What the FAA Ground Stoppage Reveals about Cybersecurity

By CHHS Extern Kimberly Gainey

The Federal Aviation Administration (FAA) garnered significant negative attention last month after an overnight outage of its Notice to Air Missions (NOTAM) system grounded early morning domestic flight departures for approximately 90 minutes on Wednesday January 11, 2023. This nearly unprecedented nationwide stop in air traffic, the first in over 20 years, led to thousands of flight delays and cancellations. The FAA attributes the outage to a database file “damaged by personnel who failed to follow procedures.” Despite the FAA’s not so veiled attempt to place the blame on human error, public attention remains focused on outdated technology. A government source indicated that the applicable software is approximately 30 years old, with updates not planned for another six years.

Recent scrutiny reverberates sentiments expressed by airlines about FAA funding constraints, staffing limits, and outdated technology. United Airlines CEO Scott Kirby indicated that the FAA needs both “more funding” and “more investment for technology.” The CEO of the US Travel Association, Geoff Freeman, described the “catastrophic system failure [a]s a clear sign that America’s transportation network desperately needs significant upgrades.”

In spite of FAA assurances that there was no evidence of a cyber attack, people were quick to question the agency’s cybersecurity. Congressman Ritchie Torres (D-NY) expressed concern regarding the “cyber vulnerabilities of the antiquated systems that undergrid modern air travel” and requested a joint review by the Cybersecurity and Infrastructure Security Agency and the Department of Transportation. Transportation Secretary Pete Buttigieg welcomed attention from Congress given the upcoming FAA reauthorization bill, which will provide the agency with funding and direction for next five years. The FAA’s budget estimate for 2023 includes the need to “eliminate the failing vintage hardware that currently supports . . . the national airspace system.” Senator Ted Cruz (R-Texas) called for Congress to “enact reforms” in the impending legislation, describing the “FAA’s inability to keep an important safety system up and running [a]s completely unacceptable and just the latest example of dysfunction within the Department of Transportation.” The House of Representatives responded, passing the NOTAM Improvement Act of 2023to strengthen the reliability and effectiveness of the FAA’s NOTAM system.”

This myopic focus on the NOTAM system is a missed opportunity to discuss the multifaceted nature of cybersecurity, which attempts to manage and mitigate dynamic threats across an expansive threat landscape. The FAA extolls its efforts “to be increasing proactive and vigilant when it comes to cyber threats,” highlighting “a cybersecurity workforce that protects our aerospace assets” comprised of “unsung heroes, because this cyber battle is being fought behind the scenes, 24/7/365.” These efforts implement a 2021 Executive Order on Improving the Nation’s Cybersecurity, requiring “agencies to enhance cybersecurity and software supply chain integrity.” However, whether the FAA’s cybersecurity actions are laudable or deficient is an open question that one seems to be asking. The continued reactive focus on the NOTAM system involved with the ground stoppage misses a larger problem. Our leaders need to adjust their perspective and pivot to a proactive assessment of risk from older systems, which may merit updating. It is not enough to figure out what went wrong last month; we need to look for other vulnerabilities and remediate them.