The Israeli military made (air)waves last week when it announced that it was installing cyber defenses on its F-35 jets. While this may seem like a futuristic concept, it’s actually long overdue from an online security standpoint.
“Bad actors were already doing bad things on the internet before the military caught up with technology,” Richard Blech, founder and CEO of the cybersecurity firm Secure Channels, told the Observer.
Indeed, while hacks of civilian websites like Sony and Ashley Madison have made more headlines in recent years, military jet hacks have also become more common—a group of Chinese hackers actually stole large amounts of data about America’s F-35 fleet from Pentagon and Lockheed Martin servers between 2009 and 2013.
The government needs to take these threats more seriously, according to Blech—and that means funding programs to stop them.
“We have to get the budget out there to stay ahead of this because otherwise it’s gonna have a major impact,” he said.
Some members of Congress share Blech’s sense of urgency—last year Massachusetts Senator Ed Markey sent letters to 12 airlines, along with Airbus and Boeing, asking how the companies were responding to cybersecurity threats in the air.
“As technology rapidly continues to advance, we must all work to ensure that the airline industry remains vigilant in protecting its aircraft and systems from cybersecurity breaches and attacks,” Markey, a member of the Commerce, Science and Transportation Committee, wrote in the letter.
The answers Markey received revealed that there is no uniform standard for cybersecurity testing, so in April he introduced the Cybersecurity Standards for Aircraft to Improve Resilience Act of 2016, which would require the disclosure of information relating to cyberattacks on aircraft systems, and would establish guidelines to identify and address cybersecurity vulnerabilities in commercial aviation.
“We know that terrorists and others that mean to do us harm will try to exploit any loophole or technological advance in our transportation systems, so we must continually bolster the standards and practices of the airline industry to ensure the safety and security of passengers on board commercial aircraft,” Markey said in a press release announcing the bill.
The bill was referrred back to Markey’s committee, but no further action has been taken. Markey’s office did not respond to several requests for comment.
Blech said that Washington red tape was no excuse for risking the security of military air fleets.
“If you don’t have a standard there’s gonna be confusion and there’s not gonna be interoperability,” he said. “Bad actors are gonna find an attack vector to expose. Protections have to be put in at the conceptual stage when you’re building out the aircraft.”
Blech did give politicians like Markey credit for focusing on civilian airlines instead of just military ones—most in-flight wi-fi networks have very little security, and so they too can be easily hacked.
“You have to apply this to commercial aviation,” Blech said. “Are they gonna protect every attack vector? I don’t think so. But stronger security would make it harder for bad actors.”
So should the United States have a uniform standard for cybersecurity in the air?
“Absolutely,” Blech concluded. “This needs to get some significant and serious attention.”