GAO investigators find State, FAA computer systems easy to hack

The State Department and the Federal Aviation Administration have pervasive computer security weaknesses that hackers could use to access international financial and travel information and to interrupt the nation's air traffic control (ATC) systems, according to reports released last week.

The General Accounting Office, at the behest of the Senate Governmental Affairs Committee, has begun a large-scale investigation of computer security problems at the largest federal agencies. To test the security systems at State and the FAA, auditors tried to break into computers at both agencies.

Although some of GAO's findings remain classified, some details of the test results were released last week in two GAO reports. The agency found that the FAA was "ineffective in all critical areas included in our security review." This includes physical security at ATC sites, operational systems information security for ATC systems, future systems modernization security, and management structure and policy.

The FAA was criticized for assessing only three of the 90 operational ATC computer systems to determine threats, vulnerabilities and safeguards of the systems. In addition, only one of the nine operational ATC telecommunications networks has been analyzed. "Without knowing the specific vulnerabilities of its ATC systems, the FAA cannot adequately protect them," the GAO report stated.

Tests at State demonstrated that its computer systems and data "are very susceptible to hackers, terrorists or other individuals seeking to damage State operations or reap financial gain by exploiting the department's information security weaknesses," GAO concluded.

Sen. Joseph Lieberman (D-Conn.) noted that agencies have not taken the necessary steps to protect federal systems from unauthorized infiltration.

"As a result, the most private information of our citizens and the most vital details of our national security, among numerous other things, are available to bad actors, who...may not need more than a good knowledge of computer systems and some time and ingenuity to gain access to our government's computer systems," he said.

The FAA maintains that because ATC systems are 20 years old and are custom built, the potential for unauthorized access is limited. However, GAO pointed out that just because a system is old does not mean it is secure.

Not only has the FAA fallen short in protecting its current systems, but future ATC systems are also at risk, GAO concluded. Although the FAA requires well-formulated security plans in specifications for new ATC modernization systems, the agency does not consistently include such requirements, GAO said. The FAA also does not have a well-defined security architecture or the security standards needed to ensure a secure ATC network.

Until these organizations carry out their security responsibilities, "sensitive information is at risk of being compromised and flight services interrupted," GAO said.

Little evidence indicates that attacks on the FAA's systems or facilities have been anything other than common vandalism, according to a statement released by the FAA last week. None have resulted in any situation that might have posed a threat to the flying public, according to the statement.

In addition, the FAA has created a new information security group to assess system vulnerabilities and to perform additional computer penetration tests.

At State, investigators gained access to networks through dial-in connections and could have modified, stolen or deleted important data, shut down services and monitored network traffic, such as e-mail, according to the report.

The investigators accessed sensitive data such as international financial information, travel arrangements and employees' performance appraisals.

In a written response to GAO, State officials said the agency has agreed to formalize and document risk management decisions as well as to correct the technical weaknesses defined in the GAO report.