Aviation and Cybersecurity in the Digital World
10.1.1 ICAO’s Work
At the 40th Session of the ICAO Assembly, the Assembly adopted Resolution A40-10: Addressing Cybersecurity in Civil Aviation, which initially recognized that the global aviation system is a highly complex and integrated system that comprises information and communications technology critical for the safety and security of civil aviation operations. This brought to bear the vulnerability of the aviation industry in its increasing reliance on the availability of information and communications technology systems, as well as on the integrity and confidentiality of data. The Assembly noted that the threat posed by cyber incidents on civil aviation is rapidly and continuously evolving, that threat actors are focused on malicious intent, disruption of business continuity and theft of information for political, financial or other motivations, and that the threat can easily evolve to affect critical civil aviation systems worldwide.
In this context the Assembly recognized in the Resolution that not all cybersecurity issues affecting the safety of civil aviation are unlawful and/or intentional, and should therefore be addressed through the application of safety management systems. It also recognized the multi-faceted and multi-disciplinary nature of cybersecurity challenges and solutions, noting that cyber risks can simultaneously affect a wide range of areas and spread rapidly. The main source in this context was recognized as States’ obligations under the Chicago Convention to ensure the safety, security and continuity of civil aviation, together with other treaties such as the Convention on the Suppression of Unlawful Acts Relating to International Civil Aviation (Beijing Convention) and the Beijing Protocol, which are calculated to enhance the global legal framework for dealing with cyberattacks on international civil aviation as crimes; wide ratification by States of those instruments would therefore ensure that such attacks would be deterred and punished wherever in the world they occur.
One of the main focuses of the Resolution was to recognize the importance and urgency of protecting civil aviation’s critical infrastructure systems and data against cyber threats and the consequent compelling need to work collaboratively towards the development of an effective and coordinated global framework for civil aviation stakeholders to address the challenges of cybersecurity, along with short-term actions to increase the resilience of the global aviation system to cyber threats that may jeopardize the safety of civil aviation. In this regard, due credit was given in the Resolution to the fact that the work of the Secretariat Study Group on Cybersecurity had greatly contributed to the format of the Cybersecurity Strategy by linking safety and security characteristics of cybersecurity.
Harmonization of global as well as regional and national measures against cyber threats was considered paramount in order to promote global coherence and to ensure full interoperability of protection measures and risk management systems. Accordingly, the Assembly urges Member States and ICAO to promote the universal adoption and implementation of the Beijing Convention and Beijing Protocol as a means for dealing with cyberattacks against civil aviation and calls upon States and industry stakeholders to take the following actions to counter cyber threats to civil aviation: implement the Cybersecurity Strategy [1]; identify the threats and risks from possible cyber incidents on civil aviation operations and critical systems, and the serious consequences that can arise from such incidents; define the responsibilities of national agencies and industry stakeholders with regard to cybersecurity in civil aviation; encourage the development of a common understanding among Member States of cyber threats and risks, and of common criteria to determine the criticality of the assets and systems that need to be protected; encourage government/industry coordination with regard to aviation cybersecurity strategies, policies, and plans, as well as sharing of information to help identify critical vulnerabilities that need to be addressed; develop and participate in government/industry partnerships and mechanisms, nationally and internationally, for the systematic sharing of information on cyber threats, incidents, trends and mitigation efforts; based on a common understanding of cyber threats and risks, adopt a flexible, risk-based approach to protecting critical aviation systems through the implementation of cybersecurity management systems; encourage a robust all-round cybersecurity culture within national agencies and across the aviation sector; promote the development and implementation of international standards, strategies and best practices on the protection of critical information and communications technology systems used for civil aviation purposes from interference that may jeopardize the safety of civil aviation; establish policies and allocate resources when needed to ensure that, for critical aviation systems: system architectures are secure by design; systems are resilient; methods for data transfer are secured, ensuring integrity and confidentiality of data; system monitoring, and incident detection and reporting, methods are implemented; and forensic analysis of cyber incidents is carried out; and collaborate in the development of ICAO’s cybersecurity framework according to a horizontal, cross-cutting and functional approach involving air navigation, communication, surveillance, aircraft operations and airworthiness and other relevant disciplines.
The Assembly also instructed the ICAO Secretary General to develop an action plan to support States and industry in the adoption of the Cybersecurity Strategy, and to continue to ensure that cybersecurity matters are considered and coordinated in a crosscutting manner through the appropriate mechanisms in the spirit of the Strategy. The Resolution that followed A40-10, i.e. A40-11: Consolidated statement on continuing ICAO policies related to aviation security, strongly condemns all acts of unlawful interference against civil aviation wherever and by whomsoever and for whatever reason they are perpetrated and notes with abhorrence all acts and attempted acts of unlawful interference aimed at the destruction in flight of civil aircraft including any attack on civil airports by ballistic missiles or drones, and misuse of civil aircraft as a weapon of destruction and the death of persons on board and on the ground. Resolution A40-11 also reaffirms that aviation security must continue to be treated as a matter of highest priority and appropriate resources should be made available by ICAO and its Member States, and calls upon all Member States to confirm their resolute support for the established policy of ICAO by applying the most effective security measures, individually and in cooperation with one another, to prevent acts of unlawful interference and to punish the perpetrators, planners, sponsors, and financiers of conspirators in any such acts.
It reaffirms ICAO’s responsibility to facilitate the consistent and uniform resolution of questions which may arise between Member States in matters affecting the safe and orderly operation of international civil aviation throughout the world and directs the Council to continue, as an urgent priority, its work relating to measures for prevention of acts of unlawful interference, and ensure that this work is carried out with the highest efficiency and responsiveness while calling upon ICAO and its Member States to implement UNSCR 2309, 2395 and 2396 (to be discussed below) in accordance with the respective competencies and collectively demonstrate ICAO’s global leadership in safeguarding international civil aviation against acts of unlawful interference.
In this context ICAO’s leadership role in the area of aviation security was reaffirmed and the Assembly requests the Council of ICAO to ensure the long-term sustainability of the Organization’s aviation security programme within the context of the Regular Programme Budget. As for Member States’ obligations, they were urged to continue to financially support the Organization’s aviation security activities with voluntary contributions in the form of human and financial resources beyond those budgeted for under the regular programme. It must be mentioned that at the time of writing, the latest development of ICAO’s work was that the seventh meeting of the ICAO Secretariat Study Group on Cybersecurity (SSGC/7) [2] was held from 3 to 5 December 2019 at the International Air Transport Association (IATA)’s Headquarters in Montréal, Canada. More than 60 participants from Member States, international organizations and industry gathered to work on an Action Plan for the implementation of the Cybersecurity Strategy recently adopted by the 40th Session of the ICAO Assembly.
10.1.2 Work of the United Nations
10.1.2.1 Resolution 2309
In 2016 the United Nations Security Council adopted Resolution 2309 (2016), Threats to international peace and security caused by terrorist acts: Aviation security [3], which reaffirms that terrorism in all forms and manifestations constitutes one of the most serious threats to international peace and security and that any acts of terrorism are criminal and unjustifiable regardless of their motivations, whenever, wherever and by whomsoever committed, while remaining determined to contribute further to enhancing the effectiveness of the overall effort to fight this scourge on a global level. The Resolution raises concerns that the terrorism threat has become more diffuse, with an increase, in various regions of the world, of terrorist acts including those motivated by intolerance or violent extremism, expresses its determination to combat this threat, and states that full recognition has to be accorded to the commitment to the sovereignty, including sovereignty over the airspace above a State’s territory, territorial integrity and political independence of all States in accordance with the Charter of the United Nations.
The Resolution also recognises the vital importance of the global aviation system to economic development and prosperity, and of all States strengthening aviation security measures to secure a stable and peaceful global environment, and further recognizes that secure air services in this regard enhance transportation, connectivity, trade, political and cultural links between States, and that public confidence in the security of air transport is vital. Some emphasis was placed on cooperation among States bearing in mind that the global nature of aviation means that States are dependent on the effectiveness of each other’s aviation security systems for the protection of their citizens and nationals and relevant aspects of their national security, bearing in mind the common goal of the international community in this regard, which means States are dependent on each other to provide a common secure aviation environment.
One of the compelling reasons for the Security Council adopting Resolution 2309 was that terrorist groups continue to view civil aviation as an attractive target, with the aim of causing substantial loss of life, economic damage and disruption to connectivity between States, and that the risk of terrorist attacks against civil aviation may affect all regions and Member States. The Resolution notes that grave global concern exists over terrorist attacks against civil aviation and strongly condemns such attacks. It further notes that civil aviation may be used as a transportation means by Foreign Terrorist Fighters, that terrorist attacks against civil aviation, like any act of international terrorism, constitute a threat to international peace and security, and that any acts of terrorism are criminal and unjustifiable regardless of their motivations, whenever, wherever, and by whomsoever committed. It also reaffirms the need to combat by all means threats to international peace and security caused by terrorist acts, in accordance with the Charter of the United Nations and other international law, in particular international human rights law, international refugee law, and international humanitarian law.
It is encouraging that the international community noted in particular its concern that terrorist groups are actively seeking ways to defeat or circumvent aviation security, looking to identify and exploit gaps or weaknesses where they perceive them, noting in this regard the high priority risk areas for aviation as identified by the Council of ICAO, in its Global Risk Context Statement, and stressing the need for international aviation security measures to keep pace with the evolution of this threat. The Resolution also gives recognition to the role of ICAO as the United Nations organization responsible for developing international aviation security standards, monitoring their implementation by States and its role in assisting States in complying with these standards, noting in this regard ICAO’s “no country left behind” initiative, and noting also the adoption at the 37th Session of the ICAO Assembly in 2010 of the Declaration on Aviation Security and the ICAO Comprehensive Aviation Security Strategy, both of which have become key instruments of leadership and engagement for the Organization in carrying out its aviation security programme, and noting the intention to develop a Global Aviation Security Plan as the future global framework for progressive aviation security enhancement [4].
Resolution 2309 therefore calls upon all States to work within ICAO to ensure that its international security standards are reviewed and adapted to effectively address the threat posed by terrorist targeting of civil aviation, to strengthen and promote the effective application of ICAO standards and recommended practices in Annex 17 (Aviation Security), and to assist ICAO to continue to enhance audit, capacity development and training programmes in order to support their implementation.
10.1.2.2 Resolution 2395
Resolution 2309 was followed in 2017 by S/RES/2395 (2017), Threats to international peace and security caused by terrorist acts [5], which inter alia stressed the digital aspects of the security threat when it said that there was a compelling need for Member States to act cooperatively to prevent terrorists from exploiting information and communication technologies, as well as the need for Member States to continue voluntary cooperation with the private sector and civil society to develop and implement more effective means to counter the use of the Internet for terrorist purposes, including by developing counterterrorist narratives and through technological solutions, all while respecting human rights and fundamental freedoms and in compliance with domestic and international law. It took note of the industry-led Global Internet Forum to Counter Terrorism (GIFCT), called for the GIFCT to continue to increase engagement with governments and technology companies globally, and recognized the development of the UN CTED-ICT4Peace Tech Against Terrorism initiative [6] and its efforts to foster collaboration with representatives from the technology industry, including smaller technology companies, civil society, academia, and government to disrupt terrorists’ ability to use the internet in furtherance of terrorist purposes, while also respecting human rights and fundamental freedoms. The Resolution urges Member States and the United Nations system to take measures, pursuant to international law, to address the conditions conducive to the spread of terrorism and violent extremism as and when conducive to terrorism, and further emphasizes that countering violent extremism as and when conducive to terrorism, including preventing radicalization, recruitment, and mobilization of individuals into terrorist groups, is an essential element of addressing the threat to international peace and security posed by terrorism, in a balanced manner.
The Resolution also encourages Member States to consider developing comprehensive and integrated national counterterrorism strategies and effective mechanisms to implement them that include attention to the conditions conducive to terrorism, in accordance with their obligations under international law, and further encourages CTED to cooperate with Member States and international, regional, and sub-regional organizations, and other relevant partners, upon request, to assess and advise on formulating comprehensive and integrated national and regional counterterrorism strategies and the mechanisms to implement them, in close cooperation with UNOCT, other relevant UN agencies, and UN field offices, including, as appropriate, through engagement with UNDP, with a view to ensuring coherence and complementarity of efforts and to avoid any duplication in the effort to further implementation of relevant and connected resolutions.
Resolution 2395 further encourages continued, closer cooperation between ICAO and CTED, in particular by working together on identifying gaps and vulnerabilities relevant to counterterrorism and aviation security, promoting the work and tools of each agency, and coordinating closely on CTED assessments and the development of recommendations, noting that Annex 9 and Annex 17 of the Chicago Convention contain standards and recommended practices relevant to the detection and prevention of terrorist threats involving civil aviation, including cargo screening, welcoming ICAO’s decision to establish a standard on the use of Advance Passenger Information systems by its Member States, and reaffirming the importance of Member States developing the capability to process Passenger Name Records (PNR) data and to ensure PNR data is used by the relevant national competent authorities, with full respect for human rights, for the purpose of preventing, detecting, and investigating terrorist offenses.
10.1.2.3 Resolution 2396
Concurrently with the adoption of Resolution 2395, the Security Council adopted Resolution 2396 [7], which inter alia urges Member States and the United Nations system to take measures, pursuant to international law, to address all drivers of violent extremism conducive to terrorism, both internal and external, in a balanced manner as set out in the United Nations Global Counter-Terrorism Strategy. The Resolution underscored the importance of strengthening international cooperation to address the threat posed by foreign terrorist fighters, including on information sharing, border security, investigations, judicial processes, extradition, improving prevention and addressing conditions conducive to the spread of terrorism, preventing and countering incitement to commit terrorist acts, preventing radicalization to terrorism and recruitment of foreign terrorist fighters, disrupting and preventing financial support to foreign terrorist fighters, developing and implementing risk assessments on returning and relocating foreign terrorist fighters and their families, and prosecution, rehabilitation and reintegration efforts, consistent with applicable international law.
An important point is made in Resolution 2396 that terrorists craft distorted narratives, which are utilized to polarize communities, recruit supporters and foreign terrorist fighters, mobilize resources and garner support from sympathizers, in particular by exploiting information and communications technologies, including through the Internet and social media. Therefore, Member States were encouraged to collaborate in the pursuit of effective counternarrative strategies and initiatives, including those relating to foreign terrorist fighters and individuals radicalized to violence, in a manner compliant with their obligations under international law, including international human rights law, international refugee law and international humanitarian law, and to improve timely information sharing, through appropriate channels and arrangements, and consistent with international and domestic law, on foreign terrorist fighters, especially among law enforcement, intelligence, counterterrorism, and special services agencies, to aid in determining the risk foreign terrorist fighters pose, and preventing them from planning, directing, conducting, or recruiting for or inspiring others to commit terrorist attacks. The Resolution also recognized that Member States face challenges in obtaining admissible evidence, including digital and physical evidence, from conflict zones that can be used to help prosecute and secure the conviction of foreign terrorist fighters and those supporting foreign terrorist fighters.
Specific mention was made in the Resolution of ICAO, where it states that foreign terrorist fighters may use civil aviation both as a means of transportation and as a target, and may use cargo both to target civil aviation and as a means of shipment of materiel, and in this regard that ICAO’s Annex 9 (Facilitation) and Annex 17 to the Chicago Convention contain standards and recommended practices relevant to the detection and prevention of terrorist threats involving civil aviation, including cargo screening. Of particular interest was that ICAO had decided to establish a standard under Annex 9 (Facilitation) regarding the use of Advance Passenger Information (API) [8] systems by its Member States with effect from October 23, 2017, while recognizing that many ICAO Member States have yet to implement this standard. Resolution 2396 also mentions that terrorists and terrorist groups continue to use the Internet for terrorist purposes, and stresses the need for Member States to act cooperatively when taking national measures to prevent terrorists from exploiting technology and communications for terrorist acts, as well as to continue voluntary cooperation with private sector and civil society to develop and implement more effective means to counter the use of the Internet for terrorist purposes, including by developing counter-terrorist narratives and through innovative technological solutions, all while respecting human rights and fundamental freedoms and in compliance with domestic and international law. It also takes note of the industry-led Global Internet Forum to Counter Terrorism (GIFCT) and calls for the GIFCT to continue to increase engagement with governments and technology companies globally.
Furthermore, the Resolution welcomes the approval by ICAO of the new Global Aviation Security Plan (GASeP) that provides the foundation for ICAO, Member States, the civil aviation industry, and other stakeholders to work together with the shared and common goal of enhancing aviation security worldwide and to achieve five key priority outcomes, namely to enhance risk awareness and response, to develop security culture and human capability, to improve technological resources and innovation, to improve oversight and quality assurance, and to increase cooperation and support. It calls for action at the global, regional, and national levels, as well as by industry and other stakeholders, in raising the level of effective implementation of global aviation security, urges ICAO, Member States, the civil aviation industry, and other relevant stakeholders to implement the GASeP and to fulfil the specific measures and tasks assigned to them in Appendix A to the GASeP, the Global Aviation Security Plan Roadmap, and encourages Member States to consider contributions to support ICAO’s work on aviation security. The Resolution also welcomes the recognition in the GASeP of the importance of enhancing risk awareness and response, underlines the importance of a wider understanding of the threats and risks facing civil aviation, and calls upon all Member States to work within ICAO to ensure that its international security standards and recommended practices as set out in Annex 17 of the Chicago Convention and related to ICAO guidance material, are updated and reviewed, as appropriate, to effectively address the threat posed by terrorists targeting civil aviation.
The ICAO Standard established by ICAO in Annex 9 on facilitation of air transport to the effect that ICAO Member States establish advance passenger information systems as of October 23, 2017, wherein Member States must require airlines operating in their territories to provide API to the appropriate national authorities, in accordance with domestic law and international obligations, in order to detect the departure from their territories, or attempted travel to, entry into or transit through their territories, by means of civil aircraft, of foreign terrorist fighters and individuals so identified, was endorsed by Resolution 2396. Member States were also required to develop the capability to collect, process and analyse, in furtherance of ICAO standards and recommended practices, passenger name record (PNR) data and to ensure PNR data is used by and shared with all their competent national authorities, with full respect for human rights and fundamental freedoms for the purpose of preventing, detecting and investigating terrorist offenses and related travel. The Resolution further calls upon Member States, the UN, and other international, regional, and sub-regional entities to provide technical assistance, resources and capacity building to Member States in order to implement such capabilities, and, where appropriate, encourages Member States to share PNR data with relevant or concerned Member States to detect foreign terrorist fighters returning to their countries of origin or nationality, or traveling or relocating to a third country.
Another responsibility that devolved upon Member States by the Resolution was that they must develop watch lists or databases of known and suspected terrorists, including foreign terrorist fighters, for use by law enforcement, border security, customs, military, and intelligence agencies to screen travelers and conduct risk assessments and investigations, in compliance with domestic and international law, including human rights law. The Resolution encourages Member States to share this information through bilateral and multilateral mechanisms, in compliance with domestic and international human rights law, and further encourages the facilitation of capacity building and technical assistance by Member States and other relevant Organizations to Member States as they seek to implement this obligation. Improved cooperation between ICAO and CTED, in coordination with other relevant UN entities, in identifying areas where Member States may need technical assistance and capacity-building to implement the obligations of this resolution related to PNR and API and watch lists, as well as implementation of the GASeP, was encouraged, and in this regard Member States were advised that they must develop and implement systems to collect biometric data, which could include fingerprints, photographs, facial recognition, and other relevant identifying biometric data, in order to responsibly and properly identify terrorists, including foreign terrorist fighters, in compliance with domestic law and international human rights law. Other Member States, international, regional, and sub-regional entities were requested to provide technical assistance, resources, and capacity building to Member States.
Another digital connection was made when the Resolution called upon Member States to share data responsibly among relevant Member States, as appropriate, and with INTERPOL and other relevant international bodies in order to implement such systems, while calling upon Member States to contribute to and make use of INTERPOL’s databases and ensure that Member States’ law enforcement, border security and customs agencies are connected to these databases through their National Central Bureaus, and make regular use of INTERPOL databases for use in screening travelers at air, land and sea ports of entry and to strengthen investigations and risk assessments of returning and relocating foreign terrorist fighters and their families. It further calls upon Member States to continue sharing information regarding all lost and stolen travel documents with INTERPOL, as appropriate and consistent with domestic law and applicable international law, to enhance the operational effectiveness of INTERPOL databases and notices.
10.1.2.4 General United Nations Resolutions
In 2001, the United Nations General Assembly adopted Resolution 55/63: Combating the criminal misuse of information technologies [9], where the Assembly, inter alia, had as its starting point the recognition that reliance on information technologies, while it may vary from State to State, has resulted in a substantial increase in global cooperation and coordination, with the result that the criminal misuse of information technologies may have a grave impact on all States, and that gaps in the access to and use of information technologies by States can diminish the effectiveness of international cooperation in combating the criminal misuse of information technologies. The Resolution noted the need to facilitate the transfer of information technologies, in particular to developing countries, along with the necessity of preventing the criminal misuse of information technologies and the need for cooperation between States and private industry in combating the criminal misuse of information technologies.
The role played by legislatures around the world was highlighted in the Resolution where it stated that legal systems should protect the confidentiality, integrity and availability of data and computer systems from unauthorized impairment and ensure that criminal abuse is penalized, and that those systems must permit the preservation of and quick access to electronic data pertaining to particular criminal investigations. It also recognized that the general public should be made aware of the need to prevent and combat the criminal misuse of information technologies. States are invited to take into account the above-mentioned measures in their efforts to combat the criminal misuse of information technologies.
In 2002 the United Nations adopted Resolution 56/121: Combating the criminal misuse of information technologies, which invited Member States, when developing national law, policy and practice to combat the criminal misuse of information technologies, to take into account, as appropriate, the work and achievements of the Commission on Crime Prevention and Criminal Justice and of other international and regional organizations. The Resolution took note of the value of the measures set forth in its resolution 55/63, and again invited Member States to take them into account in their efforts to combat the criminal misuse of information technologies.
Of grave importance to United Nations efforts at cybersecurity is Resolution 57/239: Creation of a global culture of cybersecurity, where, in limine, the General Assembly noted the growing dependence of Governments, businesses, other organizations and individual users on information technologies for the provision of essential goods and services, the conduct of business and the exchange of information, and recognized that the need for cybersecurity increases as countries increase their participation in the information society. According to this Resolution, effective cybersecurity is not merely a matter of government or law enforcement practices, but must be addressed through prevention and supported throughout society; technology alone cannot ensure cybersecurity, and priority must be given to cybersecurity planning and management throughout society. Embodied in this view was the recognition that, in a manner appropriate to their roles, government, business, other organizations, and individual owners and users of information technologies must be aware of relevant cybersecurity risks and preventive measures and must assume responsibility for and take steps to enhance the security of these information technologies. Furthermore, gaps in access to and the use of information technologies by States can diminish the effectiveness of international cooperation in combating the criminal misuse of information technology and in creating a global culture of cybersecurity, and the Resolution noted the need to facilitate the transfer of information technologies, in particular to developing countries.
Therefore, the importance of international cooperation for achieving cybersecurity through the support of national efforts aimed at the enhancement of human capacity, increased learning and employment opportunities, improved public services and better quality of life by taking advantage of advanced, reliable and secure information and communication technologies and networks and by promoting universal access was a priority.
As a result of increasing interconnectivity, information systems and networks are now exposed to a growing number and a wider variety of threats and vulnerabilities which raise new security issues for all; the work of relevant international and regional organizations on enhancing cybersecurity and the security of information technologies is therefore critical to security enforcement. The Assembly took note of the elements annexed to the Resolution, with a view to creating a global culture of cybersecurity. It invited all relevant international organizations to consider, inter alia, the above elements for the creation of such a culture in any future work on cybersecurity, and further invited Member States to take into account, in their efforts, the fact that developing throughout their societies a culture of cybersecurity in the application and use of information technologies was essential.
The ANNEX attached to this Resolution, titled Elements for creating a global culture of cybersecurity,¹⁰ states that “Rapid advances in information technology have changed the way Governments, businesses, other organizations and individual users who develop, own, provide, manage, service and use information systems and networks (“participants”) must approach cybersecurity. A global culture of cybersecurity will require that all participants address the following nine complementary elements: (a) Awareness. Participants should be aware of the need for security of information systems and networks and what they can do to enhance security; (b) Responsibility. Participants are responsible for the security of information systems and networks in a manner appropriate to their individual roles. They should review their own policies, practices, measures and procedures regularly, and should assess whether they are appropriate to their environment; (c) Response. Participants should act in a timely and cooperative manner to prevent, detect and respond to security incidents. They should share information about threats and vulnerabilities, as appropriate, and implement procedures for rapid and effective cooperation to prevent, detect and respond to security incidents. This may involve cross-border information-sharing and cooperation; (d) Ethics. Given the pervasiveness of information systems and networks in modern societies, participants need to respect the legitimate interests of others and recognize that their action or inaction may harm others; (e) Democracy. Security should be implemented in a manner consistent with the values recognized by democratic societies, including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency; (f) Risk assessment. All participants should conduct periodic risk assessments that identify threats and vulnerabilities; are sufficiently broad-based to encompass key internal and external factors, such as technology, physical and human factors, policies and third-party services with security implications; allow determination of the acceptable level of risk; and assist in the selection of appropriate controls to manage the risk of potential harm to information systems and networks in the light of the nature and importance of the information to be protected; (g) Security design and implementation. Participants should incorporate security as an essential element in the planning and design, operation and use of information systems and networks; (h) Security management. Participants should adopt a comprehensive approach to security management based on risk assessment that is dynamic, encompassing all levels of participants’ activities and all aspects of their operations; (i) Reassessment. Participants should review and reassess the security of information systems and networks and should make appropriate modifications to security policies, practices, measures and procedures that include addressing new and changing threats and vulnerabilities”.
The following year, in 2004, the General Assembly of the United Nations followed up with Resolution 58/199: Creation of a global culture of cybersecurity and the protection of critical information infrastructures,¹¹ where it recognized the growing importance of information technologies for the promotion of socio-economic development and the provision of essential goods and services, the conduct of business and the exchange of information for Governments, businesses, other organizations and individual users. It also recognized the increasing links among most countries’ critical infrastructures—such as those used for, inter alia, the generation, transmission and distribution of energy, air and maritime transport, banking and financial services, e-commerce, water supply, food distribution and public health—and the critical information infrastructures that increasingly interconnect and affect their operations. Each country was expected to determine its own critical information infrastructures, which would be affected by this growing technological interdependence which relies on a complex network of critical information infrastructure components. The Resolution noted that, as a result of increasing interconnectivity, critical information infrastructures were exposed to a growing number and a wider variety of threats and vulnerabilities that raise new security concerns. It was also noted that effective critical infrastructure protection included, inter alia, identifying threats to and reducing the vulnerability of critical information infrastructures, minimizing damage and recovery time in the event of damage or attack, and identifying the cause of damage or the source of attack.
Effective protection required communication and cooperation nationally and internationally among all stakeholders, and national efforts should be supported by effective, substantive international and regional cooperation among stakeholders. The Resolution invited all relevant international organizations, including relevant United Nations bodies, to consider, as appropriate, inter alia, the aforementioned elements for protecting critical information infrastructures in any future work on cybersecurity or critical infrastructure protection. It invited Member States to consider, inter alia, the elements discussed in the Resolution in developing their strategies for reducing risks to critical information infrastructures, in accordance with national laws and regulations. Member States, as well as relevant regional and international organizations that have developed strategies to deal with cybersecurity and the protection of critical information infrastructures, were also encouraged to share their best practices and measures that could assist other Member States in their efforts to facilitate the achievement of cybersecurity.
There was considerable stress on the necessity for enhanced efforts to close the digital divide, to achieve universal access to information and communication technologies and to protect critical information infrastructures by facilitating the transfer of information technology and capacity-building, in particular to developing countries, especially the least developed countries, so that all States may benefit fully from information and communication technologies for their socio-economic development.
The year 2010 saw the adoption of Resolution 64/211: Creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures.¹² Here, the United Nations recognized further that, in a manner appropriate to their roles, Governments, business, organizations and individual owners and users of information technologies must assume responsibility for and take steps to enhance the security of information technologies, as there was a need for all Governments to have an equal role and responsibility for international Internet governance and for ensuring stability and security, and a continuing need to enhance cooperation, to enable Governments, on an equal footing, to carry out their roles and responsibilities in international public policy issues pertaining to the Internet, but not the day-to-day technical and operational matters that do not impact on international public policy issues.
It was recognized that each country will determine its own critical information infrastructures, but that did not deter them from adopting enhanced efforts to close the digital divide in order to achieve universal access to information and communications technologies and to protect critical information infrastructures by facilitating the transfer of information technology and capacity-building to developing countries, especially the least developed countries, in the areas of cybersecurity best practices and training. Continuing threats to the reliable functioning of critical information infrastructures and to the integrity of the information carried over those networks were growing in both sophistication and gravity, affecting domestic, national and international welfare. Therefore the Resolution affirmed that the security of critical information infrastructures is a responsibility Governments must address systematically and an area in which they must lead nationally, in coordination with relevant stakeholders, who in turn must be aware of relevant risks, preventive measures and effective responses in a manner appropriate to their respective roles. The Resolution invited Member States to use, if and when they deemed appropriate, a voluntary self-assessment tool for national efforts to protect critical information infrastructures (containing principles in an ANNEX to the Resolution) in order to assist in assessing their efforts in this regard to strengthen their cybersecurity, so as to highlight areas for further action, with the goal of increasing the global culture of cybersecurity.
Member States and relevant regional and international organizations that have developed strategies to deal with cybersecurity and the protection of critical information infrastructures were encouraged to share their best practices and measures that could assist other Member States in their efforts to facilitate the achievement of cybersecurity by providing such information to the Secretary General for compilation and dissemination to Member States.
The Annex to the Resolution, called Voluntary self-assessment tool for national efforts to protect critical information infrastructures—which offered 18 substantial guidelines—started off by stating that Member States should take stock of cybersecurity needs and strategies by assessing the role of information and communications technologies in their national economy, national security, critical infrastructures (such as transportation, water and food supplies, public health, energy, finance, emergency services) and civil society. Next, they should determine the cybersecurity and critical information infrastructure protection risks to their economy, national security, critical infrastructures and civil society that must be managed. This would be followed by understanding the vulnerabilities of the networks in use, the relative levels of threat faced by each sector at present and the current management plan, and noting how changes in the economic environment, national security priorities and civil society needs affect these calculations.
Another important guideline offered was determining the goals of the national cybersecurity and critical information infrastructure protection strategy: describing its goals, the current level of implementation, measures that exist to gauge its progress, its relation to other national policy objectives and how such a strategy fits within regional and international initiatives. Stakeholder roles and responsibilities were also key drivers, calling for determination of the key stakeholders with a role in cybersecurity and critical information infrastructure protection and a description of the role of each in the development of relevant policies and operations, including: national Government ministries or agencies, noting primary points of contact and responsibilities of each; other government (local and regional) participants; non-governmental actors, including industry, civil society and academia; and individual citizens, noting whether average users of the Internet have access to basic training in avoiding threats online and whether there is a national awareness-raising campaign regarding cybersecurity.
Policy processes and participation was another important aspect covered, where identification of formal and informal venues that existed for Government-industry collaboration in the development of cybersecurity and critical information infrastructure protection policy and operations would be determinants. Determinants would also comprise participants, role(s) and objectives, methods for obtaining and addressing input, and adequacy in achieving relevant cybersecurity and critical information infrastructure protection goals. Additionally, identification of other forums or structures that may be needed to integrate the government and non-government perspectives and knowledge necessary to realize national cybersecurity and critical information infrastructure protection goals was necessary.
Public-private cooperation involved the collection of all actions taken and plans to develop collaboration between government and the private sector, including any arrangements for information sharing and incident management. Also, collection of all current and planned initiatives to promote shared interests and address common challenges among both critical infrastructure participants and private-sector actors mutually dependent on the same interconnected critical infrastructure was essential.
Incident management and recovery concerns the identification of the Government agency that serves as the coordinator for incident management, including capability for watch, warning, response and recovery functions; the cooperating Government agencies; non-governmental cooperating participants, including industry and other partners; and any arrangements in place for cooperation and trusted information-sharing. Separately, there is a need to identify national-level computer incident response capacity, including any computer incident response team with national responsibilities and its roles and responsibilities, including existing tools and procedures for the protection of Government computer networks, and existing tools and procedures for the dissemination of incident-management information. Networks and processes of international cooperation that may enhance incident response and contingency planning should also be identified, along with partners and arrangements for bilateral and multilateral cooperation, where appropriate.
As for legal frameworks governing processes it is thought necessary to review and update legal authorities (including those related to cybercrime, privacy, data protection, commercial law, digital signatures and encryption) that may be outdated or obsolete as a result of the rapid uptake of and dependence upon new information and communications technologies, and use regional and international conventions, arrangements and precedents in these reviews. Ascertaining whether a country has developed necessary legislation for the investigation and prosecution of cybercrime, noting existing frameworks, for example, General Assembly resolutions 55/63 and 56/121 on combating the criminal misuse of information technologies, and regional initiatives, including the Council of Europe Convention on Cybercrime would be integral to the processes involved. The current status of national cybercrime authorities and procedures, including legal authorities and national cybercrime units, and the level of understanding among prosecutors, judges and legislators of cybercrime issues must be determined along with an assessment of the adequacy of current legal codes and authorities in addressing the current and future challenges of cybercrime, and of cyberspace more generally. A close examination of national participation in international efforts to combat cybercrime, such as the round-the-clock Cybercrime Point of Contact Network would also fit into the framework as well as a determination of the requirements for national law enforcement agencies to cooperate with international counterparts to investigate transnational cybercrime in those instances in which infrastructure is situated or perpetrators reside in national territory, but victims reside elsewhere.
Finally, the all-encompassing task of developing a global culture of cybersecurity would require summarizing actions taken and plans to develop a national culture of cybersecurity, including implementation of a cybersecurity plan for Government-operated systems, national awareness-raising programmes, outreach programmes to, among others, children and individual users, and national cybersecurity and critical information infrastructure protection training requirements.
In 2018 the United Nations General Assembly adopted Resolution 73/27: Developments in the field of information and telecommunications in the context of international security,¹³ where it was confirmed that State sovereignty and international norms and principles that flow from sovereignty apply to State conduct of information and communications technology (ICT)-related activities and to their jurisdiction over ICT infrastructure within their territory, and therefore it is the right and duty of States to combat, within their constitutional prerogatives, the dissemination of false or distorted news, which can be interpreted as interference in the internal affairs of other States or as being harmful to the promotion of peace, cooperation and friendly relations among States and nations. There was a duty of a State to abstain from any defamatory campaign, vilification or hostile propaganda for the purpose of intervening or interfering in the internal affairs of other States. The Resolution stressed that, while States have a primary responsibility for maintaining a secure and peaceful ICT environment, effective international cooperation would benefit from identifying mechanisms for the participation, as appropriate, of the private sector, academia and civil society organizations. The Assembly welcomed the following set of international rules, norms and principles of responsible behaviour of States: “(a) Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security. (b) States must meet their international obligations regarding internationally wrongful acts attributable to them under international law.
However, the indication that an ICT activity was launched or otherwise originates from the territory or objects of the ICT infrastructure of a State may be insufficient in itself to attribute the activity to that State. Accusations of organizing and implementing wrongful acts brought against States should be substantiated. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences. (c) States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs. States must not use proxies to commit internationally wrongful acts using ICTs and should seek to ensure that their territory is not used by non-State actors to commit such acts. (d) States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect. (f) States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 of 23 December 2003 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions. (g) States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty. (h) States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. 
(i) States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions. (j) States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies for such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure. (k) States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity. (l) States should encourage the private sector and civil society to play an appropriate role to improve security of and in the use of ICTs, including supply chain security for ICT products and services. States should cooperate with the private sector and the organizations of civil society in the sphere of implementation of rules of responsible behaviour in information space with regard to their potential role”.
The Assembly called upon Member States to promote further, at multilateral levels, the consideration of existing and potential threats in the field of information security, as well as possible strategies to address the threats emerging in this field, consistent with the need to preserve the free flow of information.
In 2019 the General Assembly of the United Nations adopted Resolution 73/266: Advancing responsible State behaviour in cyberspace in the context of international security,¹⁴ where it was noted that considerable progress has been achieved in developing and applying the latest information technologies and means of telecommunication and that this progress confers the broadest positive opportunities for the further development of civilization, the expansion of opportunities for cooperation for the common good of all States, the enhancement of the creative potential of humankind and additional improvements in the circulation of information in the global community. The Resolution also noted that the dissemination and use of information technologies and means affect the interests of the entire international community and that optimum effectiveness is enhanced by broad international cooperation, while confirming that information and communications technologies are dual-use technologies and can be used for both legitimate and malicious purposes. It was stressed that it is in the interest of all States to promote the use of information and communications technologies for peaceful purposes and to prevent conflict arising from the use of information and communications technologies. However, it was noted that these technologies and means can potentially be used for purposes that are inconsistent with the objectives of maintaining international stability and security and may adversely affect the integrity of the infrastructure of States, to the detriment of their security in both civil and military fields. Therefore, it was underscored that there was a need for enhanced coordination and cooperation among States in combating the criminal misuse of information technologies.
In this context, the Assembly requested the Secretary-General, with the assistance of a group of governmental experts, to be established in 2019 on the basis of equitable geographical distribution, proceeding from the assessments and recommendations contained in the above-mentioned reports, to continue to study, with a view to promoting common understandings and effective implementation, possible cooperative measures to address existing and potential threats in the sphere of information security, including norms, rules and principles of responsible behaviour of States, confidence-building measures and capacity-building, as well as how international law applies to the use of information and communications technologies by States, and to submit a report on the results of the study, including an annex containing national contributions of participating governmental experts on the subject of how international law applies to the use of information and communications technologies by States, to the General Assembly at its seventy-sixth session. It also requested the Office for Disarmament Affairs of the Secretariat, through existing resources and voluntary contributions, on behalf of the members of the group of governmental experts, to collaborate with relevant regional organizations, such as the African Union, the European Union, the Organization of American States, the Organization for Security and Cooperation in Europe and the Regional Forum of the Association of Southeast Asian Nations, to convene a series of consultations to share views on the issues within the mandate of the group in advance of its sessions. Finally, the Assembly decided to include in the provisional agenda of its seventy-fourth session the item entitled “Developments in the field of information and telecommunications in the context of international security”.
10.1.2.5 The Budapest Convention on Cybercrime of 2001
The only international treaty so far on cybercrime is the Budapest Convention of 2001 (see text of the treaty at APPENDIX B), adopted under the auspices of the Council of Europe, which, although not globally applicable, acts as a precursor to a global effort and gives some idea of how the global threat of cybercrime could be addressed in a future multilateral treaty. Some selected provisions are discussed below that may be relevant to aviation and unlawful interference with civil aviation. The philosophy of the Convention is reflected in the Preamble, which observes inter alia that the profound changes brought about by the digitalisation, convergence and continuing globalisation of computer networks bring to bear the ominous possibility that computer networks and electronic information may also be used for committing criminal offences and that evidence relating to such offences may be stored and transferred by these networks, and that there is a compelling need for co-operation between States and private industry in combating cybercrime and the need to protect legitimate interests in the use and development of information technologies, alongside a need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation and fostering international co-operation.
Article 2 of the Budapest Convention identifies as a criminal offence under domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system. Article 3 addresses illegal interception and provides that each Party must adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system. The following two provisions deal with the damaging, deletion, deterioration, alteration or suppression of computer data without right, as well as the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data, all of which are identified under the Convention as criminal offences.
Article 7 is particularly relevant as a reference point for aviation as reflecting a potential threat when it provides that each Party must adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.
The issue of jurisdiction is addressed in Article 22, which provides that each Party must adopt such legislative and other measures as may be necessary to establish jurisdiction over any offence established in accordance with Articles 2 through 11 of this Convention, when the offence is committed: in its territory; or on board a ship flying the flag of that Party; or on board an aircraft registered under the laws of that Party; or by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State. One of the intrinsic threads in both the United Nations Resolutions and the work of ICAO is international cooperation, which is crucial to combat cyberterrorism. This is found in Article 23, which provides that the Parties are required to co-operate with each other, in accordance with the provisions of this chapter, and through the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.
Article 25 refers to the Parties affording one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence while Article 26 speaks of the provision of spontaneous information by saying that a Party may, within the limits of its domestic law and without prior request, forward to another Party information obtained within the framework of its own investigations when it considers that the disclosure of such information might assist the receiving Party in initiating or carrying out investigations or proceedings concerning criminal offences established in accordance with this Convention or might lead to a request for co-operation by that Party.
At the last count, on 9 January 2020, 64 States had ratified the Convention, which entered into force on 1 July 2004 with 5 ratifications, including at least 3 member States of the Council of Europe.
10.1.2.6 Legal Aspects of Cybersecurity
Cyber terrorism defines our times. It has brought seismic changes to the way we approach terrorism. This is because global and national reliance placed on cyberspace for the development and sustenance of human interaction will continue to grow in the years to come and with that continued development will come ominous threats and daunting challenges from cyber terrorism. Cyber terrorism has the advantage of anonymity, which in turn enables the hacker to obviate checkpoints or any physical evidence being traceable to him. It is a low budget form of terrorism where the only costs entailed in interfering with the computer programs of a State’s activities and stability would be those pertaining to the right computer equipment. The most intractable challenge posed by cyber terrorism is that the digital environment that we live in, which enables us to create and share knowledge, also provides ample opportunity for the commission of a cyber crime, since that environment breeds motivated offenders who can develop covert capabilities that could exploit the vulnerability of the cyber environment. The opportunities the cyber environment offers for subterfuge are another challenge to be overcome. However, the most ominous challenge is the lack of sentinels to guard against crimes committed against the digital world.
At the outset, it is necessary to determine the difference, if any, between cyber crime and cyber terrorism and ascertain any link that reflects a commonality. Cyber crime was called “computer crime” in its early stages of evolution and has been called “computer related crime” or “crime by computer”. Cyber terrorism has been simplistically defined as “an assault on electronic communication networks”. The Federal Bureau of Investigation of the United States has given a more extensive definition: “the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against non-combatant targets by sub-national groups or clandestine agents”. One commentator states that cyber terrorism is terrorism in cyberspace, which is carried out through computers, the Internet and technology-based networks or systems against infrastructures supported by computers and networks. Another interpretation is that cyber terrorism is the use of computer networks in order to harm human life or to sabotage critical national infrastructure in a way that may cause harm to human life. When all these definitions are considered, one notes that the activities concerned with both cyber crime and cyber terrorism are calculated to sabotage infrastructure and disrupt a system. Therefore, although the activities involved may be the same or similar in both categories, the intent behind a cyber crime may be different from that which applies to cyber terrorism. The Centre for the Study of Terrorism and Irregular Warfare released a report in 1999 which discussed the likelihood of any significant cyber attacks experienced in the future being supplementary to traditional physical attacks carried out by terrorists.
It has been argued that cyber terrorism is a corollary to a shift of control in manufacturing utilities, banking and communications from secured national control to networked computers. The threat of cyber terrorism resonates with the terrifying truth that its occurrence is real and the extent of occurrence of cyber terrorist acts could be prodigious. Blaise Pascal, in his book Ars Cogitandi, states that fear of harm ought to be proportional not merely to the gravity of the harm but also to the probability of the event. Fundamentals of risk management tell us that, under similar conditions, the occurrence of an event in the future will follow the same pattern as in the past. It follows therefore that we could be faced with the terrifying possibility of a nuclear 9/11 sometime in the future, possibly aided and abetted by cyber terrorism.
The events of 11 September 2001 revealed that the three most vulnerable targets for terrorist attacks are people, infrastructure and technology as they are the preeminent elements of a functional economy in this century. They also brought to bear the inextricable interdependencies between physical and cyber infrastructures. Cyber terrorism represents a “clear and present danger” and the issue has even been raised as to whether 9/11 was a result of cyber terrorism.
Cyberspace, which comprises millions of fibre optic cables enabling servers, computers and routers, is the nervous system of any nation’s critically important infrastructures, prominent among which is transportation. Attacks on cyberspace can cause immeasurable harm, particularly by disrupting essential services such as banking and finance, telecommunications, health and health care, transportation, religious places of worship, infrastructures, government services, education centers, power and energy generation and distribution, manufacturing, agriculture and food, electricity and water supply, and military defence. Of these, aerospace activities and air traffic control are significant targets.
In 2003, the United States adopted the National Strategy to Secure Cyberspace under the signature of President Bush, with a view to preventing cyber attacks against critical infrastructures of the United States; reducing national vulnerability to cyber attacks; and minimizing damage and recovery time from cyber attacks that do occur. The Strategy outlines the national priority which is securing the Government’s cyberspace and national security and international cyberspace security cooperation. These priorities will be driven with the assistance of a national cyberspace security response system; a national cyberspace security threat and vulnerability reduction programme; and a national cyberspace security awareness and training programme. A fundamental principle of this strategy lies in the recognition that efforts to counter cyber terrorism would involve robust and active collaboration between the various components involved in the activities of the United States. This is simply because the federal government could not, and should not, secure or interfere with the computer networks of privately owned banks, energy companies, transportation firms, and other parts of the private sector. In similar manner, the federal government should not intrude into homes and small businesses, into universities, or state and local agencies and departments to create secure computer networks. The Strategy therefore exhorts each American who depends on cyberspace and information networks to secure the part that they own or for which they are responsible.
The extent of the threat posed by cyber terrorism is reflected in the Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence of 2010 which states that the agility and technological innovation demonstrated by the cyber criminal sector far exceeds the response capability of network defenders. The Threat Assessment identified Network Convergence—which is the merging of distinct voice and data technologies to a point where all communications are relayed over a common network structure—and Channel Consolidation—which is the concentration of data captured on individual users by service providers through emails or instant messaging—as being particularly vulnerable to cyber attacks. The Threat Assessment drew an implicit parallel between cyber terrorism and international organized crime, expanding that international criminal organizations will increasingly damage the ability of legitimate businesses to compete and may drive some legitimate players out of the market.
Cyber terrorism, whether conducted by individuals, corporations or States, could target the electronic systems of companies which design and develop hardware and software used in airports and air traffic control systems. It could target industries involved in the construction of aircraft and components whether they be used for civil or military purposes. One commentator says: “here, the objective is that of manipulating, in the design phase, software or hardware which will eventually come to be used in critical environments. The events linked to the theft of designs relating to the American F-35 project [15] are an example of this kind of act”.
Of note are the efforts of various international organizations such as the United Nations, Council of Europe, Interpol, and OECD dating back to the 1980s in responding to the challenges of cyber crime. One significant result of this collective effort was the publication of the United Nations Manual on Cybercrime and United Nations Resolution of 2001 which exhorted States, in the context of an earlier UN Resolution on Millennium Goals—which recognized that the benefits of new technologies, especially information and communication technologies are available to all—to ensure that their laws and practices eliminate safe havens for those who criminally misuse information technologies; while also ensuring law enforcement cooperation in the investigation and prosecution of international cases of criminal misuse of information technologies which should be coordinated among all concerned States. The Resolution went on to require that information should be exchanged between States regarding the problems that they face in combating the criminal misuse of information technologies and that law enforcement personnel should be trained and equipped to address the criminal misuse of information technologies.
The Resolution recognized that legal systems should protect the confidentiality, integrity and availability of data and computer systems from unauthorized impairment and ensure that criminal abuse is penalized and that such systems should permit the preservation of and quick access to electronic data pertaining to particular criminal investigations. It called upon mutual assistance regimes to ensure the timely investigation of the criminal misuse of information technologies and the timely gathering and exchange of evidence in such cases. States were requested to make the general public aware of the need to prevent and combat the criminal misuse of information technologies. A significant clause in the Resolution called for information technologies to be designed to help prevent and detect criminal misuse, trace criminals and collect evidence to the extent practicable, recognizing that the fight against the criminal misuse of information technologies required the development of solutions taking into account both the protection of individual freedoms and privacy and the preservation of the capacity of governments to fight such criminal misuse.
A seminal event in the international response to cybercrime occurred in 2001 with the adoption of the Cybercrime Convention of the Council of Europe which was opened for signature in November 2001 and came into force on 1 July 2004. The Convention was ratified by President Bush on 22 September 2006 and entered into force for the United States on 1 January 2007. The main concern of the Convention was the risk that computer networks and electronic information may also be used for committing criminal offences and that evidence relating to such offences may be stored and transferred by these networks. States Parties to the Convention therefore expressed their view—in a Preambular Clause to the Convention—that co-operation between States and private industry in combating cybercrime was necessary and that there was a need to protect legitimate interests in the use and development of information technologies.
The Convention in Article 2 requires each Party to adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, access to the whole or any part of a computer system without right. The provision goes on to say that a Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or with other dishonest intent, or in relation to a computer system that is connected to another computer system. There are also provisions which call for States Parties to adopt legislative or other measures to counter illegal interception of transmission of computer data, data interception and exchange interception. Of particular significance to aviation is Article 7 on alteration of data and forgery, which goes on to require each Party to adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or not the data is directly readable and intelligible. The provision concludes that a Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.
Although cyber terrorism has not caused catastrophic damage yet, it could be but a matter of time. All the treaties in the world would be of no use unless States, individually and collectively, take concrete and practical measures against this threat.
10.2 United States Law
Much of the discussion on cybersecurity, particularly in the legal context, is focused on data protection and privacy, which will be discussed in the next chapter under traveller identity. The discussion under this section concentrates on hacking that would adversely affect the aviation industry and the safe navigation of aircraft through interference with the various systems that are involved. In this regard, the most appropriate start would be the Cybersecurity Information Sharing Act of 2015 of the United States (See APPENDIX A). As the title indicates, the Act is meant to legalize the sharing of information between the Federal Government and any entity, including private entities [15] such as airlines. Section 103 of the Act provides that, consistent with the protection of classified information, intelligence sources and methods, and privacy and civil liberties, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General, in consultation with the heads of the appropriate Federal entities, shall develop and promulgate procedures to facilitate and promote: the timely sharing of classified cyber threat indicators in the possession of the Federal Government with cleared representatives of relevant entities; the timely sharing with relevant entities of cyber threat indicators or information in the possession of the Federal Government that may be declassified and shared at an unclassified level; the sharing with relevant entities, or the public if appropriate, of unclassified, including controlled unclassified, cyber threat indicators in the possession of the Federal Government; the sharing with entities, if appropriate, of information in the possession of the Federal Government about cybersecurity threats to such entities to prevent or mitigate adverse effects from such cybersecurity threats; and the periodic sharing, through publication and targeted outreach, of cybersecurity best practices that are developed based on ongoing analysis of cyber threat indicators and information in possession of the Federal Government, with attention to accessibility and implementation challenges faced by small business concerns (as defined in section 3 of the Small Business Act) [16].
Of these, arguably the most important for aviation is the information sharing of cyber threat indicators, which are identified in the Act as any threat that would adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system. Therefore a cyber threat indicator would be information that is necessary to describe or identify: malicious reconnaissance [17], including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability; a method of defeating a security control or exploitation of a security vulnerability; a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability; a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability; malicious cyber command and control [18]; the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat; any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or any combination thereof.
Section 104 gives a private entity considerable leverage to monitor cyber security threats by providing that, notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, monitor: an information system of such private entity; an information system of another entity, upon the authorization and written consent of such other entity; an information system of a Federal entity, upon the authorization and written consent of an authorized representative of the Federal entity; and information that is stored on, processed by, or transiting an information system monitored by the private entity. Excluded are the right to authorize the monitoring of an information system, or the use of any information obtained through such monitoring, other than as provided in the title of the Act (i.e. information sharing); or to limit otherwise lawful activity. No cause of action lies against any private entity for the monitoring of information systems for cybersecurity purposes.
In the 2004 case of Dyer v. Northwest Airlines Corps [19] it was held that businesses offering their traditional products and services online through a website are not providing an ‘electronic communication service’, on the basis that a “provider of an electronic communication service is the provider of the underlying service which transports the data, such as an internet service provider or a telecommunications company whose cables and phone lines carry internet traffic, and not the provider of a product or service which facilitates the data transport” [20].
A different dimension was seen in In re: Michaels Stores Pin Pad Litigation [21], a case decided in 2011, in which the store in question used PINs (personal identification numbers) to enable client transactions by the simple method of swiping a credit card. Clients paid by this method for the purchase of art and crafts from the store. On May 4, 2011, Michaels reported that PIN pad tampering may have occurred in its Chicago area stores, and subsequently revealed that between February 8, 2011, and May 6, 2011, skimmers [22] placed approximately 90 tampered PIN pads in 80 Michaels stores across 20 states. At the time of the security breaches, Michaels was not in compliance with Visa’s Global Mandate or the PCI PIN Security Requirements. The plaintiffs’ contention against the defendant Michaels was that the store had not adequately protected their data. In other words, the case was grounded in negligence under common law principles.
The law under consideration was The Stored Communications Act (“SCA”) which provides that a person or entity providing an electronic communication service to the public must not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service. The court found that there was a reasonable inference that the allegations demonstrate the existence of an implicit contractual relationship between Plaintiffs and Michaels, which obligated Michaels to take reasonable measures to protect Plaintiffs’ financial information and notify Plaintiffs of a security breach within a reasonable amount of time.
In the 2012 case of United States v. Jones [23], where the U.S. Government obtained a search warrant permitting it to install a Global-Positioning-System (GPS) tracking device on a vehicle registered to respondent Jones’s wife, agents installed the device on the 11th day in Maryland whereas the warrant decreed that it be installed in the District of Columbia within 10 days. The Government then tracked the vehicle’s movements for 28 days. The issue was whether the acts of the government agents were ultra vires the Fourth Amendment of the United States Constitution, which protects the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”. The court held that the Government’s attachment of the GPS device to the vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a search and seizure under the Fourth Amendment.
Justice Scalia quoted an earlier dictum wherein Lord Camden expressed the significance of property rights (which in the Jones case involved the plaintiff’s wife’s car) in the search-and-seizure analysis: “[O]ur law holds the property of every man so sacred, that no man can set his foot upon his neighbour’s close without his leave; if he does he is a trespasser, though he does no damage at all; if he will tread upon his neighbour’s ground, he must justify it by law” [24]. Justice Scalia drew the distinction between the argument of some that the Fourth Amendment did not involve a person’s property by saying that: “The text of the Fourth Amendment reflects its close connection to property, since otherwise it would have referred simply to “the right of the people to be secure against unreasonable searches and seizures”; the phrase “in their persons, houses, papers, and effects” would have been superfluous”.
In Federal Trade Commission v. Wyndham Worldwide Corporation [25], the Federal Trade Commission alleged that Wyndham Worldwide, a hospitality company that franchises and manages hotels and sells timeshares through three subsidiaries [26], had engaged in unfair cybersecurity practices since April 2008, and that Wyndham had “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” The process that Wyndham followed, according to the FTC, was that it had allowed Wyndham-branded hotels to store payment card information in clear readable text, and allowed the use of easily guessed passwords to access the property management systems. The allegations followed that Wyndham had failed to use readily available security measures such as firewalls to limit access between hotels. The overriding implication was that Wyndham had laid its clients’ information open for hackers to access. The plaint stated that “on three occasions in 2008 and 2009 hackers accessed Wyndham’s network and the property management systems of Wyndham-branded hotels. In April 2008, hackers first broke into the local network of a hotel in Phoenix, Arizona, which was connected to Wyndham’s network and the Internet. They then used the brute-force method—repeatedly guessing users’ login IDs and passwords—to access an administrator account on Wyndham’s network. This enabled them to obtain consumer data on computers throughout the network. In total, the hackers obtained unencrypted information for over 500,000 accounts, which they sent to a domain in Russia”.
The FTC stated that, as a result of the three instances of Wyndham being hacked, payment card information had been obtained from over 619,000 consumers, which (as noted) resulted in at least $10.6 million in fraud loss. It further stated that consumers suffered financial injury through “unreimbursed fraudulent charges, increased costs, and lost access to funds or credit”. As such, it was the FTC’s claim that Wyndham had engaged in “unfair” and “deceptive” practices. Wyndham had several counter arguments against the FTC, one of which was that, according to Congressional interpretation of policy on the Federal Trade Commission Act, the FTC had no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition. In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination. The crux of Wyndham’s argument on the “unfair” criterion was that there was no conclusive evidence or even persuasive evidence of such unfairness. Wyndham concluded that a business “does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.”
The Court of Appeals opined that the Wyndham position was: “The FTC has not yet declared that cybersecurity practices can be unfair; there is no relevant FTC rule, adjudication or document that merits deference; and the FTC is asking the federal courts to interpret § 45(a) in the first instance to decide whether it prohibits the alleged conduct here. The implication of this position is similarly clear: if the federal courts are to decide whether Wyndham’s conduct was unfair in the first instance under the statute without deferring to any FTC interpretation, then this case involves ordinary judicial interpretation of a civil statute, and the ascertainable certainty standard does not apply. The relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires”.
In the 2014 case of Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C. [27], where the customers of a healthcare company, Portal, had filed an action resulting from a data breach of their details, the court held that the insurance company covering Portal’s liability was not absolved from its responsibility to make good on Portal’s insurance coverage against such exposure, notwithstanding the fact that the insurance company argued that Portal had not “placed before the public” such data to meet the criterion of “electronic publication” that warranted Portal’s liability. This view clashes with the earlier decision involving the hacking of the Sony databases, where the court held that “publication of material that violates a person’s right to privacy only applies if the policyholder, not third-party hackers, committed the alleged acts” [28].
The Computer Fraud and Abuse Act (CFAA) (See APPENDIX C) is another important legislative attempt at countering cyber threats. This law is the primary law by which the federal government prosecutes computer hacking. The CFAA also allows hacking victims to bring civil suits against hackers in certain circumstances. In the 2018 case of United States v. Nosal [29], the Court affirmed the lower court conviction of an employee who gained unauthorized access to computer records of his former employer’s computer system to obtain trade secrets and other information, his company [30]. The Court also “affirmed Nosal’s conviction for trade secret theft under the Economic Espionage Act of 1996. The court rejected Nosal’s contention that the data taken were not trade secrets, because even compilations of public information can be trade secrets if they are commercially valuable and sufficiently protected” [31].
10.3 European Law
In 2013 the European Union adopted Directive 2013/40/EU (See APPENDIX D) on attacks against information systems, the objective of which was to approximate the criminal law of the Member States in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offences and the relevant sanctions and to improve cooperation between competent authorities, including the police and other specialised law enforcement services of the Member States, as well as the competent specialised Union agencies and bodies, such as Eurojust, Europol and its European Cyber Crime Centre, and the European Network and Information Security Agency (ENISA) [32]. The Directive establishes minimum rules concerning the definition of criminal offences and sanctions in the area of attacks against information systems. It also aims to facilitate the prevention of such offences and to improve cooperation between judicial and other competent authorities.
The underlying premise extolled by the Directive, inter alia, was that large-scale cyber attacks can cause substantial economic damage both through the interruption of information systems and communication and through the loss or alteration of commercially important confidential information or other data. Particular attention should be paid to raising the awareness of innovative small and medium-sized enterprises to threats relating to such attacks and their vulnerability to such attacks, due to their increased dependence on the proper functioning and availability of information systems and often limited resources for information security.
The Directive notes that cyber attacks could be facilitated by various circumstances, such as where the offender has access to security systems inherent in the affected information systems within the scope of his or her employment. In the context of national law, such circumstances should be taken into account in the course of criminal proceedings as appropriate, and the Directive calls upon member States to provide for aggravating circumstances in their national law in accordance with the applicable rules established by their legal systems on aggravating circumstances. They should ensure that those aggravating circumstances are available for judges to consider when sentencing offenders. It remains within the discretion of the judge to assess those circumstances together with the other facts of the particular case.
The deadline given to EU member States to implement the Directive was 4 September 2015. Directive 2013/40/EU is driven by two strategies, the first being The European Agenda on Security. The key principles of the Agenda are: full compliance with fundamental rights; more transparency, accountability and democratic control, to give citizens confidence; the need to ensure better application and implementation of existing EU legal instruments; the need for a more joined-up inter-agency and a cross-sectorial approach; and the need to bring together all internal and external dimensions of security.
The second strategy is the Digital Single Market Strategy for Europe, which aims at a digital single market which ensures the free movement of goods, persons, services and capital and where individuals and businesses can seamlessly access and exercise online activities under conditions of fair competition, and a high level of consumer and personal data protection, irrespective of their nationality or place of residence. Achieving a Digital Single Market will ensure that Europe maintains its position as a world leader in the digital economy, helping European companies to grow globally. This concept is built on three objectives: better access for consumers and businesses to online goods and services across Europe—this requires the rapid removal of key differences between the online and offline worlds to break down barriers to cross-border online activity; creating the right conditions for digital networks and services to flourish—this requires high-speed, secure and trustworthy infrastructures and content services, supported by the right regulatory conditions for innovation, investment, fair competition and a level playing field; and maximising the growth potential of our European Digital Economy—this requires investment in ICT infrastructures and technologies such as Cloud computing and Big Data, and research and innovation to boost industrial competitiveness as well as better public services, inclusiveness and skills.
At the time of writing there were no cases that had been decided in the European Court of Justice (ECJ) directly on litigation pertaining to cyber security. However, there is a cursus curiae that could be taken to be analogically relevant. In a judgment handed down by the ECJ on 8 April 2014 concerning Directive 2006/24[33] the Court held that the Directive affected “in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Furthermore, it does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy”.[34]
In a 2016 decision[35] the ECJ recognized Directive 2006/24 to be invalid and held that, with regard to national legislation imposing a general obligation to retain data relating to electronic communications, that obligation and the safeguards which accompany it must be provided for in legislative form that possesses characteristics of accessibility, foreseeability and adequate protection against arbitrary interference. Such an obligation must be strictly necessary in the fight against serious crime, which means that no other measure or combination of measures could be as effective in the fight against serious crime while at the same time interfering to a lesser extent with the rights enshrined in Directive 2002/58[36] and Articles 7 and 8[37] of the Charter of Fundamental Rights. Furthermore, the obligation must be proportionate, within a democratic society, to the objective of fighting serious crime, which means that the serious risks engendered by the obligation, in a democratic society, must not be disproportionate to the advantages which it offers in the fight against serious crime.
Canada has one piece of legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA),[38] which consolidates a national standard for the use, disclosure and protection of information. Section 4 (1) is relevant to air transport in terms of passenger identification and the obligation of air transport enterprises and other entities which store information, which will be discussed in the next chapter. The Act applies to every organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities; or is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business. The Act does not apply to any government institution to which the Privacy Act[39] applies;[40] any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.
10.5 Cyberwarfare and Aviation
On 8 January 2020 a Ukraine International Airlines aircraft, while operating flight PS752 from Teheran to Kiev, was shot down by Iranian military personnel seemingly using digital equipment to discharge the missile that caused the destruction of the aircraft. Flight 752 (PS752) was carrying 176 people who died in the crash, including: 82 Iranians, 57 Canadians, 11 Ukrainians, 10 Swedes, four Afghans, three Germans and three British nationals. CNN reported on Saturday 11th January 2020 that Iran’s explanation for the “human error” was that the plane was shot down while Iran was on “high alert” at the time of shooting and was in a sensitive state.[41] Furthermore, the Iranian authorities are reported to have stated that the Ukrainian aircraft was “misidentified” as it turned to the direction of an Iranian Revolutionary Guard base. The exact statement of the Iranian authorities is reported to be that “Under such sensitive and critical conditions, the Ukrainian Airlines flight 752 took off from the Imam Khomeini airport and while rotating, it was placed completely in the position of approaching a sensitive military center in the altitude and trajectory of an enemy target. They must have thought the plane on their radar, flight PS752 was a foreign air force plane about to blow up.”
Prime Minister of Canada, Justin Trudeau, demanded accountability, transparency and justice for the families and the loved ones of the victims of the shooting down on 8 January of the Ukrainian International Airways Boeing 737–800 aircraft. Several Canadians were on that aircraft. Prime Minister Trudeau said: “Iran must take full responsibility”. It was reported that Iran announced the arrest of several suspects in the destruction of the aircraft.
It is encouraging that Iran has allowed Canada to participate in the accident investigation, which seems to accord with the recommendation made as early as 1949, where, in its Report to the General Assembly, the International Law Commission recommended a draft provision which required that: “Every State has the duty to conduct its relations with other States in accordance with international law and with the principle that the sovereignty of each State is subject to the supremacy of international law”.
The fundamental issue in the context of State responsibility is to consider whether a State should be considered responsible for its own failure or non-feasance to prevent an act of destruction against civil aviation or whether the conduct of the State itself can be impugned by identifying a nexus between the perpetrator’s conduct and the State. One view is that an agency paradigm, which may in some circumstances impute to a State reprehensibility on the ground that a principal-agent relationship between the State and the perpetrator existed, can obfuscate the issue and preclude one from conducting a meaningful legal study of the State’s conduct. The objective responsibility theory seems to suggest that the gravity of responsibility that devolves upon the State imputes strict liability, where irrespective of the fault, the State has to pay compensation to those aggrieved.
In November 2019 the United Nations General Assembly introduced a draft Resolution which decides to include in the provisional agenda of its seventy-seventh session the item entitled “Responsibility of States for internationally wrongful acts” and to further examine, within the framework of a working group of the Sixth Committee and with a view to taking a decision, the question of a convention on responsibility of States for internationally wrongful acts or other appropriate action.
This having been said, one cannot overlook the most important factor in this tragic situation—the human element and the plight of the unsuspecting and trusting passenger and the family left behind. The International Civil Aviation Organization has taken proactive steps on State responsibility which are indeed to its credit. A salient feature of these measures is that States are called upon to assist in any accident involving victims of accidents, irrespective of the circumstances which caused such accident. During its 32nd Session of the ICAO Assembly in October 1998, States considered the subject of assistance to aircraft accident victims and their families, acknowledging that the policy of ICAO should be to ensure that the mental, physical and spiritual well-being of victims involved in civil aviation accidents and their families are considered and accommodated by ICAO and its Contracting States. Following discussions, Assembly Resolution A32-7 was adopted, calling on Contracting States to reaffirm their commitment to support civil aviation accident victims and their families and urging them, in cooperation with ICAO and other States, to promptly review, develop and implement regulations and programmes to provide that support. The Council of ICAO was urged to develop material citing the need for the establishment of regulations and programmes by Contracting States and their air operators to support aircraft accident victims and their families.
Accordingly, the Council of ICAO has requested States to reaffirm their commitment to ensure that adequate and sufficient assistance is provided to aircraft accident victims and their families; establish legislation, regulations and/or policies addressing family assistance plans to ensure that family assistance providers have the necessary financial, personnel, and equipment resources, and that systems are available at short notice to provide assistance to aircraft accident victims and their families in a timely manner; ensure that their family assistance plans consider the following factors: recipients of family assistance; types of family assistance to be provided; when family assistance should be provided; family assistance providers; periodic review and exercise of the plan; and enactment of legislation, regulations and/or policies necessary to implement the plan; establish legislation, regulations and/or policies required to implement effective coordination and control of the efforts to provide the required family assistance; require that air operators implement family assistance plans, and ensure that these plans are exercised regularly, supervised and audited as necessary; require that airport operators implement family assistance plans, which can be part of their Airport Emergency Plans, in coordination with air operators, and ensure that these plans are exercised regularly, supervised and audited as necessary; and require air operators to have proper arrangements with airports in which they operate, so as to facilitate the provision of family assistance as required.
The overriding consideration should be prevention rather than reparation after the fact. For this, there are treaty provisions which I have discussed in an earlier article on Ukraine International Airways Flight 752. States have only to give them serious consideration.
In the context of treaty provisions, one sees a historical element. Malaysian Airlines Flight MH 17, operated by a Boeing 777-200ER aircraft flying from Amsterdam to Kuala Lumpur on 17 July 2014, and carrying 283 passengers and 15 crew, was shot down by a BUK surface-to-air missile over Donetsk Oblast in Eastern Ukraine, while at an altitude of 10,000 m. Two thirds of the passengers on board were of Dutch origin. All those on board perished.
A similar event had occurred in September 1983 when a Russian SU-15 Interceptor plane shot down a Korean Airlines Boeing 747 aircraft operating flight KE 007 bound from New York City to Seoul via Anchorage. The plane was destroyed over Sakhalin Island while navigating over prohibited Russian airspace. All 269 passengers and crew on board died.
Consequent upon the 1983 shooting down of KE 007, and amidst a vociferous international outcry, the International Civil Aviation Organization (ICAO) convened a special Assembly of ICAO member States which adopted article 3 bis to the Convention on International Civil Aviation (Chicago Convention) which now provides that ICAO member States undertake to refrain from using force against civil aircraft, and, in the case of interception, the safety of lives of those on board should be the paramount consideration.
Additionally, according to Article 28 of the Chicago Convention, Iran was required to provide in its territory air navigation facilities inter alia to facilitate international air navigation. This provision imputes to Iran the obligation to provide air traffic services that are calculated to ensure an aircraft’s navigational safety. A more compelling provision in the Convention is Article 9 which states that each contracting State may, for reasons of military necessity or public safety, restrict or prohibit uniformly the aircraft of other States from flying over certain areas of its territory, provided that no distinction in this respect is made between the aircraft of the State whose territory is involved, engaged in international scheduled airline services, and the aircraft of the other contracting States likewise engaged. Such prohibited areas must be of reasonable extent and location so as not to interfere unnecessarily with air navigation. Descriptions of such prohibited areas in the territory of a contracting State, as well as any subsequent alterations therein, are required to be communicated as soon as possible to the other contracting States and to ICAO.
One could argue that Iran had an obligation to adhere to the aforementioned provisions and close its airspace in the wake of hostilities between Iran and the United States. The only instance where these provisions would not apply is when a State invokes Article 89 of the Chicago Convention which provides that in a state of war or “national emergency” the provisions of the Convention would not affect the freedom of action of a State so involved provided that State advises the Council of ICAO.
The final question would then be, considering the fact that Iran was not at war with the United States, was it under a state of national emergency? Would “high alert” qualify as a national emergency? And did Iran advise the ICAO Council?
The Tallinn Manual[42] of 2009—the most comprehensive codification of rules applicable to cyber security and international law—in Rule 68 provides that “any cyber activity which constitutes a threat or use of force against the territorial integrity or political independence of any State, or that is in any other manner inconsistent with the purpose of the United Nations, is unlawful”. The words “use of force” in the context of the Charter of the United Nations have been discussed in an earlier chapter (see CHAPTER THREE, third paragraph). Alicia Kearns, an independent counter-disinformation and hybrid warfare consultant, states: “Attacks targeting Government, nuclear, water, energy, aviation and defence CNI are achieved by sending spear-phishing emails to employees or infecting websites in what is called a ‘waterhole attack’.”[43]
In the aviation context, mere intelligence gathering, or a temporary interruption of services may not be considered an “armed attack” against an aircraft or an aviation system in the strict sense of Article 51 of the United Nations Charter which calls for self-defence. However, taking into consideration the flow of interpretations of terminology that followed the 9/11 attacks, it can be argued that any imminent threat of a cyber attack against aviation could be countered by pre-emptive strikes.[44]
A cyber attack that damages or destroys an aircraft and persons on board—carried out during a period of war, belligerence or other clash between two States—where one State attacks the aircraft of the other could be construed as an act of war against the State in which the aircraft has been registered, as such registration is deemed to ascribe to the aircraft the nationality of that State.[45] The registration of an aircraft in a particular State devolves upon that State certain safety related obligations. For example, Article 12 of the Chicago Convention states that each Contracting State undertakes to adopt measures to insure that every aircraft flying over or manoeuvring within its territory and that every aircraft carrying its nationality mark, wherever such aircraft may be, shall comply with the rules and regulations relating to the flight and manoeuvre of aircraft there in force. Each Contracting State undertakes to keep its own regulations in these respects uniform, to the greatest possible extent, with those established from time to time under this Convention. Over the high seas, the rules in force shall be those established under this Convention. Each Contracting State undertakes to ensure the prosecution of all persons violating the regulations applicable.
In the context of equipment on board aircraft, Article 30 of the Convention requires that over the territory of States other than their State of registration, aircraft shall carry radio transmitting apparatus only if a license to install and operate such apparatus has been issued by the appropriate authorities of the State in which the aircraft is registered. The use of radio transmitting apparatus in the territory of the Contracting State whose territory is flown over shall be in accordance with the regulations prescribed by that State.
These provisions clearly demonstrate that any digital or cyber attack against an aircraft can be imputed to the State, the nationality of which the aircraft holds. In pursuance of the above obligations, one could validly conclude that digital uniformity among States is reflected in Article 37 of the Chicago Convention which imposes an obligation on each Contracting State to undertake to collaborate in securing the highest practicable degree of uniformity in regulations, standards, procedures, and organization in relation to aircraft, personnel, airways and auxiliary services in all matters in which such uniformity will facilitate and improve air navigation. These Standards and Recommended Practices are contained in the 18 Annexes to the Chicago Convention, all of which except Annexes 9 (Facilitation) and 17 (Security) are applicable to safety oversight either directly or indirectly.
ICAO’s Cybersecurity Strategy is comprised of the following measures: INTERNATIONAL COOPERATION—where ICAO will, inter alia, organize, facilitate and promote international events that serve as a platform for knowledge exchange between States, international organizations and industry. States are encouraged to engage in discussions on cybersecurity in civil aviation and include cybersecurity in global and regional plans; GOVERNANCE—where States are encouraged to develop clear national governance and accountability for civil aviation cybersecurity. Civil Aviation authorities are encouraged to ensure coordination with their competent national authority for cybersecurity, recognizing that the overall cybersecurity authority for all sectors may reside outside the responsibility of the civil aviation authority. It is also essential that appropriate coordination channels among various State authorities and industry stakeholders be established. Furthermore, Member States are encouraged to include cybersecurity in their national civil aviation safety and security programmes; EFFECTIVE LEGISLATION AND REGULATION—where the principal aim of international, regional and national legislation and regulation on cybersecurity for civil aviation is to support the implementation of a comprehensive Cybersecurity Strategy to protect civil aviation and the travelling public from the effects of cyber-attacks. Member States must ensure that appropriate legislation and regulations are formulated and applied, in accordance with ICAO provisions, prior to implementing a national cybersecurity policy for civil aviation. Further development of appropriate guidance for States and industry in implementing cybersecurity related provisions is necessary; CYBERSECURITY POLICY—which is to be included within a State’s aviation security and safety oversight systems as part of a comprehensive risk management framework; INFORMATION SHARING; and INCIDENT MANAGEMENT AND EMERGENCY PLANNING.
The ICAO Secretariat Study Group on Cybersecurity (SSGC) was established in August 2017. The SSGC is organized as a plenary group supported by one Sub-Group (Research Sub-Group on Legal Aspects) and three Working Groups (Working Group on Airlines and Aerodromes, Working Group on Air Navigation Systems and Working Group on Cybersecurity for Flight Safety). The scope of the group is to: serve as the focal point for all ICAO cybersecurity work; define relevant areas to be considered by the Working Groups (WG) of the SSGC and validate their respective terms of reference to ensure that no overlapping of duties and responsibilities occurs; conduct a review of ICAO Annexes to consolidate existing Standards and Recommended Practices (SARPs) related to cybersecurity; review the proposals for amendments to ICAO provisions or new provisions to be developed related to cybersecurity proposed by the Working Groups; encourage the development of, and participation in, government/industry partnerships and mechanisms, nationally and internationally, for the systematic sharing of information on cyber threats, incidents, trends and mitigation efforts; and promote cybersecurity awareness throughout the aviation community.
S/RES/2309 (2016), Security Council Distr.: General 22 September 2016.
The Resolution encouraged States which have not already done so to ratify the following international treaties: the Convention on Offences and Certain Other Acts Committed on Board Aircraft (Tokyo, 1963), by the Convention for the Suppression of Unlawful Seizure of Aircraft (The Hague, 1970), by the Convention for the Suppression of Unlawful Acts Against the Safety of Civil Aviation (Montréal, 1971), by the Protocol for the Suppression of Unlawful Acts of Violence at Airports Serving International Civil Aviation, Supplementary to the Convention for the Suppression of Unlawful Acts Against the Safety of Civil Aviation (Montréal, 1988), by the Convention on the Marking of Plastic Explosives for the Purpose of Detection (Montréal, 1991), by the Convention for the Suppression of Unlawful Acts Relating to International Civil Aviation (Beijing, 2010), by the Protocol Supplementary to the Convention for the Suppression of Unlawful Seizure of Aircraft (Beijing, 2010), by the Protocol to Amend the Convention on Offences and Certain Other Acts Committed on Board Aircraft (Montréal, 2014) and by bilateral agreements for the suppression of such acts.
S/RES/2395 (2017), Security Council Distr.: General 21 December 2017.
The United Nations Security Council Counter-Terrorism Committee (CTC). Guided by Security Council resolutions 1373 (2001) and 1624 (2005), the CTC works to bolster the ability of United Nations Member States to prevent terrorist acts both within their borders and across regions. It was established in the wake of the 11 September terrorist attacks in the United States. The CTC is assisted by the Counter-Terrorism Committee Executive Directorate (CTED), which carries out the policy decisions of the Committee, conducts expert assessments of each Member State and facilitates counter-terrorism technical assistance to countries.
S/RES/2396 (2017), Security Council Distr.: General 21 December 2017.
API and related issues such as the Passenger Name Record (PNR) and tools will be discussed in the next chapter.
A/RES/55/63, General Assembly Distr.: General 22 January 2001.
A/RES/57/239, General Assembly Distr.: General 31 January 2003.
A/RES/58/199, General Assembly Distr.: General 30 January 2004.
A/RES/64/211, General Assembly Distr.: General 17 March 2010.
A/RES/73/27, General Assembly Distr.: General 11 December 2018.
A/RES/73/266, General Assembly Distr.: General 2 January 2019.
The term “private entity” means any person or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or non profit entity, including an officer, employee, or agent thereof which would include a State, tribal, or local government performing electric or other utility services but would not include a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978.
15 U.S.C. 632.
The term “malicious reconnaissance” means a method for actively probing or passively monitoring an information system for the purpose of discerning security vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
“Malicious cyber command and control” means a method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system.
334 F.Supp.2d 1196, 1199 (D.N.D.2004). See also, In re Jetblue Airways Corp. Privacy Litig., 379 F.Supp.2d 299, 307 (E.D.N.Y.2005).
See Andersen Consulting, 991 F. Supp. at 1043.
No. 11 C 3350, United States District Court, N.D. Illinois, Nov 23, 2011, 830 F. Supp. 2d 518 (N.D. Ill. 2011).
“Skimming” is the unauthorized capture of debit and/or credit card data by unauthorized persons, often referred to as “skimmers.” Skimmers use the information in a number of illegal ways, including selling the information or creating a fraudulent duplicate card. One method skimmers use to obtain debit and credit card information from retail stores is referred to as “PIN pad swapping”.
No. 10–1259. Argued November 8, 2011—Decided January 23, 2012.
Entick v. Carrington, 95 Eng. Rep. 807 (C. P. 1765), at 875.
No. 14–3514. Decided: August 24, 2015, United States Court of Appeals, Third Circuit, at https://caselaw.findlaw.com/us-3rd-circuit/1711436.html.
Wyndham licensed its brand name to approximately 90 independently owned hotels. Each Wyndham-branded hotel has a property management system that processes consumer information that includes names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. Wyndham managed these systems and required the hotels to “purchase and configure” them to its own specifications.
35 F. Supp. 3d 765 (E.D. Va. 2014).
Zurich Am. Ins. Co. v. Sony Corp. of America et al., Case No. 651982/2011, 2014 WL 8382554 (N.Y. Sup. Ct. Feb. 21, 2014).
United States Court of Appeals for the Ninth Circuit, Aug 2, 2018, No. 18-10089 (9th Cir. Aug. 2, 2018).
844 F.3d 1024 (9th Cir. 2016).
See United States v. Nosal (Nosal II), Ninth Circuit Affirms Conviction of a Former Employee Who Used Another Employee’s Password. Feb 10, 2017, 130 Harv. L. Rev. 1265.
The European Agenda on Security lists cybercrime as one of the three top priorities for the current mandate of the European Commission in the field of security. Commissioner Avramopoulos, in charge of Migration and Home Affairs, said: “Cybercriminals violate the fundamental rights of EU citizens and harm our economy. Users have a right to feel safe online, and perpetrators must not feel that they can act with impunity. We need to strengthen the trust in online services that is essential for the Digital Single Market. The implementation of the Directive is a key step towards closer cooperation across the EU.” See Combating Cybercrime: EU-wide rules against cyber attacks come into force, European Commission, Migration and Home Affairs at https://ec.europa.eu/home-affairs/what-is-new/news/news/2015/20150904_1_en.
DIRECTIVE 2006/24/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. The Directive aims to harmonise Member States’ provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law. It applies to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered user. It shall not apply to the content of electronic communications, including information consulted using an electronic communications network.
Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others. In Joined Cases C-293/12 and C-594/12, see https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX%3A62012CJ0293.
Tele2 Sverige AB v Post- och telestyrelsen (C-203/15) and Secretary of State for the Home Department v. Tom Watson, Peter Brice, Geoffrey Lewis (C-698/15).
DIRECTIVE 2002/58/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). The Directive harmonises the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community. It applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community.
Article 7 on respect for private and family life recognizes that everyone has the right to respect for his or her private and family life, home and communications. Article 8 on protection of personal data recognizes that everyone has the right to the protection of personal data concerning him or her and that such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules is subject to control by an independent authority.
Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.
The Privacy Act pertains to the protection of the privacy of individuals with respect to personal information about themselves held by a government institution and provides individuals with a right of access to that information.
However, Section 4 of the Act provides that no personal information must be collected by a government institution unless it relates directly to an operating program or activity of the institution. This is followed by Section 7 which provides that personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; or for a purpose for which the information may be disclosed to the institution.
A curious parallel comes to mind where, on 3 July 1988, the United States accidentally downed Iran Air Flight 655, which was operated by an Airbus A-300B aircraft, killing 290 passengers and crew. The U.S. fired two surface-to-air missiles launched from the U.S.S. Vincennes, a guided-missile cruiser on duty with the United States Persian Gulf/Middle East Force in Iranian airspace over the Islamic Republic’s territorial waters in the Persian Gulf. The incident occurred in the midst of an armed engagement between U.S. and Iranian forces, in the context of a long series of attacks on U.S. and other vessels. The parallel seems to end there as there is a difference between “a state of high alert” which existed in Iran on 8 January and a battle which brought down the Iran Air aircraft.
The Tallinn Manual is a compilation by an independent group of international cyber experts invited by NATO in 2009 to produce a Manual on the law governing cyber warfare. According to the authors of the Manual “the focus of the original Manual was on the most severe cyber operations, those that violate the prohibition of the use of force in international relations, entitle states to exercise the right of self-defence, and/or occur during armed conflict”. See Leetaru, Kalev, What Tallinn Manual 2.0 Teaches Us About The New Cyber Order https://www.forbes.com/sites/kalevleetaru/2017/02/09/what-tallinn-manual-2-0-teaches-us-about-the-new-cyber-order/#58053582928b.
O’Flaherty, Kate, Quoted in Cyber Warfare: The Threat From Nation States, Forbes, May 3, 2018, at https://www.forbes.com/sites/kateoflahertyuk/2018/05/03/cyber-warfare-the-threat-from-nation-states/#2eb2791c7867.
U.S. National Security Council, The National Security Strategy of the United States of America 6 (2002).
Article 17 of the Chicago Convention provides that an aircraft is deemed to have the nationality of the State in which it is registered.