According to a new report by the U.S. Government Accountability Office (GAO), the U.S. airspace system is incredibly vulnerable to hacking and a state-sponsored hacking effort could paralyze air traffic over North America. Very scary stuff. And as a licensed pilot for 45 years, I can tell you that it’s both true and not true, that the system is horribly hackable but that very vulnerability might be what we need to stimulate real airspace innovation.

Ask any American pilot how they feel about the U.S. Federal Aviation Administration (FAA) and you’ll get variations on the same negative theme. It’s not that pilots love-hate the FAA: there’s no love about it. Pilots tend to hate-ignore the FAA, which is generally viewed as a vindictive regulatory agency caught up in internal politics and bullshit (that’s a technical term for bureaucratic lethargy). Nobody loves the FAA.

The GAO report lays out any number of FAA vulnerabilities and makes 158 specific recommendations for improvements. We can’t know exactly what those recommendations are because they are only in the private version of the report delivered to Congress and presumably to the FAA. But it’s pretty easy to guess that the GAO recommends encrypting FAA communications and making the network more secure. The GAO probably recommends, too, some sort of watchdog program running in parallel to look for signs of intrusion and disruption before they cause real trouble.

The easiest way to mess with U.S. airspace is probably through a Distributed Denial of Service (DDoS) attack. This is a matter of using hundreds or thousands of zombie PCs to drown the FAA in so many communication requests that nobody can get through. It’s a common attack against websites, but the FAA will argue that its network is separate from the Internet and immune to such interference. The problem with this response is two-fold. First, physical separation tends to argue that further techniques for intrusion detection are unnecessary. And second, physical network separation is an illusion if there are hundreds or thousands of PCs that are connected to the FAA and to the Internet, which there are.

Any outward-looking Internet services like the FAA website and the DUATS flight planning system are vulnerable as a matter of course. And any interconnection of networks only extends that vulnerability.

Now let’s kick it up a notch and presume that hackers gain access to airspace computers and try to mess with them. At the least, this could disrupt the system, creating traffic jams at major airports, where the most vulnerable traffic is actually on the ground. If planes can’t get to the runway they can’t get in the air.

Once airborne there’s always the problem that aircraft could be sent bad data about traffic incursions or even given bad navigation information. Given the one-meter precision of Wide Area Augmentation System (WAAS) GPS, it’s possible that airplanes could be deliberately crashed into each other. It’s important to remember that in the case of airline traffic each of the big carriers has its own network that can be messed with in addition to that of the FAA. I’m not sure the GAO got as far as realizing this vulnerability.

Mitigating all this is the simple fact that airplanes are flown by pilots and pilots aren’t stupid. I was flying in Silicon Valley back in 1981 when President Reagan fired thousands of FAA air traffic controllers, closing for months the towers at most smaller airports including Palo Alto where I was then based. Suddenly not having a control tower actually improved my life as a pilot back then. Everything ran smoother and there was no increase in the number of accidents. This is not to argue for firing controllers today but just to point out that pilots were (and are) generally up to the job of not crashing into each other.

The U.S. system of positive control airspace came into existence after two airliners collided 21,000 feet over the Grand Canyon back in 1956, killing all 128 people on both planes. The planes (one IFR, one VFR) were in touch with Air Traffic Control only through messages passed along via their company (airline) radios. It was the greatest loss of life to that date in an air crash and led directly to the CAA becoming the FAA and spending millions on radio and radar coverage of the continental U.S. Since the 1960s, then, flight above 18,000 feet has been under the positive direction of a human on the ground looking at a radar screen.

That is unlikely to change. New data services are being added but centralized control is still the order and diverting from that strategy would take a decade or more just to plan, much less implement. But that doesn’t mean there aren’t things that could be done to independently improve both the safety and efficiency of airspace.

If the FCC would face reality and authorize use of airborne cellular data, building a parallel air traffic system would be trivial. At the very least every airplane already has a GPS-equipped smart phone on board in the pilot’s pocket. Linking all those together in the cloud to get an airspace picture that could be compared to the one at the FAA would very quickly show when trouble was afoot as the two systems disagreed.

Yeah, we have an app for that.
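The cross-check described above (an independent airspace picture built from phone GPS reports, compared against the official one to see where the two disagree), sketched as an added example that is not code from this post, the FAA or any real app. The aircraft IDs, coordinates, altitudes and thresholds are constructed assumptions.

```python
import math

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

def distance_nm(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))

def compare_pictures(official, crowd, max_nm=1.0, max_alt_ft=300):
    """Return (aircraft_id, reason) for every aircraft on which the two
    pictures disagree. Each picture maps id -> (lat, lon, altitude_ft).
    The thresholds are illustrative assumptions, not operational values."""
    findings = []
    for ac in sorted(set(official) | set(crowd)):
        o, c = official.get(ac), crowd.get(ac)
        if o is None:
            findings.append((ac, "missing from official picture"))
        elif c is None:
            # Weak signal on its own: the phone may simply be off.
            findings.append((ac, "missing from crowd picture"))
        else:
            d = distance_nm(o[:2], c[:2])
            if d > max_nm:
                findings.append((ac, f"position differs by {d:.1f} nm"))
            elif abs(o[2] - c[2]) > max_alt_ft:
                findings.append((ac, f"altitude differs by {abs(o[2] - c[2])} ft"))
    return findings

# Constructed sample data: the official picture vs. phone GPS reports.
OFFICIAL = {
    "N101": (37.4611, -122.1150, 3500),
    "N102": (37.6000, -122.3000, 5000),
    "N103": (37.3000, -121.9000, 4500),
    "N104": (37.5000, -122.2000, 2500),
}
CROWD = {
    "N101": (37.4613, -122.1148, 3520),  # agrees within tolerance
    "N102": (37.7000, -122.3000, 5000),  # about 6 nm north of the official track
    "N103": (37.3001, -121.9001, 6000),  # same position, 1,500 ft higher
    "N105": (37.4000, -122.0000, 3000),  # not in the official picture at all
}

if __name__ == "__main__":
    for aircraft, reason in compare_pictures(OFFICIAL, CROWD):
        print(aircraft, reason)
```

A disagreement only says that one of the two pictures is wrong, not which one; the phone reports are as spoofable as anything else, so a finding is a cue to investigate rather than proof of tampering.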