Report raps FAA for continued security lapses

The Federal Aviation Administration fails to protect critical computer systems, including those used for air traffic control, according to a new government report on computer security.

Despite its efforts to remedy serious security problems outlined in a government study this summer, the Federal Aviation Administration is still failing to protect its critical computer systems, including those used for air traffic control, according to a new government report on computer security released today.

The report by the General Accounting Office was released and discussed at a hearing before the House Science Committee to investigate continuing computer security lapses at the FAA and how these lapses could affect travelers, the committee said in a statement.

The committee is taking up the matter with industry professionals, government regulators and politicians.

In recent years, government officials have been demanding that Congress introduce legislation that will require government agencies to better protect their computer systems.

"Organized attacks, such as the 'Solar Sunrise' attack on the Department of Defense in early 1998, and widespread computer virus infections such as the 'Melissa' and 'I Love You' viruses illustrate our government's susceptibility to malicious computer-based actions," Joel Willemssen, a GAO official, said before the committee.

In May, the GAO, the investigative arm of Congress, reported that the FAA has put the nation's air traffic control system at risk through lack of compliance with personnel security policies.

The May report found that the FAA did not conduct proper background checks on thousands of contractor employees, some of whom had access to the most sensitive air traffic control systems. Some of the employees were foreign nationals, according to the Science Committee.

"In brief, FAA's agency-wide computer security has serious and pervasive problems," Willemssen said. "FAA does not know how vulnerable the majority of its operational air traffic control systems are and cannot adequately protect them until it performs the appropriate risk assessments and addresses identified weaknesses.

"Further, FAA has not always acted quickly to implement corrective actions for the systems that have undergone risk assessments and penetration testing."

In response to the GAO report, FAA officials said they were concerned by the GAO findings and are already working to ensure that the security lapses discovered by government investigators are fixed.

"Clearly, the FAA is not alone in addressing the issue of information security," FAA administrator Jane Garvey told the committee. "The threat of cyber-crime is confronting all agencies of the Federal government, as well as the private sector. We are committed to give information security an even greater level of intensity of management focus than we applied to meet the challenges posed by the Y2K issue."

Earlier this month, the House Subcommittee on Government Management, Information and Technology heard testimony on two legislative proposals in the House that called for the appointment of a federal chief information officer to oversee technology and computer security policies.

Both hearings follow the release of two reports by the GAO that strongly suggested that federal agencies as a whole have not done enough to protect information submitted to their Web sites or to defend information systems from predators.

"I believe that we have put into place a structure for information system security that is vigilant; and will continue to seek all ways and means to provide the greatest level of protection for our information systems," Garvey said.