Tuesday, 23 June 2015

Hacking Into Airports And Airlines – An Application To Sri Lanka

This national security and defense policy can be used for furthering Sri Lanka’s cyber security agenda; this policy must also ensure that military operations and civilian missions are protected against   cyber attacks.

Last Sunday, hackers attacked the computer system of LOT Polish Airlines, grounding 10 flights and  delaying   12 other flights.  This caused severe inconvenience to  nearly 1500 passengers.  Cyber attacks on facilities and infrastructure are here.  They are no longer  viewed as things to come.  For instance,  The Guardian has reported that Chinese hackers broke into the computer networks housing the personal information of all federal US government employees in March in an apparent attempt to target people who had applied for top-secret security clearances.

Cyber interference, cyber crime and cyber terrorism against air transport are all offences against civil aviation, particularly resulting in unlawful interference with civil aviation, which has  been addressed on three major occasions, though the Tokyo Convention of 1963, The Hague Convention of 1970 and the Montréal Convention of 1971. Yet none of these conventions referred, directly or indirectly, to cyber terrorism.

The first such Treaty to do so, the 2010 Convention on the Suppression of Unlawful Acts Relating to International Civil Aviation adopted in Beijing, provides  in Article 1d) that an offence is committed when a person destroys or damages air navigation facilities or interferes with their operation, if any such act is likely to endanger the safety of aircraft in flight. This clearly refers, inter alia, to cyber terrorism, but links the offence exclusively to the safety of aircraft in flight. Article 2a) of the Convention provides that an aircraft is considered to be in flight at any time from the moment when all its external doors are closed following embarkation until the moment when any such door is opened for disembarkation. In the event of a forced landing, the flight would be deemed to continue until the competent authorities take over responsibility for the aircraft and for persons and property on board. For instance if, as a result of an act of cyber terrorism, a taxiing aircraft collided with an aircraft that had opened its doors for disembarkation, but passengers were still on board, such an act would not be considered an offence in terms of the passengers in the process of disembarkation. That is, the offender(s) would not be committing an offence under the convention either against the second aircraft or its disembarking passengers. Nonetheless, the Beijing Convention of 2010 is an initial step toward countering the threat of cyber terrorism, a threat directed often toward the target of air transport.

Regrettably the Beijing Convention – the only international attempt at hinting at cyber crime – does not seem to cover the LOT Polish situation.

Interception of data is a significant offense that is a precursor to cyber crime and cyber terrorism. The Cybercrime Convention defines interception as: “Listening to, monitoring or surveillance of the content of communications, to the procuring of the content of data either directly, through access and use of the computer system, or indirectly, through the use of electronic eavesdropping or tapping devices”.

In the context of the hacking into LOT computers  in Warsaw, NBC has reported that  “The General Accountability Office has examined plans by the FAA and partners detailing upgrades to aircraft systems from onboard navigation to ground-based flight tracking and communication — and concluded that more work must be done to protect them against hackers and other cyber security threats. Planes with more robust connections with the ground and other craft would be easier to track and harder to lose, but as the GAO puts it in its report, “this interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems”.

The only workable solution to this conundrum is regulation and certification  and a good analogical study on the enormity of threats posed by cyber crime to the global air transport system is reflected in the approach taken by the Federal Aviation Administration (FAA) of the United States.  FAA’s Office of Safety (AVS) currently certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cyber security of all new aircraft systems.

As the Agency transitions to the Next Generation Air Transportation System (NextGen), the FAA has concluded that there are three main challenges to enforcing cyber security in air transport.  They are : ensuring protection of  air-traffic control (ATC) information systems;  protecting aircraft avionics used to operate and guide aircraft;  and clarifying cyber security roles and responsibilities among multiple FAA offices.

At the core of the issue is the ubiquitous Internet as most modern aircraft types are linked to it. This linkage leaves avionics systems vulnerable to remote access by unauthorized individuals. Added to this problem,  significant security-control weaknesses remain that threaten the regulator’s  ability to ensure the safe and uninterrupted operation of the national airspace system. This notwithstanding, The FAA has developed a robust programme that is calculated to protect air transport and air traffic systems.  However, what is still to come is a cyber security threat model. It is reported that “while FAA has taken some steps toward developing such a model, it has no plans to produce one and has not assessed the funding or time that would be needed to do so. Without such a model, FAA may not be allocating resources properly to guard against the most significant cyber security threats”.  The Cyber security Steering Committee which oversees security, plays a significant role in ameliorating damage envisioned with regard to cyber offences against aircraft.

Sri Lanka has its own Computer Crimes Act of 2007 which applies to a person who commits an offence  while being present in Sri Lanka or outside Sri Lanka; where the computer, computer system or information affected or which was to be affected was at the material time in Sri Lanka or outside Sri Lanka;  the facility or service, including any computer storage, or data or information processing service, used in the commission of an offence under the Act was at the material time situated in Sri Lanka or outside Sri Lanka ; or the loss or damage is caused within or outside Sri Lanka by the commission of an offence under this Act, to the State or to a person resident in Sri Lanka or outside Sri Lanka.  The Act imposes penal sanctions on any person who intentionally commits  any act, in order to secure for himself or for any other person, access to any computer; or any information held in any computer, knowing or having reason to believe that he has no lawful authority to secure such access.  Such a person would be deemed to be  guilty of an offence and if convicted would be liable to a fine not exceeding one hundred thousand rupees, or to imprisonment of either description for a term which may extend to five years, or both such fine and imprisonment.

Particularly relevant to hacking in the context of air transport is Article 6 of the Act which provides that any person who intentionally causes a computer to perform any function, knowing or having reason to believe that such function will result in danger or imminent danger to national security; the national economy; or public order, would be, upon conviction,   guilty of an offence which will  be punishable with imprisonment of either description for a term not exceeding five years.

However, post facto laws per force do not prevent cyber crime and prevention is key.  In this context there have already been sage recommendations from Sri Lankan experts.  Reshan Dewapura CEO of ICT Agency (ICTA) has, at a national conference in 2011  said: “It is only through the joint actions of governments and citizens as a whole, as a cohesive force, that a reliable shield against cybercrime can be built… centralized bodies such as Sri Lanka CERT, Law Enforcement Agencies and the Legislature should focus on areas where it has particular competence, such as protecting critical infrastructure and coordinating legal structures, as well as regulating and working with business, consumer protection privacy, and anti-terrorism… The national security policy would need to be extended to include a cyber security agenda that covers the length and breadth of the country, in order to take the message to the people that cyber security is compatible with individual rights, privacy and freedom of speech.

This national security and defense policy can be used for furthering Sri Lanka’s cyber security agenda; this policy must also ensure that military operations and civilian missions are protected against   cyber attacks. Cyber defense should be made an active capability of the country as a whole; it is crucial that Sri Lanka takes advantage of the overlaps it shares with its powerful Asian neighbors to coordinate activities between our countries”.

One cannot offer better advice than this.

View the original content and more from this author here: http://ift.tt/1BJ2GIF



from cyber security caucus http://ift.tt/1N3TUFw
via IFTTT

No comments:

Post a Comment