GAO to unveil findings on outdated FAA tech systems

An American Airlines Airbus A321 airplane takes off past the air traffic control tower at Ronald Reagan Washington National Airport in Arlington, Va. A coming oversight report examines the use of legacy technology in Federal Aviation Administration operations. Saul Loeb/AFP via Getty Images

The congressional watchdog's forthcoming report will examine legacy air traffic control systems and the agency’s modernization efforts.

The U.S. government’s top auditing shop will release a report about the use of legacy equipment in the Federal Aviation Administration by the end of this month, according to a person familiar with the matter.

The Government Accountability Office is unveiling its findings to help shed light on government agencies’ struggles with older technology, said the person, who asked not to be identified in order to share news of the coming findings.

GAO “looked at the FAA’s Air Traffic Control systems that are unsustainable, whether the FAA had associated modernization efforts, and the FAA’s oversight efforts,” Kevin Walsh, the auditing agency’s information technology and cybersecurity team director, said in an email.

“We could not comment on a report that has not been issued,” an FAA spokesperson said.

Legacy equipment has been a prevailing issue in modern government systems, said Rob Joyce, the former head of the NSA’s cybersecurity directorate. Besides stolen credentials or compromised passwords, outdated IT creates pathways for hackers to break into federal networks, he said.

Civilian agencies across the government have some degree of legacy IT equipment, said Mark Weatherford, the former undersecretary for cybersecurity at DHS.

Agencies have often used compensating controls, security and privacy measures that are implemented when agencies can’t directly meet the most up-to-date cyber or IT standards, but they’re not permanent solutions to legacy systems, Weatherford added.

“[Compensating controls] extends the problem because eventually, they will have to replace them, but we spend a lot of money just patching old systems that a modernization effort would probably help alleviate,” he said. Both Weatherford and Joyce sit on the public sector advisory board for Tenable, a cybersecurity firm based in Maryland.

Much of the FAA’s infrastructure, including radar systems and communication networks, may be reliant on outdated technology that struggles to meet modern air traffic demands. The White House’s FY2025 FAA budget request includes $8 billion over five years for facility replacement and radar modernization. It also requests $140 million for its Enterprise Network Services program, which the agency says can help with cybersecurity and resilience needs.

The request is probably a “fair ask,” Joyce said, because the FAA’s cybersecurity and IT staff have likely assessed internal equipment and determined that the requested amount will put the aviation agency in its best position to overhaul its systems.

“The CIO and CISOs in this environment want to be secure,” Joyce said. “But that runs into the reality of budgets, and so a key portion of this is getting attention on the problem, and then leadership — both in the executive branch and Congress — working to say ‘we’re going to prioritize reducing this risk.’”

Aviation cybersecurity became a top-of-mind issue in recent weeks when Washington state’s Seattle-Tacoma International Airport was hit by a ransomware attack after hackers breached the Port of Seattle’s systems and demanded a ransom payment of some $6 million. A Sea-Tac official and others testified before the Senate Commerce Committee this week about the incident.

“The FAA, like many other agencies, is a communications and safety organization. Modernization in this case means more than just equipment updates — it means a pivot to becoming a software-led organization, where technology is built-in,” Joel Krooswyk, federal CTO at GitLab, said in an email.

Nation-state hackers like China’s infamous Volt Typhoon collective have shown interest in breaching aviation systems, which are considered critical infrastructure under current U.S. government standards, Joyce noted.

Modernizing these systems will be key for adapting to cyber threats, Weatherford said, because hacking groups can innovate on their exploits more quickly and easily today than even just a few years ago. “[Legacy systems] are a threat that, not just the government, but every private sector company on the face of the earth should be concerned about,” he said.

The FAA itself is in the midst of a rulemaking designed to shore up the cybersecurity of aircraft and aviation equipment. Comments on the proceeding are due in late October with a final rule expected sometime in 2025.