December 13, 2019


MONTREAL – On December 13, 2019, the UN International Civil Aviation Organization (ICAO) fired whistleblower Vincent Smith for his disclosure that ICAO’s leadership responded inadequately to a cyber-espionage group’s breach that exposed a gateway to nearly every airline, airport, and government aviation agency globally. Those responsible for the termination decision include the two subjects of Smith’s complaint, Secretary General Fang Liu and Council President Olumuyiwa Benard Aliu.

Beginning in 2016, Smith started making internal disclosures of security safeguards breaches that threaten the civil aviation security and safety worldwide along with ICAO’s lack of response. According to a forensic investigation report, the breach was part of a cyber-hack spanning back to 2010. As reported by Canadian Broadcasting Corporation (CBC) News in February 2019, the Chinese government-backed threat actor “Emissary Panda” (also known as TG-3390, APT 27, and Bronze Union) was likely responsible for the attack. In July 2019, after years of ignored complaints, cover-ups, inaction, and lack of consequences at ICAO, Smith finally made disclosures to  CBC News about ICAO’s culture of impunity, whistleblower retaliation, and harassment against him. Other ICAO whistleblowers provided CBC with information and documents that revealed that the Council President’s son, Maxim Aliu, who formerly worked at ICAO’s IT department, may have been the original source of the virus that infected ICAO’s IT system.

The Secretary General and Council President blamed Smith for all of the contents of CBC’s reporting, despite Smith not being the source for much of the information. Their mission since July 2019 has been to discredit and fire Smith for his public disclosure. Remarkably, the Secretary General sought to sabotage the whistleblower policy that the ICAO Council approved on June 20, 2019 during its 217th session. During that meeting, the Council directed the Secretary General to incorporate the whistleblower policy into the organization’s Service Code, which she failed to do, hoping that such inaction would shield her and the President from consequences that would result from retaliating against whistleblowers.

In October 2019, the U.S. State Department, which provides almost a quarter of ICAO’s annual budget, announced that it is withholding its dues in accordance with Section 7048(a)(1)(B) of the Consolidated Appropriations Act. This Act provides that 15 percent of funds may not be obligated to any UN organization, department, or agency if they do not effectively implement or enforce best practices whistleblower protection policies and procedures.

Samantha Feinstein, Government Accountability Project’s Senior Legal and International Analyst, and counsel to Mr. Smith, said:

“ICAO is not complying with their obligations to implement and enforce a best practices whistleblower protection policy under Section 7048(a). The United States and other Council members should hold the Secretary General and Council President accountable and take action to protect the whistleblowers. The consequences are inaction against what could be the largest global security breach in aviation history. Rather than defending the public, ICAO chose to target the messenger. It is also imperative that there is an independent investigation into the cyber breach and whistleblower retaliation that is free of any conflicts of interest. A breach of this magnitude cannot be swept under the rug and kept from the public.”

Contact: Samantha Feinstein, Senior Legal and International Analyst
Email[email protected]
Phone: (202) 457-0034 x162