersecurity requirement must be met.

The U.S. has devoted resources as well. For the Airport Terminal Program, U.S. Department of Transportation Secretary Pete Buttigieg announced the Department’s intent to spend nearly a billion dollars on 104 projects at 99 airports. Additionally, 40 discretionary grants totaling $144 million will go to airports. For the FAA Contract Tower Program, the DOT will fund 33 projects at 29 airports for $20 million. All of these grants will have a cybersecurity compliance component in the grant agreement.

Forge International Partnerships to Pursue Shared Goals

Perhaps of most interest to all of the diverse nationalities assembled here is the US commitment to “build a broad coalition of nations working to maintain an open, free, global, interoperable, reliable, and secure Internet.”

In furtherance of this goal, the FAA advocates engagement in cyber policy drafting discussions with ICAO and other bodies. Correspondingly, the FAA occupies the US Panel Member role for ICAO’s Cybersecurity Panel and the Trust Framework Panel. The latter seeks to develop provisions and guidance to support aviation stakeholders’ ability to have confidence in the integrity and source of digitally exchanged information.

The U.S. collaborates closely with our European partners, including EASA and EUROCONTROL. For example, at the first ICAO Trust Framework Panel meeting, the US and EU declared that the panel should prioritize the development of provisions and guidance to support globally harmonized information security management system (ISMS) implementation; the development of provisions and guidance to support globally harmonized digital identity (DI) implementation;  review practices to ensure ISMS and DI provision compliance; and activities that support information security capacity building for aviation stakeholders.

As a robust partner in these efforts, the United States will marshal expertise across domestic public and private sectors, and concurrently work with our international partners to pursue coordinated and effective international cyber capacity-building and operational collaboration efforts.

The US and Europe need to coordinate to achieve our goals, which should also embed our values in the enterprise. But we should not forget that many different methods can craft resilient and adaptable cyber networks. Although we may spin our webs with varying techniques, our shared goals of preserving the confidentiality, integrity, and availability of information systems shall remain paramount.

Today, if a cyber-incident occurs, we can’t just rely on rule enforcement and punishment.  We also need to learn what happened, why it happened, and what we can do to adapt our aviation ecosystem and prevent the cyber incident from happening again.

Despite speaking in a different context, one of America’s greatest philosophers and heroes, Dr. Martin Luther King, Jr., stated in his “Letter from Birmingham Jail” that injustice anywhere is a threat to justice everywhere. Similarly, a threat to cybersecurity anywhere is a threat everywhere. Cyber threats never tire, and neither must our cyber defense.

As the technology of the aviation ecosystem evolves, we expect that cybersecurity challenges will continue to evolve and will require vigilance and ongoing risk management. Our duty compels us to deploy in-depth security principles—adding layer upon layer of defensive measures. Also, we must act on threat information, detect attacks, and follow up with remediation and updated best practices throughout our diverse network.

As the U.S. civil aviation authority and air navigation service provider, the FAA exists at the crux of the web responsible for promoting safe, secure, and efficient Aviation operations. As we practice what we preach, I am confident that the FAA’s aircraft certification process, from design to manufacturing certification, has ensured robust cybersecurity protections for our nation’s aircraft fleets.  Once these aircraft lift off, the FAA will continue to keep our internal and navigation services fortified and resilient to maintain our services to the thousands of aircraft in our skies in a single moment.

The FAA’s work and policies implement the United States' commitment to the National Cybersecurity Strategy’s five pillars, from the FAA’s internal and external investments in defense to international collaboration.

As international aviation leaders, we cannot haphazardly tie together our cyberspace. Instead, we must carefully design and craft an architecture built to last that can be improved on and defend ourselves against the many avenues of attack available to ill-intended entities.  We live in the tangled international aviation webs we have interwoven, and our shared burden is to build an ever-adapting cyber defense system.

Thank you.