FAA security office opens for business

The hundreds of facilities and the thousands of systems and personnel at

the Federal Aviation Administration can look like Mount Everest to someone

in charge of information security.

That's why the director of a new office to tackle information security

at the FAA is applying a systematic approach at the place where everything

comes together: each facility in the national airspace system.

By examining physical and personnel barriers, nationally deployed computer

systems and locally unique computer systems at each air traffic management

facility, Raymond Long hopes to plug the holes in the FAA's network that

may be at risk of intrusion.

In May, the FAA created the Office of Information Systems Security and

called upon Long, the former director of the FAA's Year 2000 Office, to

head the new office. Long is expected to apply experiences and lessons learned

during the Year 2000 effort to the security issue at FAA.

"This job is 10 times the magnitude of what Y2K [could ever be]," Long

said. "Y2K had a deadline, and the problem was well known. This one never

ends, and we have to create new technology to solve the problems."

The older mainframe systems used by the FAA have kept the critical data

used to control air traffic isolated from external systems. But the introduction

of new decentralized systems to modernize and automate air traffic management

also opens the agency's facilities to a greater risk of attack, Long said.

Long said he sees the information security initiative as primarily an

awareness effort to get agency workers focused on the issue. But the office

also has a systematic approach to certifying its systems as hacker-proof.

FAA chief information officer Daniel Mehan created the office in response

to Presidential Decision Directive 63, which was signed in May 1998. The

directive requires all federal agencies to develop plans and take steps

to protect their critical infrastructure.

Creating a central office is crucial in providing the big picture of

security across the agency, said Jean Boltz, a security expert at the General

Accounting Office. "Also, [the offices] can serve as a conduit to senior

management, a central focus point for issues like incident handling," she

said.

The FAA office has a budget for fiscal 2000 of $42.5 million and has

requested $87.3 million for 2001. Long said he expects another significant

increase for 2002.

A report by GAO in December 1999 found that the FAA's insufficient management

support, insufficient user training, and inadequate policy enforcement led

to its failure to comply with internal personnel security policies.

Added information system security isn't something that has proven to

be a necessity yet, but it is "better to be safe than sorry," said Randy

Schwitz, executive vice president of the National Air Traffic Controllers

Association.

A priority should be the host computer system, which is at the heart

of all en-route air traffic operations as well as personnel systems, Schwitz

said.

—Diane Frank contributed to this article.