[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]



 
      UNDERSTANDING THE CYBERSECURITY OF AMERICA'S AVIATION SECTOR

=======================================================================

                             JOINT HEARING

                               before the

                            SUBCOMMITTEE ON
                           CYBERSECURITY AND
                       INFRASTRUCTURE PROTECTION

                                and the

                            SUBCOMMITTEE ON
                           TRANSPORTATION AND
                          PROTECTIVE SECURITY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 6, 2018

                               __________

                           Serial No. 115-75

                               __________

       Printed for the use of the Committee on Homeland Security
                                     



                                     

        Available via the World Wide Web: http://www.govinfo.gov

                               __________
                               
                   U.S. GOVERNMENT PUBLISHING OFFICE
                   
34-446 PDF                 WASHINGTON : 2019      
                             
                               
                               
                               
                               
                               

                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Sheila Jackson Lee, Texas
Mike Rogers, Alabama                 James R. Langevin, Rhode Island
Lou Barletta, Pennsylvania           Cedric L. Richmond, Louisiana
Scott Perry, Pennsylvania            William R. Keating, Massachusetts
John Katko, New York                 Donald M. Payne, Jr., New Jersey
Will Hurd, Texas                     Filemon Vela, Texas
Martha McSally, Arizona              Bonnie Watson Coleman, New Jersey
John Ratcliffe, Texas                Kathleen M. Rice, New York
Daniel M. Donovan, Jr., New York     J. Luis Correa, California
Mike Gallagher, Wisconsin            Val Butler Demings, Florida
Clay Higgins, Louisiana              Nanette Diaz Barragan, California
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Don Bacon, Nebraska
Debbie Lesko, Arizona
                   Brendan P. Shields, Staff Director
                   Katy Flynn, Deputy General Counsel
                  Hope Goins, Minority Staff Director
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                    John Ratcliffe, Texas, Chairman
John Katko, New York                 Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York     Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin            James R. Langevin, Rhode Island
Brian K. Fitzpatrick, Pennsylvania   Val Butler Demings, Florida
Don Bacon, Nebraska                  Bennie G. Thompson, Mississippi (ex officio)
Michael T. McCaul, Texas (ex officio)
             Kristen M. Duncan, Subcommittee Staff Director
                                 ------                                

         SUBCOMMITTEE ON TRANSPORTATION AND PROTECTIVE SECURITY

                     John Katko, New York, Chairman
Mike Rogers, Alabama                 Bonnie Watson Coleman, New Jersey
Brian K. Fitzpatrick, Pennsylvania   William R. Keating, Massachusetts
Ron Estes, Kansas                    Donald M. Payne, Jr., New Jersey
Debbie Lesko, Arizona                Bennie G. Thompson, Mississippi (ex officio)
Michael T. McCaul, Texas (ex officio)
               Kyle D. Klein, Subcommittee Staff Director
               
               
                            C O N T E N T S

                              ----------                              

                               Statements

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on Cybersecurity 
  and Infrastructure Protection:
  Oral Statement
  Prepared Statement
The Honorable Cedric L. Richmond, a Representative in Congress 
  From the State of Louisiana, and Ranking Member, Subcommittee 
  on Cybersecurity and Infrastructure Protection:
  Prepared Statement
The Honorable John Katko, a Representative in Congress From the 
  State of New York, and Chairman, Subcommittee on Transportation 
  and Protective Security:
  Oral Statement
  Prepared Statement
The Honorable Bonnie Watson Coleman, a Representative in Congress 
  From the State of New Jersey, and Ranking Member, Subcommittee 
  on Transportation and Protective Security:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement

                               Witnesses

Mr. Christopher Porter, Chief Intelligence Strategist, FireEye:
  Oral Statement
  Prepared Statement
Mr. Jeffrey L. Troy, Executive Director, Aviation Information 
  Sharing and Analysis Center:
  Oral Statement
  Prepared Statement
Mr. Michael A. Stephens, Executive Vice President, IT and General 
  Counsel, Tampa International Airport:
  Oral Statement
  Prepared Statement

                                Appendix

Question From Honorable James R. Langevin for Jeffrey L. Troy
Questions From Honorable James R. Langevin for Michael A. 
  Stephens


      UNDERSTANDING THE CYBERSECURITY OF AMERICA'S AVIATION SECTOR

                              ----------                              


                      Thursday, September 6, 2018

       U.S. House of Representatives,      
        Committee on Homeland Security,    
  Subcommittee on Cybersecurity and Infrastructure 
                                        Protection,
    Subcommittee on Transportation and Protective Security,
                                                    Washington, DC.
    The subcommittees met, pursuant to notice, at 10:08 a.m., 
in room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe 
[Chairman of the Cybersecurity and Infrastructure Protection 
subcommittee] presiding.
    Present: Representatives Ratcliffe, Katko, Donovan, 
Gallagher, Fitzpatrick, Bacon, Lesko, Watson Coleman, Keating, 
Langevin, Payne, and Demings.
    Mr. Ratcliffe. Good morning. The Committee on Homeland 
Security, Subcommittees on Cybersecurity and Infrastructure 
Protection and Transportation and Protective Security will come 
to order.
    The subcommittees are meeting today to receive testimony 
regarding the cybersecurity posture of this Nation's aviation 
sector. I now recognize myself for an opening statement.
    I am grateful to be holding this hearing this morning with 
my good friend and Chairman of the Transportation and 
Protective Security Subcommittee, John Katko. I want to thank 
him for convening this hearing with me today to examine a topic 
that I think fits hand-in-glove with the security of our 
Nation.
    I have always said that cybersecurity is National security. 
There is no better example of that than in the aviation 
industry. When we think of threats to the industry, traditional 
avenues of attack are what first come to mind. These threats, 
like hijackings and bombings, will continue to pose a major 
security concern moving forward.
    However, as devices, aircraft, and systems become more 
interconnected, cybersecurity will increasingly play a larger 
role in aviation security. That is because nation-states, cyber 
criminals, and hacktivists all possess an incentive to 
manipulate systems within this sector. Whether it be looking to 
gain a competitive advantage, or financially motivated actions, 
or simply a political statement, the space will always be 
crowded by malicious actors seeking to do us harm.
    That is why we need to understand all avenues of attack, to 
prioritize their severity and to mitigate those vulnerabilities 
as quickly as we can.
    Innovation has brought increased efficiencies to daily 
life, but it has also tied together networks like we have never 
seen before. Therefore, this is not a single-minded task. We 
cannot be narrow in our focus. We have to explore the entire 
aviation ecosystem as a whole.
    If we have a single weak link anywhere along the chain, 
then the entire chain can fail, like earlier this year, when we 
saw a ransomware attack which targeted the city of Atlanta and 
forced Hartsfield-Jacksonville Atlanta International Airport to 
turn off its WiFi services for hours. That is one of many 
examples I could give to illustrate the cross-cutting nature of 
the sector.
    All of these pose inherent logistical, financial, and 
security concerns. It therefore becomes incumbent upon the 
Department of Homeland Security, Congress, and the private 
sector to work together to find ways to create resilient 
systems, to create redundancies, to share threat information, 
and to build safety and trust into systems that have become 
integral to American travel.
    Trust is instrumental in the continued health of the 
aviation industry. Customers and travelers need to have faith 
in the systems they are using, whether it be from the 
information on arrival and departure boards to security on the 
airplanes themselves. Losing the trust of the everyday American 
would be disastrous for the sector, and gaining it back would 
be an uphill battle.
    Fortunately, safety has always been an overriding concern 
of the aviation industry. The industry has typically and 
generally risen above all others in this case. Safety has been 
culturally built into this sector over time. The lessons 
learned from 9/11 have matured both private-sector and Federal 
Government entities to the point they are at today.
    However, we still need to clearly delineate roles of 
entities like NPPD, TSA, and the FAA, which we have come to 
rely upon for our security concerns. We have to build 
partnerships both within the private sector and within the 
Government, partnerships like the Aviation Cyber Initiative, 
which brings together Government stakeholders from DHS, DOT, 
and DOD to tackle cybersecurity problems across the aviation 
sector. It provides auditing on a voluntary basis to further 
the goal of a safer, more secure ecosystem.
    DHS's National Protection and Programs Directorate recently 
announced the creation of a National Risk Management Center in 
its effort to enhance risk management integration across the 
public and private sectors. I am very interested in the rollout 
of the center and hope it will become another essential tool 
for the public-private collaboration based on and focused on 
cybersecurity.
    By leveraging existing practices and partnerships already 
in existence, the aviation industry can maximize security 
benefits. A 2016 study found that 91 percent of airlines are 
planning to invest more in cyber programs over the next 3 
years, which is up from only 41 percent back in 2013. That is 
good news.
    Stakeholders remain poised to tackle the issues at hand and 
ensure a safe cyber ecosystem within their sector. It is my 
hope that organizations like DHS's NPPD are offering support 
that is beneficial to this sector.
    In our continued efforts to support the work and mission 
space of NPPD, I want to remind my colleagues that late last 
year, the House passed H.R. 3359, the Cybersecurity and 
Infrastructure Security Agency Act, a bill that is essential to 
solidifying and strengthening DHS's cybersecurity mission and 
which would support NPPD's efforts to bolster aviation 
cybersecurity.
    I am excited to explore the issue of aviation cybersecurity 
today. I have faith that all parties will rise to the occasion 
and ensure that the American people can always have trust in 
the cybersecurity within the aviation sector.
    I want to thank the witnesses for their time and for being 
here today. I very much look forward to their testimony.
    [The statement of Chairman Ratcliffe follows:]
                  Statement of Chairman John Ratcliffe
                           September 6, 2018
    I am glad to be holding this hearing with my good friend, and 
Chairman of the Transportation and Protective Security Subcommittee, 
John Katko. I want to thank him for convening this hearing with me 
today to examine this topic that fits hand-in-glove with the security 
of our Nation.
    I have always said that cybersecurity is National security. There 
is no better example of that than in the aviation industry.
    When we think of threats broadly to the industry, traditional 
avenues of attack are what first come to mind. These threats, such as 
hijackings and bombings, will continue to pose a major security concern 
moving forward. However, as devices, aircraft, and systems become more 
interconnected, cybersecurity will increasingly play a larger role in 
aviation security.
    Because nation-states, cyber criminals, and ``hacktivists,'' all 
possess an incentive to manipulate systems within the sector.
    Whether it be looking to gain a competitive advantage, a 
financially-motivated action, or simply a political statement, the 
space will always be crowded by malicious actors seeking to do harm.
    This is why we need to understand all avenues of attack, to 
prioritize their severity, and mitigate those vulnerabilities as 
quickly as we can.
    Innovation has brought increased efficiencies to daily life, 
however, it has also tied together networks like we have never seen 
before. Therefore, this is not a single-minded task. We cannot be 
narrow in our focus, as we must explore the entire aviation ecosystem 
as a whole.
    We cannot have a single weak link across the entire chain, or else 
it could all fail.
    For example: A ransomware attack which targeted the city of Atlanta 
earlier this year forced Hartsfield-Jackson Atlanta International 
Airport to turn off its Wi-Fi services for hours. This is one of many 
examples illustrating the cross-cutting nature of the sector. All of which 
pose inherent logistical, financial, and security concerns.
    Therefore, it becomes incumbent upon the Department of Homeland 
Security, Congress, and the private sector to work together to find 
ways to create resilient systems. To create redundancies. To share 
threat information. And to build safety and trust into systems that 
have become integral to American travel.
    Trust is instrumental in the continued health of the aviation 
industry. Customers and travelers need to have faith in the systems 
they are using, whether that be arrival boards or the airplanes 
themselves. Losing the trust of the everyday American would be 
disastrous for the sector and gaining it back would be an uphill 
battle, as we cannot explicitly see increased firewall protection, for 
example.
    Furthermore, safety really is key as well. The aviation industry 
rises above all others in this case, as safety has been culturally 
built into the sector over time. The lessons learned from 9/11 have 
matured both private-sector and Federal Government entities to the 
point that they are at today.
    However, we need to clearly delineate roles of such entities as 
NPPD, TSA, and the FAA which we have come to rely on for our security 
concerns.
    We must build partnerships both within the private sector and 
within Government. Partnerships such as the Aviation Cyber Initiative, 
which brings together Government stakeholders from DHS, DOT, and DOD to 
tackle cybersecurity problems across the aviation sector. It provides 
auditing on a voluntary basis to further the goal of a safer, more 
secure ecosystem. DHS's National Protection and Programs Directorate 
recently announced the creation of a National Risk Management Center, 
in its effort to enhance risk management integration across the public 
and private sectors. I am very interested in the rollout of this Center 
and hope that it will become another essential tool for public-private 
collaboration focused on cybersecurity.
    By leveraging existing practices and partnerships already in 
existence, the aviation industry can maximize security benefits. A 2016 
study by SITA found that 91 percent of airlines are planning to invest 
in cyber programs over the next 3 years, up from only 41 percent in 
2013. Stakeholders remain poised to tackle the issues at hand and 
ensure a safe cyber ecosystem within their sector, and it is my hope 
that organizations like DHS's NPPD are offering support that is 
beneficial to this sector.
    In our continued efforts to support the work and mission space of 
NPPD, I want to remind my colleagues that late last year, the House 
passed H.R. 3359, the Cybersecurity and Infrastructure Security Agency 
Act, a bill that is essential to solidifying and strengthening DHS's 
cybersecurity mission and would also support NPPD's efforts to bolster 
aviation cybersecurity.
    I am excited to explore the issue of aviation cybersecurity today. 
I have faith that all parties will rise to the occasion and ensure that 
the American people can always have trust in the cybersecurity of the 
aviation sector.
    I want to thank the witnesses for their time and I look forward to 
their testimony.

    Mr. Ratcliffe. The Chair now recognizes the gentlelady from 
New Jersey, Ms. Watson Coleman, the Ranking Member of the 
Transportation and Protective Security Subcommittee for any 
opening statements she may have.
    Mrs. Watson Coleman. Thank you very much, Chairman 
Ratcliffe and Katko and my fellow Ranking Member, Mr. Richmond, 
who will be here, for holding today's hearings.
    Thank you, Mr. Porter and Mr. Troy and Mr. Stephens, as 
being our witnesses here today.
    I am very glad we are holding this hearing, because it 
seems to me that the topic of aviation cybersecurity has not 
received the attention it demands. Threats to the 
transportation sector are constantly evolving and efforts to 
secure transportation must be beyond simply reacting to the 
most recent attempted attacks.
    Next week, we will commemorate the 17th anniversary of the 
September 11 attacks. One reason terrorists were able to carry 
out such deadly attacks on that day is that they took us by 
surprise. The U.S. aviation sector was vulnerable because 
security efforts had not focused on the possibility of 
terrorists hijacking a plane and using the plane itself as a 
missile.
    In the years since then, we have invested heavily in 
aviation security by hardening cockpit doors, creating a TSA, 
improving passenger and baggage screening, and refining 
intelligence-sharing and vetting processes. These efforts have 
unquestionably made air traffic more secure, but we cannot let 
our guard down now. We must urge security agencies to think 
creatively about potential new attack vectors, as terrorists 
continue to search for vulnerabilities to target.
    With that in mind, we must do more when it comes to the 
cybersecurity or transportation systems. Seventeen years after 
terrorists gained access to cockpits via physical means, we 
cannot allow them access to cockpits via cyber means. I must 
have a mouthful of marbles today.
    Last fall, reports emerged that a research team led by DHS 
Science and Technology Directorate was able to remotely hack 
into the systems of a commercial passenger jet. As a matter of 
fact, as a part of my briefing, I was informed of three 
additional opportunities that were used to try to hack into 
systems, even those involving the notorious Russia.
    In the wrong hands, such a capability could result in mass 
casualties. Even a much less drastic security breach could have 
major consequences. The aviation sector relies on a vast 
network of interconnected systems, including air traffic 
control, airports, airline, operation systems, and reservation 
and ticketing systems. A cyber attack against any one of these 
could cause chaos and confusion, resulting in canceled flights, 
diminished consumer confidence, and enormous cost to the 
airlines and airports.
    Despite the clear vulnerabilities and the consequences of a 
cyber attack with the aviation sector, not much has been done 
to improve cybersecurity. Although TSA requires the airports 
and airlines to adopt and implement security programs covering 
a wide range of measures to protect against attack, TSA does 
not require these programs to include any cybersecurity 
measures. Instead, TSA only shares a list of recommended best 
practices for airports and airlines to implement at their 
discretion.
    It is clear that we need the investment on the part of the 
Government and research and development on what to do when we 
find these intrusions to take place, not just to identify them, 
categorize them, ensure them, but how do we stop them, should 
they become a threat?
    When it comes to securing air travel, voluntary measures 
are just not enough. That is why I am working with my 
colleagues to develop legislation to require TSA to issue new 
rules to airports and airlines requiring implementation of 
baseline security measures, some of which may also apply to 
surface transportation systems, as well.
    Additionally, while this hearing is focused on the aviation 
sector, I would be remiss if I didn't note that these issues 
do, indeed, affect other modes of transportation, as well. Mass 
transit passenger rail, freight rail, and pipeline systems all 
rely on networks that must be secured against cyber attacks. It 
is my hope that today's hearing will provide us with more 
information on current cybersecurity efforts within the 
aviation sector and what work remains to be done.
    Again, I want to thank the witnesses for joining us. Thank 
you, Chairmen, for bringing this hearing to us today. I yield 
back the balance of my time.
    [The statement of Ranking Member Watson Coleman follows:]
           Statement of Ranking Member Bonnie Watson Coleman
                           September 6, 2018
    Thank you to Chairmen Ratcliffe and Katko, and my fellow Ranking 
Member Richmond, for holding today's hearing.
    Thank you also to our witnesses for being here today to share your 
expertise with us.
    I am really glad we are holding this hearing because it seems to me 
that the topic of aviation cybersecurity has not received the attention 
it demands.
    Threats to the transportation sector are constantly evolving, and 
efforts to secure transportation must go beyond simply reacting to the 
most recent attempted attacks.
    Next week, we will commemorate the 17th anniversary of the 
September 11 attacks.
    One reason terrorists were able to carry out such deadly attacks on 
September 11 is that they took us by surprise.
    The U.S. aviation sector was vulnerable because security efforts 
had not focused on the possibility of terrorists hijacking a plane and 
using the plane itself as a missile.
    In the years since then, we have invested heavily in aviation 
security by hardening cockpit doors, creating the TSA, improving 
passenger and baggage screening, and refining intelligence-sharing and 
vetting processes.
    These efforts have unquestionably made air travel more secure, but 
we cannot let our guard down now.
    We must urge security agencies to think creatively about potential 
new attack vectors, as terrorists continue to search for 
vulnerabilities to target.
    With that in mind, we must do more when it comes to the 
cybersecurity of transportation systems.
    Seventeen years after terrorists gained access to cockpits via 
physical means, we cannot allow them to gain access to cockpits via 
cyber means.
    Last fall, reports emerged that a research team led by the DHS 
Science and Technology Directorate was able to remotely hack into the 
systems of a commercial passenger jet.
    In the wrong hands, such a capability could result in mass 
casualties.
    Even a much less drastic security breach could have major 
consequences.
    The aviation sector relies on a vast network of interconnected 
systems, including air traffic control, airports, airline operations 
systems, and reservation and ticketing systems.
    A cyber attack against any one of these systems could cause chaos 
and confusion, resulting in canceled flights and diminished consumer 
confidence.
    Such an attack would likely cost airports and airlines millions and 
have lasting effects on the economy.
    Despite the clear vulnerabilities and consequences of a cyber 
attack within the aviation sector, not much has been done to improve 
cybersecurity.
    Although TSA requires airports and airlines to adopt and implement 
security programs covering a wide range of measures to protect against 
attack, TSA does not require those programs to include any 
cybersecurity measures.
    Instead, TSA only shares a list of recommended best practices for 
airports and airlines to implement at their discretion.
    When it comes to securing air travel, voluntary measures are not 
enough.
    That is why I am working with my colleagues to develop legislation 
to require TSA to issue new rules for airports and airlines requiring 
implementation of baseline cybersecurity measures.
    Additionally, while this hearing is focused on the aviation sector, 
I would be remiss if I did not note that these issues affect other 
modes of transportation as well.
    Mass transit, passenger rail, freight rail, and pipeline systems 
all rely on networks that must be secured against cyber attacks.
    It is my hope that today's hearing will provide us with more 
information on current cybersecurity efforts within the aviation sector 
and on what work remains to be done.
    Again, I thank the witnesses for joining us, and I yield back the 
balance of my time.

    Mr. Ratcliffe. I thank the gentlelady. The Chair now 
recognizes the Chairman of the Subcommittee on Transportation 
Protective Security, the gentleman from New York, Mr. Katko, 
for his opening statement.
    Mr. Katko. Thank you, Chairman Ratcliffe. I am pleased our 
subcommittees could work together to hold this timely and 
obviously very important hearing.
    In the wake of the devastating attacks on September 11, 
2001, Congress created the Transportation Security 
Administration to protect and secure our Nation's 
transportation systems. Seventeen years later, our aviation 
sector remains a highly attractive target for malicious actors 
who seek to inflict harm on the United States.
    However, these threats have proliferated to include the 
realm of cybersecurity, something that was much less of a 
concern during the creation of TSA. The travel and tourism 
industries contribute trillions of dollars to the U.S. and 
global economy, and passenger volumes have steadily increased 
year after year. The fact that our aviation system is vital to 
the vibrancy and interconnectedness of our Nation is precisely 
what makes it such a highly-valued target.
    Make no mistake about it: We are absolutely a highly-valued 
target by the bad guys, and they are constantly trying to probe 
how to get into systems and how to attack our airlines.
    Protecting America's transportation systems is a 
collaborative effort between numerous Government and private-
sector entities who share the goal of protecting the free 
movement of people and commerce. Therefore, as innovations in 
technology change the way our aviation sector operates, our 
collective security posture needs to adapt accordingly.
    This hearing today will focus on cybersecurity in the 
aviation domain, and I look forward to discussing how TSA--and 
the Department of Homeland Security in general--interact with 
various stakeholders as partners to bolster the cybersecurity 
of the aviation ecosystem.
    On any given day, the TSA and its partners in the aviation 
community secure around 2.4 million travelers, 1.2 million 
checked bags, and 8.4 million pounds of cargo. These security 
operations incorporate a wide array of technologies and invoke 
a considerable number of stakeholders, including airports, 
airline groups, and air carriers, among many others.
    As the aviation community increasingly relies on connected 
systems for critical operations, we must acknowledge the 
urgency and importance of protecting the aviation sector's 
information technology systems and data against cyber threats.
    The impact of cyber attacks can be far-reaching. In 
addition to significant security consequences, cyber attacks on 
the aviation sector can prompt considerable economic loss, 
passenger frustration, and undermine the public's trust in the 
aviation system.
    As Chairman of the Subcommittee on Transportation and 
Protective Security, I have been a very vocal advocate for 
forward-leaning security policies and best practices to 
safeguard our Nation's transportation systems, and I believe we 
need to start thinking about cybersecurity as a critical 
element of that overall security posture.
    That is why I am pleased to hold the hearing this morning 
with my colleagues from the Subcommittee on Cybersecurity and 
Infrastructure Protection. Our discussions surrounding aviation 
security should not ignore the vulnerabilities and risks posed 
by broad and interconnected systems with multiple vectors of 
attack.
    As our systems in the air and on the ground become more 
advanced and more interconnected, cybersecurity will continue 
to be inextricably linked with aviation security.
    TSA was created in the aftermath of 9/11 and charged with 
the mission of preventing another large-scale act of terrorism 
on American transportation system. While physical threats like 
improvised explosive devices continue to pose a major security 
concern, the reality is that U.S. networks and databases are 
under daily cyber threat by nation-states, international crime 
organizations, and individual hackers.
    Now, we need to pause for a second and really think about 
what this all means. Cyber threats can manifest themselves in 
many different ways. They can paralyze our systems or shut down 
the system. They could affect things such as SIDA access or 
access controls to secure areas, allowing people to get into 
secure areas who shouldn't be there. We know from recent 
incidents in Dallas-Fort Worth and elsewhere, enough criminal 
conduct goes on with people who have SIDA access. Imagine what 
could happen with people who don't and can get into those 
areas.
    Airplane security, of course, is a big one. But let's not 
forget what was reported last year in 2017 where a report 
surfaced that Homeland Security was able to hack into a Boeing 
757 that was sitting on the tarmac. Now, some people have 
harpooned various aspects of that report, but the specter 
remains that a plane could actually technically be weaponized 
against us and be taken over by bad guys through cybersecurity 
threats. That is something we need to talk about today and 
something we need to talk about tomorrow and all the way 
through.
    As Ms. Watson Coleman alluded to, as well, same holds true 
for the transportation sector and trains, taking over a train 
and weaponizing a train. That is a new threat. It is a new 
frontier.
    Our military has recognized this threat to such an extent 
that they have a Cyber Command. I am concerned that we may not 
be having the same priorities bestowed upon TSA and Homeland 
Security, and we have to understand the threat is real and it 
is going to keep getting worse.
    This hearing illustrates my commitment to bringing a 
necessary focus to cybersecurity in the aviation sector, and I 
look forward to learning about the Federal Government's role in 
this space from our esteemed witnesses. I hope to understand 
how the partnerships between the Department of Homeland 
Security, TSA, and aviation stakeholders can be leveraged to 
make cyber risk awareness a key part of aviation security.
    Thank you, Mr. Chairman. I yield back my time.
    [The statement of Chairman Katko follows:]
                    Statement of Chairman John Katko
                           September 6, 2018
    Thank you, Chairman Ratcliffe. I am pleased our subcommittees could 
work together to hold this timely and important hearing. In the wake of 
the devastating attacks on September 11, 2001, Congress created the 
Transportation Security Administration to protect and secure our 
Nation's transportation systems. Seventeen years later, our aviation 
sector remains an attractive target for malicious actors who seek to 
inflict harm on the United States. However, threats have proliferated 
to include the realm of cybersecurity--something that was much less of 
a concern during the creation of TSA. The travel and tourism industries 
contribute trillions of dollars to the U.S. and global economy, and 
passenger volumes have steadily increased year after year. The fact 
that our aviation system is vital to the vibrancy and 
interconnectedness of our Nation is precisely what makes it such a 
highly-valued target.
    Protecting America's transportation systems is a collaborative 
effort between numerous Government and private-sector entities who 
share the goal of protecting the free movement of people and commerce. 
Therefore, as innovations in technology change the way our aviation 
sector operates, our collective security posture needs to adapt 
accordingly. This hearing today will focus on cybersecurity in the 
aviation domain, and I look forward to discussing how TSA--and the 
Department of Homeland Security in general--interact with various 
stakeholders as partners to bolster the cybersecurity of the aviation 
ecosystem.
    On any given day, TSA and its partners in the aviation community 
secure around 2.4 million travelers, 1.2 million checked bags, and 8.4 
million pounds of cargo. These security operations incorporate a wide 
array of technologies and involve a considerable number of 
stakeholders, including airports, airline groups, and air carriers, 
among many others. As the aviation community increasingly relies on 
connected systems for critical operations, we must acknowledge the 
urgency and importance of protecting the aviation sector's information 
technology systems and data against cyber threats. The impact of cyber 
attacks can be far-reaching. In addition to significant security 
consequences, cyber attacks on the aviation sector can prompt 
considerable economic losses, passenger frustration, and undermine the 
public's trust in the aviation system.
    As Chairman of the Subcommittee on Transportation and Protective 
Security, I have been a vocal advocate for forward-leaning security 
policies and best practices to safeguard our Nation's transportation 
systems, and I believe we need to start thinking about cybersecurity as 
a critical element of that overall security posture. That is why I'm 
pleased to hold this joint hearing with my colleagues from the 
Subcommittee on Cybersecurity and Infrastructure Protection. Our 
discussions surrounding aviation security should not ignore the 
vulnerabilities and risks posed by broad and interconnected systems 
with multiple vectors of attack. As our systems in the air and on the 
ground become more advanced and more interconnected, cybersecurity will 
continue to be inextricably linked with aviation security.
    TSA was created in the aftermath of 9/11 and charged with the 
mission of preventing another large-scale act of terrorism on the 
American transportation system. While physical threats like improvised 
explosive devices continue to pose a major security concern, the 
reality is that U.S. networks and databases are under daily cyber 
threat by nation-states, international crime organizations, and 
individual hackers. This hearing illustrates my commitment to bringing 
a necessary focus to cybersecurity in the aviation sector, and I look 
forward to learning about the Federal Government's role in this space 
from our esteemed witnesses. I hope to understand how the partnerships 
between the Department of Homeland Security, TSA, and aviation 
stakeholders can be leveraged to make cyber risk awareness a key part 
of aviation security.
    Thank you, Mr. Chairman. I yield back.

    Mr. Ratcliffe. Thank the gentleman. Other Members of the 
committee are reminded that opening statements may be submitted 
for the record.
    [The statements of Ranking Members Thompson and Richmond 
follow:]
             Statement of Ranking Member Bennie G. Thompson
                           September 6, 2018
    Next week, we will observe the anniversary of the terrorist attacks 
of September 11, 2001.
    Seventeen years ago, our adversaries exploited the cracks in our 
aviation security apparatus to carry out the deadliest terrorist attack 
in our Nation's history.
    Since that time, we have focused on closing those gaps, making 
improvements to the way we share threat intelligence, screen 
passengers, and secure physical aviation infrastructure.
    Although I recognize the progress we have made improving aviation 
security, I am concerned that we are overlooking an important attack 
vector: Cyber.
    The aviation sector represents a wide array of critical assets, 
including the systems and networks that support airports, air traffic 
control, and aircraft, to name a few.
    We rely on these diverse assets to support not only personal 
travel, but also commercial shipping, disaster relief, and a host of 
other activities essential to the health of our economy and National 
security.
    All these assets are subject to a unique set of cybersecurity risks 
and vulnerabilities.
    But we have done little to protect them against evolving cyber 
threats.
    When it comes to physical security at our airports and our 
airplanes, we impose strict requirements designed to keep bad actors, 
explosives, and other illicit materials out.
    But there are no equivalent cybersecurity standards.
    Although we encourage owners and operators of aviation assets to 
take advantage of DHS cybersecurity programs and services, it is no 
substitute for requiring cybersecurity measures as part of site 
security plans.
    And in many cases, aviation sector owners and operators struggle 
with the same cyber challenges that plague other industries: A National 
shortage of skilled cybersecurity personnel, a workforce with minimal 
cybersecurity training and awareness, and resource constraints across 
the board.
    These gaps in our security framework represent ``low-hanging 
fruit'' for our adversaries.
    A relatively simple intrusion could upend airport operations, 
costing airlines millions.
    A more sophisticated breach of a cockpit could bring down a plane.
    I am far from convinced that the Federal Government is investing 
enough in research around aviation-related cyber vulnerabilities.
    Right now, some of the most significant Federal research in this 
area is being led by the DHS Science and Technology Directorate, which 
operates on a shoestring budget that Republicans in Congress continue 
to slash, year after year.
    Nevertheless, last year, officials involved in this research 
reportedly managed to carry out a remote hack of a commercial passenger 
jet.
    These findings underscore that this threat is real, and more 
attention is needed.
    I look forward to hearing from this panel of witnesses today, and I 
hope they will give us a candid assessment of the cybersecurity posture 
of our aviation sector.
    I will be interested to hear what progress has been made on areas 
like cyber threat information sharing, and how Congress can support 
those efforts.
                                 ______
                                 
              Statement of Ranking Member Cedric Richmond
                           September 6, 2018
    Seventeen years ago, 19 terrorists weaponized 4 passenger airplanes 
and launched the most devastating attack on U.S. soil since Pearl 
Harbor. As we struggled to understand how such a horrific tragedy could 
happen, the chairman of the 9/11 Commission issued a painful 
indictment: ``This was a failure of policy, management, capability, and 
above all, a failure of imagination.''
    Since then, we have invested heavily in securing airplanes and 
airports against the kinds of attacks perpetrated by the 9/11 
terrorists. But the threat landscape has evolved, and our adversaries 
have changed. Those who wish to do us harm have new tools at their 
disposal--giving them the ability to target aviation systems without 
stepping foot in an airport and without clear lines of attribution.
    In March, the Department of Homeland Security and the FBI issued a 
joint alert warning that Russian government cyber activity had been 
targeting U.S. critical infrastructure, including the aviation sector. 
And research conducted by the DHS's Science and Technology Directorate 
has revealed troubling vulnerabilities in aircraft systems.
    Although I am encouraged by Federal efforts to build awareness and 
address cybersecurity vulnerabilities to aviation infrastructure, I am 
concerned that we are, once again, playing catch up with our 
adversaries.
    As we speak, the Transportation Security Administration does not 
require airport security plans to address cybersecurity 
vulnerabilities. It is unclear how cybersecurity factors into safety 
considerations involved in building aircraft. We must do better.
    This hearing is an important step in our efforts to understand the 
full scope of cyber vulnerabilities to aviation assets and to help 
relevant Federal agencies work with stakeholders to manage and mitigate 
cyber risks. Pursuant to the National Aviation Security Strategy, an 
interagency task force--known as the Aviation Cyber Initiative--is 
charged with reducing cybersecurity risks to the Nation's Aviation 
Ecosystem.
    The ACI is co-chaired by the Department of Homeland Security, the 
Department of Defense, and the Department of Transportation, and its 
charter is being updated to facilitate the tri-chair structure. I will 
be interested in hearing from our witnesses today about ACI's outreach 
to the stakeholder community and about the nature of aviation asset 
owners' and operators' engagement with the ACI.
    More generally, I will be interested to learn how effectively the 
Federal Government shares cyber threat information across the aviation 
sector, and how that information informs efforts to harden assets, 
secure networks, and train aviation workers--from pilots and flight 
attendants to airport employees.
    Finally, I will be interested in learning about the other 
challenges associated with improving the cybersecurity posture of the 
aviation industry--from technology to resources.

    Mr. Ratcliffe. We are pleased to have a very distinguished 
panel of witnesses before us today on this very important 
topic. Mr. Christopher Porter is the chief intelligence 
strategist for FireEye, as well as a senior fellow at the 
Atlantic Council. Previously, he had a distinguished 9-year 
career in the Central Intelligence Agency, working on 
cybersecurity issues.
    Welcome, Mr. Porter.
    Mr. Jeffrey Troy is the executive director of the Aviation 
Information-Sharing and Analysis Center and currently works as 
a senior IT manager at General Electric. Prior to this, Mr. 
Troy served for 25 years in the FBI, including his final stint 
as deputy assistant director of the cyber division.
    We are grateful to have you here testifying today, Mr. 
Troy.
    Finally, Mr. Michael Stephens is the executive vice 
president for IT and general counsel at the Tampa International 
Airport, where he has primary responsibility for all legal 
information technology, governance, regulatory, and compliance 
matters.
    Welcome, Mr. Stephens. We are excited to hear your 
testimony, as well.
    I would now ask the witnesses to please stand, if able, and 
raise your right hand so that I can swear you in to testify. Do 
each of you swear or affirm that the testimony which you will 
give today will be the truth, the whole truth, and nothing but 
the truth, so help you God? Let the record reflect that each of 
the witnesses has answered in the affirmative, and you may be 
seated.
    The witnesses' full written statements will appear in the 
record. The Chair now recognizes Mr. Porter for 5 minutes for 
his opening statement.

STATEMENT OF CHRISTOPHER PORTER, CHIEF INTELLIGENCE STRATEGIST, 
                            FIREEYE

    Mr. Porter. Thank you, Chairman Ratcliffe, Ranking Member 
Richmond, Chairman Katko, and Ranking Member Coleman, for 
convening this joint hearing today. We appreciate the 
opportunity to share FireEye's perspective on threats to the 
aviation sector and provide an overview of how we are helping 
to secure American aviation.
    As was mentioned, my name is Christopher Porter. I am the 
chief intelligence strategist at FireEye. Our strategic 
intelligence products that inform my testimony today reach over 
4,000 customers in 67 countries. Prior to joining FireEye, I 
worked at CIA for almost 9 years. That includes not only work 
with the agency, but also a short stint as the briefer at the 
White House for cyber threat intelligence issues, several years 
in counterterrorism operations, and war zone service, as well.
    I want to share with you today FireEye's perspective, which 
is mostly informed responding to breaches in the aviation 
sector, but also the intelligence that we have collected on 
what might be coming next to try to get ahead of the problem.
    I am sure it will come as no surprise to the Members of 
these two subcommittees that the aviation sector is one of the 
most targeted for cyber attack that our company sees. Safe, 
reliable air transport is vital for everything from National 
defense to global commerce to personal freedom.
    Malicious actors seeking to undermine America's strength in 
aviation through cyber attacks and through theft of data 
include foreign governments, terrorists, organized crime, and 
non-state actors acting on their own.
    I want to start by discussing the most common cyber threat 
that the aviation industry faces, which is cyber espionage. 
Foreign governments routinely seek to steal industrial secrets 
from American manufacturers, researchers, designers, operators 
of military aircraft, and cutting-edge civilian planes. It is 
about who you would expect: China, Russia, more recently Iran 
have all targeted the United States or, in some cases, our 
close allies, who we share technology with overseas, to try and 
steal aviation secrets via computer network operations.
    All three countries also routinely target ticketing and 
traveler data, shipping schedules and manifests, and partner 
industries, such as railways and hotels, mostly for domestic 
security reasons.
    There are two aspects of cyber espionage, though, that I 
want to focus on. The first is that because it is a pervasive 
threat, the best defense against cyber espionage is rapid, 
detailed information sharing with context. Our company pushes 
alerts to customers in real time when possible. The technical 
alerts are in real time. We try to provide context within 24 to 
48 hours.
    Industry groups share information between peers, because as 
we have all learned, a threat to one is usually a threat to 
all. The U.S. Government also shares its threat information, 
although it is generally Classified and only available to 
cleared vendors. There is room for improvement at the speed of 
dissemination of intelligence, mostly from collector to 
agencies like DHS that then share it.
    Most importantly, the timeliness of information within 
industry and between the private sector and the U.S. Government 
must improve, so it is not just the Government that has work to 
do.
    The thing to know about cyber espionage, though, is that 
because it is routine, any one individual activity should not 
be viewed as destabilizing, you know, to the whole Nation. 
Media reporting on cyber incidents is naturally going to focus 
on the worst-case scenario of what could happen. Sometimes that 
is justified. Oftentimes it is not.
    The public should not be needlessly alarmed or lose their 
confidence in what is, you know, generally a very safe industry 
because of individual cyber espionage incidents. Every major 
cyber power, including the United States, has an interest in 
knowing about the potential defense technology developments of 
both its friends and potential threats, and the U.S. aviation 
sector isn't the only one that is being targeted in this way.
    So while espionage on its own does not pose an urgent 
threat to life, I am concerned that continued theft of trade 
secrets could pose a long-term threat to American economic 
health. Aviation is one of our Nation's leading export 
industries. China in particular is harnessing all aspects of 
national power to displace the United States as a military and 
economic power.
    Chinese theft of intellectual property for commercial 
purposes has almost entirely dropped off since the September 
2015 agreement between President Xi of China and President 
Obama. You know, diplomacy does work as a cybersecurity means.
    However, that depends a lot on what industry you are in. 
For the aviation security, research and development is so 
closely tied to National defense that it really never stopped 
being targeted. So, you know, unfortunately, the matter before 
these committees is not defended by those diplomatic efforts. 
They continue.
    Cyber criminals, likewise, pose an economic threat to the 
aviation sector and its customers. For years, we have seen 
airlines and third-party ticket sellers exploited so that 
illicit tickets could be resold for profit in underground fora. 
In the last 2 years, our devices have detected a sharp increase 
in the use of ransomware to temporarily disable airline 
ticketing and support operations. That is often untargeted, not 
specifically aimed at airports, but as we have seen, it could 
be, as well.
    Air travel is a time-sensitive business. Cyber criminals 
know they can extort payment from airlines that are unable to 
move passengers until their systems are decrypted.
    Finally, in addition to threats to the aviation sector's 
proprietary information, customer records, and systems that 
support flight operations, there are cyber threats that are 
intended to use aviation's prominent place in our lives as a 
means of creating psychological damage when it is affected.
    Airports in Europe, the Middle East, Southeast Asia, to a 
limited extent here at home have had their websites defaced or 
disrupted in order to draw attention to political causes. The 
primary victim in those situations are members of the public 
who may wrongly fear that a loved one is at risk or grow in 
their distrust of flying, even though the affected systems are 
public relations-focused or don't support flight operations.
    So it is important that officials and airline 
representatives communicating with the public during such 
events differentiate between systems that are affected, where 
if you take them down it just causes inconvenience or 
reputational damage, versus systems that if they are targeted 
or damaged, you know, directly support flight operations and 
could affect passenger safety.
    So thank you again for the opportunity to participate in 
today's discussion. I thank you for your leadership improving 
cybersecurity in the aviation sector. I look forward to working 
with you to strengthen our partnership, and I am happy to 
answer any questions from the committee.
    [The prepared statement of Mr. Porter follows:]
                Prepared Statement of Christopher Porter
                           September 6, 2018
    Thank you Chairman Ratcliffe, Ranking Member Richmond, Chairman 
Katko, and Ranking Member Coleman for convening this joint hearing 
today. We appreciate the opportunity to share FireEye's perspective on 
threats to the aviation sector and provide an overview of how the 
private sector is helping to secure the sector.
    My name is Christopher Porter, and I'm the chief intelligence 
strategist for cybersecurity company FireEye and a nonresident senior 
fellow at the Atlantic Council. At FireEye I manage our ``Intelligence 
for Executives'' program for senior corporate and government clients 
across the globe. Our strategic intelligence products reach more than 
4,000 customers in 67 countries.
    Prior to joining FireEye in 2016, I served for nearly 9 years at 
the Central Intelligence Agency, including an assignment as the cyber 
threat intelligence briefer to White House National Security Council 
staff, several years in counterterrorism operations, and warzone 
service.
    In addition to the 300-plus security professionals responding to 
computer intrusions, FireEye has over 200 cyber-threat analysts on 
staff in 18 countries, speaking 30 different languages, to help us 
predict threats and better understand the adversary--often by 
considering the political and cultural environment of the threat 
actors. We have an enormous catalog of threat intelligence, and it 
continues to grow every day alongside the continually increasing attacks 
on organizations around the world.
    FireEye is supporting the aviation sector here at home. We're 
protecting the Transportation Security Administration with both email 
and web inspection, managed by the Department of Homeland Security's 
Enterprise Security Operations Center. As TSA continues to stand up its 
intelligence capabilities, we are providing support through their 
subscription to our intelligence reporting.
    The Federal Aviation Administration also makes great use of our 
intelligence reporting and they're using our malware analysis tool to 
help prevent and detect future cyber attacks.
    I want to share with you today FireEye's perspective responding to 
breaches in the aviation sector and from the intelligence we have 
collected on what might be coming next.
    I am sure it will come as no surprise to you that the aviation 
sector is one of the most targeted for cyber attack. Safe, reliable air 
transport is vital for everything from National defense to global 
commerce to personal freedom. Malicious actors seeking to undermine 
America's strength in aviation through cyber attacks and theft include 
foreign governments, terrorists, organized crime, and other non-state 
actors.
    I want to start by discussing the most common cyber threat facing 
the aviation industry: Cyber espionage. Foreign governments routinely 
seek to steal industrial secrets from manufacturers, researchers, 
designers, and operators of both military aircraft and cutting-edge 
civilian planes. China, Russia, and more recently Iran have all 
targeted the United States or its close allies for theft of aviation 
secrets via computer network operations.
    All three countries also routinely target ticketing and traveler 
data, shipping schedules and manifests, and partner industries such as 
railways and hotels as they gather counterintelligence data on 
suspicious travelers and intelligence on VIPs they wish to track.
    There are two aspects of cyber espionage targeting the aviation 
sector overall that I want to emphasize: First, that because of its 
pervasive nature, the best defense against cyber espionage is rapid, 
detailed information sharing with context. Our company pushes alerts to 
customers in real time, and industry groups share information between 
peers because, as we have learned, a threat to one is often a threat to 
all. The U.S. Government also shares threat information, although it is 
generally Classified and available only to cleared vendors; there is 
room for improvement in Government information sharing with uncleared 
industry partners. Most importantly, the timeliness of information 
within industry and between the private sector and U.S. Government must 
improve. In my line of work, if we can't provide context and additional 
information in 24-48 hours of an attack, we have not met customer 
expectations.
    The second thing to know about cyber espionage though is that, 
because it is routine, it should not be viewed as destabilizing. Media 
reporting on cyber incidents is often focused on the worst-case 
scenario in ways that are sometimes unjustified and needlessly alarm 
the public or inflame opinion against a foreign adversary. Every major 
cyber power, including the United States, has an interest in knowing 
about the potential defense technology developments of both its friends 
and potential threats, and the U.S. aviation sector is not unique in 
being targeted in this way.
    When cyber espionage operators get a foothold on a system, they can 
often use that access for stealing information or to launch a disabling 
or destructive attack using the same technology. But they rarely choose 
to do so, and in the United States there are significant redundancies 
in place to ensure safety. A crashed IT system does not mean a crashed 
plane, and it's important for the public to keep that in mind.
    So while cyber espionage on its own does not pose an urgent threat 
to life, I am concerned that continued theft of trade secrets poses a 
long-term threat to American economic health. Aviation is one of our 
Nation's leading export industries, and China in particular is 
harnessing all aspects of National power to displace the United States 
as a military and economic power in Asia and world-wide. Chinese theft 
of U.S. intellectual property for commercial purposes has almost 
entirely dropped off since a September 2015 agreement between President 
Xi of China and President Obama, but because aviation research and 
development is so closely tied to National defense this particular 
sector of the American economy never stopped being targeted.
    Chinese hackers pursue fewer targets in the United States than they 
did before the Xi-Obama Agreement, but they have just as many hackers 
who are more skilled and better resourced than ever, meaning that 
industries that do continue to be threatened face a greater threat than 
ever before that technologies the United States spends billions 
developing will be stolen and adopted by economic competitors and 
military rivals in China.
    Cyber criminals likewise pose an economic threat to the aviation 
sector and its customers. For years we have seen airlines and third-
party ticket sellers exploited so that illicit tickets could be resold 
for profit in underground fora. Because airlines are trusted by their 
customers with a wide variety of sensitive personal data, they are also 
frequently targeted by cyber criminals looking to gather data to enable 
other types of fraud. In the last 2 years, our devices have detected a 
sharp increase in the use of ransomware to temporarily disable airline 
ticketing and support operations--air travel is a time-sensitive 
business, and cyber criminals know that they can extort quick payment 
from airlines that are unable to move passengers until their systems 
are decrypted.
    Finally, in addition to threats to the aviation sector's 
proprietary information, customer records, and systems that support 
flight operations, there are cyber threats intended to use aviation's 
prominent place in our lives as a means of creating psychological 
damage or political pressure. Airports in Europe, the Middle East, 
Southeast Asia, and here at home have had their websites defaced or 
disrupted, mostly by non-state actors seeking to draw attention to a 
particular political cause.
    The primary victim in these situations are members of the public 
who may wrongly fear that a loved one is at risk or grow in their 
distrust of flying, even though the affected systems may be public 
relations-focused and support no flight operations at all. The fear 
these operations cause is particularly pronounced when those outages 
are caused by groups affiliated with terrorists.
    In other cases, these virtual sit-ins that affect a company's 
website have, in limited cases, delayed takeoffs for airlines that also 
relied on those computers to make or distribute flight plans, though 
even these attacks did not have a direct effect on flight safety.
    It is important that officials and airline representatives 
communicating with the public during such events differentiate between 
taking down systems that cause inconvenience from those that directly 
support flight operations and passenger safety.
                               conclusion
    Thank you again for the opportunity to participate in today's 
discussion. Thank you for your leadership improving cybersecurity in 
the aviation sector. I look forward to working with you to strengthen 
the partnership between the public and private sectors and to share 
best practices to thwart future cyber attacks. I'm happy to answer any 
questions from the committee.

    Mr. Ratcliffe. Thank you, Mr. Porter.
    The Chair now recognizes Mr. Troy for his opening 
statement.

  STATEMENT OF JEFFREY L. TROY, EXECUTIVE DIRECTOR, AVIATION 
            INFORMATION-SHARING AND ANALYSIS CENTER

    Mr. Troy. Good morning. My name is Jeffrey Troy. I am the 
executive director of the Aviation Information-Sharing and 
Analysis Center. The Aviation ISAC is a global, member-driven, 
nonprofit company. Our member companies are headquartered on 
five continents and represent a cross-section of the many 
businesses that make up the aviation ecosystem.
    They include the makers of aircrafts, their engines, 
airlines, airports, satellite communication providers and 
aviation services, as well as their supply chains. The mission 
of the Aviation ISAC is to increase the cyber resiliency of the 
aviation sector across the world.
    Safety comes first in every aspect of the aviation 
industry. Cybersecurity is no exception. Each segment of our 
industry has numerous automated computer-based processes which 
contribute to the overall safety and efficiency of aviation. 
Each member of the Aviation ISAC has a chief information 
security officer or someone comparable who assumes the 
responsibility of protecting the computer networks and products 
that are performing the operations of the business and 
protecting them from cyber attack.
    The Aviation ISAC works with each CISO to understand their 
company's risk profile. We use this information to drive 
industry programs and to reduce cyber risk. The Aviation ISAC 
builds communities of experts within each of the specialties 
supporting the CISO. These include cyber threat analysts, 
compliance experts, network security architectures, and product 
security specialists.
    Each community leverages the combined capabilities of 
members to expedite the development of solutions and 
intelligence to either reduce or eliminate risk. We facilitate 
automated and in-person intelligence exchange training, best 
practices, and tabletop exercises. We proactively hunt for 
threats, stolen network access, indicators of compromise, and we 
engage with security researchers.
    Our focus is on finding information that can be used by the 
aviation industry to reduce cyber risk and increase operational 
resilience. Every business and every industry, including 
aviation, can only succeed when the needs and the concerns of 
the customers are met. This includes addressing misperceptions.
    Flying is the safest mode of transportation. However, there 
have been times over the past few years when persons 
incorrectly allege they were able to impact the safety of 
flight by hacking a system on a plane.
    The Aviation ISAC has addressed these issues head on. 
Working with industry and coordinating with Government 
partners, we play a leading role in investigating alleged 
vulnerabilities and conducting extensive testing to ferret out 
any vulnerabilities, validated or invalidated.
    The Aviation ISAC recognizes the value of the work of 
cybersecurity researchers in finding these vulnerabilities, 
even if the vulnerabilities are minor, contained, and do not 
pose a risk to flight safety. The aviation industry will 
continue to investigate vulnerability claims and take swift 
action when required. As of today, none of the vulnerabilities 
that have been investigated by the Aviation ISAC or its members 
have impacted the safety of flight.
    The Aviation ISAC is also pleased to have a strong and 
productive relationship with our Government partners. Indeed, 
liaison with Government was part of the founding idea of the 
Aviation ISAC. We collaborate in many forms and on a wide scope 
of aviation, cybersecurity-related projects.
    For example, in a recent engagement with a threat 
researcher who sensationalized the claim of being able to hack 
a plane, we kept both our industry members and Government 
partners well-apprised of our work to include the sharing of 
technical details. We engaged with the Department of Homeland 
Security, Transportation Security Administration, the Federal 
Aviation Administration, and the European Aviation Safety 
Agency.
    The aviation industry, like all industries with all 
extensive digital integration, has not declared victory, but 
rather is constantly engaged in the battle. As I said earlier, 
in aviation, security and safety comes first. Digital 
enhancements to processes are adopted at a deliberate pace to 
ensure that there is no impact to safety. Security around the 
digital processes begins in the design stages and runs through 
the build, deploy, operate, and continuously monitor phases.
    Air framers and their suppliers extensively test new 
technologies and design layered safety and security controls, 
both digital and physical, to ensure the highest level of 
safety in flight.
    We do not know what we do not know. Many vulnerabilities in 
computer systems were discovered years after the systems were 
designed and deployed. New technologies are being added to 
existing platforms. As such, our industry is constantly red-
teaming our systems and seeking to uncover issues before they 
become impactful.
    We believe safety and security are significantly enhanced 
when companies and Government agencies communicate on cyber 
threats and vulnerabilities. On behalf of all of our members, I 
thank you for the opportunity to come before you today and 
answer questions about cybersecurity and cyber resilience in 
the aviation industry.
    [The prepared statement of Mr. Troy follows:]
                 Prepared Statement of Jeffrey L. Troy
                           September 6, 2018
    Good morning. My name is Jeffrey Troy. I am the executive director 
of the Aviation Information-Sharing and Analysis Center. The Aviation 
ISAC is a global, member-driven, non-profit corporation. Our member 
companies are headquartered on 5 continents and represent a cross-
section of the many businesses making up the aviation industry 
ecosystem. They include the makers of aircraft, engines, airlines, 
airports, air traffic control, ground traffic control, satellite 
communication providers, and aviation services as well as their supply 
chains. The mission of the Aviation ISAC is to increase the cyber 
resiliency in aviation world-wide.
    Safety comes first in every aspect of the aviation industry, and 
cybersecurity is no exception.
    Each segment of our industry has numerous automated, computer-based 
processes, which contribute to the overall safety and efficiency of 
aviation. Each member of the Aviation ISAC has a chief information 
security officer (CISO) or someone comparable who assumes the 
responsibility of protecting computer networks and products performing 
the operations of the business from cyber attacks. The Aviation ISAC 
works with each CISO to understand their company's risk profile. We use 
this information to drive industry cooperation and collaboration on 
projects and programs to reduce cyber risk.
    The Aviation ISAC builds communities of experts within each of the 
specialties supporting the CISO. These include cyber threat analysts, 
compliance experts, network security architects, and product security 
specialists. Each community leverages the combined experience and 
intelligence capabilities of the members to expedite the development of 
solutions and intelligence to reduce or eliminate risk.
    We facilitate automated and in-person intelligence exchange, 
training, best practices, and table-top exercises. We proactively hunt 
for threats, stolen network access, indicators of compromise, and 
engage with threat researchers. Our focus is on finding information 
that can be used by the aviation industry to reduce cyber risk and 
increase operational resilience.
    Every business and every industry, including aviation, can only 
succeed when the needs and concerns of their customers are met. This 
includes addressing misperceptions. Flying is the safest mode of 
transportation. However, there have been times over the past few years 
when persons incorrectly alleged they were able to impact flight safety 
by hacking a system on a plane.
    The Aviation ISAC has addressed these issues head-on. Working with 
industry and coordinating with Government partners, we play a leading 
role in investigating alleged vulnerabilities, and conducting extensive 
testing to ferret out any vulnerabilities validated or invalidated. The 
Aviation ISAC recognizes the value of the work of cybersecurity 
researchers in finding cyber vulnerabilities, even if those 
vulnerabilities are minor, contained, and do not pose a risk to safety. 
The aviation industry will continue to investigate vulnerability claims 
and take swift action when required. As of today, none of the 
vulnerabilities that have been investigated by the Aviation ISAC or its 
members have impacted the safety of flight.
    The Aviation ISAC also is pleased to have a strong and productive 
relationship with our Government partners. Indeed, liaison with 
Government was a founding idea behind the creation of the ISAC. We 
collaborate in many forums and on a wide scope of aviation, 
cybersecurity-related projects. For example, in a recent engagement 
with a threat researcher who sensationalized a claim of being able to 
``hack a plane,'' we kept both our industry members and Government 
partners well-apprised of our work to include the sharing of technical 
details. We engaged with the Department of Homeland Security, 
Transportation Security Administration, the Federal Aviation 
Administration, and the European Aviation Safety Agency.
    The aviation industry, like all industries with extensive digital 
integration, has not declared victory, but rather is constantly engaged 
in the battle.
    As I said earlier, in aviation, safety comes first. Digital 
enhancements to processes are adopted at a deliberate pace to ensure no 
impact to safety. Security around the digital processes begins in the 
design stages and runs through the build, deploy, operate, and 
continuously monitor phases. Airframers and their suppliers extensively 
test new technologies and design layered safety and security controls, 
both digital and physical, to ensure the highest level of assurance in 
flight safety.
    We do not know what we do not know. Many vulnerabilities in 
computer systems were discovered years after the systems were designed 
and deployed. And new technologies are being added to existing 
platforms. As such, our industry is constantly red-teaming their 
systems and seeking to uncover issues before they become impactful.
    We believe safety and security are significantly enhanced when 
companies and Government agencies communicate on cyber threats and 
vulnerabilities. On behalf of all our members, I thank you for the 
opportunity to come before you today and answer your questions about 
cybersecurity and cyber resilience in the aviation industry.

    Mr. Ratcliffe. Thank you, Mr. Troy.
    The Chair now recognizes Mr. Stephens for 5 minutes for his 
opening statement.

STATEMENT OF MICHAEL A. STEPHENS, EXECUTIVE VICE PRESIDENT, IT 
        AND GENERAL COUNSEL, TAMPA INTERNATIONAL AIRPORT

    Mr. Stephens. Thank you, Mr. Chairman. Chairman Ratcliffe, 
Chairman Katko, Ranking Member Richmond, Ranking Member Watson 
Coleman, and Members of the subcommittee, good morning. My name 
is Michael Stephens. I am the executive vice president and 
general counsel for information technology for Tampa 
International Airport. We thank you for the opportunity to 
participate in today's hearing on the critically important 
topic of understanding and mitigating cybersecurity threats to 
our Nation's airlines, airports, and our critical aviation 
infrastructure.
    More than 2.5 million passengers travel safely in and out 
of America's airports each and every day. The largest 5 U.S. 
airports alone move more passengers through them on an annual 
basis than the entire population of the United States. Our 
airports facilitated the shipment of more than 40 billion 
pounds of cargo. In total, the aviation sector contributes 
approximately 5.1 percent to our National GDP.
    Aviation is essential, not only to our economic prosperity, 
but to our National security interests, as well. In order to 
meet the increasing demand of the needs of international 
commerce and the traveling public, virtually all of the 
essential airport operations and functions, as well as aviation 
safety, security, access control, navigations, communications, 
industrial systems controls, and emergency response systems 
must rely heavily on a multitude of technology applications and 
platforms.
    For that reason, it is my opinion, like the other witnesses 
here, that cybersecurity risks without question represent the 
most preeminent and persistent threat to the continuous safe, 
secure, and efficient operations of U.S. airports in the global 
aviation system.
    Airports and airlines defend against hundreds of thousands 
of malicious intrusion attempts each and every day. In short, 
computers, kiosks, and keyboards have become the newest tools 
of criminals and the new weapons of war. It is of paramount 
importance that we exercise increased urgency and vigilance to 
mitigate cybersecurity threats to our Nation's critical 
aviation infrastructure.
    While there is no silver bullet or perfect defense against 
cybersecurity threats within the aviation industry, there are 
some critical areas that I believe present great opportunities 
for airports, along with our airline partners and aviation 
stakeholders to achieve greater preparedness, responsiveness, 
and resilience.
    First, the adoption of a standard. Although airports and 
airlines and other aviation stakeholders have engaged in 
building and achieving the levels of cybersecurity capability, 
maturity, and resilience, there are currently no minimum 
standards or frameworks being used across the sector. In fact, 
according to a survey of U.S. airports by the Airport 
Cooperative Research Program and its guidebook on best 
practices for airport cybersecurity, only 9 out of 24, or 34 
percent, of airport respondents indicated that they had 
implemented a National cybersecurity standard or framework.
    I believe significant considerations should be given by 
airports and airlines to mandate within their respective 
organizations the adoption and implementation of established 
cybersecurity standards and frameworks.
    A second opportunity is what the witnesses who are joining 
me here today have talked about, and that is the increased 
sharing of information and threat intelligence, because it is a 
critical component for airports to assess our vulnerabilities 
and to enhance our preparedness and more effectively respond 
and recover in the event of a critical cyber incident.
    It is essential to have strength in information sharing, 
and consideration should be given to more proactive and broader 
disclosure within the sector by airports and airlines of 
cybersecurity incidents that meet an agreed-upon threshold, 
irrespective of whether or not the incident resulted in a data 
breach or a system compromise.
    Finally, the human factor. The human factor remains the 
most highly-exploited vector for penetrating cybersecurity 
defenses. Cybersecurity threat awareness and information 
security training programs for all airports, airline, and 
aviation sector employees is perhaps the most effective and 
cost-efficient way of increasing airport and airline 
cybersecurity readiness.
    Airports and airlines should be giving strong consideration 
to adopting uniform standards which establish baseline training 
requirements for airport, airline, and other key aviation 
sectors' employees on a defined and reoccurring basis.
    As the adoption of current and future technologies 
increases to support the aviation sector, the threat of 
disruptive cyber attacks on airports, airlines, and critical 
aviation information sector systems undoubtedly will increase, 
as well. Evolution toward a more effective cyber risk 
management mitigation strategy by airports, key aviation sector 
stakeholders, through the adoption and implementation of 
baseline cybersecurity frameworks and standards is absolutely 
essential to the Nation's security and long-term prosperity.
    Again, I thank you for the opportunity to testify before 
you all today, and I look forward to answering any questions 
that you may have.
    [The prepared statement of Mr. Stephens follows:]
               Prepared Statement of Michael A. Stephens
                           September 6, 2018
    Chairman Ratcliffe, Chairman Katko, Ranking Member Richmond, 
Ranking Member Coleman, and Members of the subcommittees, thank you for 
the opportunity to participate in this hearing on the critically 
important topic of understanding and mitigating cybersecurity threats 
to our Nation's airlines, airports, and National aviation system.
    According to the Federal Aviation Administration (FAA), more than 
2.5 million passengers fly in and out of America's airports each and 
every day. The most recent available statistics show U.S. airports 
facilitated the shipment of more than 40 billion pounds of cargo. In 
total, our Nation's airports along with our airline partners and all 
other aspects of the aviation industry contribute more than 5.1 percent 
to our National GDP. By any standard, airports, particularly our 
commercial airports are incredibly complex, connected critical 
infrastructure ecosystems that are essential not only to our Nation's 
economic prosperity, but to our National security as well.
    The size and scope of operations, as well as the passenger volume 
in our Nation's airports is vast. The FAA classifies the Nation's 30 
largest airports by passenger volume, as large hub airports. Tampa 
International is in that category. Out of those 30 airports designated 
as large hubs, the top 4 or 5 have more passengers flowing through them 
on an annual basis than the entire population of the United States.
    As with most industries, to meet the increasing demand and needs of 
international commerce and the traveling public, airports along with 
our airline partners, have increasingly relied on technology out of 
operational necessity and to enhance passenger safety, security, and 
convenience. The ubiquitous use of technology has made airports, 
airlines, and global aviation more efficient and has undergirded and 
facilitated the tremendous growth of global mobility, commerce, and 
connectivity. However, as a result of our increasingly interconnected 
and technologically-dependent world, airports and airlines, like other 
industries, face significant challenges from a looming cyber threat 
environment.
    In today's modern and technologically-advanced airports, there are 
virtually no areas or functions that do not rely at some level on a 
digital network, data transfer, computer application, or interface with 
the internet. Virtually all functions that are essential to airport 
operations, as well as aviation safety and security, such as access 
controls, navigation, airfield lighting, communications, industrial 
system controls, and emergency response systems rely heavily on a 
multitude of technology applications and platforms. Moreover, airport 
information systems contain or process tremendous amounts of sensitive 
data such as passenger manifests, security plans, and data containing 
financial and personally identifiable information (PII).
    The operational importance of these systems coupled with the fact 
that they are often interconnected through networks and remote access 
points makes airports immensely appealing targets and potentially 
vulnerable to malicious cyber threats, such as criminal organizations 
and state-sponsored actors.
    Given the rapidly-growing reliance on technology as well as the 
implementation of future technologies such as Next Generation Air 
Transportation System (NextGen) and remote air traffic control towers, 
it is my opinion that cybersecurity risks without question represent 
the preeminent and persistent threat to the continuous, safe, secure, 
and efficient operations of U.S. airports and the global aviation 
system.
    One of the clearest examples of this threat to aviation safety and 
security was confirmed by the FBI and the Department of Homeland 
Security (DHS), Computer Emergency Readiness Team (CERT) earlier this 
year when they officially acknowledged that hackers attempted to 
penetrate the U.S. civilian aviation, energy, and other critical 
infrastructure sector networks. CERT released a report on March 15 
detailing what were believed to be State-sponsored cyber efforts that 
targeted ``U.S. Government entities as well as organizations in the 
energy, nuclear, commercial facilities, water, aviation, and critical 
manufacturing sectors.'' The attempted attack was determined by 
intelligence assessments to be a sophisticated and coordinated assault 
that could have resulted, if successful, in significant potential 
disruptions to our critical infrastructure.
    Imagine if you will, the potential dire consequences of a 
successful coordinated cyber attack on any one or more of our large hub 
airports. The potential resulting disruption, chaos, and economic harm 
could be enormous. Consider the consequences of a single non-cyber-
related disruption that occurred at Atlanta International Airport in 
December 2017. In that instance, a power failure at Hartsfield-Jackson 
disrupted operations at the world's busiest airport, which resulted in 
the cancellation of more than 1,150 flights and stranded thousands of 
passengers in terminals and on planes for hours. The power failure at 
the airport, which moves more than 100 million passengers a year and 
serves as a major hub for domestic and international flights, led to 
additional disruptions across the country and affected flights in 
Chicago, Los Angeles, and abroad.
    The full economic impact resulting from this incident is still 
being fully assessed but conservatively the estimated losses in 
productivity as well as direct costs could be well in excess of $40 
million. The power disruption in that instance was determined to have 
been caused by fire in a critical airport electrical node. However, had 
the incident been the result of a cyber attack, the consequences of 
disruption, psychological impact, and costs could have been far 
greater.
    In short, computers, keyboards, and kiosks have become the newest 
tools of criminals and the new weapons of war, and it is of paramount 
importance that we exercise increased urgency and vigilance to 
anticipate, identify, and mitigate cyber threats to our Nation's 
airlines, airports, and aviation system critical infrastructure. Given 
the nature of these existing and growing threats, proactively 
implementing standards, protocols, and counter measures to protect 
ourselves against potential catastrophic system disruption must be one 
of our highest priorities.
    While there is no perfect defense against cybersecurity threats 
within the aviation industry or any industry for that matter, there are 
critical activities that we must undertake to mitigate as many risks as 
possible. For the purposes of this hearing, I have distilled my remarks 
down to three critical areas that I believe present the best 
opportunity for airports along with our airline partners and aviation 
sector stakeholders to achieve greater preparedness, responsiveness, 
and resilience.
                      mandatory minimum standards
    Under the Federal Information Security Management Act (FISMA), 
which defines a comprehensive framework to protect Government 
information, operations, and assets against natural or man-made 
threats, Federal agencies are required to adopt and implement a 
baseline National standard for cybersecurity preparedness. In 2013, 
President Obama issued Executive Order (EO) 13636, Improving Critical 
Infrastructure Cybersecurity, which called for the development of a 
voluntary risk-based cybersecurity framework that is ``prioritized, 
flexible, repeatable, performance-based, and cost-effective.'' 
Subsequent Executive Orders and Presidential Directives have also been 
issued to address and respond to the ever-changing cybersecurity threat 
landscape and strengthen the requirements by Federal agencies for 
ensuring and maintaining a baseline level of preparedness.
    Although airports, airlines, and other aviation stakeholders have 
engaged in building and achieving various levels of cybersecurity 
capability, maturity, and resilience, there are currently no 
significant requirements for adherence to minimum standards for 
preparedness. According to a survey of airports in the United States, 
by the Airport Cooperative Research Program (ACRP) as published in 2015 
in its Guidebook on Best Practices for Airport Cybersecurity, only 9 
out of 24 (34 percent) of airport respondents indicated that they had 
implemented a National cybersecurity standard or framework.
    I believe that we are at a point in the growing threat environment 
where voluntary compliance is no longer adequate. I believe that strong 
consideration should be given by Congress and by regulatory agencies 
such as the FAA and Transportation Security Administration (TSA) which 
have primary responsibility for oversight and regulation of aviation 
operational safety and security respectively, to mandate the adoption 
and implementation of uniform minimum cyber security standards and 
frameworks. The National Institute of Standards and Technology (NIST) 
Framework for Improving Critical Infrastructure for Cybersecurity 
provides robust and comprehensive guidance for establishing minimum 
standards for the aviation sector.
    Such a baseline cybersecurity framework would not replace an 
existing cybersecurity program that an organization already has in 
place. The framework would be used to augment, enhance, and strengthen 
any existing program and align it with best practices for greater 
coordination and effectiveness throughout the aviation industry. For 
airports, airlines, and key stakeholders that do not have a baseline 
cybersecurity program, such a requirement would ensure a minimum level 
of readiness and facilitate the development of greater preparedness and 
program maturity.
           cybersecurity information sharing & communication
    While one of the stated objectives of EO 13636 focused on 
increasing information sharing between Government and the private 
sector, it has not been as effective as it could be due to the 
voluntary nature of the program. The sharing of information and threat 
intelligence is a critical component to assessing airport and aviation 
sector vulnerabilities, enhancing our preparedness, as well as giving 
airports and our airline partners the ability to more effectively 
respond and recover in the event of a cybersecurity incident.
    Often information-sharing practices within the aviation sector have 
been reactive versus proactive. A voluntary information-sharing program 
may have arguable utility when reacting to and recovering from a cyber 
incident, but often possesses minimized utility effectiveness in 
preventing an incident when not shared in a timely manner.
    To strengthen information sharing, consideration should be given to 
requiring mandatory disclosure of cyber incidents that meet an agreed-
upon threshold irrespective of whether or not the incident resulted in 
a data breach or system compromise. Information-sharing standards 
should ideally address whom the information should be shared with and 
its confidentiality within the industry in line with the protections 
currently afforded to airport System Security Information (SSI).
    Recent laws such as the Cybersecurity Information Sharing Act 
(CISA) and the corresponding programs such as the DHS Cyber Information 
Sharing and Collaboration Program (CISCP), if coupled with the 
implementation of mandatory minimum standards within the aviation 
sector, may help to accelerate the progress of information sharing and 
collaboration. However, mandating a minimum common standard and 
enhancing opportunities to share critical cybersecurity threat 
intelligence in a timely manner, will ultimately result in greater 
industry-wide capability to combat cybersecurity risks.
         information security awareness and workforce training
    Notwithstanding the most effective program standards, technological 
cybersecurity defenses and threat intelligence information-sharing 
efforts, the human factor remains the most highly exploited vector for 
penetrating cybersecurity defenses within the aviation sector.
    Cybersecurity threat awareness and information security training 
programs for all airport, airlines, and aviation industry employees is 
perhaps one of the most effective and cost-efficient ways of increasing 
airports' and airlines' cybersecurity readiness. The NIST ``Framework for 
Improving Critical Infrastructure Cybersecurity'' (NIST 2014) 
specifically indicates that cybersecurity awareness and training is a 
critical and indispensable component to an entity's overall 
cybersecurity program.
    Numerous resources are available for cybersecurity training at the 
Federal, department, and State level. According to the survey of 
airports in the United States, by the Airport Cooperative Research 
Program (ACRP) as published in 2015, 20 of 27 (74 percent) of the 
responding airports indicated that they engage in some form of employee 
information security awareness training. However, due to the multitude 
of differences within airport governance and organizational structures, 
the scope, depth, and quality of training may vary significantly from 
airport to airport. Numerous additional factors may also adversely 
impact the quality and scope of training such as availability of 
budgets, subject-matter expertise and adequate buy-in from senior 
management. Adopting and requiring a uniform standard which establishes 
a minimum training requirement for airport, airlines, and other 
aviation-sector employees on a defined and reoccurring basis should be 
given strong consideration by Congress and appropriate aviation sector 
regulatory agencies such as the FAA and TSA.
                               conclusion
    Our Nation's airports, airlines, and other critical aviation 
infrastructure are heavily reliant on information technology and 
complex data networks to support the growing demands of our economic 
and strategic interests. As the adoption of current and future 
technologies increases to support the aviation sector both here and 
abroad, the threat of disruptive cyber attacks on airports, airlines, 
and critical aviation information systems and data will undoubtedly 
increase as well. Evolution toward a more effective, non-voluntary 
cyber risk mitigation strategy against this pernicious and imminent 
threat must be undertaken proactively and with a renewed sense of 
urgency. The need for increased assistance and improved regulatory 
oversight, as well as the urgent adoption and implementation of a 
baseline cybersecurity protection framework and standard for 
information sharing and workforce training, is absolutely essential to 
the Nation's security and long-term economic prosperity.
    Thank you again for the opportunity to testify before you today. I 
look forward to answering any questions you may have.

    Mr. Ratcliffe. Thank you, Mr. Stephens. We will now move 
into the questioning portion of our hearing. I will recognize 
myself for 5 minutes.
    Mr. Porter, I want to start with you. FireEye has been very 
vocal about APT33 and its links to the Iranian government. 
APT33 has targeted, among other things, Middle Eastern carriers 
and airports and utilities. So I want your perspective on how 
Iran is using cybersecurity as a geopolitical tool. More 
specifically, how does--if you can get into how breaching the 
airlines and airports of its neighboring countries furthers the 
geopolitical goals of the Iranian regime?
    Mr. Porter. Sure, thank you, Mr. Chairman. The perspective 
that I have on what Iran and all the other major antagonists of 
the United States and its allies, they basically are all 
engaged in the same class of activity, which is, for the most 
part, they are looking at domestic security, so, you know, 
looking at traveler movements and that sort of thing.
    So for them, it is probably viewed mostly as a domestic 
security issue, looking at what is going on in the region. It 
is, however, also an opportunity for them to look at what the 
United States is doing with its partners, intelligence 
gathering in support of military operations or in support of 
their own technological and economic development.
    So I think for them they would view it as it naturally 
being in their backyard to look at this from a security 
perspective, not necessarily--as I mentioned in my opening 
remarks, not necessarily an attack.
    The thing to keep in mind, Mr. Chairman, is that any 
foothold that any adversary gets into a system that is used for 
cyber espionage, which is widespread and everyone does it, that 
can easily be turned into an attack. That same foothold can be 
used and turned, depending on the willingness of the aggressor 
as an attack vector. By attack, I mean disabling the computer 
system, not necessarily causing kinetic action against an 
airplane.
    But the primary restraint is not technological. It is going 
to be the willingness of the actor to do that.
    Mr. Ratcliffe. Perfect. I want to ask you a little more 
broad question, as--you know, innovation in technology widens 
the attack surface. I am wondering how FireEye is spending its 
time these days, in terms of what is the most frequent, most 
likely venue of attack with respect to the aviation sector?
    Mr. Porter. Sure. Thank you for that question, Mr. 
Chairman. If I were looking at it from an adversary's 
perspective, I think the real weakness of the aviation sector 
isn't going to be something like the airplanes themselves, 
which have a lot of resilience, and the class of actors that 
could bake in a destructive capability against an airplane by 
cyber means also have other means of disabling airplanes.
    So what I am primarily concerned about is reputational 
damage. Could you go out and make people think that airplanes 
are unsafe? Could you hack websites and then create the 
perception that it is no longer safe in a region? That could 
cause massive economic damage that a CISO sitting at an airport 
or an airline or a manufacturer would have a hard time 
defending themselves against, because they are not really the 
direct target. It is the system of interconnected computers, 
some of which may not even be under their physical control. It 
could be a third-party system that is compromised and used to 
draw attention to what--you know, alleged safety deficiencies.
    I would also say, secondarily, I am concerned that some 
actors that are capable of causing kinetic loss of airplanes 
through traditional, conventional means might claim that 
downing an airplane was the result of a hacker, in other words, 
there is no actual cyber threat, but the feasibility of it 
could be used to explain a loss by other means. So I think you 
could see that coming, as well.
    That is why it is important to keep the public, I think, 
just the right amount of scared, you know, enough to want to 
invest in defense and resilience, especially, but not 
necessarily assuming that every case of cyber espionage is 
leading to an attack. Because that is another way of 
interpreting my remarks, is that if cyber espionage is 
pervasive and there is no attacks happening, that will imply 
that the willingness to do so isn't there at this time. People 
should keep that in mind, as well.
    Mr. Ratcliffe. I want to move to you, Mr. Troy. The 
transportation sector--and of course, within that, the aviation 
industry has two sector-specific agencies that they have to 
work with in the Department of Transportation and the 
Department of Homeland Security. As I referenced in my opening 
statement, TSA, NPPD, FAA, they all have equities in this 
space.
    I want your perspective from the ISAC perspective, I guess, 
with regard to what I mentioned in terms of how well those 
entities are sort-of playing with one another in that space and 
whether or not there needs to be greater clarity with respect 
to the roles or issues that we need to be aware of in 
addressing.
    Mr. Troy. So the Aviation ISAC, we have a lot of 
touchpoints with each of those agencies. When the Government 
set up each of the 16 critical infrastructure sectors, they 
created the Government coordinating committees and on the 
industrial side the sector coordinating committees for each of 
the sectors.
    So the Aviation ISAC is a part of the aviation sector 
coordinating committee. Through that, we meet regularly with 
each of those different agencies and work on the highest-
priority projects for protecting the sector.
    Separately, we have a person that is on the floor of the 
NCCIC inside of NPPD. We have a person who is daily at the 
ADIAC, the Air Domain Intelligence Analysis Cell, which is run 
by the TSA, and we have routine engagement with the FAA.
    So I would characterize each agency as very much 
understanding what their different roles are and through those 
and other forms that they are protecting--working well in terms 
of efforts to protect the sector.
    I would like to also recognize that NPPD's movement toward 
this risk management center I think is a very good move to see, 
because I think risk management frameworks, which were 
mentioned also by Mr. Stephens, are a critical part of the 
process in terms of maturing the cybersecurity capability of 
each of the segments inside the industry.
    Mr. Ratcliffe. Thank you. My time has expired.
    I recognize the gentlelady from New Jersey, Mrs. Watson 
Coleman.
    Mrs. Watson Coleman. Thank you, Mr. Chairman, and thank you 
to each of you for the information you have shared with us 
today.
    Mr. Stephens, I want to start with you. You represent an 
airport. Are airports currently required to include any 
cybersecurity measures in their plans?
    Mr. Stephens. Congresswoman Watson Coleman, thank you for 
that question. At this time, there is no absolute requirement 
to do so. The governing regulations 14--excuse me, 49 CFR part 
1540, which is administered primarily by the TSA, has primarily 
been focused on physical security, access to the sterile 
airside areas, making sure SIDA badges are checked, all of those 
types of things.
    But as all of you have pointed out correctly, the 
cybersecurity element has penetrated the domain of the physical 
security element, and yet that similar type of posture hasn't 
been moved over to address the baseline standard on the 
cybersecurity side for airports.
    Mrs. Watson Coleman. Thank you. So if you are not aware, 
though, pretty sure that you in general, and Mr. Porter and Mr. 
Troy, aren't aware of any required standards, either?
    Mr. Troy. No, I am not.
    Mrs. Watson Coleman. Thank you. Mr. Stephens, you indicated 
three things that I thought were really important--the adoption 
of standards, the increased sharing of information and threat 
analysis, and the human factor of baseline training.
    Mr. Stephens. Yes, ma'am.
    Mrs. Watson Coleman. What do you believe is the role of the 
DHS and the TSA in each of those things? Is this a matter of 
additional resources or prioritization?
    Mr. Stephens. Well, again, that is a great question. 
Resources are always an issue, but I think that prioritization 
is one of the critical areas that we have to focus on. Again, 
there are fantastic standards out there. DHS and the Federal 
Government implementing the NIST standard is an excellent 
standard out there, except that there hasn't been broad and 
widespread use of those standards in the aviation sector, 
particularly with respect to airports.
    DHS, for example, offers cybersecurity and WiFi testing. We 
have used and taken advantage of it at Tampa International. It 
has been a great tool. So there are tools out there. I think 
there has to be a more aggressive posture with airports and the 
airline industry in actually leveraging and using those tools.
    Yes, that may be a function of resources. I know DHS is 
tasked heavily just trying to implement the requirements of the 
statute on the Federal side, so there is an issue there. But 
then second, the training element is important. I do believe 
that there may be some room for at least having airports adopt 
a baseline standard.
    Again, as we like to say in our industry, you have seen one 
airport, you have seen one airport, because they are governed 
very differently, their structures are set up very differently. 
But having the notion of a baseline cybersecurity standard I 
think goes a long way.
    Mrs. Watson Coleman. So, gentlemen, I am very concerned 
about land transportation, train stations, freight, you know, 
all those things, buses. Do you believe that what we could 
develop to be more proactive and represent greater protection 
on cybersecurity threats in the aviation industry can also be 
applied to ground transportation systems?
    Mr. Stephens. You know, I would like to maybe start on 
that, because before I became the general counsel and CIO for 
the aviation authority, I was with surface transportation, our 
equivalent of DC Metro. The exact same risks are out there, 
when you look at things like automated train control, when you 
look at signalization, when you look at signalization and 
priority at all of our crossing points.
    So the exact same risks exist. I think the difference to a 
certain extent--and this may be anecdotal--there is a more 
pervasive feeling from the--you know, the traveling public when 
you think about catastrophic attacks or disruptions in 
airports. I mean, if you look at Atlanta, what happened with a 
fire incident that was not related to cybersecurity, you are 
talking about passengers being stranded on airplanes and in 
terminals for hours, $40 million worth of direct value lost. 
But the exact same threats exist on the surface transportation 
side, absolutely.
    Mrs. Watson Coleman. Thank you. Mr. Troy, Mr. Porter, you 
might have a comment on that?
    Mr. Troy. I would agree with that statement that there are 
systems that are--have common functions in terms of helping to 
move the industry. As we move toward smart cities and more and 
more of the controls, again, are automated, they run that risk 
that those industrial security control tools, which are common 
across the industries, could be under attack.
    Mrs. Watson Coleman. Thank you.
    Mr. Porter. Yes. Leaving aside discussion of the attack 
surface, the shared technology I think, the same sort of 
adversaries that would be interested in disrupting one would be 
interested in disrupting the other. We do see that they use the 
same infrastructure to attack both. So information sharing 
would help both.
    Particularly for--I think for military logistics, for 
example, you have got a long train--no pun intended--between 
the United States and wherever soldiers are deploying and for 
their equipment. It is going to go over a variety of methods, 
individual mom-and-pop trucking companies, trains, you know, 
air freight, and it may eventually end up in a naval port 
loading onto a Navy ship.
    So if you can disrupt any one of those, even if it is 
civilian-owned and -controlled, you can, you know, disrupt a 
deployment ability. So certainly I would agree that it is 
valuable to pursue.
    Mrs. Watson Coleman. Thank you, gentlemen. I yield back, 
Mr. Chairman.
    Mr. Ratcliffe. Thank the gentlelady. The Chair recognizes 
the gentleman from New York, Chairman Katko, for 5 minutes.
    Mr. Katko. Thank you, Mr. Chairman. I appreciate all of 
your testimony here today. I just want to circle back for a 
moment back to my opening statement, and some of the things I 
noted in there about how systems could be paralyzed and the 
concern with SIDA access, as well as airplane and rail security 
itself.
    Mr. Porter, you kind-of alluded to that. You didn't think 
it is as likely to have an attack on--a cyber attack on a rail 
or airplane that could basically weaponize it. Is that 
accurately portraying what you said?
    Mr. Porter. You know, I don't want to get too much into 
specifics and mislead you about my expertise. I can't--I would 
defer, I think, to the DHS study on the feasibility. I just 
think it is much more likely that the reputational damage 
scenarios are much more likely to occur.
    However, I did note in your opening remarks and I certainly 
would agree, Mr. Chairman, that the sort of nightmare scenarios 
where a plane or something like that is weaponized probably 
involves someone getting physical access. I think that opens up 
a whole different world of opportunities for cyber attack.
    So to minimize the chance of that happening, certainly 
physical controls are going to be, arguably, from my 
perspective, one of the most important ways of addressing that 
particular concern. As others on the panel have pointed out, 
you never know what you don't know, and a dedicated adversary 
could, of course, research a very specific vulnerability, but 
even then it might require physical access. I think that is a 
great thing for us to focus on defensively.
    Mr. Katko. Yes, and that kind-of gets to my point. These 
threats are real. I mean, we are talking about things kind-of 
at the 30,000-foot level, but let's face it. I mean, the 
threats we have, since I have been a Congressman, I have had my 
stuff hacked. Somebody tried to open up accounts for me in my 
name on the West Coast, bank accounts. That was a direct result 
of my Government records being hacked.
    So I don't think there is many people in this room who 
haven't had some sort of a cyber attack perpetrated upon them. 
So to think of the vulnerabilities that are at these airports 
and the ones I spoke about, to name a few, and the access 
controls is a huge issue for me, too. Then to hear what Mr. 
Stephens said, which was shocking to me, was that on a survey 
of the 24 airports, whatever it was, less than a third said 
they have implemented any sort of cybersecurity strategy, that 
is in line with what you are thinking. That is frightening to 
me. That is absolutely ridiculous that we countenance that.
    So to all of you, I want to hear what you think we should 
be doing to address that.
    Mr. Stephens. Mr. Chairman, I think one of the first areas 
is a greater insistence and urgency that maybe just falls very 
short of the notion of wholesale regulation, but to make sure 
that airports when we do our security checks, when TSA comes to 
check under their governing provisions and when FAA checks for 
airfield security, that there is some consideration of checking 
to see if an airport at least has a basic cybersecurity 
protocol in place to identify, react, respond----
    Mr. Katko. May I interrupt? I am sorry to interrupt you, 
but I am short on time and I did want to make sure I get to 
this. Do I understand you correctly, when they come and do 
airport assessments, they don't assess the cyber 
vulnerabilities of the airports?
    Mr. Stephens. They don't assess the cyber vulnerabilities 
of the airports. That is correct.
    Mr. Katko. What do you think about that?
    Mr. Stephens. Well, you know, I think we can do a better 
job, as I said, across the sector. Right now, airports, 
airlines, and all other aviation sector components have a 
vested interest in doing it. We want to protect the traveling 
public. So we go above and beyond.
    I would say that we are not the only ones across the 
industry. We do a good job. But if we are talking about 
partnering and making sure that there are clear command, 
controls, and communications between Government and the 
oversight agencies, as well as the airports in the sector, key 
components, then there needs to be a more urgent need to adopt 
some of those standards.
    Mr. Katko. Thank you, Mr. Stephens. Mr. Troy, Mr. Porter, 
you want to add anything to that?
    Mr. Troy. I really--Mr. Stephens, I think I agree with his 
statements and he is well-positioned with his background, I 
think, to make those best observations.
    Mr. Katko. OK. Mr. Porter.
    Mr. Porter. Yes, I would agree and also--and deferring to 
Mr. Stephens. I think from other sectors, having those 
standards certainly does have an impact and raise its bar. It 
did in the finance sector. I think there is reason to think 
that it would in aviation, as well.
    You know, for me, I want to make sure that any standards 
that are put in place not only focus on security, but 
resilience. Can the airport operate without internet access for 
a short period of time? Can people still, you know, do some 
basic level of operation? There will be some disruption no 
matter what, but I think that is an area that across all 
sectors, you know, we are falling behind on as the opportunity 
to make sure that operations aren't totally disrupted when the 
internet or internet-connected device is brought down.
    As long as we are held hostage by our technological and 
economic success, that is going to be a vulnerability, a 
strategic vulnerability for us as a Nation.
    Mr. Katko. OK. Mr. Chairman, just 1 quick second and a 
follow-up with Mr. Stephens. You are at Tampa Airport, correct? 
That is where you have your cyber systems that you oversee, 
correct?
    Mr. Stephens. Yes, sir.
    Mr. Katko. All right. Why in God's name wouldn't the other 
airports be doing the same thing?
    Mr. Stephens. Well, Chairman, I don't want to go as far as 
to say other airports aren't. I am sure that they are. But as I 
said in my written remarks, because of the governing structures 
in airports, so, for example, the largest airport, busiest 
airport in the world, Hartsfield-Jackson, that was referenced 
earlier, it is a subset of the city of Tampa, just like water 
and sewage--excuse me, of city of Atlanta, just like water and 
sewage.
    Tampa International is an independent aviation authority, 
so we have more agility in implementing certain things. Another 
one, Chicago O'Hare, a subset of the city of Chicago. So when 
you look at it from that standpoint, airports are definitely 
doing things. I think they recognize the value for all the 
reasons that the other witnesses have mentioned. It is just 
that there is not necessarily a level of consistency.
    As I pointed out, when that survey was conducted, only 34 
percent had a baseline standard, and we have to do better as an 
industry.
    Mr. Katko. Thank you very much. Appreciate all your 
testimony.
    Mr. Ratcliffe. Thank the gentleman. The Chair now 
recognizes the gentlelady from Florida, Ms. Demings, for 5 
minutes.
    Ms. Demings. Thank you so much, Mr. Chairman. Good morning 
to each of you. Thank you so much for being here with us today. 
Mr. Stephens, I welcome you from my home State of Florida.
    As we all know, September 11 was one of the darkest days in 
American history. On that very dreadful day, I was assigned as 
a police commander to the Orlando International Airport. There 
is no doubt since that time we have really come a long way in 
terms of ensuring the safety of the traveling public.
    But it does appear--and I am more convinced now than ever 
just listening to your testimony this morning--that the area of 
cybersecurity still appears to be or continues to be somewhat 
of a mystery. We still have much work to do.
    I remember a long time ago as a law enforcement officer, we 
were told that you cannot fight today's battles with 
yesterday's weapons. As we have talked about, you know, some 
physical things that we have certainly kept up with to ensure 
the safety of our airports, cybersecurity just does not appear 
that we are quite there yet. But I am sure we will get there.
    Mr. Troy, you were quoted recently in Bloomberg commenting 
on DHS and the FBI reports that Russian hackers attacked some 
aviation sector companies during assaults on U.S. critical 
infrastructure in 2017. In your view, have reports about State-
sponsored attacks on aviation systems had a measurable impact 
on the way aviation sector executives view cybersecurity?
    Mr. Troy. Yes, we have seen that the information that we 
have been able to share with the Government partners and 
amongst our member companies has absolutely driven them to up 
their game with respect to their cybersecurity programs and in 
some instances actually reprioritize certain projects they were 
working on.
    Ms. Demings. I have also heard each of you talk about the 
importance of information sharing, and I know that there have 
been or continues to be some issues, especially between the 
public and private sector. You know, I have heard some say that 
the private sector is more willing to share information, but 
then the public sector are not so much.
    So I would just like to hear from each of you--or perhaps 
Mr. Stephens or Mr. Troy--about what role do you think that DHS 
or the TSA can play in improving the information sharing or 
being more proactive in that area?
    Mr. Stephens. So, Congresswoman Demings, I would start by 
saying that some of the information sharing that happens now, 
while it is good, sometimes it is not as fresh as we would like 
the information. Sometimes it is post facto. So I think they 
certainly can be more proactive.
    There are certainly DHS resources that allow for 
information sharing--AIS, which is the automated indicator 
sharing system. But, again, those tools are out there, but how 
broadly disseminated they are to airports and to key aviation 
sector members is going to demonstrate the adoption of them and 
what their utility is going to be.
    We actively look out there to see what tools are available. 
The resources that are out there from DHS we actively try to 
get everything that we can, where we can, but I think there has 
to be more proactive real-time sharing of information.
    Finally, I would say one of the things that we are doing, 
for example, at Tampa International, in fact, today it is 
happening, our regional security director with TSA and our 
planning and development folks are meeting to look at how we 
can create our own threat fusion center where we have the 
airport operations center, CBP, TSA, other tenant agencies all 
collocated in one place.
    In many airports, based on the structure, they are just 
simply not. Someone may be in discrete locations on the airport 
or maybe not even at the airport altogether. So I think more 
creative efforts to look at how we can break down those 
barriers to enhance information sharing is going to be critical 
to success.
    Ms. Demings. Mr. Troy, anything to add to that?
    Mr. Troy. Yes, so as I mentioned earlier, I really like 
seeing DHS move into this risk management center. That really 
shows a strategic shift, which we think is critically 
important.
    The sharing of information is only valuable when you are 
sharing information that is of value. That is one of the 
concerns that we have. We just don't want noise where the lots 
of indicators and the information moving across everybody and 
saying, wow, look, we are all sharing, this is great.
    What we are looking for is kind-of a process that we use in 
the Aviation ISAC called risk registers, where we are actually 
looking to see what is really the biggest risks that you are 
worried about and where is there information that can help 
reduce those risks and close up those particular gaps.
    So as Mr. Stephens mentioned, for example, there is many 
airports--and I agree with the statement, there are many 
airports that really don't have a cybersecurity plan yet. It is 
difficult to understand how you can help someone who is not 
sure what their plan is.
    So this process of helping people get their plans into 
place and then being able to use that information to develop 
the requirements for the types of information that can help 
them.
    Ms. Demings. Thank you. Mr. Porter, very quickly, anything 
to add?
    Mr. Porter. Sure. Nothing specifically on current 
information-sharing programs. I think it is just worth the 
subcommittee's considering and keeping in mind that the front 
line in the fight is going to be the private sector. I think if 
that were the guiding principle for, you know, Executive branch 
information sharing, it would be very different.
    I think oftentimes it is viewed as an addendum to core 
responsibilities and not actually a core responsibility. But 
the fight is in overwhelmingly the private sector, private 
individuals, private companies, privately-owned infrastructure.
    Ms. Demings. Thank you so much. Mr. Chairman, I yield back.
    Mr. Ratcliffe. Thank the gentlelady. Chair recognizes 
gentleman from New York, Mr. Donovan, for 5 minutes.
    Mr. Donovan. Thank you, Mr. Chairman. Being from New York, 
Mr. Stephens, I welcome you, too, because all my voters 
actually move down to you.
    Mr. Porter, you made a great distinction between attacks that 
may inconvenience our travelers, whether it is the ticketing 
system going down, versus the things that might be dangerous or 
harmful to passengers. We had seen examples of someone with a 
laptop taking over one of these autonomous vehicles, driverless 
vehicles. Is that possible with an aircraft?
    Mr. Porter. That is not research that our company pursues 
independently. So I would have to defer to the aircraft 
manufacturers and the DHS report. I find the concern certainly 
credible enough that when our customers ask, we say that it is 
a credible threat, but we--you know, we generally refer that to 
specialists at the manufacturers or at DHS and others who have 
done the studies.
    Mr. Donovan. I see. Mr. Troy, Mr. Stephens, do you have a 
comment on that?
    Mr. Troy. So our members have not seen a credible report 
that has come in to them regarding the ability to hack a plane 
in a way that affects systems critical to flight. In my 
statement, I also said we don't know what we don't know. So the 
continuous monitoring, the continuous red-teaming, and the 
continuous process of safety integration of new systems 
constantly goes on in our industry to prevent that type of an 
attack from occurring.
    Mr. Stephens. Congressman, I would agree with my fellow 
witnesses from an aircraft perspective, but what I would offer 
is the perspective--I used to be a former air traffic 
controller in the U.S. Air Force. What I would offer is the 
perspective of industrial controls for our NAVAIDs. I think 
that there are vulnerabilities potentially there, if you look 
at some of the studies, particularly as the FAA looks to moving 
toward next gen, right?
    There is the ability potentially to spoof, you know, global 
positioning information systems. So there lies and exists a 
potential threat, whether we are talking about specifically on 
the aircraft, but certainly as the aircraft is approaching the 
surface where it needs to be able to land. We need to make sure 
that the same type of cybersecurity protections are in place 
for all of our NAVAIDs and all of our airport safety devices.
    So that--from my perspective, that is why I think there is 
a particular more credible threat.
    Mr. Donovan. Yes. You must be reading my notes. My next 
question was about the air traffic control system and someone 
compromising that while we have aircraft in the air, aircraft 
landing, aircraft trying to take off, and the dangers that 
would pose.
    One issue if this happens when everything--every aircraft 
is on the ground, but I forget how many aircraft were in the 
air that fateful day that Ms. Demings spoke about that we had 
to put down on the ground, and if that system was compromised, 
how dangerous that would be.
    This may piggyback on my first question and may be out of 
your realm, but in many of the things that we speak about on 
Homeland Security Committee, we talk about component parts. The 
compromising component parts is something that is put together 
elsewhere, whether our aircraft is built outside the United 
States or whether built here, but we have component parts 
coming in from outside, and if a compromised component part is 
built into the making of that aircraft, how dangerous that 
could be.
    Are there measures in place to assure us that component 
parts would not jeopardize the aircraft after--while it is 
being made?
    Mr. Troy. Yes, so our industry, again, is incredibly 
focused on safety. Even in the example of the information 
coming in through an air traffic control system, that is a 
single point of information coming in to the cockpit. The 
systems are not designed to rely on one piece of information or 
one source of information.
    They are built in redundant ways in order to make sure that 
if a system did fail, there are ways to validate whether or not 
that system has failed and then other systems are in place to 
be able to leverage in those instances. That same process is 
also used with respect to the supply chain, so equipment is 
tested extensively, as it is put into each of the products.
    You know, the products in the industry are much more than 
just the plane. I mean, there is many other products there. 
With the plane, again, the very high risk with anything that 
could impact critical flights, so there is going to be more of 
a--I would say more of a prioritization and more emphasis on 
those processes and that equipment.
    Mr. Donovan. I thank you all. Mr. Chairman, I yield the 
remainder of my time back.
    Mr. Ratcliffe. Thank the gentleman. Chair now recognizes 
the gentleman from Rhode Island, Mr. Langevin, for 5 minutes.
    Mr. Langevin. Thank you, Mr. Chairman. I want to welcome 
our witnesses this morning. Thank you for your testimony. I 
think it is a very important hearing on an important topic.
    So I was encouraged by the line of questioning and the 
answers on the--that Ms. Demings had raised about information 
sharing. When we passed the CISA law in 2015, it was with the 
hope that we are going to bring down those legal barriers that 
existed, that were supposedly preventing robust threat 
indicator, sharing information from happening.
    Unfortunately, now, 2 or 3 years later, we haven't--I think 
CISA has really yet lived up to what our hopes and expectations 
would be on info sharing. To date, there is only about 200 or 
so companies that are downloading information from DHS, that 
the Government is offering, and it is only about 6 or 7 
companies that are actually sharing threat information back 
with the--to DHS.
    So I find that troubling. Obviously, in an ideal world, we 
have robust information sharing of threat indicators, we had 
perfect situational awareness, we are going to go a long way 
toward better protecting our networks.
    Mr. Troy, let me ask you. Again, I was encouraged by your 
testimony affirming the value of companies and Government 
agencies sharing information about cyber threats. So how active 
are the Aviation ISAC and your sector's members in DHS's 
automated indicator sharing program? Is the airline industry 
sharing cyber incident data with DHS?
    Mr. Troy. So we have shared information with DHS numerous 
times over the past years that we are aware of that the 
Government actually turned it into an intelligence information 
report and the Government then shared that information amongst 
the Government. So we are proactively sharing with them, as I 
mentioned, information that we think is of value.
    The Aviation ISAC itself is not involved in the automated 
indicator sharing program. However, we have some members who I 
believe are involved in that program with DHS. As, again, I 
mentioned, our focus is really trying to stay away from noise 
and be focused on key information that is critical.
    Mr. Langevin. Why do you think it is that more in the 
airline industry aren't more proactively engaged with DHS in 
the AIS system? What do you see as--I understand that, you 
know, you talked about not just sharing noise, but context. But 
what other things could we be doing to incentivize or ensure 
that more information sharing is actually going to happen from 
the airline industry?
    Mr. Troy. Well, I think that the information that is of 
most value is getting shared. When information comes in, the 
way the Aviation ISAC works is that each member owns their 
data, so we ask them if they are willing to share this 
information beyond membership. We frequently get that thumbs-up 
from our members and are able to share that information with 
the Government.
    The Aviation ISAC also has a person who reports daily to 
the NCICC and has access to our information, is able to have 
those conversations going on with respect to that information. 
So I think that, you know, the key pieces are in place there 
with respect to the sharing of information.
    We are working with the DHS on what we think are some 
barriers to the sharing of information, and it has to do, 
really, with the classification of information by the 
Government. I, as was mentioned in my bio, I am former deputy 
assistant director of the cyber division of the FBI, so I am 
very familiar with the classifications of information and the 
challenges of that, particularly in the cyber area.
    I am constantly challenging the Government to take a look 
at information that it believes is--needs to be classified as 
cybersecurity information. A lot of the information that is 
obtained by the Government is in many, many places on the 
internet. Whether or not a source is at risk I think is a 
challenging question that we continue to push to see if more 
information could be shared.
    Mr. Langevin. Thank you. Mr. Stephens, let me talk to you 
about cyber incident reporting. You suggest in your testimony 
that the Government consider requiring disclosure of cyber 
incidents whether or not the incident resulted in a data breach 
or a system compromise. I couldn't agree more, actually.
    So I discussed this issue more than once with respect to 
the transportation sector, and it is unfortunate to see the 
problem still remain. How would you hope that Tampa 
International Airport's ability to respond to cyber threats 
would improve if cyber reporting were mandatory across the 
sector?
    You know, it is interesting how, you know, in perimeter 
security, if a gate were opened and a vehicle drives on to the 
tarmac, even if nothing happened and the vehicle turns around 
and mistakenly, you know, had gone onto the tarmac and turned 
around and left the perimeter, that incident would be reported. 
But if some--but if there were to be a cyber intrusion, even if 
the--in digital terms the perpetrator even made its way up to 
the plane or even put somebody on the plane, but nothing bad 
happened, I understand that that incident wouldn't have to 
technically be reported in terms of cyber terms.
    Mr. Stephens. If it were a cyber incident, there is no 
mandate or requirement that I am aware of that that information 
would have to be reported. But what I would say, based on that 
comment that I made earlier about having a threshold, as the 
other witnesses have spoken, we don't want threat intelligence 
that just creates noise that is not actionable.
    But say, for instance, something happens at Orlando 
International and there is a particular profile of a threat in 
the cyber space that happens there, there is a lot of utility 
for other airports within the State or within the region or the 
country to be able to have real-time access to that 
information. So sharing that information becomes extremely 
valuable from that perspective.
    The other thing that I would say, again, with respect to no 
requirement on the Federal side that I am aware of, 
interestingly enough, most of the States have some data breach 
reporting requirement through their AG's office. In the State 
of Florida, there are certain triggers that require you to 
report data breach, for example.
    So I think that there at least needs to be some strong 
consideration given to how do we do this in a way where 
airports and airlines and key stakeholders are more encouraged 
and more inclined to share that information in real time, or as 
close to real time as possible?
    Mr. Langevin. Thank you. My time has expired. I will yield 
back. Thank you, Mr. Chairman.
    Mr. Ratcliffe. Thank the gentleman. The Chair now 
recognizes the gentleman from Wisconsin, Mr. Gallagher, for 5 
minutes.
    Mr. Gallagher. Thank you, Mr. Chairman. Mr. Troy, you spoke 
briefly in response to a question about the challenges of 
sharing information between the Federal Government and a 
variety of entities. Then, Mr. Porter, in your written 
testimony, you mentioned that the best defense against cyber 
espionage is the rapid sharing of information to all concerned 
parties.
    It seems that whenever we have hearings related to cyber, 
we all tend to land on or agree upon the idea that we need to 
do something to share information better, but because of the 
challenges you mentioned, we still haven't quite gotten there.
    So beyond urging the Federal Government to be more 
discriminating with how it classifies information, and I share 
your sentiment. As a former human intelligence officer, I share 
the sentiments you express. Are there--for the whole panel, are 
there other steps you think we could take to enhance that 
sharing, which I think we all agree is critical?
    Mr. Troy. Well, that is really what the Aviation ISAC has 
been set up for. We are very active out there in promoting our 
mission and trying to continue to develop increased membership. 
As I mentioned, we pass information out to the Government, and 
we also attend daily Government meetings, both through DHS and 
TSA, to share with them critical information when we have that.
    I think the continued promotion of information sharing by 
the Government and the continued successes that we are seeing 
from the membership that we have at this point in time is 
driving more people to end up sharing more information and 
trying to get through, I think, some of the times that 
difficult decision of, do I want to let people know that I have 
been mugged in the park, so to speak?
    There still is a hesitancy for people to share information 
about attacks. I personally believe that part of that is 
because of the potential for lawsuits that can come out of the 
sharing of information. That is an unfortunate consequence, 
because when you are trying to do the right thing, to share 
information with other people, to have a lawsuit follow on as 
to whether or not due diligence was in place in the protection 
of your system is a real challenge.
    Mr. Gallagher. Thank you. Mr. Porter. No offense to your 
fellow panelists, but your tie is by far the best of the three.
    Mr. Porter. Oh, thanks, yes. So I guess when I think about 
information sharing, you are right. It is an easy plan to just 
say we should do more of it. But as some of the other panelists 
have noted, what the individual members of the aviation sector 
need is not more information. It is more relevant information.
    The primary value that the Government is going to add is 
context. They don't--obviously, some of that may be very 
Classified and they can't share all of it. But much of the 
information is already going to be shared by private sector, 
cybersecurity companies like mine anyway.
    What the Government can do is give you extra context, extra 
specificity, perhaps based on secret information. That is also 
what they are most reluctant to share, and rightly so. That 
information obviously could endanger sources if shared.
    I guess my perspective is that that also describes 
counterterrorism reporting prior to 9/11. We don't want to wait 
until after a major incident to say that it is worth the risk. 
So we should be honest and say that it would be a risk to share 
that kind of context-heavy information. It would be a very real 
risk. But that it--at this point that it is worth it, because 
there is greater risk in not doing so.
    I think as I mentioned earlier in my comments, the fact 
that the fight is primarily in the private sector, not in 
Government-owned networks, means that it is not going to endure 
as a lasting solution for our country to focus all of our 
National defense resources just defending National defense 
networks. You are going to have to push outward or it is not going 
to work. That will be a failure of inaction that it will be 
difficult to assign blame, but there will still be victims for 
it.
    So I think beforehand we should be proactive in saying we 
as a country understand the risk. It is a risk. We are going to 
do it anyway. So----
    Mr. Gallagher. Mr. Stephens, do you have anything to add?
    Mr. Stephens. Just simply this. I agree with Mr. Troy and 
Mr. Porter. I think the thing that the Government could do to 
facilitate that so there could be more real-time and ready 
accessibility to threat intelligence, actionable, relevant 
threat intelligence is perhaps creating a scheme where at 
certain critical infrastructure entities, such as airports, 
security clearances are granted to look at particular pieces of 
information.
    Right now, there may be threat intelligence out there that 
may be very good for airports to know. But again, the 
classifications become a problem sometimes. Getting access in 
the real-time manner becomes the main obstruction.
    Mr. Gallagher. It is very helpful. I am out of time, Mr. 
Chairman.
    Mr. Ratcliffe. Thank the gentleman. The Chair recognizes 
the gentlelady from Arizona, Ms. Lesko, for 5 minutes.
    Ms. Lesko. Thank you, Mr. Chair, and thank you for all 
testifying today. I think, Mr. Troy, if I heard you correctly, 
you brought up that red teams are used. So, first, I want to 
confirm that my understanding of red teams are like the good 
guys that try to hack in to check for vulnerabilities. Is that 
accurate?
    Mr. Troy. That is correct.
    Ms. Lesko. OK. I guess I am trying to get an idea of what 
have you--your industry used red teams for? Have they tried to 
hack into the air traffic control system? Have they tried to 
hack into planes? How do you balance--I assume it is difficult 
to balance actually hacking in, because you might bring a whole 
system down. You probably don't want to do that. So how do you 
really test if something can be hacked into or not without 
bringing the system down?
    Mr. Troy. So the FAA runs the air traffic control system, 
and we have not tried to hack it. Let me make sure about that. 
Our members use red teams on a regular basis. They give them 
full access. They allow them basically the ability to try and 
take down the systems, but not actual in-flight system. I mean, 
that obviously would be an issue.
    Do they do tests in flight? Yes, they do tests in flight. 
Test flights, where they are doing work. But they conduct those 
systems--they use in-house employees, as well as they contract 
with specialists in the industry who hopefully come in with a 
different mindset, and used to the culture of the company that 
built it so that they can challenge their thinking and their 
systems, and they conduct those red team exercises.
    But they are given full access to be able to actually find 
those vulnerabilities.
    Ms. Lesko. Thank you. Mr. Chair and Mr. Stephens, you 
brought up an issue about the air traffic control system and 
possible vulnerabilities. It seems--can you expand a little bit 
more? Because we are modernizing the air traffic control 
systems, which right now, if--I think I went on a tour and they 
pass like tapes or something like that to each other, which, 
you know, isn't very modernized. But I assume that one of the 
risks of modernizing is that then it is more hackable. Am I 
correct?
    Mr. Stephens. Yes, ma'am. That is the potentiality. Right 
now, as I referenced in my remarks, we are moving from a radar-
based system, which is the current technology, even when I was 
a young air traffic controller, now to more a satellite-based 
technology with NextGen. There are still system 
vulnerabilities with that.
    In fact, the DOD has pointed out its concerns with NextGen 
technology with respect to tracking military aircraft. So until 
we plug those vulnerabilities and fully understand, as the 
other panelists have said, we don't know what we don't know, 
there may be other things out there with the implementation of 
these systems that create problems for us.
    I think from an industrial control system standpoint, 
things like NAVAIDs and airfield lighting and those types of 
things that are standard bread-and-butter operational types of 
structures, on every airfield, particularly at every commercial 
airport, those are the things that present some risk, whether 
it is broad-scale risk--as the witnesses have pointed out, 
there are redundant systems in place. But again, it only takes 
that one critical incident to really shock the psyche of the 
American traveling public. That is what we are trying to avoid.
    Ms. Lesko. Thank you. Mr. Chair, I yield back my time.
    Mr. Ratcliffe. Thank the gentlelady. I want to thank all 
the witnesses for their testimony and thank all of the Members 
for their thoughtful questions today.
    The Members of the subcommittees may have some additional 
questions for each of you. If so, we will ask you all to 
respond in writing. Pursuant to committee rule VII(D), the 
hearing record will be held open for a period of 10 days. 
Without objection, the subcommittees stand adjourned.
    [Whereupon, at 11:32 a.m., the subcommittees were 
adjourned.]



                            A P P E N D I X

                              ----------                              

     Question From Honorable James R. Langevin for Jeffrey L. Troy
    Question. What is it that motivates the Aviation ISAC's members to 
share threat and incident data, and how might more sharing be 
encouraged--even with the industry's regulators?
    Answer. Great question! The answer is complicated and varies for 
each member.
    The members are motivated to share because they recognize the cyber 
threat is universal and that the entire infrastructure is a target, not 
just one company. Our member companies take their security 
responsibilities very seriously and they view threat sharing as one of 
the ways in which they can work to better manage risk.
    Trust is the most important element inducing members to share. We 
have a non-disclosure agreement (NDA) binding on all members. This 
agreement prohibits members from sharing information received from the 
A-ISAC or one of its members about cyber attacks on their networks or 
products.
    However, an NDA is only a form. The real sharing only occurs when 
the members trust each other.
    We have built trust through extensive leadership and community 
building. Our board member companies led the way in sharing without an 
expectation of return. They also took the risk of initiating the 
sharing early, when the trust was non-existent. They took the risk and 
led the way.
    We built and maintain our trusted community by hosting in-person 
meetings. We do this at the executive and analyst levels. The CISOs 
have roundtable meetings in their regions. The analysts meet more 
frequently, 4 times per year, in person. We also facilitate daily 
exchange of information via our portal and Slack channels. In addition, 
we have bi-weekly calls with the analysts. Frequent communication 
builds trust.
    We are looking to increase sharing by creating more transparency in 
what is shared and how we develop that information. Celebrating the 
wins that come from sharing will drive more sharing.
    This is not a perfect system. There is information that is not 
being shared. As I stated in the hearing, the threat of lawsuits 
inhibits sharing. A cyber attack can be equated to someone being mugged 
in the park. The victim is walking in what should be safe space. An 
attacker takes money and personal information by stealing the victim's 
wallet. The victim goes and tells the police, and now the police have 
the description of an attacker. The police may increase patrols in the 
park and warn others to be more aware. This may even lead to reports from 
more victims.
    Now take that scenario into the cyber world. A company network is 
attacked. Financial harm and proprietary information is stolen--but the 
attack is not always reported. Victim companies are concerned about 
being sued and the threat of more regulation which will bring cost, yet 
likely not increase the cybersecurity of the company. What would happen 
if victims in the park were worried they would be sued because they did 
not have strong personal security in place while walking in the park?
    We must find a way to incentivize sharing by reducing the risk of 
lawsuits and overregulation. We need a way to harness market drivers 
that will enable affordable increases in security.
    Nonetheless, the Department of Homeland Security, Federal Aviation 
Administration and the Transportation Security Administration are all 
working well with the A-ISAC. We have a person on the floor of the DHS 
NCCIC each day. This increases the sharing. Each successful share is 
driving more information sharing.
   Questions From Honorable James R. Langevin for Michael A. Stephens
    Question 1a. You suggest that the Government consider requiring 
disclosure of cyber incidents ``whether or not the incident resulted in 
a data breach or system compromise.'' What definition of ``incident'' 
would you deem appropriate for operators?
    Question 1b. How can we ensure that it is not over-inclusive in the 
way today's definition is vastly under-inclusive?
    Answer. There are certain cyber incidents that I believe rise to 
a level of criticality in airports that could impact one or multiple 
airports within the aviation system or that have an adverse impact on 
aviation security, aviation safety, life safety, or critical airport 
operations and airport performance. This category is potentially very 
broad and may include things such as disruptions to flight information 
display systems, baggage handling systems, as well as other systems 
that are essential to airport operations. These are the types of 
incidents that I believe should be disclosed with certain parameters 
that need to be developed, irrespective of whether the attempt resulted 
in a data breach or system compromise.
    These types of incidents are to be distinguished from systems that 
while if disrupted through a cyber threat, the result may be passenger 
inconvenience or delay but operations, safety, or security would not be 
materially impacted.
    The best way in my opinion to ensure that we are not over-inclusive 
is to allow airports in conjunction with, but not limited to, 
organizations such as the Airport Cooperative Research Program (ACRP) 
and Aviation-ISAC to propose or adopt general guidelines for reporting 
utilizing industry best practices.
    Question 2a. Your testimony sheds light on how airports run on a 
variety of systems and networks--the airlines' ticketing and flight 
operations systems, the airport's ground support systems, the FAA's air 
traffic management systems, and dozens of vendor and support systems. 
How does this interconnectedness impact the cybersecurity risks of 
airports, and who is responsible for addressing the resulting overall 
risk posture or assigning priorities to those risks?
    Question 2b. What might the TSA or FAA do differently to better 
oversee those cyber risks?
    Answer. In my opinion, the interconnected nature as well as the 
prevalence of common-use technology amongst airport operators, tenants, 
vendors, and organizations such as TSA, FAA, and CBP, significantly 
impacts the overall cybersecurity risks of airports due to the sharing 
of information and the reliance of data from a multitude of 
interconnected systems.
    Currently unless otherwise agreed upon, most of these stakeholders 
and entities are responsible for addressing their own overall cyber 
risks. However, virtually all airports play a significant role in 
mitigating risks presented by passengers, vendors, airline partners, 
and other key stakeholders through their own cybersecurity and threat 
prevention programs. The problem in my opinion is that some of these 
programs depending on the airport's resources are less robust and 
effective than others.
    TSA and FAA can perhaps offer airports and aviation stakeholders 
more proactive assistance in developing and implementing 
cybersecurity standards as well as proactively sharing key 
threat-intelligence-based recommendations that will allow airports to better 
mitigate risks from cyber threats.
    Question 3. You suggest that the Government consider imposing 
minimum standards of security to the aviation sector. Is there an 
approach that TSA and the FAA might use to develop such standards that 
would encourage industry participation and buy-in?
    Answer. It is my opinion that standards currently exist that can be 
easily adopted by airports and key aviation sector stakeholders to 
enhance their cybersecurity preparedness and resiliency. As discussed 
during the hearing, the NIST standard as well as the COBIT 5 standard 
offer excellent opportunities for airports to build robust threat 
mitigation and cybersecurity programs.
    It is important to note that airports are very different with 
respect to their organization and operations and therefore a one-size-
fits-all approach would be highly inadvisable and I believe 
ineffective. I believe that the TSA and the FAA can begin to more 
actively encourage airports to adopt and implement a standard of the 
airport or stakeholders' choice as a component of their System Security 
Plan. Airport stakeholders should be given the flexibility to adopt 
standards and mitigation measures that best fit their unique structures 
and risks.