Part 4- Regulatory

It is interesting to take note of the regulatory evolution that has been developed over the past decades to see if authorities have been able to respond at the same speed as the technology and the threats it poses on the safety of operations.

Our analysis begins with the Hague Convention of 1970. This convention was adopted to combat aircraft hijacking. It contains provisions for the criminalization of offences that are committed on board an aircraft in flight when a person seizes or exercises control of the aircraft. Even if, at this time, the concept of cyber security was not yet well developed, the Hague Convention may apply to aviation cyber security in case a passenger onboard takes control of the aircraft through a cyber-attack.

Then we looked at the Montreal Convention of 1971. This convention determines the acts that are unlawful and likely to endanger the safety of aircraft in flight. As per the provisions of the Montreal Convention and its applicability, there is no requirement for the offender to be onboard an aircraft in the time of committing the unlawful act. Therefore, this broadens the applicability scope of the Montreal Convention and could include any remote cyberattack affecting not only the aircraft but also air navigation facilities and any providers of critical information that is sent to the aircraft. In 1971, Regulators have started to discuss the possibility to commit a crime when the contravener is not onboard, but nothing about cybersecurity yet.

The Beijing Convention of 2010, was introduced with the primary aim to consolidate the scope of the Montreal Convention of 1971 and the Airport Protocol of 1988. The Beijing Convention expands the applicability scope to the cyber-attacks targeting the air navigation facilities defining them as signals, data, information, or systems necessary for the aircraft navigation. Moreover, the Beijing Convention addresses any attacks on such facilities and aircraft conducted by cyber means.

The Chicago Convention, who is at the origin of the ICAO, marked the beginning of intensive works leading to the completion in March 1974 of the notable Annex 17 (Security) which includes a set of Standards and Recommended Practices (SARPs) relative to aviation security and acts of unlawful interference. Taking into consideration the definition of acts of unlawful interference, it needs to be noted that cyberattacks may fall within its scope whenever they have an impact on aviation safety. Within the Annex 17, the Standard 4.9.1 (measures relating to cyber threats) has been introduced, which requires States to develop and implement measures to protect their critical information, communications technology systems, as well as data used for civil aviation purposes from unlawful interference.

The Assembly Resolution A40-10: Addressing Cybersecurity in Civil Aviation supersedes the Assembly Resolution A39-19. This resolution introduced the ICAO Cybersecurity Strategy as well as instructed ICAO Secretary General to:

• Developed an action plan to support States and industry in the adoption of the Cyber Security Strategy; and

• Swiftly conduct a feasibility study and gap analysis for consideration by the Council, in order to identify the most appropriate cyber security governance structure and coordinating mechanisms to ensure a multidisciplinary approach to cyber security, and foster sharing of information.

On the European side, it is interesting to note that the European Commission has established the Regulation (EU) 2015/1998 of 5 November 2015 laying down detailed measures for the implementation of the common basic standards to safeguard civil aviation against acts of unlawful interference that jeopardize the security of civil aviation, as well as acts of unlawful interference posed by cyber threats.

The Commission Implementing Regulation (EU) 2019/1583 of 25 September 2019 amending Implementing Regulation (EU) 2015/1998 established detailed measures for the implementation of the common basic standards on aviation security, as regards cybersecurity measures. The amendment introduces detailed measures for the implementation of the common basic standards on aviation security as regards cyber security measures. The entry into force of this Regulation is still unknown but should be in effect as of December 31st 2021.

In short, it was not until recently that ICAO saw cybersecurity as a security threat. On the other hand, it is only very recently that the regulatory authorities consider the urgency to establish programs to thwart the threats related to the technology.