by Dr. Ruwantissa Abeyratne

(March 20, 2014, Montreal, Sri Lanka Guardian) In this journal's issue of 20 April 2011, I published an article on cyber terrorism. That article re-surfaces in significance in the context of one of the theories that have been put forward on the disappearance of Malaysia Airlines Flight 370 - that this could be the start of cyber attacks on aircraft. Philip Ross, writing in the International Business Times of 16 March 2014, says: "As the search for the missing Malaysia Airlines Flight MH370 continues, investigators have come across some startling evidence that the plane could have been hijacked using a mobile phone or even a USB stick. The theory comes from a British anti-terrorism expert who says cyber terrorists could have used a series of “codes” to hack the plane’s in-flight entertainment system and infiltrate the security software. According to Sally Leivesley, a former scientific adviser to the UK’s Home Office, the Boeing 777’s speed, direction and altitude could have been changed using radio signals sent from a small device. The theory comes after investigators determined that someone with knowledge of the plane’s system intentionally flew the jet off course".

Author Michael Hanlon envisions the consequences of a cyber attack: “at first, it would be no more than a nuisance. No burning skyscrapers, no underground explosions, just a million electronic irritations up and down the land. Thousands of government web pages suddenly vanish… the disruption continues: thousands of popular websites, from eBay to YouTube, start malfunctioning or are replaced by malicious parodies. Tens of millions of pounds are wiped off the share price of companies like Amazon as fears grow that the whole Internet credit card payment network is now vulnerable and insecure… eventually, reports start to flood in that hundreds of thousands of personal bank accounts have been raided overnight”. See Michael Hanlon, Attack on the Cyber Terrorists,

James D. Zirin, writing to the Washington Times said: “It is an irony of the digital age that technology has aided the security forces in detecting and thwarting terrorist operations and has helped terrorists do their evil”.

In taking action against cyber crimes, then US President Bill Clinton, in a 1999 speech to the National Academy of Sciences, said: “open borders and revolutions in technology have spread the message and the gifts of freedom, but have also given new opportunities to freedom’s enemies… we must be ready… ready if our adversaries try to use computers to disable power grids, banking, communications and transportation networks, police, fire, and health services—or military assets”.

Jack Phillips, writing in the Epoch Times of 17 March 2014, recounts an instance in 2013, at a conference entitled "the Hack in the Box Conference", where: "security researcher Hugo Teso went on stage and took out his phone. He accessed an app, Planesploit, that he coded himself, which he said could affect a plane’s navigation systems. Teso, who is a researcher, said that he could theoretically change a plane’s route and make it crash with the app. He reportedly did a demonstration on stage to show that systems on board planes are vulnerable".

This was reportedly discounted by regulators of the United States as impossible on the ground that such a hacking technique would not work on certified flight hardware incorporated into the avionics system of a certified commercial jetliner. It was reported in the article that the authorities had further said: "the described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot. Therefore, a hacker cannot obtain ‘full control of an aircraft’ as the technology consultant has claimed". This view had been corroborated by the European Aviation Safety Agency (EASA) which had downplayed Teso’s findings, on the basis that embedded software has a “robustness that is not present on ground-based simulation software”.

Be that as it may, and since anything is up for grabs in the search for the missing aircraft, with theories galore, the cyber attack theory deserves at least a cursory discussion.

Cyber crimes and cyber terrorism are becoming increasingly menacing and the latter has been identified internationally as a distinct threat requiring attention. At the 21st Aviation Security Panel Meeting of The International Civil Aviation Organization (ICAO) (AVSECP/21, 22 to 26 March 2010) a new Recommended Practice related to cyber threats was proposed for adoption by the Council as part of amendment 12 to Annex 17 (Security) to the Convention on International Civil Aviation (Chicago Convention). It was adopted on 17 November 2010, became effective on 26 March 2011 and applicable on 1 July 2011. This Recommended Practice suggests that each Contracting State develop measures in order to protect information and communication technology systems used for civil aviation purposes from interference that may jeopardize the safety of civil aviation. At the 22nd Meeting of the Panel, conducted by ICAO from 21 to 25 March 2011, the Panel noted the value of vulnerability assessments pertaining to cyber security in aviation whose objectives are to evaluate the efficiency of existing mitigation measures and identify any vulnerabilities from a threat-based perspective and further noted that better understanding of residual risks will support a State’s efforts to refine its risk response.

Member States of ICAO, at ICAO's 38th Session of the Assembly (September/October 2013) adopted Resolution A38-15 (Consolidated statement of continuing ICAO policies related to aviation security) which inter alia strongly condemned all acts of unlawful interference against civil aviation wherever and by whomsoever and for whatever reason they are perpetrated. The Resolution noted with abhorrence acts and attempted acts of unlawful interference aimed at the destruction in flight of civil aircraft including any misuse of civil aircraft as a weapon of destruction and the death of persons on board and on the ground and reaffirmed that aviation security must continue to be treated as a matter of highest priority and appropriate resources should be made available by ICAO and its Member States.

The first international convention which addressed the subject of interference with aviation by cyber hacking was the 2010 Convention on the Suppression of Unlawful Acts Relating to International Civil Aviation adopted in Beijing (which unhappily is not in force, still begging for 22 ratifications) which China has signed (but not ratified) and Malaysia is yet to sign. The Convention states in Article 1d) that an offence is committed when a person destroys or damages air navigation facilities or interferes with their operation, if any such act is likely to endanger the safety of aircraft in flight. This clearly refers, inter alia, to cyber terrorism, yet anomalously links the offence exclusively to the safety of aircraft in flight. Article 2a) of the Convention provides that an aircraft is considered to be in flight at any time from the moment when all its external doors are closed following embarkation until the moment when any such door is opened for disembarkation. In the event of a forced landing, the flight would be deemed to continue until the competent authorities take over responsibility for the aircraft and for persons and property on board.

Perhaps the events unfolding from MH 370 would spur more States to ratify the Beijing Convention?

More generally, yet with relevance to the field of aviation, are the activities conducted since the 1980s by international organizations such as the United Nations, Council of Europe, INTERPOL, and the Organization for Economic Co-operation and Development in response to the challenges posed by cyber crime. A significant result of such collective efforts was the publication of the United Nations Manual on Cybercrime and 2001 United Nations Resolution (United Nations Resolution on Combating the Criminal Misuse of Information Technologies General Assembly Resolution 55/63) exhorting States, in the context of an earlier United Nations Resolution on Millennium Goals, which recognized that the benefits of new technologies, especially information and communication-related technologies, are available to all, to ensure that their laws and practices eliminate safe havens for those who criminally misuse information technology. The Resolution also urged States to ensure the cooperation of law enforcement authorities in the investigation and prosecution of international cases of the criminal misuse of information technology, and that this should be coordinated among all concerned States. The Resolution further required information to be exchanged between States regarding the challenges faced in combating such criminal misuse and stated that law enforcement personnel should be trained and equipped to address any criminal misuse of information technology.

A particular feature of cyber terrorism is that the threat is enhanced by globalization and the ubiquity of the Internet. Given such a global problem, requiring a global solution, the one forum that can provide a global framework against cyber terrorism is ICAO. A sustained global process of security risk assessment is the first necessary step. One definition of security risk assessment considered by the ICAO Aviation Security Panel at its Twenty-second Meeting was: “an outcome based process, coordinated by the Appropriate Authority utilising all appropriate resources, consisting of an analysis of prevailing threat factors compared against current mitigation measures, with a view to determining levels of risk that result in the application of appropriate mitigation measures”.

In pursuance of these objectives, ICAO, in collaboration with its Member States, could undertake a study to identify critical aviation information systems; review the effectiveness of existing mitigation measures established for such systems; identify any vulnerabilities in current security arrangements; analyse best practices on how to address these vulnerabilities; and determine how to better manage identified residual risks.

The author is an aviation consultant with over 30 years' work experience in aviation. He worked for 23 years at the International Civil Aviation Organization as Senior Air Transport Officer and Senior Legal Officer respectively.