The air traffic shutdown last week, the worst since 9/11, represents a salutary warning to government as well as private industry. If you thought our air traffic infrastructure is vulnerable to hackers, you’re right. Between outdated computer systems and inadequate cybersecurity, the world of air travel offers multiple points of entry for the current hacker or a future quantum computer attack. Closing those points, and getting serious about making our skies cyber and eventually quantum-safe should be a major priority for a secretary of transportation—far more, frankly, than any climate change agenda.
The truth is, those malicious attacks have been going on for a while.
· On May 7, 2009, hackers got into the FAA computer system, and stole the personal of some 45,000 employees.
· In 2013 a malicious phishing scam targeted 75 US airports.
· On February 23, 2021, NASA and FAA were both hacked by Solar Wind.
· On October 10, 2022, Russian hackers knocked key US airports offline, including LAX and La Guardia, O’Hare and Midway airports in Chicago.
That’s what can happen if someone targets more stationary targets. Airliners themselves are particularly vulnerable, according to Neucrom Security Labs research, thanks to their WiFi services. By cracking open access to the thousands of accounts using WiFi in the air, or hacking into airline terminals on the ground, hackers will have a gold mine rich with what they are looking for, namely mountains of data, both proprietary and personal. It’s not just a US problem. The European Organisation for the Safety of Air Navigation, or Eurocontrol, published a report in July 2021, “Airlines under attack: Faced with a rising tide of cybercrime, is our industry resilient enough to cope?"
But the threat of quantum computer attack goes far beyond stolen identities, cancelled flights, or even airport shutdowns. An extended quantum threat can disrupt air travel for protracted periods, and generate aerial chaos on a global scale. It could mean downed planes, endless routing chaos, and collisions between commercial flights and mission-critical military aircraft in a time of war or national emergency.
For example, the system that went down a week ago was the Notice to Air Missions (NOTAM). It sends alerts to pilots to let them know of conditions that could affect the safety of their flights. It is separate from the air traffic control system that keeps planes a safe distance from each other, but a critical part of guaranteeing air safety.
Imagine a quantum hack that sends false notices to pilots that send them and their passengers on a deadly journey, all based on false data or weather information, and all using the same system that’s designed to keep airliners in the sky, instead of crashing them to earth.
The heart of America’s air travel infrastructure, the Air Traffic Control system itself (ATC), is kept offline to avoid the threat of malicious attack by state or non-state actors. But some components do communicate via the net, for example for system maintenance, while ATC’s Next-Gen modernization program will rely on IP-based networks in order to communicate, which opens another portal to malicious intrusion, especially by a future quantum computer that can punch through any existing encryption.
Fortunately, this White House has gotten serious about the quantum computer threat. So has Congress. Now the Transportation Department needs to take the lead in adopting the zero trust cybersecurity standards required by executive order, including adopting quantum-safe protocols.
What can the transportation secretary and his cybersecurity staff do?
First, post an accelerated timeline for migration of all air travel-related communication and computer systems to post-quantum cryptography, i.e. the large quantum-resistant algorithms recently standardized by NIST, which can also protect against current hackers.
Second, issue a Request For Information (RFI) to cybersecurity companies familiar with the quantum threat, on how to use those NIST standards to map out a strategy for guarding against future quantum hackers in the event of national emergency or time of war.
Third, meet with those quantum cybersecurity companies who can provide the right flexibility and resilience that a full-court press post-quantum cyber regime will need, including regular upgrading of key existing systems and installing of quantum-safe encryption for future ones.
Fourth, make sure other parts of the US transportation grid—rails, subways, highways—are migrating toward post-quantum solutions, as well; including where—as with industrial systems and the power grid—using quantum cryptography may be the better answer than PQC.
Our transportation secretary, and his counterparts in relevant committees in the Senate and the House, need to be constantly thinking about how keep our skies safe from malicious cyberattack. The advent of encryption-breaking quantum computers will make that task all but impossible, unless we take steps now to match the quantum-safe tools we already today, to the systems that will need them tomorrow.