DHS Finally Declares Year-Old Cyber Emergency for Aviation
Brian Cavanaugh
Only a quarter of the way through 2024, an undeniable reality has emerged: America’s critical infrastructure faces an unparalleled threat of cyberattack.
As foreign adversaries, emboldened and armed with advanced tools, push the boundaries of our cybersecurity measures and prime themselves to launch attacks, Americans must ask: If the federal government is taking action, is it the right action?
During a national security summit last week at Vanderbilt University, FBI Director Christopher Wray emphasized the seriousness of the cyberthreat to the U.S.
Wray declared that China “has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage, and that its plan is to land low blows against civilian infrastructure to try to induce panic and break America’s will to resist.”
Wray’s comments are the most recent in a series of warnings about China’s intentions from key government officials.
In January, the FBI director was joined by Army Gen. Paul Nakasone, then director of the National Security Agency, and Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, in testifying before the House Select Committee on Strategic Competition Between the United States and the Chinese Communist Party.
The three officials testified to the troubling shift from the Chinese Communist Party’s historical focus on espionage to one of preparing and launching destructive cyberattacks against U.S. critical infrastructure.
As with most of what Americans see from the federal government, the public messaging on this development seems reactive and without a sense of urgency.
Case in point: Last Friday, the Department of Homeland Security’s Office of Strategy, Policy, and Plans issued in the Federal Register what it calls a Recommendation Regarding Emergency Action in Aviation. On the surface, the notice continues prior messaging regarding the threat to U.S. critical infrastructure. But the details suggest that this was intended to be a “nothing to see here” release to the public.
The details are clear. On March 7, 2023, the Transportation Security Administration, which is part of the Department of Homeland Security, issued Joint Emergency Amendment 23-011 to certain aviation stakeholders, to address a significant cybersecurity threat to the aviation system.
This notice triggered a statutory review of plans by the Transportation Security Oversight Board. On April 20, 2023, the board recommended that a cybersecurity emergency warranted the Transportation Security Administration’s decision to expedite implementation of critical cyber-mitigation measures through the exercise of emergency regulatory authority.
The fact that DHS filed its notice in the Federal Register precisely one year after the oversight panel’s recommendation, and on a Friday, reveals the Biden administration’s desire to avoid public messaging.
This notice of a cybersecurity emergency for the aviation industry is just the most recent in a growing list of warnings from the Department of Homeland Security. Earlier last week, ABC News reported that DHS sent out an alert that public emergency communications systems were a likely target for cyberattacks, only to see system outages across four states affecting millions of Americans later that same evening.
It is not a sustainable strategy to continue to absorb cyberattack after cyberattack without taking action to stop them. And yet that appears to be the course the Biden administration is set on.
In fact, despite the growing number of cybersecurity experts, and the higher salaries these positions command, the trends are going in the wrong direction. According to IBM’s Cost of a Data Breach report, the mean time to identify a data breach in 2023 was 204 days. That demonstrates not much has changed since 2016, when the mean time to identify a data breach was 201 days.
DHS’ role in cybersecurity has been muddled by interagency squabbling and a lack of clear focus. The department’s Cybersecurity and Infrastructure Security Agency must find a way to engage proactively with critical infrastructure owners and operators to address the clearly identified threats from nation-states. DHS leadership also needs to challenge the status quo for solutions.
The department should look to the president’s Office of Science and Technology Policy to challenge the private sector in developing innovative solutions to close the gap in detecting malware. We should be measuring the mean time for detecting data breaches in hours, not hundreds of days.
CISA’s Joint Cyber Defense Collaborative is falling short in its ability to produce results. It relies too heavily on large, established tech companies instead of agile, smaller start-up companies that drive innovation.
Additionally, the government has other tools available to combat persistent cyberattacks, thanks to Executive Order 13961, Governance and Integration of Federal Mission Resilience, which delegated authorities from the Executive Office of the President to DHS’ Office of Science and Technology Policy.
The director of the latter office may exercise the authorities vested in the president by section 706(a) and (c) through (e) of the Communications Act of 1934—which are the war powers of the president as they relate to priority communications.
If the threats to our critical infrastructure are so severe, the government should be planning for, and exercising, its capabilities.
In the meantime, the light is blinking red for our nation’s critical infrastructure.