Opinion: TSA Directives Could Mean Private Flight Delays


In March, the Transportation Security Administration (TSA) issued an emergency cybersecurity amendment for airport and aircraft operators’ security programs. The aviation industry, designated as critical infrastructure in the U.S., has been plagued with hacker and ransomware attacks. Boeing, for example, reported a 600% increase in ransomware attacks in the last year.

Private air carriers, like commercial airliners, are required to screen passenger data through TSA systems prior to departure, and this passenger data has recently come under the microscope of regulators.

For small private aircraft flight providers, the hurdles can be overwhelming. 

In January, the TSA investigated a data leak from CommuteAir, a Part 121 operator. In the leak, a hacker notified the airline she had accessed an outdated version of the Federal No-Fly list on the Internet through an unsecured server. The hacker published sample data and included the names of known terrorists. Less than 60 days later, the TSA released the new emergency cybersecurity amendment, citing the Biden administration’s National Cybersecurity Strategy.

The investigation and other efforts to modernize the TSA and airlines’ cybersecurity systems are attempting to address legitimate security issues, but the rush to rulemaking without a comment period is creating major issues for private air carriers. 

In 2007, the TSA created new requirements for commercial airlines to screen passengers. Private air carriers were notably left out, with a promise that future rulemaking, including a notice and comment period, would happen at a later date. Because passenger names, dates, times and airports change so frequently, Part 135 unscheduled air carriers operate in a vastly different environment from scheduled Part 121 carriers.

Like almost all rulemaking from the FAA, TSA and other regulatory agencies, Part 135 typically needs its own set of rules to take these operational differences into account.

The new directive requires a software implementation plan that features “continuous monitoring and detection, network segmentation, access control and system patching,” which aligns with the international security standard ISO 27001. The agency issued a similar directive to the railroad industry last year. Interestingly, rail providers are not required to match all passenger data to government-issued identification to travel and rely on conductor “spot checks” of IDs.

While the details and timing of the new systems are security sensitive, the issue seems to be the complexity of integrating air carrier flight management system data into secure connections with the TSA’s systems, and each air carrier gaining approval for their systems under the new TSA security requirements. 

The vast majority of private air carriers are small businesses that may have one or two aircraft--some air carriers do not even use electronic systems to dispatch flights. Yet small air carriers are being asked to create systems with the same level of sophistication that have taken large commercial airlines years to develop. 

What is most telling of the difficulties facing operators is the recent emergency stay motion filed and granted to NetJets in early June. NetJets cites that the TSA has not “turned square corners” and that the order will cause irreparable harm to the business, leading to delays, missed flights and cancelled trips. 

One of the leading software providers to private air carriers, Avinode’s SchedAero, has developed a manual export process that allows operators to comply with the TSA directive, but it will be months before the company is able to build an automated process. NetJets claims in its motion it will need to hire “scores” of personnel for the sole purpose of manually screening passenger names until it can rebuild its systems. 

In the motion, NetJets alleges that the TSA took a “phased, patient approach” with commercial airlines when it issued a new passenger screening effort in 2007, allowing airlines to conduct a testing period, but it denied Part 135 air carriers the ability to conduct analysis and testing as those air carriers would be addressed in future rulemaking. NetJets petitioned the TSA to provide it with more time to comply, stating that it will take approximately 12 months to create and approve the new system. 

For small carriers, the hurdles to gain approvals needed are overwhelming and an alternate process is simply not feasible. The TSA said future rulemaking would address small carriers back in 2007--but for more than 15 years, it has failed to issue a notice of rulemaking for public comment. It must do better.

Jessie Naor is the author of the Sky Strategy column in BCA and is CEO of FlyVizor, an aviation M&A advisory and business consulting firm. She is a former founder and president of GrandView Aviation.