The US ambassador to ICAOsays members of the group’s permanent Council recently learned the organization’s IT system had been compromised “for quite some time” following a November 2016 hack and subsequent cover-up at the agency.
Speaking at a May 7 meeting of the International Aviation Club in Washington DC, US ambassador Thomas Carter said member states and contractors “have had to fend off attacks from malware that emanated from the ICAO system,” adding that ICAO systems were “totally exposed by a foreign state actor, and two completely independent forensic investigations proved this to be true.” He said ICAO was hacked at least four times before the agency became aware of any intrusion.
The hacks and subsequent cover-up by the agency were first reported on by the CBC in February 2019. The US Ambassador said that, if not for the CBC article, “We as Council reps would not have known about the inadequate response to the hacks and the immense harm they inflicted on ICAO’s IT systems.”
The CBC revealed in February that internal ICAO documents showed the breach was discovered by an outside agency, and rather than taking immediate action, ICAO’s Information and Communications Technology (ICT) department decided to conceal evidence of their own failures to secure the group’s IT infrastructure.
Carter said the ICAO permanent Council recently expressed a “significant lack of confidence in the existing IT security,” and recommended concrete steps toward determining whether malware is still present in the group’s domain. He said the “lack of resolve on the part of the Secretariat to deal with the issue in a transparent way—and the effort to downplay the severity of the breach—was truly regrettable.”
When the CBC article broke, some at the Secretariat were “more concerned about finding the leaker than giving the Council an accurate portrayal of what actually happened,” Carter said. He added that “if there is a silver lining in this cloud, it’s become clear that we need to strengthen the whistleblower protection program at ICAO, and the Council has made it a priority to do so.”
Beyond the hacking, Carter expressed disappointment that only two-thirds of member states have reached the 65% compliance threshold for the implementation of ICAO security standards. He said 30% of countries over the last two years that have been notified of pending security audits by ICAO declined to cooperate.
Carter also said when he arrived at the agency in 2017, the secretary general had complete control of whether to initiate investigations into internal matters, which he said resulted in an “atmosphere that allowed sexual harassers and bullies to thrive,” adding that “it’s no wonder ICAO had more than 100 full-time vacancies at the end of 2018.” He said the group created a three-member investigative committee, at the urging of the US, that has the power to recommend investigations independent of secretary general oversight.