U.S. Senator Maria Cantwell (D-Wash.), Chair of the Senate Committee on Commerce, Science and Transportation, delivered the following opening remarks at today’s hearing on cybersecurity threats faced by airports and airlines, including impacts to passengers. Read the witness testimonies and watch the hearing here. Witnesses include Sea-Tac Aviation Managing Director Lance Lyttle, who spoke to the recent cyberattack at the airport.

Chair Cantwell’s Opening Remarks As Delivered: VIDEO

Good morning. The Senate Committee on Commerce, Science and Transportation Committee will come to order. This morning, we are having a hearing on aviation cybersecurity threats. I appreciate the witnesses being here today.

The reality is stark: our aviation industry is under constant threat from cyberattacks, up 74 percent since 2020.

With the aviation sector contributing more than 5 percent of our GDP, $1.9 trillion in total economic activity, and supporting 11 million jobs, we have to wake up and take these aviation cyberthreats seriously.

As we saw in the 1990s, when weaknesses in the power grid exposed the system to catastrophic failures, we have a similar situation today in the aviation sector.  Like with the utility industry, the solution has to be a strong national standard for resiliency, and organizations committed to the highest standard – whether that’s voluntary as an organization, or something stronger.

Because every time we witness these technology failures, consumers are the ones left holding the bag.

Let me share a recent example that hits close to home. Last month, Seattle-Tacoma International Airport was hit by a ransomware attack from the Rhysida Group, forcing airport leaders to shut down various computer systems that run everything from ticketing to display boards to baggage claim, creating a confusing environment for passengers and workers, and yes, delaying flights and some flight cancellations.

The display boards were down for a week.  I personally ran through the airport trying to catch a flight, not sure if I was going to the right gate.  I had something on my device, but since all the boards were dark, I had no idea if I was going to get to my gate, or if that was really going to be the gate. 

The displays were down for a week and employees had paper signs directing passengers on where to go to get to a gate.  Check-in kiosks were down too, forcing passengers to wait in line for paper tickets. Other passengers endured long waits at baggage claim as airport staff manually sorted the thousands of checked bags in the terminal.

The airport’s internal email systems and website went down, and the attack group, which is believed to be a Russian organization, is now threatening to release personal data from airport employees unless the Airport pays $6 million worth of Bitcoin ransom.

While most systems are now back online, three weeks later the airport’s website and some internal human resources functions remain down today.

I appreciate … SeaTac’s Aviation Managing Director, Lance Lyttle, who is with us here to discuss the impacts of this event and the lessons learned.

SeaTac’s situation isn’t unique. Across the country, we've seen troubling examples of cyber vulnerabilities in our aviation sector. In 2020, a hacker accessed internal systems at San Francisco International Airport. In 2020, San Antonio Airport had its website spoofed.  And let's not forget the 2015 incident where a hacker claimed he had access to a United Airlines flight's controls through the in-flight entertainment system.

That is why we are here today– to spotlight this issue and figure out what more needs to be done. And to let the traveling public know that Congress and the Federal Government are going to combat potential disruptions to their air travel and safety.

The FAA Reauthorization bill, which was signed into law, included a subtitle strengthening cybersecurity, including directing FAA to establish a process to track and evaluate aviation cyber threats, and designating a Cybersecurity Lead at the Agency.  And just last year, TSA and FAA both issued cybersecurity requirements for airports, airlines and manufacturers.

I’m grateful to have Marty Reynolds, a cybersecurity expert from Airlines for America, who is here to tell us about emerging threats to aviation cybersecurity and how the industry and government can respond.

Cyberattacks and other recent technology outages in aviation– like the NOTAM failure, or the Southwest meltdown, or the CrowdStrike outage – have made it clear that brittle infrastructure won’t cut it.

In the aftermath of the cyberattack at SeaTac, Port of Seattle Executive Director Steve Metruck said that business and government “need to invest in cybersecurity” and “need to be prepared should a cyber [attack] gain access to systems.”

When airport and airline systems are compromised, it also puts passengers’ personal data at risk. For instance, in 2020 hackers stole the credit card information of over 2,000 passengers. And cyberattacks on frequent flyer accounts are up 166% in just the past three months.

The SeaTac incident created hardships for travelers—like nonfunctioning flight status [boards] and, as I mentioned, delays getting luggage. And it’s easy to imagine a scenario where cyberattacks coinciding with other events could cause more cancellations or delays.

Even in these difficult situations, airlines must abide by their passenger commitments and requirements.

Mr. Breyault is here from the National Consumers League to remind us of those resources passengers have when dealing with flight disruptions. This includes requirements for airlines to provide hassle-free refunds as mandated by the FAA Reauthorization.

Thank you again to our panelists for being here. I look forward to your testimony.