America’s Cyber Adversaries Are Watching The Response To The FAA Outage
A panic spreads across America as planes are unable to take off and people are stranded wondering what is going on. It is almost unbelievable that a disaster as large as this could be caused by a single corrupted file. However, we are in a new age marked by unimaginable connectivity and complexity. If the defenders of America’s critical infrastructure are not careful in how they respond to this incident, we may soon be facing another one perpetrated by a hostile nation state that is much more difficult to recover from.
On the night of January 10th there was an outage of the Notice to Air Missions (NOTAM) system. This system is very important to pilots because it provides the information they need to fly safely. NOTAM provides pilots with notices containing the details of hazards and abnormalities, such as their time, location, and description. The ground stop issued by the Federal Aviation Administration (FAA) on the morning of January 11th affected over 10,000 flights. An outage of this size has never been seen before in the aviation space.
NOTAM is over seven decades old, but the software utilized in its current iteration was introduced in 1993. Apparently, eight contract employees had access to this particular system where the corrupted file was found. Who knows what controls, if any, were in place to prevent an employee from taking down the system, intentionally or not. The file was also found in the backup system, which made restoring from these backups quite difficult. A senior government official claims that the NOTAM system was going to be updated in six years, a far cry from a reasonable timetable. A former senior vice president of air operations at American Airlines says there have been concerns about FAA technology for some time as it is mostly out of date.
If America does not get serious about its tech debt, it is going to continue to face catastrophes on this scale. Government is notorious for running out-of-date software on unpatched machines. A bill was introduced in the House in 2021 to address much-needed improvements to the NOTAM system, but it never reached the Senate. It is easy to whistle past the graveyard if everything is seemingly running well, but all it takes is one configuration error to destroy infrastructure with a poor foundation.
America’s enemies are watching these incompetencies, and possibly salivating. They get a glimpse, if they did not have one already, into just how fickle America’s aging computer infrastructure is. No doubt there are teams of elite nation-state hackers actively researching the issue with NOTAM and taking notes for potential compromises in the future. They will not limit their attacks to air travel either. Plenty of other federal government, state, and municipal systems are in dire need of updates, patches, security controls, and personnel. From water to electricity, the things that Americans rely on in their daily lives are supported by insecure and outdated technology. It seems that the American people are the only ones who do not know this.
A thorough review is just the start of what is necessary to address this outage. Time and money must be heavily invested in restoring America’s infrastructure technology across the board. This effort cannot degenerate into a slush fund either. All too often, money is thrown at the government’s problems in hopes that spending more will do more.
It is convenient then that the private sector has just the blueprints necessary to follow. Because they face similar challenges in preventing disasters such as this, businesses and corporations are very concerned with protecting their systems and providing a way to recover if they go down. The private sector should be consulted in efforts to learn from these mistakes. The Cybersecurity and Infrastructure Security Agency should also be leaned on to provide centralized and organized guidance on improving the disaster recovery capabilities of the FAA and other government entities.
America’s foreign adversaries, particularly the Chinese Communist Party, are actively looking for ways to subvert America’s power and influence through offensive cyber operations. It is not time for wishful decrees like those made by Transportation Secretary Pete Buttigieg, in which those responsible for the errors are told to simply “make sure that there are enough safeguards built into the system that this level of disruption can’t happen because of an individual person’s decision or action or mistake.” The federal government must roll up its sleeves and start to get serious about the critical vulnerabilities that exist within countless information technology (IT) and operational technology (OT) systems that control vital infrastructure. If a proper response is not given, this FAA outage will only be the beginning.