By Ronak Shah and David Mkrtchian

America’s aviation sector is the lifeblood of our economy. Aircraft manufacturers, their vast supply chains, and airlines collectively drive innovation while connecting people and commerce nationwide. Commercial aviation alone accounted for roughly $1.45 trillion of economic activity in 2024 - 5% of national GDP - and continues to employ more than 10 million across the nation. Yet this critical infrastructure faces escalating cybersecurity challenges that demand immediate action.

In fact, multiple vulnerabilities are converging to threaten the stability of our skies. Persistent operational challenges plague our air traffic management - from ongoing difficulties tracking military aircraft in congested airspace near Reagan National Airport, underscored by years of documented near-misses and National Transportation Safety Board (NTSB) incident reports, to the cascading challenges at Newark where controllers have repeatedly lost radar and radio contact with aircraft.

Layered on documented operational hazards are emerging technological threats: pilots now face misleading Traffic Alert and Collision Avoidance System (TCAS) warnings. In fact, the Cybersecurity and Infrastructure Security Agency (CISA) has issued public advisories on vulnerabilities within core aviation-related software systems, revealing potentially exploitable weaknesses in critical safety nets like TCAS. Meanwhile, sophisticated Global Positioning System (GPS) spoofing attacks increasingly compromise our foundational navigation system, using false signals to deceive aircraft about their true location, potentially leading to dangerous flight path deviations. A recent report noted that incidents of this caliber worldwide surged by 500% in 2024, with 1,500 flights per day affected by GPS attacks in August of 2024 alone.

Each issue alone warrants concern; taken together, they represent a worrying alignment of risks, evoking the “Swiss cheese model” where multiple, independent flaws create pathways to disaster. The holes are simply lining up.

Deep structural impediments cripple our ability to address these threats. The decades-long struggle to modernize critical air traffic control systems exemplifies this point. Consider the Standard Terminal Automation Replacement System (STARS): conceived in the early 1990s, it suffered significant delays and cost overruns from its 1996 contract award. Despite targeting 1999 deployment with completion by 2005, the project faced numerous setbacks. By 2002, the Government Accountability Office reported “significant cost, schedule, and performance shortfalls,” forcing scope reductions and timeline revisions. Full operational capability at key sites like the Potomac TRACON was not achieved until 2011 – nearly twenty years from concept to stable operation. This example illustrates the immense difficulty in rapidly deploying new technologies within aviation.

The government has taken meaningful action on these challenges -launching a comprehensive modernization plan for air traffic control systems, streamlining controller hiring processes, and working with Congress to secure substantial emergency funding. Legislative efforts advancing on Capitol Hill signal genuine bipartisan commitment to infrastructure improvements. These efforts represent significant progress on long-standing problems. Yet cyber threats evolve faster than infrastructure timelines allow.

Complex standards and regulatory oversight lead to lengthy timelines in the aviation industry. Groups such as RTCA and EUROCAE create crucial, yet time-consuming guidance to ensure increased safety of the industry, with cybersecurity now taking the spotlight in recent certifications. Subsequently, regulatory bodies like the Federal Aviation Administration (FAA) endorse these documents as valid for meeting airworthiness standards. While essential for safety, these stringent procedures delay the integration of advanced cybersecurity measures. Coordination difficulties among the FAA, Federal Communications Commission (FCC), Department of War (DoW), airport authorities, airlines, aircraft manufacturers, and international bodies like International Civil Aviation Organization (ICAO) and ARINC compound these delays.

Aviation disasters - accidental or malicious - terrorize the public imagination. The far-fetched scenarios once confined to Hollywood thrillers are no longer fiction. The Department of Homeland Security’s (DHS) Office of Intelligence and Analysis publicly reported on China-based technology firms smuggling signal jammers to disrupt radiofrequency signals. To defend against cyber threats targeting this sector, we must create agile innovation pathways without sacrificing risk. The U.S. Special Operations Command offers a potential model through its Technical Experimentation Program (TE) and its Special Operations Forces Training and Experimentation Center (SOF-TEC) - these key units serve as hubs for experimentation that enables rapid innovation within the broader DoW ecosystem. An aviation cybersecurity equivalent of SOF-TEC could bridge the gap between innovation and deployment, enabling controlled evaluation of new technologies.

Without such a mechanism, our aviation ecosystem will maintain a cybersecurity posture consistently two decades behind current threats. This represents more than a technological deficit - it’s a profound structural vulnerability threatening our economy and national security. The time for decisive action is now.