Tuesday, June 23, 2015
Polish national carrier, LOT Airlines, temporarily suspended service on Sunday because of an external attack on its computer systems. International aviation's various security treaties are often cited as a model for an international cybersecurity regime (see Hathaway, et al, The Law of Cyber-Attack). Presumably this attack would be covered by the 1971 Convention for the Suppression of Unlawful Acts against the Safety of Civil Aviation or its 1988 Supplementary Protocol for the Suppression of Unlawful Acts of Violence at Airports Serving International Civil Aviation, but without more specific information about the attack it is difficult to assess the legal implications with certainty. The 1971 Convention covers acts that seriously endanger the safety of an aircraft while in flight, including damaging air navigation facilities or interfering with the operation of an aircraft. It would seem a good case could be made to include disruption of the computer system that produces flight plans for the operation of aircraft, which is reportedly what took place, under those categories. Even so, this incident should provide sufficient incentive for the international civil aviation community should to examine how well the existing security conventions cover all forms of attack on airline computer systems, even those less directly connected to the operation of aircraft.