During World War II, “Loose Lips Sink Ships” was a familiar slogan on both sides of the Atlantic at a time when German U-boats (U for unterwasserboot, submarine) were wreaking a deadly toll on cargo vessels transporting Allied supplies from North America to the beleaguered British Isles. Loose lips, of course, referred to the mention of shipping movements, destinations, cargoes or just about anything else to anyone not having a “need to know,” even apparently harmless comments to a friend like “Jack is going away on Thursday, and won’t be back for three or four weeks.” Overhearing that, a skilled enemy agent might tie it together with the knowledge that Jack is a merchant ship sailor; with a few more pieces of overheard chitchat, Jack might never return.
Seventy years later, there are many fewer classic spies listening for, and then attempting to piece together, incautious snippets of conversation. Instead, teams of analysts use modern technology, typified by the Internet and similar webs, to filter the zillions of bits of data that are constantly flowing by in the search for key words or phrases or other clues that could help flesh out vital intelligence information buried deep in the everyday traffic. China, the U.S. and Russia are regarded as leaders in this cyber warfare, followed by the UK, some other European NATO members and Israel.
Last year AIN learned confidentially that China had intercepted much of the huge amount of test data transmitted from many of the highly classified systems on board the military’s next-generation F-35 joint strike fighter, leading to suspicion about the surprisingly accelerated development of that country’s stealth fighters. In September, according to Aviation Week, the Marine Corps was restricted from operations away from Eglin AFB until its onboard security systems were upgraded, and this may still be the case.
Protection Against Cyberwarfare in the Civil Sector
But we are not in an actual war, so how does this affect civil aircraft operations? That is entirely unknown, because electronic components from reputable manufacturers destined for use in an avionics unit, or a civil ATC system or a ground/air/ground two-way data system such as Swim, can be compromised in the supply chain and then after installation lie dormant and undetected for perhaps years until remotely activated. And these won’t be physically destructive devices. Typically, they will have access to a large, complex system that they can disrupt or disable intermittently. In addition, these devices, such as a fake rivet head, are also difficult to detect without special facilities. Currently, products from two large Chinese electronics component manufacturers are prohibited from import into the U.S., as are their use in government contracts for completely assembled systems. However, repackaging of such components under false “approved” manufacturers’ documentation remains a major concern, as do the sometimes less than rigorous inspection protocols applied to them as they move through the handling, assembly and acceptance test processes en route to their final installation.
Examples of cyber threats were described at a cyber-security session of the recent ICAO Air Navigation Conference. Threats include:
• ADS-B transmissions that showed several non-existent aircraft approaching to land simultaneously.
• Program code sabotage at a new airport terminal by software engineers who had been promised pay raises but never received them. Check-in services failed three days later, delaying 50 flights, with “knock-on” delays across airline networks.
• Tail strikes or crashes are alleged to have occurred due to incorrect crew EFB entries. But EFBs can be extremely vulnerable to unauthorized access, and EFB entries can be easily inserted when the units are connected to external networks to receive updates just before departure.
• Panelists likened a major cyber attack affecting multiple connected systems to a volcanic ash eruption, shutting down an entire region for several days at a cost of billions of dollars.
Several civil industry organizations have already launched studies of cyber threats, but their activities are not coordinated, with a number of gaps, overlaps and even incompatible standards. The Air Navigation Conference committee agreed to establish a cyber-security task force to evaluate the extent of the problem and draw up, with industry, a global cyber-security architecture.