Hearing Report: SEA’s Lance Lyttle Testifies on Aviation Cybersecurity Before Key Senate Committee

SEA’s Lance Lyttle Testifies on Aviation Cybersecurity Before Key Senate Committee 
September 18, 2024

Today, Lance Lyttle, Aviation Managing Director for Seattle-Tacoma International Airport (SEA), testified before the Senate Committee on Commerce, Science and Transportation regarding aviation cybersecurity threats.  Other witnesses included Brigadier General Marty Reynolds, Managing Director for Cybersecurity at Airlines for America, and John Breyault, Vice President of Public Policy, Telecommunications and Fraud at the National Consumers League.
 
Lyttle highlighted SEA’s focus on response, recovery, and resiliency in the wake of the August ransomware attack that disrupted operations and disabled IT systems at the airport. He noted the importance of effective cybersecurity measures, such as network separation and robust back-up systems, which allowed SEA to successfully maintain regular operations.
 
The Federal Bureau of Investigation (FBI) is actively investigating the incident, and SEA is conducting its own internal investigation; as a result, there were limited technical details discussed during the hearing. However, Lyttle repeatedly stressed the importance of information sharing to bolster cyber defenses and enable recovery and resiliency and promised to share the after-action report from SEA investigation with Congress, federal agencies, airports, and aviation industry partners as soon as it is available.  Lyttle also stated that SEA is still learning what data may have been compromised and has pledged to alert individuals immediately if their personally identifiable information has been breached and provide appropriate support and mitigation measures.
 
Lyttle thanked the Port of Seattle employees for their tireless work since the incident to keep operations running smoothly, especially over the busy Labor Day travel period, and to build back “stronger after.”  Lyttle explained that many of the technology and process workarounds that have helped to keep people and baggage moving have been effective and will go into the airport’s toolbox for future emergency response best practices.  Lyttle stressed, and A4A’s Reynolds echoed, the importance of tabletop exercises and continuity of operations planning in ensuring that airports and air carriers can quickly recover after cybersecurity incidents.  Both also agreed that, even though airports and air carriers have invested significant resources into cyber defenses and mitigation measures, there is no silver bullet, and cyber incidents will occur given the constant and evolving threat and attractiveness of critical infrastructure as target for cyber criminals and nation-state actors.
 
Several Senators, including Senate Commerce Committee Chair Maria Cantwell (D-WA), asked what, if anything, the federal government could do to help harden cyber defenses for critical infrastructure and the aviation sector in particular.  Lyttle again stressed the importance of having the federal government share timely and actionable cyber threat information as soon as possible with industry to include classified briefings to discuss new and emerging threats.  Lyttle also suggested that there are opportunities to improve the two-way sharing of information.  Airports and airlines are required to report incidents to DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and would benefit from knowing more about the reported cybersecurity incidents to better focus cyber resources and mitigation measures, Lyttle noted.  A4A’s Reynolds shared that air carriers have 10 different cyber-related reporting requirements to various federal agencies with different timeframes and thresholds for reporting.  He stressed that harmonizing reporting requirement into a single government agency would help to streamline the information sharing and better focus resources on recovery (rather than compliance) when an incident does occur.
 
Breyault from the National Consumers League suggested that Congress focus on helping passengers recover from any travel inconveniences caused by cyber incidents, including compensation from air carriers for delayed or cancelled flights.  He also highlighted the cyber vulnerabilities of unused frequent flier awards and customer loyalty miles, expressing concern that the miles do not have the same customer protections that are in place for compromised bank or credit card funds.  Senator Cantwell pointed to the Cybersecurity Aviation Rulemaking Committee (ARC) required by the recent FAA reauthorization law as an excellent opportunity for industry and government to work together to protect against the cyber threats to aviation and our nation’s critical infrastructure.
 
Additional details:
Lance Lyttle’s written testimony
Marty Reynold’s written testimony
John Breyault’s written testimony
Video of today’s hearing