Wednesday, May 27, 2015

Cockpit Computer Hacking Update

A few weeks ago I wrote about the possibility of cockpit electronics and computers being hacked through inflight entertainment systems. The story centered around a self styled computer expert claiming that he had hacked into an airliner's flight control systems through the entertainment system and had affected the flight path of the aircraft in some fashion.

I suppose it's one thing to do this, but it seems to me that it is to transcend to a significantly higher level of stupid to then publicly announce that you've done this. Of course this guy ended up being interviewed by the FBI and also got himself declared persona non grata on United Airlines, the airline he claimed to have hacked. He also got some air time on several news shows which perhaps was his goal.

But notwithstanding this clown's antics, the question remains of whether aircraft control system computers are vulnerable to hacking through Wifi, entertainment, gaming, or other onboard passenger systems. While not being a computer expert by any stretch myself, I did ask a friend who is more of a computer guru. He was able to point me toward some resources addressing inflight computer hacking. (Hat tip to Dennis Corkery)

Inflight Hacking is a Recognized Concern

The US government has recognized that the proliferation of "IP" or internet protocol networks in critical aviation computer systems presents a vulnerability to malicious attacks on systems that were previously not connected to public networks. The GAO, an investigative arm of Congress, has issued several reports in recent years critical of the FAA and their deployment of information technology. One recent report highlights the potential of aircraft systems to be compromised:

Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems. As part of the aircraft certification process, FAA's Office of Safety (AVS) currently certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cybersecurity of all new aircraft systems.
Historically, aircraft in flight and their avionics systems used for flight guidance and control functioned as isolated and self-contained units, which protected their avionics systems from remote attack. However, according to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them. 
Firewalls protect avionics systems located in the cockpit from intrusion by cabin system users, such as passengers who use in-flight entertainment services onboard. Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented.

So, yeah, I know it's the government, but intrusion into airborne systems at least sounds plausible.

Some information system experts quickly retorted that the government experts don't know what they're talking about. (Sacre bleu!)  In a Forbes article, a professor of digital forensics (whatever that is) at Bloomsburg State University in Pennsylvania claimed that the GAO report was " put together by people who don't understand how modern aircraft actually work". He insisted that:

The information passed on to the inflight entertainment system is via something called a NED (Network Extension Device).  This device is not a router. This is a device that must be programmed to pass certain information to the entertainment system (aircraft position, etc.). 
This is a one-way communication. Even if someone were able to send information back toward the avionics, they aren’t listening for information from the in-flight entertainment systems… Since the computer doesn’t try and read information on those wires it is not likely to be useful to an attacker.

So there you have it. Some "experts" say we're all f*cked and others say they're smoking weed. What's the truth? I have no idea. The concept of aircraft systems being compromised at least sounds plausible but like all accounts of cyber-warfare, it seems to devolve into a cat and mouse game where each side attempts to score points against the other but it is the technology laggers who typically get owned.

Personally, this issue won't keep me awake at night. And probably shouldn't keep you up either.

Monday, May 25, 2015

Mideast Insurgents Invade America

There is an invasion of America in progress emanating from the Arabian peninsula. No, I'm not talking about ISIS nor al Qaeda; this invasion consists of airlines. Flying under the radar of popular opinion, three Persian Gulf based airlines, Etihad, Emirates, and Qatar Airways have been growing like weeds while invading American and European markets. They have now grown large enough to become serious competitors to established American and European carriers who claim the three upstarts are abusing provisions of international accords known as "open skies" agreements.

All three of these airlines, Etihad, Emirates and Qatar are relative youngsters having been founded in 2003, 1985, and 1993 respectively. But in spite of their youth, these airlines have quickly grown to join the ranks of some of the largest international airlines. Etihad, for instance, has over 17,000 employees and reported over $6 billion in revenues for 2013. Emirates boasts over 56,000 employees and is the third largest airline in the world based on passenger-miles flown, while Qatar employs over 19,000 and was the first airline in the Mideast to fly the Boeing 787.

All three of these airlines operate the Airbus A380, the world's largest aircraft, and collectively serve over 480 destinations. By way of contrast, American Airlines employs about 94,000 after their merger with US Airways and reported $42 billion in revenue for 2014. Weighing in for Europe, Lufthansa employs 118,000 and reported revenue of over €30 billion (about $33b) for 2014. So while not threatening to eclipse the largest US or European carriers, the three Arabian entrants have grown large enough to become noticed.

And noticed they have become. At this point the story simply reads like the disruption of established market players by more nimble or better managed interlopers. In any other industry that might be the case, but the international airline business is a completely different animal.

Fulfilling roles as objects of national pride and diplomacy while acting as both cultural ambassadors and political footballs, international airlines, or flag carriers, have historically never enjoyed free markets. The international airline market has always existed as a tangle of pacts and alliances subject to protectionist impulses, political manipulation, backdoor subsidies and labor strife.

Dating back to the postwar years when passenger aircraft first became capable of crossing the oceans, the world's nations have simultaneously worked to untangle this Gordian knot of international air travel while also protecting their own flag carriers from competition.

The Quest for Open Skies

Signed in 1944, the Convention on International Civil Aviation (the Chicago Convention) first provided a framework through which individual nations could enter into two-way or bilateral agreements for international air travel. Among other things, this agreement defined various "freedoms" which might or might not be allowed in international air commerce.

One point of contention has always concerned the "fifth freedom" as outlined in the Chicago Convention otherwise known as "cabotage". In this scenario, an airline from country A flies to country B whereupon it picks up passengers from country B and takes them to either country C or another destination in country B. You can see how the government and airlines of country B might object to this "invasion" of their airline market by the airline from country A. As a result, cabotage is generally prohibited in most international airline agreements.

Other provisions in these agreements might involve schedule frequency, pricing, specific airport slots and even ownership limits. Taxes, code-share arrangements, and antitrust issues had to be addressed. Since many countries may have only one national airline, government subsidies to hometown airlines were also a consideration.

A continuing goal of international airlines has been to progress beyond individual two-way agreements towards multilateral or "open skies" agreements. Under such an agreement, airlines from all participants would be free to serve markets to each other's countries. Pricing and schedules would be at the discretion of airline managements with few restrictions. Cabotage was generally still prohibited, but otherwise there would be no quotas. The economic chips would fall where they might.

The 2008 EU-US Open Skies Agreement was considered a triumph of this effort and provides for unlimited competition between all airlines in the European Union and the United States. Likewise, the first open skies agreements between the US and Gulf States such as UAE and Qatar were signed in 1999. Fast forward to today and attitudes about at least some of these agreements are changing.

Illegal Subsidies or Better Product?

US airlines have always been at the forefront of efforts to pass open skies agreements. While an image of ruthless efficiency may not immediately come to mind when thinking of US legacy airlines, they could easily out compete the high cost national airlines of smaller countries and were able to offer connections to many desirable US destinations through extensive domestic networks. A foreign competitor might only be able to offer service to a US gateway such as Dulles or JFK after which a change to a US domestic airline would be required.

The consolidation of Europe into one large market along with code-share arrangements has blunted both of these advantages. And now with the rise of the three Gulf State juggernauts, misgivings about open skies has turned into full-throated protest by the largest US airlines. They claim that the three Gulf airlines are not playing by the established rules.

Foremost of the complaints is that Etihad, Emirates, and Qatar have been subsidized to the tune of billions of dollars by their governments. With this cash windfall, the allegations state, they have been able to purchase an ultra modern fleet of aircraft with which they dump seats into European and US markets thereby gaining market share.

The Tiff Goes Public (and Ugly)

Naturally, the managements of the three Gulf airlines disagree with the charges of being subsidized by their governments even though they are all government owned. Their arguments consist of two prongs consisting of  "no we aren't subsidized", and "US airlines are subsidized too" through bankruptcy protections, fuel tax waivers and post 9/11 payments by the US government to some airlines. Websites have been set up and a public food fight has commenced.

Earlier this year, Delta airlines CEO Richard Anderson, in a CNN interview, stated that the Gulf airlines shouldn't complain about US government payments to airlines following 9/11 considering that the attack had origins in that region of the world. Predictably, this blew up the internet with protestations of outrage being hurled back and forth. Anderson later apologized for his remarks but the incident serves to showcase the emotions that are flowing just beneath the surface.

On the domestic front, all three CEOs of the big three US airlines have petitioned both the US Commerce and Transportation department heads to request that the existing open skies agreements be opened and renegotiated. The CEOs of the Gulf airlines retort that opening these agreements up would throw the entire framework of open skies into question by setting a precedent of renegotiating agreements when one side can't compete, as is their contention.

And the protests against the incursion of the Gulf airlines are not just US based complaints either. Countries such as the Netherlands and Canada have recently decided to consider restrictions against the Gulf Three. This fight is even raging in places like Australia where Emirates is complaining that it is being discriminated against through charges for air traffic services.

So What's Really Going On?

My feeling is that it's a little bit of all of the above. Having just an inkling of how business is done in the Middle East certainly makes it plausible that the meteoric rise of the Gulf Three has been assisted by oil money. Why build anything when you can buy it? I find it humorously ironic that the names of the three Gulf CEOs: Sir Timothy Clark (Emirates), James Hogan (Etihad) and Akbar al Baker (Qatar) don't sound particularly Arabic. At least Mr. al Baker took a proper Arabic first name, though he may well be a descendant of a storied nomadic tribe of al Bakers. (al Candlestickmakers?)

That said, it also sounds as if the US based airlines doth protest just a little bit too much. It is true that the Gulf airlines have a well placed geographic hub between East and West which no doubt increases their global competitive reach. New long range aircraft help them to bridge continents without stopping for refueling. There is also no doubt that the Gulf airlines offer a product superior to their American competitors based on customer surveys. And therein lies another irony.

We Got What We Wanted

It's been remarked far and wide that the early years of commercial aviation were the glory years. And by the early years I mean the postwar era up until perhaps 1970. Flying was glamorous, people dressed up, the service was impeccable and it was a classy experience. It was the era of "coffee, tea, or me". Flight attendants had to be female, young, thin, and single. Rightly or wrongly, a change in any of those categories was grounds for termination. The food was gourmet, the wine vintage and the silverware real. Oh, and it was crazy expensive.

Thirty years of "progress" has left us with the air transportation system we have today. And it is exactly what we have asked for nay demanded. 

US employment law now forbids discrimination in any of the above mentioned categories. The demand for lower fares resulted in "cattle car" boarding and knee-chewing seat pitch. Management-arranged bankruptcies for the purpose of abrogating union contracts have left a workforce of bitter employees who seem to delight in slamming the jetway door in the face of running passengers. Or they might revel in "slopping the pigs" with an inedible simulacrum of latex flavored food before disappearing for the remainder of the flight. Getting your private parts fondled by a surly TSA agent is just the cherry on top of this nasty confection.

But then again, in 1967, no one but the truly wealthy were flying to Chicago to see a playoff game over the weekend. It is now de rigueur. But we somehow threw the good service baby out with the high fare bathwater. Perhaps the two are mutually exclusive, but perhaps not. 

What Happens Next?

Given the facts in the case, one might be led to believe that the US based carriers have a pretty solid case against the Gulf Three. That their petition to restrict further access by these carriers into the US market would get a sympathetic hearing from US officials. That realizing that the Gulf carriers are not playing by the rules would lead the US flying public to shun the interlopers in favor of the home team. That would be a mistaken belief for a number of reasons.

As I mentioned above, the Gulf carriers consistently get better customer service grades from the flying public. Remember, this is the same flying public that has come to hate the US airline business nearly as much as their cable provider. In spite of widely popular laws requiring the employment of grumpy, middle aged and bitter employees, young attractive employees seem to carry the day.

I recently perused the comments section of relevant articles in several US dailies to get a very unscientific feel for the public's opinion of this fight. The comments were mostly in favor of the continued presence and expansion of the Gulf airlines. The common theme expressed is that the US airlines need to up their game. I'm also guessing that news of illegal subsidies from Arabian Peninsula oil kingdoms is not entirely unwelcome either. People may feel they are getting some of their gas money back.

And don't forget that there are other constituents in this country who don't necessarily mind the success of the Gulf airlines one bit. That would be the Boeing Corporation and its 165,000 employees who happen to do billions of dollars of business with the gulf airlines. In fact we not only sell jets to rivals of US airlines, we loan them the money through our Ex-Im bank at favorable rates. We are great friends indeed. And by we, I mean you, the US taxpayer.

In one sense, this international corporate food fight is really no different than what happens in any global commodity market. It will sort itself out one way or another. But if it goes badly for US airlines, I'm told that Dubai has great weather most of the year.


Friday, May 15, 2015

Planes, Trains (and Automobiles)

As I read about the horrific train crash in Philadelphia, it occurred to me that many of the issues concerning the operation, safety and reportage of different kinds of transportation accidents overlap. Here was a very serious accident which resulted in a tragic loss of life, major equipment damage and serious disruption of operations due to an apparent operator error.

As with all accidents of this magnitude, investigative agencies will be do their best to reconstruct the events and to determine the causal factors which led to the accident. Reports will be filed, suggestions will be offered for safety improvements and blame will be laid. Politics, as per usual, will also intrude and indeed already has.

One of the frustrations of the public concerning dramatic accidents such as this is that official investigations seem to take forever. In the meantime there is a palpable need to determine cause which popular media outlets are only too happy to fulfill. 

Hardly a day had gone past before it was reported that the train had entered a sharp curve at nearly twice the posted speed limit of 55 miles per hour. It at first appears as if this is an open and shut case of egregious malfeasance on the part of the train driver. That may be true, but I found myself thinking that this conclusion was simply too easy. There may be more to the story.

Make no mistake, it certainly sounds like 32 year old Brandon Bostian, the train's engineer and an admitted train enthusiast with a good record, was grossly incompetent in taking the turn at such a high rate of speed but it should also be noted that Mr. Bostian certainly didn't come to work that day with the intent of crashing his train and killing half a dozen of his passengers.

Beyond the Obvious

The challenge before the investigation board will be to go beyond the obvious reason of excessive speed to find out why Bostian was travelling so fast and why he didn't brake until too late. It may be a simple case of distraction or perhaps he just dozed off. 

This accident also highlights the fallible nature of human beings when they have the potential to be a single point of failure in a control loop, as highlighted by this and the recent Germanwings disaster.

A question that I immediately had was that even though the speed limit of that particular curve was posted at 55 MPH, I wondered how closely those limits are adhered to by most engineers. We all know that in certain realms of life there might be a "book" way of operating and a "real world" way which may be quite different. Let me explain.

We all drive on the freeway, and while exiting we all see the "Exit" sign pointing towards the ramp which usually has a speed limit for the ramp. And we all dutifully ignore that limit. A ramp posted at 25 MPH (as many are) can many times be easily be negotiated at 40 and perhaps even 50 if you took your wife's BMW to work that day. And when was the last time you saw a cop pull someone over for speeding around an exit ramp?

Occasionally we encounter a ramp which is truly a tight curve where the posted limit is for real. In these cases we end up jumping on the brake and becoming annoyed that we had no warning. Should you then hit the guardrail, that excuse will hold no water with the insurance company.

Corporate Culture

I would hope that in this case the investigators check the black boxes of other trains on the same route to determine at what speed most engineers take that curve. They might be surprised. Perhaps it was "known" among the ranks that the curve is normally taken at 100 with no ill effects. 

Every operational organization I've ever been a member of has had a "culture" which recognizes that there is the "book" or "schoolhouse" way of operating and the "real" way. And by that statement I don't mean that everyone is running around breaking all the rules but rather that there is some variance between how the books are written and interpretations due to the necessities of real world operations.

In fact, when some unions wish to conduct a work slowdown in the course of labor negotiations, they conduct what is know as a "work to rules" campaign by strictly following every last picayune directive in their operating manuals. This can easily bring any manufacturing or transportation operation to its knees and is actually recognized by many courts as an illegal work stoppage which I find humorously ironic.

Have an accident or incident as an operator, though, and you can be sure that the full weight of the rulebook will be used as a witness for the prosecution as seems to be happening here. Had the train derailed going 56 MPH, the engineer is still completely at fault.

The problem is when "real world" operations get too far away from what the book says. No one may know what the true safe speed is and if someone made the curve at 90 yesterday and nothing bad happened, why not try 100 today? You can easily see that this is an unacceptable method of operation.

Perhaps a solution to this dilemma would be an effort to write more realistic operations manuals. 

Other questions which should be asked are whether there are penalties for being late or incentives for being early. It should be asked if this train was running on time. In airline operations, it is well known that many errors result as a consequence of rushing through checklists. Most airlines' official stance is to not apply any undue pressure on pilots for an ontime operation.

Gate agents, however, are under tremendous pressure to get flights out on time on pain of punitive action up to and including their employment. Threaten someone's livelihood and you get their attention quickly. I often get asked to release the parking brake while still at the gate which will show an ontime departure on our automated reporting system, but surely it is easy to see how policies like this can cause mischief.

Distraction, fatigue, or boredom?

These three perennial bugaboos plague all modes of transportation and seem to never find a solution. The simple reason for this is that they are design defects in the standard issue human. Until humans are completely separated from transportation systems, these problems will never be completely solved but only mitigated.

Investigators will work to determine how long Bostian had been on duty and what his sleep schedule had been. He has already turned in his phone to authorities who will determine if there had been any activity during the time that the train was in motion. A train crash in California was attributed to a texting engineer a few years ago.

I used to love to ride motorcycles and would love to someday get another one, but won't as long as the cell phone exists. Distracted drivers are a real threat to everyone on the road.

Bostian has reported that he remembers nothing just prior to the crash. While it may be a defense, he may have dozed off or was suffering from a "micro-sleep". Fatigue, which used to be characterized as a moral failing, is finally being recognized as a physiological debilitation with real world consequences for persons in safety critical jobs. 

The Wall Street Journal has reported that the train accelerated from 70 to 110 MPH in the 60 seconds before the crash. That could plausibly be attributed to Bostian just dozing for a few seconds. The FAA recently completely overhauled the rest regulations for pilots. While still flawed, this overhaul at least telegraphs a recognizance of the problem facing operators.

Media hype

I want to close this essay with a note about the news coverage of the accident. As per usual, a high profile accident like this will grab the headlines for one or two news cycles. There is nothing new about the old tag line of if it bleeds, it leads. Typically, a few snippets of information will leak out followed by many furrowed brow talking heads being ordered to fill hours of airtime with speculation.

The result will predictably be calls for a murder indictment of the engineer before all the circumstances of the accident are known. Accident investigators are put under tremendous pressure to report a cause quickly which certainly can not help their efforts to understand the underlying causes and possible remedies for a tragedy such as this.

Saturday, May 02, 2015

The Rise of the Machines

I am extremely pleased to announce my first guest blogger for the site. The following is an essay by C2C Robert Graves Jr for his philosophy class at the Air Force Academy. To say that I'm proud of the boy would be an understatement.

C2C Robert Graves                                                                                                  
The Rise of the Machines


                Noel Sharkey’s “Saying ‘No!’ to Lethal Autonomous Targeting” argues that the move from ‘man-in-the-loop’ to ‘man-on-the-loop’ is a dangerous one and that there will be an increase in moral issues raised as a result. Sharkey claims that the current usage of remote piloted robot planes and drones indicate that future robotic platforms could be misused by extending the range of legally questionable, targeted killings by security and intelligence forces.  I propose that lethal autonomous unmanned systems will potentially be capable of performing more ethically on the battlefield than human soldiers and that their progression should not be stopped. If there ever is a point where these unmanned systems achieve better-than-human performance it may result in a decrease in civilian casualties and is therefore worth pursuing. In this paper, I will first summarize Sharkey’s argument against the advancement of Lethal Autonomous Systems. Secondly I will present three objections to Sharkey’s article. Finally I will present two practical implications of my objections to Sharkey’s article.

Summary of article

                Sharkey creates an argument against the advancement of Lethal Autonomous Systems throughout his article. Sharkey does this by first explaining the trend of the United States Military towards Lethal Autonomous Systems.  Next Sharkey observes that ‘Man-in-the loop’ have shown to be a step toward ‘man-on-the-loop’ systems and eventually Lethal Autonomous Systems. By first looking at the ethical dilemmas of ‘Man-in-the-Loop’ and ‘Man-on-the-Loop’ systems, Sharkey predicts future ethical debates about Lethal Autonomous Systems and argues that they should not be pursued as viable military assets. Although Sharkey does acknowledge the obvious military advantages to implementing Lethal Autonomous Systems, these should not be exploited due to ethical concerns that are apparent through ‘Man-in-the-Loop’ and ‘Man-on-the-Loop’ systems. The following reconstruction reproduces the argument that the use of Lethal Autonomous Systems should not be allowed in warfare.

                1) The United States Military has been developing ‘Man-on-the-Loop’ Systems (p)

                2) ‘Man-on-the-Loop’ Systems are impractical without the development of Autonomous Systems (p)

                3) With the United States current goals, Autonomous Systems are inevitable (1, 2)

                4) ‘Man-in-the-Loop’ Systems remove two obstacles of war that previously prevented killing without considering the full consequences (p)

                5) Problems presented by ‘Man-in-the-Loop’ Systems will be exacerbated by ‘Man-on-the-Loop’ Systems. (p)

                6) The alleged moral disengagement by remote pilots will only be exacerbated by the use of autonomous robots (4, 5)

                7) Autonomous Systems cannot implement the principle of discrimination (p)

                8) Autonomous Systems cannot implement the principle of proportionality (p)

                9) The international community need to address the difficult legal and moral issues now, before the current mass proliferation of development reaches fruition (3, 6, 7, 8)

                Since the creation of Weapons, they have evolved to enable killing from increasing distances. This is made apparent by the evolution from rocks to the spear to bow and arrow to cannons all the way to long range bombers during WWII. Today militaries are separating their personnel from the battle field through the use of robotics and Unmanned Aerial Vehicles or UAVs. There has been an obvious push for more robotics and UAVs in the past ten years. In the Iraq and Afghanistan conflict thousands of robots were used compared to the 150 in 2004 (Sharkey).  The undisputed success of UAVs for gathering intelligence has created an insatiable military demand for UAVs. This demand has spread to over 40 countries that either produce their own systems or buy them from other countries.  These systems are still in the infantile stage and their true capability and what they evolve into is not yet known. However it can be predicted that militaries will want to use robotics and UAVs as a force multiplier that will allow one individual to control multiple systems or even to the point where systems will be able to make decisions for themselves.  It would be at this point where a system is considered to be autonomous. These robots will not be like something out of Terminator but will instead be able to gather data from their sensors and then make decisions based on an algorithm to deliver deadly force. It is an important distinction between the use of autonomous in philosophy and politics and how it is used in this sense. 

                There would be four reasons why a military would desire the use of an autonomous system over one that is controlled by human. Sharkey states these as “(i) remote operated systems are more expensive to manufacture and require many support personnel to run them; (ii) it is possible to jam either the satellite or radio link or take control of the system. (iii) one of the military goals is to use robots as force multipliers so that one human can be a nexus for initiating a large-scale robot attack from the ground and the air; (iv) the delay time in remote piloting a craft via satellite (approximately 1.5 seconds) means that it could not be used for interactive combat with another aircraft.” (Sharkey) These obvious limitations to ‘Man-in-the-Loop’ and ‘Man-on-the-Loop’ make the likelihood of autonomous systems entering the battlefield ever higher.

Man-in-the-loop: problems

                A Man-In-the-Loop system is one that a human is consulted with every action, such as a UAV. The United States has led the field with its armed drones. The Predator MQ-1 equipped with two hellfire missiles and its brother the MQ-9 Reaper that can be equipped with up to 14 Hellfire missiles are controlled by the 432nd Air Expeditionary Wing out of Creech Air Force Base in the Nevada desert. Since the first Predator took flight in 2001 there has been a sharp increase in the number of pilots that operate these systems. In 2009, the number of remote pilot operators trained outnumbered the number of conventional pilots. (Sharkey)

                Sharkey argues that the use of these UAVs has definitely “alleviated one of the two fundamental obstacles that war fighters must face – fear of being killed” and possible a second. By taking away this fear of being killed these airmen have no reason to retreat. This has made them much more dangerous especially because a military force is most vulnerable when retreating.  The second element that Sharkey argues is removed by UAV use is resistance to killing. It was discovered after WWII that most men are not ready to kill. Through the analysis of both hit rates and interviews with soldiers after major battles in WWII, it was shown that on the ground, soldiers found killing to be a difficult task. However Sharkey points out that operation of UAVs encourages a ‘Playstation’ mentality. These operators rarely see the faces of those they have killed and are looking at them through a computer screen very similar to a video game. Many airmen that are flying these drones have found that it was unexpectedly easy to kill someone with the use of a UAV. By separating the operator from the battle, Sharkey points out that the operator does not consider the morality of each kill. Instead it is a simple job that the operator goes to every day after which he or she returns home for dinner with their family. In conclusion Sharkey claims “developing technologies of this sort also have the potential to provide for the creation of moral buffers that allow humans to act without adequately considering the consequences.” This would apply to autonomous systems as well as those controlled by humans. By removing the elements that made it difficult to kill another human being, there is the possibility to not fully understand the results from an action.


                “The most recent United States Air Force Unmanned Aircraft Systems Flight Plan 2009-20474 opens the strategy for a staged move from current remote piloted systems to fully autonomous systems.” (Sharkey) There will be a transition from unmanned drones being controlled by operators all the time to the drones controlling themselves for landing take-off and re-fueling. As more advancements are made, humans will no longer be “in the loop” or being consulted for every move, instead they will be “on the loop”. “On the loop” means that humans will monitor the execution of certain decisions and the AI of the drone will carry out those decisions within legal and policy constraints without human input. Sharkey raises one strong issue that a human will not be able to make all of the decisions to kill. As pointed out before, the ability to command these drones is slow and does not work well in a combat situation. Eventually, for these drones to be effective in a combat situation they will need to be able to decide whether to take action or not, essentially autonomous.

How they relate

                Sharkey has shown that there is an obvious trend towards Lethal Autonomous Vehicles. He has also shown that UAVs while still controlled by humans do not have two of the fundamental obstacles to war fighting; fear of death and fear of killing. By removing these two elements, airmen are less averse to killing the enemy without consideration for the morality of each kill. Finally Sharkey has shown that the transition from ‘Man-on-the-Loop’ to Autonomous is inevitable: that ‘Man-on-the-Loop’ is not practical without the transition to Autonomous Vehicles. In Sharkey’s conclusion he explains that this is bad because we cannot trust Autonomous Vehicles to kill another human.

 First Sharkey relies of the principle of discrimination. The principle of discrimination is that no Autonomous Vehicle has the capability to determine between a civilian and insurgent. This issue becomes even more important when we are fighting a force that does not dress in uniform and hides among the civilian population.  Sharkey does acknowledge the extensive amount of sensors, cameras, and facial recognition programs that can be utilized by a drone but these can be rendered useless by a simple ski mask or hooded jacket. Sharkey argues “In a war with non-uniformed combatants, knowing who to kill would have to be based on situational awareness and on having human understanding of other people’s intentions and their likely behavior. In other words, human inference is required. Humans understand one another in a way that machines cannot. Cues can be very subtle and there are an infinite number of circumstances where lethal force is inappropriate. Just think of children being forced to carry empty rifles or of insurgents burying their dead.”

Second Sharkey explains the Principle of Proportionality. Sharkey applies the Principle of Proportionality in that an Autonomous System cannot perform the human subjective balancing act required to make proportionality decisions. There is no way possible to give an insurgent a numerical value that could be compared to the number of civilian casualties. When a commander makes a decision he must first weigh all of the options and then decide which is the best course of action to take. These decisions could not be done by an algorithm and therefore could not be left up to a computer. While humans do make errors, Sharkey claims that humans can be held accountable. It would be impossible to hold a drone to blame for an action that was does unethically.


                Sharkey’s argument that the moral issue of Autonomous Systems needs to be addressed is sound. However I would like to raise objections to three of his points. First I will address the claim that moral disengagement by remote pilots will only be exacerbated by the use of autonomous robots. Secondly I will oppose Sharkey’s point that ‘Man-on-the-Loop’ Systems are impractical without the development of Autonomous Systems. And finally I will object to his claim that Autonomous Systems cannot implement the principle of discrimination. Once I have objected to these three claims made by Sharkey, I will present two practical implications of my objections to the article.

Sharkey’s claims that the by removing two of the obstacles common to all warfighters through the use of UAVs that the implications of each kill will not be fully considered. While it is true that for the first time in history the fighter does not have to fear death and that while the resistance to killing may not be completely gone, it can be said it has diminished. This does not mean that humans will act “without adequately considering the consequences.” (Sharkey) On the contrary, now that these obstacles have been removed, specifically the fear of death, the warfighter can now focus more on the implications of an act without being distracted by instinct. These UAVs do not need to have self-preservation as their foremost drive like humans do.  They are able to act in a self-sacrificing manner without any reservation, carrying out the commander’s intent without distraction. The fear of death does not instill in the warfighter a sense of what is right and what the consequences of an action will be. By removing this obstacle, the ‘Man-on-the-Loop’ or even Autonomous System will be able to adhere to the rules of engagement with more precision. With these obstacles gone there will no longer be the need for a ‘shoot first, ask-questions later’ approach.

                My second objection is to Sharkey’s claim that the development of ‘Man-on-the-Loop’ Systems will inevitably lead to Autonomous Systems. Sharkey supports this claim by explaining that the time delay between operator and system is too long for a practical implication of these UAVs especially when fighting with other aircraft. However, there is no longer a case where aircraft are fighting other aircraft.  These UAVs are currently being used for reconnaissance and the destruction of ground targets. While ground targets may be in moving cars, the time delay does not impede on the UAVs mission to destroy the target. While UAVs may not be able to destroy other aircraft in a traditional dogfight, the likelihood of a UAV getting into a dogfight is slim. The creation of ‘Man-on-the-Loop’ Systems does not necessarily imply that there will also be Autonomous Systems. The creation of an Autonomous System that kills without consulting a human would not be an improvement over ‘Man-on-the-Loop’ Systems because the problems it would solve are not critical factors. The implementation of an Autonomous System is simply not needed in today’s world or in the near future. 

                Finally I object to Sharkey’s claim that an Autonomous System would not be able to implement the principle of discrimination. Sharkey makes this argument by saying that an Autonomous system could not differentiate between a “child being force to carry empty rifles” (Sharkey) and an insurgent. These UAVs can gather much more information than any human possibly could. “This data can arise from multiple remote sensors and intelligent (including human) sources, as part of the US arms network-centric warfare concept and the concurrent development of the Global Information Grid.” (Arkin) While it is true that no intelligence is perfect, and that mistakes will be made, these machines will be able to consider all of the intelligence and form conclusions that would be impossible for humans. A simple ski mask or hooded sweat shirt would deter any human just as much as it would an Autonomous System. Furthermore an Autonomous System does not have any preconceived profiling that a human is subject to. The common mistake of profiling a subject based on race would not affect these Systems.


                While Sharkey’s argument does have some flaws in its premise, the overall assumption that UAVs will change is correct. These Systems whether they evolve to fully Lethal Autonomous Systems or not will change the way our military operates. They have removed the warfighter from the battle field and hopefully lowered casualties, both civilian and military. By allowing the progression of these systems they will only improve their effectiveness. If these systems have the desired outcome of localizing the destruction of war only to those who are attempting to destroy peace they will effectively increase the overall happiness of both the civilian population that is affected by the war and the military forces that are attempting to restore peace. As John Stewart Mill explains in Utilitarianism “The creed which accepts as the foundation of morals, Utility, or the Greatest Happiness Principle, holds that actions are right in proportion as they tend to promote happiness, wrong as they tend to produce the reverse of happiness. By happiness is intended pleasure, and the absence of pain; by unhappiness, pain, and the privation of pleasure.” (Mill) These systems should be allowed to progress, not without scrutiny, but progress all the same because they are an attempt to limit the destruction that is caused by war.

                While the hope with these systems is that they will promote net happiness by reducing the pain caused by war, that can only be achieved if our military leaders employ them correctly and morally. By perfecting this tool for our military, more responsibility will be placed on our leaders to use them with a moral code that will benefit the mission in particular and the country at large. No longer will our leaders be able to provide only a mission goal and leave the implementation up to the interpretation of their subordinates. What is morally correct will now be directly determined by the leaders in control of these systems. Following established decision matrices such as described by Dr. Jensen in “Hard Moral Choices in the Military” will help augment these decisions. However it is imperative that our leaders be taught the application of ethics to help them when dealing with these decisions. 

Arkin, Ronald. "The Case for Ethical Autonomy in Unmanned Systems." Journal of Military Ethics 9.4 (2010): 332-41. Taylor and Francis Online. Web. 1 May 2015. 


Mark N. Jensen (2013( Hard Moral Choices in the Military, Journal of Military Ethics, 12:4, 341-356, DOI:10.1080/15027570.2013.869897

Mill, John Stuart (2012-05-17). Utilitarianism (p. 11).  . Kindle Edition.

Sharkey, Noel. "Saying ‘No!’ to Lethal Autonomous Targeting." Journal of Military Ethics 9.4 (2010): 369-83. Taylor and Francis Online. Web. 1 May 2015. 



Friday, April 17, 2015

Could a Hacker Shut Down the Engines Using Onboard Wifi?

Sitting down with my morning coffee and iPad, I came across a piece of aviation clickbait that seemed to be of the standard  "seven things pilots don't want you to know" variety. The report was about a computer security expert being pulled off a United Airlines flight and questioned by the FBI about hacking into airplane systems.

The expert being questioned was a man named Chis Roberts, CTO of One World Labs, who had previously claimed that vulnerabilities in aircraft in-flight entertainment systems could possibly be used to "turn the engines off at 35,000 feet". The tone of the report was that of the breathless whistleblower sort where a person with critical knowledge was being corralled by "the system". Think Erin Brockovich of the skies I suppose.

At first blush, I thought the whole concept of hackers infecting avionics was ridiculous and that this guy, who's firm had three employees in 2011, was simply a self promoter selling a bit of sensationalism. After listening to an interview with him, I'm not so sure that his premise is completely implausible.

For a hacker to gain access to aircraft data and control systems there has to be some sort of link. That is, if the systems are not physically connected, there can't be any way to get in. So I was thinking that's that: there's no connection between passenger entertainment systems and the cockpit, but I was wrong. There is.

Most entertainment systems, including the wifi on the planes I fly, feature flight tracking information which comes from the aircraft's air data and flight management computers. Information like arrival times, flight plan, altitude, heading and airspeed comes from flight computers and is relayed through a data bus to the wifi and entertainment systems.

Knowing that this data bridge exists, could a resourceful hacker exploit this path to cause trouble? My thought is that if there is a will there is a way. I am no computer guru as my expertise in coding consists of some Fortran language skills used in college many decades ago, but I also know that many computer experts consider no computer network to be completely invulnerable.

If anyone remembers the Stuxnet affair of a few years back, hackers (who were eventually revealed as US intelligence assets) were able to infiltrate Iranian computer networks. They inserted malware which found it's way to the controllers of the centrifuges the Iranians were using to purify uranium. The bug subtly caused the machines to tear themselves apart setting the program back years.

This was an international effort complete with skullduggery which included breakins at some Taiwanese firms to get computer keys which allowed access to the networks and centrifuges. I'm still waiting for the movie. So it seems to me to be at least plausible that airplane systems could be exploited.

I guess that begs the question of why someone would wish to sabotage an airplane on which they were riding, but I think we know the answer to that one. Or, should a method be perfected, an innocent mule could then be sent on a one way trip with a laptop.

Am I particularly worried about my engines shutting down unexpectedly on my next flight? Not really. The 737s I fly have old school hydraulic flight controls, and while the engine controls are electronic, the fuel shutoff valves are not. But on the newest Boeings and Airbuses, you can pretty much count on everything being controlled by some sort of computer.

Make no mistake, the computers on commercial aircraft are extremely robust and designed with multiple failure modes but they are still computers. Simple safety features such as air gaps to isolate critical systems or perhaps unwritable firmware might be employed as countermeasures. An even simpler solution might be to completely isolate all passenger and airplane systems. Get the inflight data from a parallel but separate system.

I can't imagine that this subject has not been discussed and considered by the designers of aircraft computer architecture. A quick search found at least one commercial firm offering software security services for airlines. Apparently the FBI had some concerns. And as the gentleman on the interview mentioned, such an effort would require an expert depth of knowledge of the design of many different control and software systems to pull it off.

It seems that not a day goes by where we don't hear about crappy software or shoddy network security practices resulting in the theft of millions of credit cards or corporate technology. Software designers of avionics have enough of a headache just getting all their millions of lines of code to work properly without having to consider the additional burden of potential malware gumming up the works.

Let's hope that they have this on their radar.

Monday, April 13, 2015

The Great Cockpit Photography Kerfuffle


Inarguably, one of the best parts of the job of being a pilot is the view from the office. It is simply incomparable. From a predawn takeoff where the oncoming glow on the horizon is set off by runway and city lights, to perhaps a night run over central Arkansas during a summer electrical storm where bolts of lightning dance around towering anvil topped clouds, the scenery is awe inspiring.

I never tire of flying the Expressway Visual into LaGuardia as it takes you directly over Brooklyn and Queens providing an unparalleled view of Manhattan (at least from the left seat). Every now and again we get to fly up the Hudson river when landing on Runway 13, giving copilots an even better view of downtown. The Gateway Arch, the Columbia River with Mt. Hood and Mt. Rainier lining up in a perfect frame, the turquoise blue water off southern Florida beaches or a view of Yosemite's Half Dome and El Capitan from above are all routine sights in this job.

I have over the years flown over places like Mt. Fuji, the Arabian Peninsula, Sydney and London to name only a few. Being naturally proud of what they do, pilots like to take pictures of where they've been and the sights they've seen. And the taking of pictures by pilots has never really been a problem as the photographs taken would usually end up in an album on a shelf somewhere or perhaps on a quickly forgotten hard drive.

That all changed with the coming of social media. For in the game of collecting likes and impressing your friends from school who took that accounting job, what better way could there be of showcasing your awesome life than to post pics and selfies from 35,000 feet? And that is more or less exactly what happened. Pictures and videos from the cockpit can, or rather could, be found all over the internet. That is until some killjoy asked the inconvenient question of umm, if you're being a tourist up there, then who's flying the jet?

It's a valid question. The answer is a simple one. The other guy or the autopilot. But of course that's an incorrect answer. The people who own the airplanes and the people who ride in the back generally think it best if both pilots are paying attention to the flying part. It's not an unreasonable request I suppose, and certainly not while on approach. This, then, is the setup for the great cockpit photography kerfuffle.

In December last year, an online magazine called Quartz published a piece detailing how cockpit photos had been showing up on Instagram, and how the taking of these photos violates FAA rules. In the course of gathering information for the article, author David Yanofsky scraped dozens of cockpit photos from the Instagram accounts of pilots who had neglected to set their privacy controls. These photos, including selfies with names, were then published in the article.

What happened next may serve as a signpost to how social media is changing culture or perhaps how already existing trends are highlighted by social media, because some of the pilots who were "outed" in the Quartz expose went on the attack. Author Yanofsky was harassed and threatened himself through many social media sites. Returning fire with fire, editors at Quartz then researched the information of the harassers and contacted the employer of at least one of them.

I guess one lesson learned here is that if you are going to engage in online guerrilla warfare, at least learn how to mask your own IP address.

As everyone from cops to pilots to doctors and other professionals is finding out, ubiquitous cell phone cameras coupled with social media are rapidly highlighting the fishbowl that modern society is becoming. Living in a panopticon society will have far reaching effects which can only be imagined at this point. This, coupled with a growing distrust of professionals and authority figures, may perhaps induce a reaction to publicly lived and posted lives. It certainly will for the pilots in this article.

I personally think that including the names and selfies of some pilots in the article was rather rude as Quartz could've made their point without publishing anyone's personal info. But then again these guys probably should've figured out how to control the privacy settings of their accounts or perhaps just not taken selfies while at work. And some of the pilots involved may not have known that they were breaking some rule or other.

In their defense, the rule prohibiting all photography, and not just that below 10,000 feet is relatively new but restrictions on any non-flight related activity below 10,000 feet have been around for awhile. The FAA has said it is not contemplating any enforcement actions as a result of this article and may actually be gratified that this event has served to publicize the new rules.

Will this kerfuffle stop pilots from taking pictures while flying? Probably not, but you are much less likely to see any such snaps online.

Friday, April 03, 2015

Lubitz Planned Mass Murder

New evidence has been uncovered by investigators suggesting that Andreas Lubitz premeditatively planned to crash his plane some time prior to the actual crash. From the Wall Street Journal:

The prosecutor heading the investigation said Thursday that a tablet computer found in Mr. Lubitz’s apartment contained a record of searches for medical treatments, suicide methods and cockpit security.

I'm no psychiatrist, but my feeling is that this act goes beyond the self destructive urges that may be visited upon a mind struggling with depression alone. Lubitz is beginning to look more like a psychopath. His act was immoral and evil.

Perhaps an argument can be made that he was by definition insane because mentally healthy people do not commit mass murder. And because of his illness, he is therefore absolved of any personal guilt. It's the old debate over the insanity defense.

But to deny any moral agency in a man who was otherwise able to function highly enough to be hired, trained, and employed in a highly trusted and technical job is too facile for my taste. I also can't help thinking that this argument is somewhat circular. Some apples are just bad.

This past week I flew a three day trip and was thankfully spared some of the usual smart remarks about being drunk or in this case being sane that some wiseacre can often be counted on to make while boarding. Truth be told, I am often tempted to respond with "not as far as you know" to the drinking accusations or "as long as I stay on my meds" to the latest questions of mental fitness.

But for obvious reasons I just smile and wave. Many people are nervous getting on an airplane, and I totally get that. A weak attempt at humor is an effort to dispel the unease which comes along with confining oneself like a sardine in an aluminum tube to be hurtled through the air at ungodly speeds. Some guys I fly with take great offense at such jests, but of all the insults to be suffered in life, this is a minor one.

It may be the reason, though, why more pilots seem reticent to greet customers as they board.

Black Box Found

Crash site searchers have located the DFDR, or digital flight data recorder from Flight 9525 which records actual flight parameters and control inputs. The data have revealed that multiple pilot inputs were made commanding the doomed jet to accelerate towards the ground.

These results add further confirmation to the conclusion that the Airbus was deliberately crashed into the Alps and that the crash was not the result of some malfunction in the aircraft. This should help to dispel some of the alternate narratives concerning mechanical causes of the crash.

Friday, March 27, 2015

Murder-Suicide by Plane

An analysis of the CVR from Germanwings 9525 now makes it clear that copilot Andreas Lubitz deliberately locked his captain out of the cockpit and then flew his A320 with 150 passengers into a mountain. There has been speculation that Lubitz suffered from bouts of depression, and there is no doubt that investigators will comb through every bit of his past for clues that might explain his actions.

Finding a history of mental illness will be of little consolation to the friends and relatives of the murdered passengers and crew.  What will matter is explaining how this happened and how it can be prevented from happening again. This was essentially a single point failure due in part to policy, and would be unlikely to happen in the US.

Let me explain.

After 9/11 all airlines globally were required to armor and enhance cockpit doors to prevent a breach. This enhancement included provisions to gain entrance in case of a lockout. A code entered into a keypad by the door unlocks the door in a specified amount of time while alerting the cockpit. Should someone in the cockpit hear this alert, they can push a button which then denies access. There is also a simple deadbolt which can be thrown to deny access.

So if someone is up front and wishes to keep out intruders, the door is essentially impregnable. Recognizing the potential for one person to gain access and then lock the door, the FAA designated the cockpit a "no lone zone" meaning that should a pilot exit the cockpit for whatever reason in flight, a flight attendant had to replace him or her up front. Once up front, the door opens with a simple twist of the door knob. Theoretically, should a rogue pilot or flight attendant attempt anything, it would be easy to open the door to call for help.

At least those are the rules for US airlines. Apparently for whatever reason, the rule was not made or enforced in Europe and other places. After this tragedy, the rule is being quickly changed. Aviation authorities and politicians will now have to explain why the rule was not adopted in Europe.

Mental Health Questions

There has been speculation backed up with some anecdotal evidence that Lubitz had suffered from depression in the past. Questions are now being asked about what sort of mental health screening prospective airline pilots undergo. The answer is very little.

After leaving the military, I interviewed with four airlines before being hired. The process was similar at each airline and included a series of document and background checks along with a series of interviews. As far as any mental health screening, two of the four airlines required the completion of a standard personality inventory such as the MMPI while two did not.

Personality inventories are multiple choice questionnaires designed to assess personality types. Some major US airlines are known to give psych evals with a medical professional, but this is not the rule. I have no idea whether the results of these tests are used to eliminate pilot candidates, but that was the extent of any mental health screening I've ever received. I myself might be completely starkers for all I know. My wife certainly has doubts. My extended family, on the other hand, has no doubts whatsoever.

So should mental health questions arise in a pilot, they will be either self reported or evident through behavior observed by family or co-workers. All pilots undergo routine annual (semi-annual for captains) physicals and by law must report to the FAA any visits to medical professionals or any medications taken. The flight doc checks your vision, listens to your ticker, and has you pee in the cup before collecting his $150 (cash or check only, please) before sending you on your way. That's it.

As far as the FAA is concerned, any condition requiring medication will initially result in the pilot being grounded until evaluated by an AME (aviation medical examiner). The FAA specifically mentions four SSRI drugs which can be used while maintaining a medical qualification after appropriate evaluation. They are Prozac, Zoloft, Celexa, and Lexapro. Conditions requiring other drugs in this category are grounding. While not familiar with European medical policy, it can be assumed that it is similar to that of the US.

It's easy to see that should a pilot suspect that he may have a condition requiring a mental health examination, it might very well ground him. Not exactly a positive incentive to self report depression or anxiety to the flight doc.

The latest reports indicate that Lubitz was in possession of a medical notice grounding him but had torn it up. Watching a life's dream escape through his fingers while also suffering from depression might have been just enough to send him over the edge.

This was an unspeakable tragedy for all involved, including Lubitz and his family. For some time now, post 9/11 security enhancements were thought to be mainly a problem for American air carriers. This attitude may have contributed to a somewhat lax posture towards cockpit security procedures in Europe. This tragedy will understandably force a reassessment of all cockpit security procedures worldwide.

Wednesday, March 25, 2015

Germanwings 9525

Airliners are not supposed to just drop out of the sky.

For the second time in nearly as many months, an Airbus A320 has fallen from altitude and crashed resulting in the deaths of all aboard. The latest accident occurred over the south of France.

Germanwings 9525, enroute from Barcelona to Dusseldorf with 144 passengers and 6 crew, had just levelled off at 38,000 ft when after a minute or so it started a descent. In the 8 minutes between the start of the descent and the impact of the aircraft into the Alps, no communications were heard from the cockpit crew in spite of multiple air traffic control attempts.

The descent, which averaged about 3300 ft per minute is not unusually steep for an airliner. The aircraft also maintained it's flight planned course during the descent suggesting that some measure of automation was still functioning. 

The wreckage is in a remote mountainous area in the French Alps and will present serious difficulties in recovery efforts. There are no expectations of finding survivors due to the violent nature of the impact into steep terrain.

The cockpit voice recorder (CVR) has been recovered and while damaged, has been able to have audio files retrieved by French accident investigators. The flight recorders have not as of yet been located.

At this point, speculation is running rampant but generally pointing in the direction of some sort of loss of cabin pressure resulting in the incapacitation of the crew. This would explain the lack of communication with the pilots. Loss of pressurization at 38,000 ft (FL380 in airline jargon) would result in what's known as a "time of useful consciousness" or TUC of about 20 to 30 seconds. 

That means that the pilots would have about 20 seconds to get their oxygen masks on and to start a descent before succumbing to hypoxia. Loss of cabin pressurization was the cause of the crash of Helios 522, a Greece based airliner in 2005, and also the death of golfer Payne Stuart when the Lear Jet he was riding in lost pressurization. 

Currently there appears to be no suspicion by investigating authorities of terrorism or foul play. Witnesses have reported that the aircraft appeared intact and flying normally except for its low altitude. This would seem to at least preclude an on board explosion.

Any theories given at this early stage in the investigation will be grounded in speculation at least until the CVR transcript can be analyzed or the flight data recorder is found. 

UPDATE: The New York Times is reporting tonight that the CVR indicates that the first officer exited the cockpit at cruise and was not able to re-enter. This development changes the fundamental nature of the investigation.

Tuesday, March 24, 2015

Germanwings A320 Down

A budget European airline A320 has crashed in the south of France in mountainous territory.  As of now, no survivors are expected. More to follow.