In this horrifying incident, the co-pilot is alleged to have locked the pilot out of the Airbus A320’s flight deck, set the autopilot to descend to 100 feet, and crashed it into the French Alps. Technical security discussions since the crash have focused on how the pilot was locked out and questioned whether a smarter auto-pilot could have saved the passengers and crew.
According to an Airbus training video, pilots usually press a switch to unlock the cockpit door and allow entry. In the event that the pilots are incapacitated, a crew member can enter a code on a numeric keypad outside the cockpit, a buzzer sounds in the cockpit, and the door unlocks in 30 seconds. The pilots can secure the door at any time by activating a lock mode to prevent entry for five minutes.
The Airbus door security system makes perfect sense. In the event of a hijacking attempt, it is imperative that the pilots be able to secure the cockpit door, even if a member of the flight crew is forced to enter the emergency unlock code.
Suggestions of a smarter auto-pilot capable of preventing a crash make little sense. CNN’s unattributed “new calls from aviation experts to develop and deploy enhanced crash avoidance software that could take control of an aircraft away from a pilot and steer the plane to a safe altitude”are absurd. A primary safety control in modern aircraft is that the pilot is always in control. Nobody wants to fly in a plane that can decide to ignore the pilot.
To decrease the likelihood of this happening again, an obvious procedural control is to require two people in the cockpit at all times. The United States already had this rule in place, and other countries, including Canada, have recently ordered this change. While a fight attendant would not be expected to wrestle control from a pilot, simply opening the door would make a critical difference.
The real security failure did not happen on the flight. It happened days or perhaps weeks prior. The Associated Press, quoting German Prosecutor’s spokesman Ralf Herrenbrueck, reported that a search of the co-pilot’s home revealed ripped-up sick notes covering the day of the crash, which “support the current preliminary assessment that the deceased hid his illness from his employer and colleagues.”
Many jurisdictions require that physicians report patients who may be unfit to drive. In Ontario, this requirement applies to individuals 16 years of age or older, even if they do not have a driver’s license. Similarly, Canadian federal law imposes reporting requirements with respect to flight crew and air traffic controllers. However, the AP reported that in Germany, “Doctors are obliged to abide by medical secrecy unless their patient explicitly tells them he or she plans to commit an act of violence.”
Medical privacy is important, but public safety is paramount. This extends far beyond driving and flying. Many IT professionals are routinely trusted with public safety responsibilities; running information systems for hospitals, air traffic control, and traffic lights. They control the power grid and 911 systems.
Employers, employees, health professionals, and governments must work together to address personnel-related risk. Employers need to recognize that some risks cannot be mitigated through technical controls. Effective personnel security programs must promote employee welfare, ensure employees feel fairly treated at work, identify employees at risk of dangerous behaviour, and get them the help they need.
Employees are often aware of issues long before management. They must be provided with resources to help themselves, their families, and their colleagues. Safe avenues should be available through which medical and psychological issues can be reported and assistance rendered without risking career damage.
Health professionals require an effective mechanism to report employees who should not be at work. It should not matter whether the patent is depressed, at home with the flu, or in hospital. Governments must put in place appropriate legislative and regulatory frameworks that balance privacy rights, liability issues, and protect the public.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org.
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…