It has been 17 years since the 9/11 attacks radically changed this nation and ultimately, the world. Many authorities believe the next 9/11 won’t be a military strike but — instead — could be a massive cyber attack.
Airports and airlines will — however — again be a key to the predicted attacks.
Airlines and airports are still very vulnerable says Tampa International Airport IT head Michael Stephens. He put the danger in perspective for the House Homeland Security Committee’s subcommittee on transportation and protective security. “Cybersecurity risks, without question, represent the most preeminent and existent threat to the continuous safe, secure and efficient operations on U.S. airports and the global aviation system,” he told a congressional hearing on the matter.
There are no regulations governing cyber networks used by airports and airlines. Rep. Bonnie Coleman is a Democrat from New Jersey. She’s working on a bill to require the Transportation Security Administration (TSA) to require airlines and airports to adopt baseline cybersecurity standards.
Her bill — however — is in the earliest stages of development.
Bad guys — she noted — could hack into the computers and servers that run boarding systems, air traffic control systems and any number of systems that control flights. An attack in those areas could cripple the system and dangerously disrupt businesses in the U.S.
A survey from the federal government’s Airport Cooperative Research Program on cybersecurity best practices at airports says there is a huge problem:
• 32 of the 41 airports responding said they have cybersecurity programs in place
• Just 49% of the people who run the programs feel they are adequate to protect from a cyber attack
Officials from the Department of Homeland Security and others working in the cybersecurity area believe it is only a matter of time before a cyber security breach happens at an airline or at many airlines.
Other problems are also present when it comes to airport security. Reports say an investigator from the Department of Homeland Security was recently able to breach a plane on a tarmac. Other security tests — as noted earlier — found huge holes in security inside airports and outside on the tarmac.
And most of us are aware of the employee from Horizon Airlines who hijacked a plane last month at the Seattle-Tacoma International Airport (SeaTac). Richard Russell was fully-credentialed and had a Security Identification Display Area badge. That means he was authorized to work around aircraft.
Russell worked on the airline’s tow team that tows airplanes onto the tarmac for takeoff and also did baggage loading and unloading. So as a ground support employee, he — or others for that matter — have a great deal of access to jets and other aircraft.
No one knows how he learned how to fly an airplane but he grabbed a plane and took a joy-ride around SeaTac doing all kinds of aerial stunts before crashing and dying near Tacoma, Washington.
The air traffic control people he communicated with at SeaTac said Russell told them he learned to fly the plane by playing video games and that it wasn’t that hard to figure out how things worked in the cockpit.
Horizon is owned by the Alaska Air Group and its CEO Brad Tilden said the plane was inside the security fence so no security measures were violated. Russell was fully screened and had a criminal background check.
No red flags were found and an anonymous source at Horizon told CBS News, “We vet against someone who would hijack a plane for terrorism. This is an Horizon Air employee with a clean background, no known criminal activity, no terror relation, and wanted to commit suicide. TSA isn't screening for that because you cannot. We're the processor; the employee (Horizon) is the steward.”
Erroll Southers is a former FBI agent and now works as a transportation security expert. He told CBS the guy likely had some kind of pilot training. If he knew how to do loops in the air then he had the skills to attack people on the ground or fly into buildings.
"The greatest threat we have to aviation is the insider threat. Here we have an employee who was vetted to the level to have access to the aircraft and had a skill set proficient enough to take off with that plane,” Southers said.
Christopher Porter of the cybersecurity company FireEye told the subcommittee meeting the federal government needs to create and lay out a baseline on cybersecurity that clearly defines the roles of airlines, airports and the federal government.
“There may be parts of the aviation sector that have underinvested in cybersecurity because they can't justify it as a business expense, but everyone will be required to do it. I think that would make it a lot easier for them to bring things up to par,” he said.
Commenting on her still-in-development bill, Coleman said, “We must urge security agencies to think creatively about potential new attack actors as terrorists continue to search for new vulnerabilities to target. With that in mind, we must do more when it comes to the cybersecurity of transportation systems. We cannot allow them access to cockpits via cyber means.”
The September 11th attacks in 2001 got airports and airlines — because of new federal involvement in what they do — to tighten security. This has only been moderately successful because tests to the passenger boarding systems and the luggage screens seem to have holes.
Huge holes sometimes.
Republican Rep. John Katko of New York — who is also on the subcommittee — said cyber criminals and terrorists may now be able to attack via an airliner without even having to be in the cockpit of the plane. “The specter remains, a plane could technically be weaponized against us and be taken over by bad guys through cybersecurity threats,” he said.
The events of 9/11 on that horrible day 17 years ago radically changed insurance. Losses hit $32.5 billion. In today’s dollars that figure is much, much higher. Only Hurricane Katrina produced a higher insurance payout.
The 9/11 attacks impacted a number of insurance lines:
• Business interruption
• Workers compensation
Out of the attacks came the federal government’s Terrorism Risk Insurance Act (TRIA) which shares the insurance burden with insurers and caps insurance losses. It has been extended to December 31, 2020 and is now called the Terrorism Risk Insurance Program Reauthorization Act of 2015.
Source links: The Hill, CBS News, Insurance Information Institute