Cantwell on Airport Cyberattacks: ‘Every Time We Witness These Technology Failures, Consumers Are the Ones Left Holding the Bag’
WASHINGTON, DC – Today, U.S. Senator Maria Cantwell (D-WA), chair of the Senate Committee on Commerce, Science, and Transportation, convened a panel of expert witnesses for a committee hearing focused on the cybersecurity threats faced by airports and airlines as well as the related impacts to passengers’ experiences. The panel of witnesses included Lance Lyttle, aviation managing director at Sea-Tac International Airport, which was the target of a cyberattack last month that interrupted Sea-Tac’s operations.
“Every time we witness these technology failures, consumers are the ones left holding the bag,” Sen. Cantwell said. She went on to describe how the cyberattack at Sea-Tac harmed flyers:
“The display boards were down for a week. I personally ran through the airport trying to catch a flight, not sure if I was going to the right gate. I had something on my device, but since all the boards were dark, I had no idea if I was going to get to my gate, or if that was really going to be the gate,” Sen. Cantwell said. “Employees had paper signs directing passengers on where to get to a gate. Check-in kiosks were down, too, forcing passengers to wait in line for paper tickets. Other passengers endured long waits at baggage claim as airport staff manually sorted through the checked bags in the terminal. The airport’s internal email systems and website went down, and the attack group, which is believed to be a Russian organization, is now threatening to release personal data from airport employees unless the airport pays $6 million worth of bitcoin ransom. While most systems are now back online, three weeks later, the airport’s website and some internal human resources functions remain down even today.”
Sea-Tac isn’t alone – in 2020, a hacker accessed internal systems at San Francisco International Airport. In 2015, a hacker claimed he had accessed the flight controls on a United Airlines flight using the in-flight entertainment system.
“That is why we are here today – to spotlight this issue and figure out what more needs to be done, and to let the travelling public know [what] Congress and the federal government are doing to combat potential disruptions to their air travel and safety,” Sen. Cantwell said.
Lyttle told the Committee that Sea-Tac has been targeted by cyberattackers before.
“We have successfully in the past thwarted denial of service attacks, phishing attacks, and we continuously do exercises. We have internal and external audits that we conduct on a regular basis to minimize the impact of any cyberattacks on our environment,” Lyttle said.
Lyttle added that the airport is working to determine what happened and agreed to share the findings of their eventual report.
“We will be conducting an after-action report,” Lyttle said. “We are focusing on recovery right now, and once we have done that, we will conduct the after-action report. And we will share this industrywide, as well as with the Committee,” Lyttle said.
On August 24, 2024, the Port of Seattle was the victim of a cyberattack. While the Port, which includes Seattle-Tacoma International Airport, quickly detected a ransomware incursion and shut down its systems before the virus could further penetrate, various airport operations and technologies were impaired or shut down for over a week. The outage blacked out screens throughout the airport that display flight times and luggage carousels, and in some situations forced staff to hand-write boarding passes for passengers.
Sen. Cantwell is a strong proponent of enhancing cybersecurity and technological resilience at airports across the United States. In July, following a wave of technological and customer communications problems at Delta Air Lines due to the CrowdStrike IT outage, Sen. Cantwell wrote a letter to Delta Air Lines CEO Ed Bastian noting that the company’s website didn’t give customers accurate information about their right to a refund as required by the FAA Reauthorization Act of 2024, which Sen. Cantwell spearheaded. She appeared on GMA3 to emphasize that robust airport and airline technology is ultimately a consumer protection issue.
“We can’t just have consumers stranded…because of software updates,” Sen. Cantwell said. “You may be dependent on a vendor who gives you that software, but you’re depended on by the consumers and businesses of America to deliver that service, and your implementation of that software, knowing how it functions, knowing how it works.”
In May, Sen. Cantwell shepherded the passage of the FAA Reauthorization Act of 2024, which reauthorized the Federal Aviation Administration (FAA) and the National Transportation Safety Board (NTSB) for five years. The new law included top Cantwell priorities including enhancing safety oversight, strengthening workforce development, boosting next-generation aviation innovation, and codifying consumer protections. The law additionally directed the FAA to establish a cybersecurity threat management process to track, evaluate, and protect against future aviation cyber threats and attacks, convene an Aviation Rulemaking Committee to improve aviation cybersecurity standards – including for airlines and airports, and designated a cybersecurity lead at the agency.
Over the 2022 holiday season, a winter storm triggered a mass operational failure across Southwest Airlines caused the cancellation of more than 15,000 flights. Following that incident, Sen. Cantwell convened a virtual roundtable of impacted constituents to learn more about their experiences and whether they’d been made whole by the airline. Shortly after that roundtable, she called Southwest Airlines Chief Operating Officer Andrew Watterson before the Senate Committee on Commerce, Science, and Transportation to account for the company’s missteps.
Video of Sen. Cantwell’s opening remarks in today’s hearing is available HERE; video of the full hearing is HERE; photos are HERE; and a transcript is HERE.
###