Commerce Committee Democrats Set Focus on Cybersecurity Threats to Nation’s Aviation System, Impact on Consumers

September 19, 2024

Hearing comes in the wake of cybersecurity attack on Sea-Tac Int’l Airport

U.S. Senator Maria Cantwell (D-Wash.), Chair of the Senate Committee on Commerce, Science and Transportation, and Committee Democrats focused during yesterday’s hearing on the need to invest in resilient and redundant information technology systems at airports and airlines to better protect against cybersecurity threats, safeguard passengers’ and employees’ personal data—including credit card and frequent flyer accounts—and ensure consumers have the tools they need to recover when they are harmed.

The Committee heard testimony from Seattle-Tacoma International Airport Aviation Managing Director Lance Lyttle regarding last month’s cyberattack, as well as Airlines for America Managing Director for Cybersecurity Marty Reynolds, and National Consumers League Vice President of Public Policy, Telecommunications and Fraud John Breyault.

“The reality is stark: our aviation industry is under constant threat from cyberattacks, up 74 percent since 2020,” said Sen. Cantwell. “Every time we witness these technology failures, consumers are the ones left holding the bag.”

Last month, Sea-Tac International Airport was hit by a ransomware attack from the Rhysida Group, forcing the airport to shut down various computer systems, including its internal email and website. Gate display boards went dark, employees used paper signs to direct passengers to gates, airlines issued paper tickets and customers waited at baggage claim while airport staff manually sorted thousands of checked bags. The attack group, believed to be a Russian organization, has threatened to release personal identifiable information of airport employees unless the Airport pays $6 million worth of Bitcoin ransom.

“That is why we are here today – to spotlight this issue and figure out what more needs to be done, and to let the travelling public know [what] Congress and the federal government are doing to combat potential disruptions to their air travel and safety,” Sen. Cantwell said.  

Watch Senator Cantwell’s Opening Statement Here


Sen. Duckworth stressed the importance of avoiding a single point of failure and the importance of information sharing to build stronger network systems.

Sen. Duckworth: I am a pilot myself. I know that the basic thing in aviation safety is you should never be left to a single point of failure in any system and that redundancy saves lives. When Boeing left a safety critical system on the 737 MAX dependent on a single angle of attack sensor, two flights crashed, killing 346 people. So when I see the NOTAM system knocked out by an accidental file deletion and so much of the aviation system knocked out by the CrowdStrike software update, that really worries me, that’s a single point of failure and we don't want that.

To better protect the aviation systems from cyberattacks, I believe we need to improve both redundancy and resiliency.

Mr. Lyttle, how can airports, airlines, and the federal government work better together to help improve the redundancy and the resiliency in our systems computer network?

Mr. Lyttle: I think we have to do far more information sharing. We can always learn from each other. Airports can learn from other airports. We can also learn from the TSA and CISA in terms of the information they are gathering and seeing out there. Sharing this information immediately with the aviation industry.

Airports in general have very robust cybersecurity, but nothing is impenetrable, nothing is 100% secure. So if each airport can actually learn from each other … we are required to submit these plans to the TSA and CISA, if they can consolidate this information, come up with a recommendation and standards in a much more timely manner and disseminate that back to the aviation industry so that we can continuously improve our cybersecurity defenses.

Watch Senator Duckworth’s Exchange Here


Sen. Rosen discussed the importance of segmenting networks to prevent cyberattacks from infiltrating or further spreading across airport or airline systems.

Senator Rosen: Mr. Lyttle … in the wake of the cyberattack on your airport, you said networks ranging from employee email to information systems and public Wi-Fi all became unavailable. One of the first actions taken by the Port of Seattle was to isolate critical systems. However, basic cyber hygiene recommends that networks should already be segmented in a way that separates critical services, including the separation of public and internal systems.

In what way were these critical systems at the airport connected to public systems? You have critical systems, were they connected to external websites? Were they connected to public Wi-Fi? Whereby ransomware could really gain access to them and impact all of these systems at once. Are they segmented in such a way?

Mr. Lyttle: Yes, one of the reasons why we were able to recover so quickly, or not to have some of our services interrupted is actually because of segmentation. For example, our access control system was on a totally segmented network. Conveyer systems were on a totally different network. So, the network that was actually impacted was segmented. That is something we have been doing for years. One of our learned lessons is that we would like more segmentation. But there are several systems at the airport that were not impacted because of segmentation.

 Watch Senator Rosen’s Exchange Here


Sen. Hickenlooper asked Mr. Breyault from the National Consumers League about how cyberattacks bring a unique vulnerability to consumers’ personal identifiable information.

Sen. Hickenlooper: Mr. Breyault, ransomware attackers often attempt to shutdown computer systems and steal confidential data that they can extort businesses or individuals somehow, basically stealing data and trying to sell it. Keeping consumers' data secure, making sure that we don't collect excessive and unnecessary data also helps reduce risks from financial fraud and scams while protecting people's privacy.

What proactive steps, Mr. Breyault, can businesses take to protect their customers and employees' sensitive and personal data?

Mr. Breyault: Number one, it is doing an inventory of what information you are actually collecting then to find out if you actually need that information to conduct the business. If you don't need that information, can you minimize the amount of data you are holding onto? If you are reducing the threat factor, the number of bases you have to cover, to use a baseball term, it is easier to play defense against cyber thieves.

Then, knowing how to get rid of that data securely, get rid of that data you're taking in as part of your business securely, and finally having a recovery plan in place when all of the other things you've done don't work so that consumers at the end of the day can recover from that. 

Watch Senator Hickenlooper’s Exchange Here


Sen. Klobuchar spoke about the recent CrowdStrike cyber incident and the importance of investing in the nation’s aviation networks to protect consumers and prepare for the emerging threat of AI.  

Sen. Klobuchar: The recent CrowdStrike outage we all know plagued our airports, plagued our transportation, and it was caused, as we all know, by a flaw in the security update. Mr. Breyault, in your testimony you highlighted the growing trend in ransomware attacks in the aviation sector. Can you speak to how investing in secure and operable networks can protect consumers while something else was going on here with CrowdsStrike?

Mr. Breyault: I would respond to that by saying that more investment in cybersecurity resiliency will help address not only the ability of aviation networks to resist hacking, but it would also give them resources to help train the staff who interact with those networks.

I think as most experts in cybersecurity will tell you, most humans are often the weakest link in any cybersecurity chain. Chair Cantwell talked earlier about the need for greater hygiene to get staff and people who interact with these networks to avoid things like clicking on suspicious links that can subject a network to a ransomware attack that ultimately shuts it down and has these dramatic impacts on consumers, missed flights and things we talked about.

One thing that hasn't come up yet that may also play a role is the emerging threat of AI. We are very concerned at NCL that the bar to entry for cyber thieves to conduct these ransomware attacks is really going to be dramatically lowered because of the ability of AI to make it easier for people—who may not have the same skill set you may have needed five or ten years ago to commit a ransomware attack—to commit one. The number of threat actors out there we fear is only going to multiply. The kind of investment that we need in cybersecurity resiliency is more urgent now than ever.

Watch Senator Klobuchar’s Exchange Here