The aviation industry has long been a vital mode of transportation for people
and goods around the world. However, with the rapid development of technology
and the increasing dependence on digital systems, the industry has become
increasingly vulnerable to cyber security threats.
Cyber attacks pose a
significant threat to the safety and security of the aviation industry, as they
can disrupt critical systems and cause potential harm to passengers and
personnel. As the industry continues to rely on interconnected technologies, it
is crucial for aviation organizations to prioritize cyber security measures to
protect against potential threats and ensure the safe and efficient operation of
Cybersecurity threats have become a major concern for aviation in the last five
to ten years, mainly as a result of digitalisation processes becoming the norm
in the sector.
In July 2021, Eurocontrol published a report titled "Airlines under
attack: Faced with a rising tide of cybercrime, is our industry resilient enough
to cope?", which outlined the increasing exposure of the aviation industry to
rising levels of risk, as criminals, hackers, and state-sponsored
cyber-attackers all look to exploit vulnerabilities, cause chaos and fill their
pockets at the expense of the aviation sector and innocent passengers.
The report was based on data from the EATM-CERT (European Air Traffic Management
Computer Emergency Response Team) service. This data showed that cyber-attacks
are up in all threat categories, with a 530% year-on-year rise from 2019 to 2020
in reported incidents across the aviation industry, and with airlines targeted
in 61% of all 2020 aviation cyber-attacks.
The report highlighted that 61% of all cyber-attacks in 2020 targeted airlines,
almost twice as much as the two next biggest affected market segments combined,
and that of the 335 fraudulent and fake refund websites discovered by the EATM-CERT
team in 2020, 280 were impersonating IATA and A4E airline members, selling fake
tickets and seeking to extract customer credit card data.
Moreover, 62 ransomware attacks were made in 2020, amounting to more than 1
per week. In 2021, demands amounting cumulatively to $50 million USD were made by
hackers and hacktivist groups.
What Constitutes a Cyber-Attack?
The legality and use of cyber-warfare under international law remain ambiguous.
This ambiguity is more concerning now than ever, since most nations,
particularly the developed ones and, increasingly, the developing ones, are
becoming dependent on information technology for both civilian and military
purposes. Thus, opportunities increasingly arise for adversaries to strike
inexpensively, remotely, and effectively with little risk. This has, in turn,
motivated both state and non-state actors to conduct warfare in cyberspace.
Hostile acts against a computer system and networks can be distinguished as
destructive and non-destructive. The first form, "cyber attack", refers to the
use of deliberate actions and operations - perhaps over an extended period of
time - to alter, disrupt, deceive, degrade, or destroy adversary computer
systems or networks or the information and (or) programs resident in or
transiting these systems or networks.
The second form, cyber exploitation, is
non-destructive and involves the use of actions and operations - perhaps over an
extended period of time - to obtain information that would otherwise be kept
confidential and is resident on or transiting through an adversary's computer
systems or networks. The use of the wide-ranging term, cyberwarfare, does not
provide a fitting description for a hostile attack in cyberspace due to its wide
The US Department of Defence provides a workable definition of
"cyber-attack" in its DCSINT Handbook No. 1.02 of the US Army which states:
premeditated use of disruptive activities, or the threat thereof, against
computers and/or networks, with the intention to cause harm or to further
social, ideological, religious, political or similar objectives. Or to
intimidate any person in furtherance of such objectives".
The Council of Europe's Convention on Cybercrime, a multilateral instrument
aimed at combating cybercrime, tries to define cyberattack. It requires the
signatories to make laws and criminalise "the damaging, deletion, deterioration,
alteration or suppression of computer data without right," as well as "the
serious hindering without right of the functioning of a computer system" by
Most international legal instruments dealing with warfare have traditionally
interpreted 'armed conflict' as conventional military warfare, including the
International Humanitarian Law which distinguishes between two types of armed
conflicts, i.e., international armed conflict between two opposing states and
non-international armed conflict between governmental forces and
non-governmental armed groups or such groups only.
Article 2 of the Geneva
Convention of 1949 states:
"In addition to the provisions which shall be
implemented in peacetime, the present Convention shall apply to all cases of
declared war or of any other armed conflict which may arise between two or more
of the High Contracting Parties, even if the state of war is not recognized by
one of them". Thus, defining cyberwarfare in the context of the existing
international instruments is difficult.
Biggest Recent Cyber Attacks on the Aviation Industry in the Last Few Years
- On 25th May 2022, following a massive ransomware attack on SpiceJet, hundreds of passengers were stranded at airports across India, particularly those airports where restrictions on night operations were in place. SpiceJet has not revealed which systems were targeted or what it did to overcome the attacks.
- In April 2022, Canadian low-cost airline Sunwing Airlines faced four days of extensive flight delays after the third-party software system it used for check-in and boarding was breached by hackers. The attack forced Sunwing to resort to manually checking in passengers in an effort to minimize disruption to its schedule and caused the Canadian authorities to suspend operations temporarily to ensure that the breach was remedied before flights could resume.
- In March 2022, in what appears to have been a retaliatory strike in response to Russia's invasion of Ukraine, an unidentified group (presumed to be the Anonymous Hacking Group) carried out an extremely effective attack on the Russian Federal Air Transport Agency. As part of the attack, all aircraft registration data and emails, totaling approximately 65 terabytes of data, were deleted from the Agency's servers.
- In March 2022, SITA, an airline technology and communication provider that operates passenger processing systems for airlines, was the victim of a cyber-attack involving passenger data. SITA serves 90% of the world's airlines and disclosed that among the airlines affected were various major airlines including Air India, Japan Airlines, Lufthansa, Malaysia Airlines, and Singapore Airlines.
Major International Instruments Dealing With Cyber Attack
- Convention for the Suppression of Unlawful Seizure of Aircraft (1970) -
The Hague Convention was adopted in 1970 with the aim of criminalizing
offences committed on board the aircraft when the aircraft is in flight.
To attract its provisions, the person must have seized or exercised
control over the aircraft.
The Convention may also be applied in cases where a passenger on board the
aircraft takes control of the aircraft through a cyber-attack.
- Convention for the Suppression of Unlawful Acts against the Safety of
Civil Aviation (1971) - The Montreal Convention of 1971 uses an effect-based
method to identify offences that share the traits of being illegal,
purposeful, and likely to jeopardise the safety of flying aircraft. Unlike the
Hague Convention, the Montreal Convention does not require the person to be on
board the aircraft, and thus broadens its applicability to include any remote
cyber attack on aircraft as well as on air navigation facilities.
- Convention on the Suppression of Unlawful Acts Relating to International
Civil Aviation (2010) - The Beijing Convention further expands the
scope of applicability to cyber-attacks targeting air navigation
facilities, defining them as signals, data, information, or systems necessary
for aircraft navigation. Moreover, the Beijing Convention addresses any
attacks on such facilities and aircraft conducted by cyber means.
- Beijing Protocol (2010) - The Hague Convention of 1970 is supplemented
by the Beijing Supplementary Protocol of 2010, which broadens the definition
of unlawful acts in light of technological advancements that could be used
to perpetrate crimes against aviation. By incorporating the seizure of
aircraft using any electronic and technological means within its scope, the
legal document for the first time makes a clear reference to cyber security.
- Annex 17 to the Chicago Convention - Annex 17 provides for Standards and
Recommended Practices dealing with aviation security.
The Chicago Convention requires the Contracting States to establish and enforce
laws to protect civil aviation from unlawful interference.
It is important to keep in mind that cyberattacks may be considered acts of
unlawful interference if they have a bearing on aviation safety. Within Annex
17, Standard 4.9.1 (measures relating to cyber threats) has been introduced,
which requires States to develop and implement measures to protect their
critical information, communications technology systems, as well as data used
for civil aviation purposes from unlawful interference.
- Article 3 bis of the Chicago Convention - The Protocol Pertaining to an Amendment
to the Convention on International Civil Aviation, signed in Montreal on May 10,
1984, which followed the aftermath of the KAL007 incident, is credited with
introducing Article 3 bis into the Chicago Convention. Although this accident
had a significant impact on the creation and implementation of this provision,
its reach has been acknowledged as being wider than just establishing
requirements for the interception of civil aircraft.
In particular, the first sentence of Article 3 bis states that "every State must
from resorting to the use of weapons against civil aircraft in flight
Cyberattack And Attribution
It is pertinent to note that cyberattacks are a plausible method employed by
adversaries to jeopardise the safety and security of aviation in general and
civil aviation in particular. There are multiple instances where a cyberattack is
preferred over the traditional methods of attack (such as hijacking) in
threatening an aircraft and its passengers' safety. There are several important
considerations including the direct involvement of the State from which the
attack originated, whether the state itself is complicit or not.
the attack constituted the action of the state itself or individuals acting
independently or otherwise. State responsibility in this context is articulated
by the International Law Commission's Draft Articles on Responsibility of States
for Internationally Wrongful Acts (ARSIWA) of 2001.
Article 1 of ARSIWA states
that, "Every internationally wrongful act of a State entails the international
responsibility of that State". As Shaw states, "existence of an international
legal obligation between states and a breach of such legal obligation are the
prerequisites for State responsibility in International Law". As per Article
2 of ARSIWA, determining whether there has been an internationally wrongful act
by the state requires conduct of the state, consisting of an act or omission, that
"(a) is attributable to the State under international law; and (b) constitutes a
breach of an international obligation of the State".
It must be noted that
conduct of a state includes both acts and omissions. It also needs to be
emphasised that while a state is an organised entity under international law, it
is also undeniable that it cannot act for itself. An act of state necessarily
involves individuals or groups; it "can act only by and through their agents and
representatives". In consonance, Article 4 of ARSIWA states that, "conduct of
any State organ shall be considered an act of that State under international
law, whether the organ exercises legislative, executive, judicial or any other
functions, whatever position it holds in the organization of the State, and
whatever its character as an organ of the central Government or of a territorial
unit of the State".
Customary international law recognises that the state is
completely responsible for its agents, as was also observed in the Armed Activities
on the Territory of Congo case: "[a]ccording to a well-established rule of
a customary nature . . . a party to an armed conflict shall be responsible for
all acts by persons forming part of its armed forces". Thus, where a
cyberattack is conducted by any organ of the state, it would be considered an act
of the state itself. This extends, as per Article 5 of ARSIWA, even to private
entities that are not organs of the State under Article 4 but which are
empowered by the law of that State to exercise elements of the governmental
This conception is consistent with the "effective control test".
With respect to "omissions" under Article 2(a), a state should not knowingly
allow an attack (a cyberattack in the present context) to originate from its
territory. This is what was held in the Corfu Channel case, where Albania was held
liable for the presence of mines in its territorial waters, as "it was a sufficient
basis for Albanian responsibility that it knew, or must have known of the
presence of mines in its territorial waters and did nothing to warn their States
of their presence".
An even bigger challenge with respect to state responsibility, in cyberwarfare
in particular and armed conflict in general, emerges in considering whether an
act of a non-state actor can be attributed to the state. Cases of this
kind arise where state organs supplement their own action by recruiting or
instigating private persons or groups who act as "auxiliaries" while remaining
outside the official structure of the State. The G7, in its "Declaration on
Responsible State Behaviour in Cyberspace", noted that the customary
international law of State responsibility supplies the standards for attributing
acts to States, which can be applicable to activities in cyberspace.
respect, States cannot escape legal responsibility for internationally wrongful
cyber acts by perpetrating them through proxies. Hacktivists are usually
individuals who possess sufficient capability to conduct a cyber-attack, and the
nature of cyberspace permits them to conduct a cyberattack on a state from
anywhere, including from a third state. Thus, any action against such
individuals or groups in the third state raises the question of violation of state
Article 51 of the UN Charter, dealing with the use of force, does not
specifically deal with the use of force against non-state actors; it leaves a
loophole to be exploited by non-state actors, specifically in cyberwarfare, which is in itself a relatively new domain for international law.
In the case of non-state actors, Article 8 of ARSIWA provides that
an act of persons or groups shall be considered an act of state under
international law if the person or group of persons is in fact acting on the
instructions of, or under the direction or control of, that State in carrying
out the conduct. This was also observed in the Military and Paramilitary
Activities in and against Nicaragua case, where the ICJ considered whether the USA was
responsible for the actions of rebels against the Nicaraguan government. The ICJ held
that responsibility would entail "effective control" over the non-state actor
group. Thus, state attribution can be made if the group is under the effective control
of the state.
Further, the "overall control" test developed in the Tadic case is also notable,
along with Article 11 of ARSIWA, which states that conduct which is not
attributable to a State under the preceding articles shall nevertheless be
considered an act of that State under international law if and to the extent
that the State acknowledges and adopts the conduct in question as its own. In the
United States Diplomatic and Consular Staff in Tehran case, an attack on the US
embassy by Iranian militants was endorsed by the State, and thus state
responsibility was imposed.
Acts of those without state endorsement present a more complicated matter.
An act conducted by persons or groups under the effective control of the State
or endorsed by the state, or a lapse on the part of the state in not
preventing the use of its territory, may entail state responsibility.
But if measures are taken by the state and a cyberattack still manages to
originate from its territory, the State should not bear state responsibility.
It can thus be concluded that the jurisprudence on state responsibility as
enumerated in the Articles on Responsibility of States for Internationally
Wrongful Acts of 2001 holds substantial applicability in the context of cyberattacks
perpetrated by both state and non-state actors.
The provisions relating to
state attribution can be readily interpreted in the context of cyberattacks.
That being said, there are substantial issues, particularly with respect
to the nature of cyberattacks themselves, that raise several complications with
regard to both establishing the responsibility of a state and the extent to which
the responsibility of a state exists.
- M.N. Shaw, International Law (4th Edition, Cambridge University Press, 1997) 541.
- German Settlers in Poland, Advisory Opinion, 1923 PCIJ Series B, No. 6 p. 22.
- Armed Activities on the Territory of Congo (Dem. Rep. Congo v. Uganda), 2005 I.C.J. 116, 214.
- Corfu Channel, Merits, Judgment, ICJ Reports 1949, p. 22-23.
Award Winning Article Is Written By: Mr. Zaier Ahmad
Authentication No: JU353214182381-15-0623