Thankfully, to date at least, cyberattacks have not been directed against the safety and security of aircraft; they are, however, being carried out against the aviation industry through attacks on airport systems and websites, as happened at the Istanbul Ataturk International Airport in 2013, where the passport control system at the departure terminal was directly targeted. Hackers of the Islamic Cyber Resistance Group claimed to have breached the computer systems of the Israel Airports Authority; Japan Airlines reported a hacker attack in September 2014 with evidence confirming unauthorised access to its Customer Information Management System; American and United Airlines also reported that hackers managed to get hold of user names and passwords of frequent flyers in December last year, and both British Airways’ and Lufthansa’s air-miles accounts were hit by cyberattacks earlier this year. On 12th April, in Tasmania, Hobart International Airport’s website was shut down for over 24 hours due to a cyberattack by a group with alleged ties to Islamic State.
Therefore, should a hacker be able to attack these websites, how long would it take them to bypass the firewalls of the air control system and carry out a cyberattack against an aircraft in flight? Indeed, the threat of cyberattacks is gradually being seen as a real challenge for the aviation industry. However, what frightens me most is the lack of awareness of it. Why do people question whether the cyber threat could be a reality? Is it because they are denying any possible threat? Or are they afraid to admit such threats exist, because doing so would ultimately mean accepting them as a reality?
But what if an aircraft has already been subject to a cyberattack, and we have not even realised it? One of the theories put forward regarding the disappearance of Malaysia Airlines Flight MH370 was based on such a possibility. And more specifically, how could it be that in 2015, in an age where technology is being utilised to an absolute degree, we are still not able to identify the whereabouts of an aircraft? Therefore, could this have been the first cyberattack without anyone even realising or declaring it?
However, whether we are ignorant of future threats towards the aviation industry, or afraid to acknowledge even the remotest possibility of such attacks against an aircraft, I have to ask: hasn’t the aviation industry suffered enough? And through such suffering, has the lesson been learnt?
With reference to past terrorist attacks against the aviation industry, it is of utmost importance that we do not let history repeat itself. Immediately after 9/11, security measures were heightened; but are we failing yet again to address future threats in toto? As a direct response to 9/11, a 9/11 Commission was established, which highlighted four essential failures present in the United States’ aviation security: the failure of imagination, the failure of policy, the failure of capabilities and the failure of management.