
Journal of Air Law and Commerce

Abstract

Commercial aviation has steadily become the busiest and most efficient means of travel across the world. In order to keep up with the increasing demands of its customers, the industry has undergone numerous digital and technological transformations in recent years. Collision avoidance systems have allowed for more planes in the skies, online ticket reservations have made booking a flight as simple as a few clicks, and in-flight wi-fi allows passengers to engage in both work and leisure at 30,000 feet. Overall, these innovations have increased safety, capacity, and convenience for both airlines and their customers. However, these transformations have also exposed the aviation industry to a higher possibility of cyberthreats and attacks with the potential of negative ramifications to systems and lives. With these vulnerabilities mounting and cyberattacks becoming more sophisticated, it has become increasingly important to not only ensure proper regulations and plans are in place to prevent cyberattacks, but also that negligent actors are held accountable when their systems fail to protect American consumers.

The outage caused by CrowdStrike’s defective software update during the summer of 2024 not only caused major inconveniences and financial loss to air travel, but also highlighted the need for a closer look into how our country regulates third-party service providers, specifically as it pertains to cybersecurity in the civil aviation sector. Subject only to the liability they have agreed to in their contracts—if they agreed to any at all—these third-party service providers of cybersecurity software to our nation’s most valuable industries can get away with lax cybersecurity practices that leave their customers vulnerable to the effects of cyberattacks without penalty. As it pertains to the commercial aviation industry, this lack of accountability may impose costs not only on airlines by way of profit loss and legal fees, but also on their consumers by way of personal data loss, potentially resulting in identity theft and credit card theft.

This Comment seeks to address the current state of cybersecurity law in civil aviation and propose suggestions to reduce risks and hold negligent actors accountable. First, this Comment will provide a detailed background of the increasing prevalence of cybersecurity risks in civil aviation as well as the role network security providers play in decreasing these risks. It will then discuss the current state of cybersecurity rules and regulations within civil aviation, as well as avenues for imposing liability upon cybersecurity service providers. Finally, this Comment will analyze current cybersecurity vulnerabilities despite these mitigation efforts, providing suggestions to not only reduce risks but also hold third-party software service providers accountable when their systems fail.


Digital Object Identifier (DOI)

https://doi.org/10.25172/jalc.90.4.4