GAO scolds FAA over Year 2000

The Federal Aviation Administration's ineffective management of information technology has exacerbated problems with computer security and the Year 2000 computer bug, two areas where the agency faces huge and immediate challenges, witnesses testified before a House panel last week.

Overcoming these issues should be a top priority for the agency as it modernizes its systems, said Rep. Constance Morella (R-Md.), chairwoman of the House Science Committee's Technology Subcommittee.

"It appears that two key components to effective and safe modernization have been basically ignored in the FAA's initial plans," Morella said. "FAA modernization of the air traffic control system must address computer security issues and the Year 2000 problem."

Although the FAA has made progress in fixing its computers for the Year 2000 glitch, with less than 17 months to go the "FAA must still correct, test and implement many of its mission-critical systems," said Joel Willemssen, director of civil agencies information systems at the General Accounting Office's Accounting and Information Management Division. "It is doubtful that FAA can adequately do all of this in the time remaining. Accordingly, it must determine how to ensure continuity of critical operations in the likely event of some systems' failure."

Raymond Long, director of the FAA's Year 2000 program, disagreed with GAO's assessment and said the FAA systems will be tested and ready in time for the new millennium. An FAA-wide contingency plan will be complete at the end of this month, and all system interfaces that rely on dates will be identified by the end of September, he said.

Morella acknowledged the FAA's significant progress in fixing its Year 2000 problems, in particular for elevating Year 2000 to the highest priority in the agency and renovating two-thirds of its mission-critical systems. But she expressed concern over GAO reports that the agency might not meet the deadlines laid out by the Office of Management and Budget.

GAO also reported that the FAA had security holes in its systems, specifically in the areas of physical security, information systems, telecommunications networks and development of new systems. In a report issued in May, GAO charged that the FAA does not know the specific vulnerabilities in its systems and therefore cannot protect them.

"We can tell you openly that we found evidence of air traffic control systems that had been penetrated and critical ATC data that had been compromised," Willemssen said, adding that he could not divulge detailed information on the break-ins because that information is considered sensitive.

Failure to address the Year 2000 issue or security could be devastating, Willemssen warned. "Careful attention to security issues is even more important during the next 17 months as FAA makes a tremendous number of Year 2000-related changes to its mission-critical systems," he said. "If insufficient attention is paid to computer security during this time, existing vulnerabilities will be compounded."

The FAA already has taken some actions to fix its security holes, Dennis DeGaetano, deputy associate administrator for research and acquisitions at the FAA, told the subcommittee. For example, the agency plans to appoint a chief information officer who will be responsible for information security at the FAA and will report directly to the FAA administrator. Currently, responsibility is shared by several organizations in the FAA.

John Meche, deputy assistant inspector general for financial, economic and information technology at the Transportation Department, said in his testimony that hackers have penetrated DOT's systems at least 15 times since April 1997.

Only about seven of the FAA's 90 information systems and telecommunications networks have undergone risk assessments, Willemssen said. As a result, the FAA does not know how vulnerable they are and so has no way to determine how to protect them. Meanwhile, no ATC system has been certified, he said.