Cyber Security in Aviation: Legal Aspects

The cyber threat has been deemed as a new and emerging threat against the aviation industry, being referred to as the second major risk to airlines, following natural disasters. Moreover, the International Civil Aviation Organisation (ICAO) has identified cyberterrorism as a distinct threat to the aviation industry, being described as ‘the newest and, arguably, the most elusive threat to civil aviation in the 21st century’. Dr Rebekah Tanti-Dougall delves into the legal aspects of the cyber threat and whether there exists a legal framework to combat such threat.

In today’s digitalised world, there is an increase of dependency upon information technology by the aviation industry for critical parts of its operations, and as a result, cyber security is becoming more necessary than before. Consequently, vulnerabilities present in computer systems may be exploited by cyberterrorists resulting in serious interruption of services within the aviation industry. This is due to the fact that cyberterrorism is an attractive alternative for contemporary terrorists; it is cheaper than traditional terrorist methods since no great expenses are involved, and all that is practically needed is a computer and an internet connection. Moreover, cyberterrorism has the advantage of anonymity, enabling the hacker to avoid any physical evidence being traceable to him. It also enables the hacker to obviate physical airport checkpoints through the medium of cyberspace, allowing the terrorist to perform the act in the comfort of his own home.

The Use of the Internet as a Direct Weapon
Cyberterrorists may carry out an attack against the aviation industry by having access to the computer systems of control towers and aircraft. As a result, cyberterrorists may affect the scheduled timetables of aircraft; shut down airport administrative systems; suspend security measures; disengage communication lines between the control tower and the aircraft; tamper and manipulate information between the control tower and the aircraft; ‘spoof’ the Global Positioning System (GPS); as well as inject data into an aircraft’s Automatic Dependent Surveillance Broadcast (ADS-B) display, creating a ‘ghost plane’ or negating the existence of an aircraft.
In fact, cyberattacks that have already been carried out within the aviation industry include cyberattacks targeting airports such as the Istanbul Ataturk International Airport and Sabiha Gökçen Airport in 2013, where the passport control system at the departure terminal was hit causing many problems at the airport. Technical problems resulting in the failure of the passenger processing system at Indira Gandhi International (IGI) Airport in Delhi in 2011 was also believed to be a cyberattack by the Central Bureau of Investigation (CBI). Moreover, hackers of the Islamic Cyber Resistance Group have claimed to have breached the computer systems of the Israel Airports Authority. Likewise, one of the theories put forward regarding the disappearance of Malaysia Airlines Flight MH370 has been, in fact, a cyberattack.

Current International Conventions
The Convention Relating to the Regulation of Aerial Navigation of 1919 (the Paris Convention) and the Convention on International Civil Aviation of 1944 (the Chicago Convention) attempted to develop rules for international civil aviation. However, they were drafted too early in the history of aviation security to contemplate the extensive threat of cyberterrorism against the aviation industry.