Cybersecurity Gaps in Aviation: Why International Law Is Not Ready?
Centre for Research in Air and Space Law
By Kashvi Shrey (Chanakya National Law University, Patna)
Introduction
On September 19, 2025, a ransomware attack on Collins Aerospace disabled baggage-handling and check-in systems at three European airports: London Heathrow, Brussels-Zaventem and Berlin-Brandenburg. Flights continued to operate, but ground operations collapsed and passengers faced delays of up to 12 hours. Two months earlier, in July 2025, Aeroflot suffered a sophisticated cyberattack that cancelled more than 60 flights and reportedly exposed 22 terabytes of data, including passenger records. Earlier still, in December 2024, seven Indian airports, including Delhi, Mumbai, Kolkata, Hyderabad and Bengaluru, experienced GPS spoofing that forced aircraft to divert.
Yet international aviation law has no answer to a basic question: who pays when a cyberattack harms passengers? This article identifies three legal problems and then examines why India is especially exposed. First, the Montreal Convention (1999), which governs airline liability globally, assumes that airlines control their operational risks and is silent on attacks from external sources. Second, equipment suppliers such as Collins Aerospace face no direct liability toward passengers when their security failures cascade into harm, in contrast to maritime regimes such as the HNS Convention, which pair strict liability with compulsory insurance regardless of fault. Third, when attacks originate across borders, no court has clear jurisdiction to prosecute the attackers or to assign liability. These gaps leave passengers uncompensated, airlines bearing costs they did not create, and attackers unpunished.
Problem 1: Montreal Convention Cannot Handle Cyber Incidents
Article 17 of the Montreal Convention states that "The carrier is liable for damage sustained in case of death or bodily injury of a passenger upon condition only that the accident which caused the death or injury took place on board the aircraft or in the course of any of the operations of embarking or disembarking." Liability for death or bodily injury is strict up to a threshold expressed in Special Drawing Rights (Article 21): the passenger need not prove fault, and above the threshold the carrier escapes only by proving that it was not negligent. Delay, by contrast, falls under Article 19, where the carrier is liable unless it proves that it took all measures that could reasonably be required to avoid the damage. This framework worked for decades because an "accident" typically meant a mechanical failure (an engine shutdown) or pilot error (a misjudged landing). A cyberattack fits awkwardly: it originates outside the airline's control, yet the airline remains the party liable to passengers under Articles 17 and 19.
The core ambiguity lies in what counts as an "accident". Courts have read the term broadly: in Labbadia v. Alitalia, a slip on snow-covered aircraft steps qualified as an "accident", suggesting that the accepted definition (an unexpected or unusual event external to the passenger) will be applied flexibly. No precedent, however, addresses whether a cyber-induced operational disruption meets this standard. If ransomware closes check-in systems and flights are cancelled, is that an "accident" for liability purposes, or merely a delay under Article 19? If GPS spoofing forces a pilot to divert, was the "accident" the attacker's act, the pilot's response, or the navigation failure? Existing case law does not answer these cyber-specific scenarios. The problem is not that Article 17 is inapplicable, but that its application to cyberattacks remains legally untested.
This ambiguity creates practical problems throughout the aviation system. Insurers cannot predict whether they must cover cyber incidents. Airlines cannot calculate how much compensation to reserve. Passengers lack clear legal rights when a disruption stems from a cyberattack rather than a mechanical failure.
Problem 2: Equipment Suppliers Escape Liability
Modern aviation relies on complex technological equipment produced by private manufacturers and cybersecurity vendors. Companies such as Collins Aerospace supply critical aviation systems, including cockpit displays, flight-management systems and ground infrastructure, used by hundreds of airlines worldwide. When these systems are compromised, the operational disruption can be severe. When attackers breached Collins Aerospace systems in September 2025, baggage-handling and check-in operations across several airports were disrupted, causing significant delays. The company treated the breach as a "vendor incident" and indicated that any financial responsibility would depend on its contractual arrangements with airline customers.
Despite the central role of such suppliers, the Montreal Convention makes the airline liable toward passengers for damage arising from an "accident" during air carriage and does not extend that liability framework to upstream technology suppliers or cybersecurity vendors. When a cyber incident originates in a vulnerability in a third-party system, the existing framework therefore places primary responsibility on the airline even though the technological risk lies elsewhere. SpiceJet's 2022 ransomware attack illustrates the problem: the airline cancelled more than 60 flights and passenger data was exposed, yet the software vendor faced no clear legal obligation under the liability framework to compensate affected parties. This does not mean that suppliers enjoy complete immunity; their responsibility may arise through indirect mechanisms such as contractual indemnity clauses or regulatory enforcement under national cybersecurity regimes, but passengers are not parties to those contracts and cannot rely on them.
A comparison with maritime law highlights this structural gap. Regimes such as the International Convention on Liability and Compensation for Damage in Connection with the Carriage of Hazardous and Noxious Substances (HNS Convention) illustrate a more structured approach to risk allocation, even though the 2010 HNS Protocol has not yet entered into force. Under that framework, shipowners are strictly liable for damage caused by hazardous cargo and must maintain compulsory insurance, while an international compensation fund provides a second tier of recovery for claims exceeding the insurance limits. This layered structure ensures that victims are compensated while spreading risk across the industry.
Aviation cybersecurity lacks a comparable international mechanism. Neither the Montreal Convention nor existing ICAO frameworks establish mandatory risk-allocation rules for cybersecurity failures within the aviation technology supply chain. Consequently, liability often depends on private contractual arrangements rather than a coherent international framework. As aviation becomes increasingly digitalised and reliant on interconnected systems, the absence of a harmonised regime for allocating cybersecurity responsibility between airlines and technology suppliers represents a significant structural weakness in international aviation law.
Problem 3: Jurisdiction Fails Across Borders
When Indian airports suffered GPS spoofing in December 2024, cybersecurity researchers attributed the attacks to state-sponsored actors, but the sponsoring state remained unclear. Without knowing where the attacker operated from, no one could determine which country's courts had authority to investigate or prosecute. The Chicago Convention (1944) grants each state complete and exclusive sovereignty over the airspace above its territory, so India may investigate a cyberattack in its airspace. But if the attacker operates from another country or conceals their identity, prosecution under Indian criminal law may prove impossible in practice, because the attacker's home state can refuse to cooperate or deny any involvement.
The Montreal Convention assumes that the liable party (the airline) operates in a signatory state, but cyber attackers frequently hide their identity or operate from non-signatory states. If North Korea conducted a cyberattack on Indian aviation, which law would apply? Would international humanitarian law apply? Neither treaty gives a clear answer. The problem deepens when one state deliberately attacks another's aviation infrastructure, not as ordinary criminal activity but as espionage or an act of war. Aviation law does not distinguish a criminal hacker from a military cyber operation; both fall into the same undefined space, leaving states without an adequate legal framework for state-sponsored cyberattacks on aviation.
Problem 4: India's Acute Vulnerability
Despite the December 2024 GPS spoofing at seven major Indian airports, India has no aviation-specific binding cybersecurity requirements. The Directorate General of Civil Aviation issues rules on aircraft maintenance and pilot training, but not on cyber defence, and the general CERT-In directions of 2022, which require all entities to report cyber incidents within six hours, impose no aviation-specific controls. In sharp contrast, the European Union, through Regulation 2022/1645 (applicable from October 16, 2025), mandates cyber incident reporting within 24 hours for critical events and within 72 hours for other incidents, together with security assessments of equipment suppliers and cybersecurity training for personnel. The FAA in the United States published its Cybersecurity Strategic Plan in 2024, and the UAE published its National Civil Aviation Cybersecurity Guidelines (2024) with detailed requirements for risk management and incident response. India has published nothing comparable, and the gap widens as the threat grows.
This regulatory vacuum causes practical harm. Indian airlines may find it harder to demonstrate compliance with EU cybersecurity standards, limiting their access to European markets. Insurers view unregulated carriers as higher risk and charge higher premiums. Most critically, if a cyberattack harms Indian passengers, Indian law provides no clear compensation mechanism for cyber incidents. India gives effect to the Montreal Convention through the Carriage by Air Act, 1972, so the untested "accident" question described above carries over; outside the Convention's reach, passengers are left with consumer-protection and negligence claims, which require proving that the airline was careless, a far heavier burden than the strict liability that protects passengers in regulated jurisdictions.
Solutions: What Needs to Change
International aviation law must evolve through targeted solutions. First, the Montreal Convention should be amended or supplemented with a "Cyber Protocol" that defines a "cyber accident" as an operational disruption caused by unauthorised access or system compromise, distinct from mechanical failure. The protocol should allocate liability clearly, so that third-party suppliers bear responsibility when their systems are compromised (adapting the maritime model of strict liability backed by compulsory insurance) rather than leaving airlines solely accountable. It should also mandate cybersecurity insurance for airlines, ensuring that passengers receive guaranteed compensation regardless of the attack's source, as maritime law's compulsory insurance requirement does.
Second, ICAO must accelerate its ongoing work to convert cybersecurity guidance into binding Standards and Recommended Practices (SARPs). ICAO's Doc 10213 (2025) provides the current methodology, and the 42nd session of the ICAO Assembly approved work on aviation cybersecurity SARPs, but this material remains guidance rather than adopted Standards, which oblige states to comply or to notify differences under Article 38 of the Chicago Convention. Full SARP adoption should be accelerated, requiring minimum cybersecurity protections for airlines, airports and suppliers, cyber incident reporting within 24 to 72 hours (matching EU standards), and personnel training. These would apply uniformly to all 193 ICAO member states.
Third, India should act immediately rather than wait for international consensus. The Ministry of Civil Aviation can issue a Cybersecurity Order under the Aircraft Rules, 1937, requiring Indian airlines to implement cybersecurity measures for critical systems, conduct security assessments of software suppliers, report incidents within 48 hours, and train employees. This would align India with EU Regulation 2022/1645 and FAA practice, enabling Indian carriers to compete internationally while protecting domestic passengers. India cannot afford to wait for a global agreement while its aviation sector faces immediate threats.
Conclusion
Cyberattacks struck Collins Aerospace in September 2025, Aeroflot in July 2025, and seven Indian airports in December 2024. Yet aviation law, written before cybersecurity threats existed, assumes that harm flows from mechanical failure and that the responsible party can be identified.
Three urgent steps can address this problem: first, amending the Montreal Convention to define cyber liability and mandate insurance; second, accelerating ICAO's development of binding cybersecurity standards for all 193 member states; and third, India introducing aviation cybersecurity regulations without delay.