Audit scorches DOT security

Information security weaknesses at the Federal Aviation Administration pale in comparison to the network vulnerabilities discovered at other Transportation Department administrations

Information security weaknesses at the Federal Aviation Administration pale in comparison to the network vulnerabilities discovered at other Transportation Department administrations, according to a report released last week by DOT's Office of Inspector General.

"I think FAA's in better shape than the rest of the department — considerably better shape," said Kenneth Mead, DOT's inspector general, speaking to the House Science Committee Sept. 27. The committee was examining security problems in computers used for air traffic control as well as failures to comply with FAA policies requiring background checks for employees and contractors given access to the systems.

The General Accounting Office informed the FAA in December 1999 that the agency had failed to conduct background checks on contractors hired to test and fix mission-critical systems for the Year 2000 rollover, said FAA Administrator Jane Garvey during the hearing. Professional hackers hired later to test the security of critical information technology systems also did not receive proper clearance.

In response, the FAA, under the direction of DOT's chief information officer, completed thousands of security clearances for IT contractors, and audited and fixed IT security problems in systems at all FAA facilities. FAA's efforts to improve computer and personnel security could set an example for the rest of the agency, Mead said.

During a nine-month review of computer networks at DOT headquarters, the IG found serious weaknesses in the agency's firewall security and lax enforcement of Internet security requirements specified by DOT's CIO. The IG found that unauthorized users within and outside the agency could access private Web sites.

However, of the computers the investigators were able to penetrate, none were at the FAA or the U.S. Coast Guard, where DOT's most critical systems are located. George Molaski, DOT's CIO, said he is trying to get the resources allocated at the departmental level to assist the smaller administrations in implementing the required security systems and policy. Molaski has asked for an additional five IT security personnel at headquarters in the department's $1.1 million budget request for fiscal 2001.

Although Transportation Secretary Rodney Slater has strived to create a unified DOT, some of the Transportation administrations "still believe it's the wild, wild West and they can do what they want," Molaski said. "Security changes the dynamic because we're all tied to the same backbone, and a vulnerability on one [administration] affects all the other [administrations]."

As a result, Molaski is trying to centralize the backbone infrastructure for all telecommunications networks under the CIO office. He plans to require certification of any system that will be connected to the telecommunications network to keep it from becoming contaminated by less secure systems.

"Not having the operational responsibility for that [infrastructure], the best we can do is put out the policy and hope the [administrations] follow it," he said.

One issue that must still be resolved is the ability of the CIO to enforce information security policies, said Joel Willemssen, director of civil agencies information systems at GAO. As security programs are implemented, GAO will monitor whether enforcement is effective, he said.

DOT will pay particular attention to the threat from internal unauthorized use, particularly of financial systems, Molaski said. Employees who embezzled funds through stolen passwords — including one who embezzled $600,000 from DOT — were prosecuted, according to the IG's report.
