11 Feb Aviation Cybersecurity: Between a rock and a hard place
By Nathaniel Snyder
With a recent data breach at Yahoo that compromised three billion user accounts to Russian interference in the 2016 Presidential election, among many other things, there is an urgent need to improve cybersecurity. Networks and the industries they serve are vulnerable. Given legal obligations for passenger data collection, retention and dissemination, in few industries is the need for heightened cybersecurity more urgent than the air transport industry.
Security systems developed decades ago make information on passengers particularly susceptible to cyberattack. This was shown recently when a security expert, Noam Rotem, uncovered a vulnerability in Amadeus’s booking system that potentially exposed passenger information for 44% of the global airline online reservation market.
Rotem discovered the flaw by substituting a random six-digit reference code into an El Al email he received after booking a flight with the Israeli airline. The code, known as a PNR locator, references a Passenger Name Record – a collection of data that includes a passenger’s name, email, itinerary, physical address, destination, and seat preferences. PNR locators are less secure than a 5-digit password.
Rotem noted that the PNR information was sent in an unencrypted message. Passengers often share their flight details on social media, which include PNR locators. The code combined with a passenger’s last name is enough information to access a passenger’s booking information and fraudulently redeem frequent flyer miles. Domestic law as well as international agreements require airlines to collect passenger information and provide it to security authorities. For example, United States law requires airlines to send Advanced Passenger Information to the Department of Homeland Security and U.S. Customs and Border Protection prior to an incoming flight’s departure. The EU has similar rules on the provision of this information.
Passenger information is collected during online purchases and sales of tickets and during check-in at airport kiosks. Thus, laws on passenger data collection, retention and transmission place an onus on the air transport industry – not just airlines but also airports, travel agents and computer reservation systems – to take the lead on cybersecurity. That said, governments carry the obligation to make the cyber environment safe for commercial, civil aviation actors.
Annex 17 of the Chicago Convention mandates that States develop measures to protect information and communications technology systems from interference that may jeopardize the safety of civil aviation. For its part, the U.S. has recently established a Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security, which also houses the Transportation Safety Administration. Under a Cybersecurity Roadmap released in December 2018, TSA plans to work with other stakeholders in the transportation sector, including the CISA, to:
- assess and prioritize evolving cybersecurity risks;
- protect TSA information systems and critical infrastructure;
- respond effectively to cyber incidents; and
- strengthen the security and resilience of the cyber environment.
How these entities will actually interact with other aviation-related stakeholders, such as the DOT and FAA, remains to be seen.
Across the pond, the EU and its member States face the same challenge. The European Commission recently held the 1st Transportation Cybersecurity Conference, bringing together various stakeholders including the EU Agency for Network and Information Security, European Aviation Safety Agency, national authorities and private industry. As with their American counterparts, the EU is trying to ‘Rais[e] the bar by working together’. Like the U.S., the EU Conference concluded that cross-agency and cross-sectoral cooperation would be key to the assuring the security of our information.
We look forward to the implementation of effective collaborations – both domestic and international.
To subscribe to the Journal of Space Law, click here.
Nathaniel Snyder lives in Washington D.C. advising a U.S. congressional office as a space law fellow, as well as being a full-time student within the National Center for Air and Space Law. He’s currently a 2L student editor for the Journal of Space Law.