Reports reveal weaknesses in systems security at State, FAA

A test of computer systems security at the State Department and the Federal Aviation Administration revealed pervasive weaknesses that could threaten the operation of the agencies, according to reports released today during hearings before the Senate Governmental Affairs Committee.

AND COLLEEN O'HARA (ohara@fcw.com)

A test of computer systems security at the State Department and the Federal Aviation Administration revealed pervasive weaknesses that could threaten the operation of the agencies, according to reports released today during hearings before the Senate Governmental Affairs Committee.

At the request of the committee, the General Accounting Office began a large-scale investigation of computer security problems at the largest federal agencies. To test the security systems at State and the FAA, GAO tried to penetrate security systems and access data contained on computer systems at both agencies.

Although some of the findings remain classified, GAO found that the FAA is "ineffective in all critical areas included in our security review." This includes physical security at air traffic control (ATC) sites, operational systems information security for ATC systems, future systems modernization security, and management structure and policy implementation.

The FAA was criticized for only assessing three out of 90 operational ATC computer systems to determine system threats, vulnerabilities and safeguards. In addition, only one of the nine operational ATC telecommunications networks has been analyzed. "Without knowing the specific vulnerabilities of its ATC systems, the FAA cannot adequately protect them," the GAO report said.

The penetration tests at State demonstrated that the department's computer systems and the data contained within them, "are very susceptible to hackers, terrorists or other individuals seeking to damage State operations or reap financial gain by exploiting the department's information security weaknesses," according to the report.

Not only has the FAA fallen short in protecting its current systems, but future ATC systems are also at risk. The FAA does not consistently include well-formulated security requirements in specifications for new ATC modernization systems as required by FAA, the GAO said. It also does not have the well-defined security architecture or security standards needed to ensure a secure ATC network.

The Transportation Department recognizes that facility, systems and data security are critical elements in the FAA's management of the ATC systems, according to GAO. However, DOT did not agree that FAA's management of computer security has been inappropriate or that ATC systems are vulnerable to the point of jeopardizing flight safety.

Investigators gained access to State's networks through dial-in connections to modems without any knowledge of the systems or without any passwords. Having gained access, investigators could have modified, stolen, downloaded or deleted data, shut down services and monitored network traffic such as e-mail, according to the report.

In addition, investigators were able to circumvent State's internal network security controls and access sensitive data such as international financial information, travel arrangement and employee performance appraisals.

In a written response to GAO, State officials said that its chief information officer is beginning to address the "lack of central focus for information systems security" detailed in the report. State officials also agreed to formalize and document risk management decisions and to correct the technical weaknesses defined in the GAO report.