GAO discredits the FAA's information security strategy

Government Accountability Office auditors say the Federal Aviation Administration's information security procedures for air traffic control systems are unacceptable.

“Significant information security weaknesses remain that could potentially lead to disruption in aviation operations,” according to a GAO report released Sept. 26.

Many security mechanisms were missing, such as secret passwords, patches for program bugs, logs of security-related events and background investigations of contractors.

Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee and one of the lawmakers who requested the GAO review, said the FAA must fix its cybersecurity flaws fast.

"The FAA is responsible for promoting the safe, orderly and expeditious flow of air traffic in the [United States], and it relies on [information technology] systems and networks to accomplish its mission,” Davis said. “Given the ever-evolving nature of cyberthreats and the thought of someone with malicious intent accessing FAA's IT systems, complacency is not an option.”

In the report and in comments made today, FAA officials said GAO's assessments do not accurately depict all FAA systems.

The auditors looked at only three of the FAA’s 80 systems, spokesman Greg Martin said. He added that the FAA does not rush to introduce program patches because such haste may have unforeseen effects on systems.

The report also fails to take into account several layers of system redundancy that the FAA built into the architecture, Martin said.

“Knowing that the threat of hacking and cybersecurity [are] not new, the system’s history of reliability suggests we’re not complacent but vigilant,” he said.

Dan Mehan, the FAA’s chief information officer, stated in the report that, as a result of the FAA’s information security precautions, it had achieved 100 percent of the President’s Management Agenda goals for certification and authorization of its systems, certified and authorized more than 90 percent of its systems in fiscal 2004 and completed 100 percent of its certifications and authorizations by June 30.

Auditors refuted most of those statements by referring to the report’s specifics.

Although the FAA conducted tests as part of its certification and authorization process, some of them were outdated or incomplete, GAO officials wrote.

In addition to testing the technical controls of three critical systems, GAO auditors reviewed management and operational controls at five other sites and at the FAA’s headquarters.

The GAO report did note that the FAA has made progress on previously reported weaknesses by establishing an agencywide information security program. The program has initiatives under way in each area required by the Federal Information Security Management Act of 2002.

However, the FAA has not fully implemented the program for the air traffic control systems, officials said.

For example, the network configuration allowed unauthorized employees to access system administration functions.

“FAA did not encrypt certain information traversing its internal network," the report states. “Instead, it used clear text protocols that made the network susceptible to eavesdropping.”

In addition, passwords were not taken seriously, according to the report. The agency did not always comply with password parameters, such as number of characters, type of characters and frequency of password changes.

The report also found that administrators and users shared passwords on several devices. Some database passwords were written into the application’s program code or appeared in clear text format on multiple shared server directories.

The FAA does not have a policy that requires officials review physical access logs for suspicious activity. Likewise, FAA officials do not routinely check that contractors and employees previously granted access to sensitive information still need access to that material.

“As a result, none of the sites we visited could ensure that employees and contractors who were accessing sensitive areas had a legitimate need for access,” GAO officials stated in the report.

In 2000, they testified that the FAA did not conduct background investigations on thousands of contractors. The FAA has worked to address the issue, but auditors said the agency neglected to investigate numerous individuals with the power to modify or disrupt critical systems.

GAO officials released a separate report to select individuals with recommendations because the suggestions contain sensitive security information.

Recommendations in the public report include complete risk assessments, patch management, monitoring of physical access and security awareness training.

In oral comments to GAO officials, Mehan agreed to consider the recommendations.

He has stressed the importance of a proper cybersecurity defense system in recent public speeches.